Overview

The User Account and Authentication Service (UAA):

Authorization

Authorization Code Grant

Browser flow

$ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Fredirect.to%2Fapp' -i -H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Fredirect.to%2Fapp HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost

HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://redirect.to/app?code=ORS5mgA0Ti

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | code, to request an authorization code that can later be exchanged for an access token, as per the OAuth spec
client_id | String | Required | a unique string representing the registration information provided by the client
scope | String | Optional | requested scopes, space-delimited
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied); optional if pre-registered by the client

Api flow

$ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&redirect_uri=https%3A%2F%2Fuaa.cloudfoundry.com%2Fredirect%2Fcf&state=qR39xd' -i -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.f5fMBwZfzoVCQdECpN8A5To7NmCCimKaTw2_GiFj6sg'
GET /oauth/authorize?response_type=code&client_id=login&redirect_uri=https%3A%2F%2Fuaa.cloudfoundry.com%2Fredirect%2Fcf&state=qR39xd HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.f5fMBwZfzoVCQdECpN8A5To7NmCCimKaTw2_GiFj6sg
Host: localhost

HTTP/1.1 302 Found
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: https://uaa.cloudfoundry.com/redirect/cf?code=DewQ14RqGz&state=qR39xd

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | code, to request an authorization code for an access token, as per the OAuth spec
client_id | String | Required | a unique string representing the registration information provided by the client
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied); optional if pre-registered by the client
state | String | Required | any random string, returned unchanged in the Location header as a query parameter; used to achieve per-request customization

Request Headers

Name | Description
Authorization | Bearer token containing the uaa.user scope; the authentication for this user

Implicit Grant

$ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i -H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost

HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.NDyBZf742HxFhQiV1L_kZxV0vfGl4eWjxxm-a-_lCEE&expires_in=43199&jti=64152e3b5d5d48e3a1df9fd5540b9bc1

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | Expected response type, in this case “token”, i.e. an access token
client_id | String | Required | a unique string representing the registration information provided by the client
scope | String | Optional | requested scopes, space-delimited
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied); optional if pre-registered by the client

Response Headers

Name | Description
Location | Location as defined in the spec; includes access_token in the reply fragment if successful

Implicit Grant with prompt

$ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i -H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost

HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#error=login_required

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | Expected response type, in this case “token”, i.e. an access token
client_id | String | Required | a unique string representing the registration information provided by the client
scope | String | Optional | requested scopes, space-delimited
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied); optional if pre-registered by the client
prompt | String | Optional | specifies whether to prompt for user authentication. Only the value none is supported.

Response Headers

Name | Description
Location | Redirect URL specified in the request parameters.
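The three authorize flows above all hand their result back in the Location header, but in different places: the authorization code (and any state) travels in the query string, while the implicit and prompt=none responses put the tokens or the error in the fragment, which only the browser sees. The following is an added example of how a relying party would consume those redirects; it is not code from the UAA project. The Location values are the ones shown above, the state generation with secrets.token_urlsafe is this example's choice, and the access token in the implicit sample is a constructed placeholder.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def build_authorize_url(base, client_id, redirect_uri, scope, response_type="code"):
    """Build the /oauth/authorize URL. Returns it together with the freshly
    generated state, which the client must store (e.g. in its session) so the
    callback can be matched to this request."""
    state = secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": response_type,
        "client_id": client_id,
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{base}/oauth/authorize?{query}", state


def parse_redirect(location, expected_state=None):
    """Interpret the Location header UAA sends back.

    Returns {'error': ...}, {'code': ..., 'state': ...} or the token fields
    from the fragment. When expected_state is given, a callback whose state
    is missing or different is rejected: it was not produced by a request
    this client issued.
    """
    parts = urlsplit(location)
    params = {}
    for src in (parts.query, parts.fragment):
        for key, values in parse_qs(src, keep_blank_values=True).items():
            # A parameter appearing twice (or in both places) is malformed.
            if len(values) != 1 or key in params:
                raise ValueError(f"duplicate or malformed parameter: {key}")
            params[key] = values[0]

    if "error" in params:
        return {"error": params["error"]}

    if expected_state is not None:
        got = params.get("state", "")
        if not secrets.compare_digest(got.encode(), expected_state.encode()):
            raise ValueError("state mismatch: rejecting callback")

    if "code" in params:
        return {"code": params["code"], "state": params.get("state")}
    if "access_token" in params or "id_token" in params:
        keep = ("token_type", "access_token", "id_token", "expires_in", "jti")
        return {k: v for k, v in params.items() if k in keep}
    raise ValueError("redirect carries neither a code, tokens, nor an error")
```

Note that the implicit-grant requests shown on this page send no state parameter; a browser client should add one all the same, and then pass it as expected_state so the fragment is checked the same way the query string is.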

OpenID Connect flow

OpenID Provider Configuration Request

The OpenID Provider Configuration Document MUST be retrieved with an HTTP GET request to the /.well-known/openid-configuration path, as shown below.

$ curl 'http://localhost/.well-known/openid-configuration' -i -H 'Accept: application/json'
GET /.well-known/openid-configuration HTTP/1.1
Accept: application/json
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1239

{
  "issuer" : "http://localhost:8080/uaa/oauth/token",
  "authorization_endpoint" : "http://localhost/oauth/authorize",
  "token_endpoint" : "http://localhost/oauth/token",
  "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
  "token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ],
  "userinfo_endpoint" : "http://localhost/userInfo",
  "jwks_uri" : "http://localhost/token_keys",
  "scopes_supported" : [ "openid", "profile", "email", "phone", "roles", "user_attributes" ],
  "response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ],
  "subject_types_supported" : [ "public" ],
  "id_token_signing_alg_values_supported" : [ "RS256", "HS256" ],
  "id_token_encryption_alg_values_supported" : [ "none" ],
  "claim_types_supported" : [ "normal" ],
  "claims_supported" : [ "sub", "user_name", "origin", "iss", "auth_time", "amr", "acr", "client_id", "aud", "zid", "grant_type", "user_id", "azp", "scope", "exp", "iat", "jti", "rev_sig", "cid", "given_name", "family_name", "phone_number", "email" ],
  "claims_parameter_supported" : false,
  "service_documentation" : "http://docs.cloudfoundry.org/api/uaa/",
  "ui_locales_supported" : [ "en-US" ]
}

Response Fields

Path | Type | Description
issuer | String | URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
authorization_endpoint | String | URL of the authorization endpoint.
token_endpoint | String | URL of the token endpoint.
userinfo_endpoint | String | URL of the OP’s UserInfo Endpoint.
jwks_uri | String | URL of the OP’s JSON Web Key Set document.
scopes_supported | Array | JSON array containing a list of the OAuth 2.0 scope values that this server supports.
subject_types_supported | Array | JSON array containing a list of the Subject Identifier types that this OP supports.
token_endpoint_auth_methods_supported | Array | JSON array containing a list of Client Authentication methods supported by this Token Endpoint.
token_endpoint_auth_signing_alg_values_supported | Array | JSON array containing a list of the JWS signing algorithms.
response_types_supported | Array | JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
id_token_signing_alg_values_supported | Array | JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT.
id_token_encryption_alg_values_supported | Array | JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP.
claim_types_supported | Array | JSON array containing a list of the Claim Types that the OpenID Provider supports.
claims_supported | Array | JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for.
claims_parameter_supported | Boolean | Boolean value specifying whether the OP supports use of the claims parameter.
service_documentation | String | URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider.
ui_locales_supported | Array | Languages and scripts supported for the user interface.

ID token

The authorization request may specify a response type of id_token, and an ID token as defined by OpenID Connect will be included in the fragment of the redirect URL.

$ curl 'http://localhost/oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i -H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost

HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiI1ODAyNDVjOS02NTFlLTRjNWQtYWI0Yy0xMDMzMmNiODYwOTYiLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImFwcCIsImF1ZCI6WyJhcHAiXSwiemlkIjoidWFhIiwidXNlcl9pZCI6IjU4MDI0NWM5LTY1MWUtNGM1ZC1hYjRjLTEwMzMyY2I4NjA5NiIsImF6cCI6ImFwcCIsInNjb3BlIjpbIm9wZW5pZCJdLCJleHAiOjE0ODgzNjkyNjgsImlhdCI6MTQ4ODMyNjA2OCwianRpIjoiN2RiYzBkOGUxMzExNGUxMGE2ODU0ZDM5MjYwZTVkNTEiLCJlbWFpbCI6Im1hcmlzc2FAdGVzdC5vcmciLCJyZXZfc2lnIjoiNmU1ODAzMjUiLCJjaWQiOiJhcHAifQ.vSs4D21V16AEnuVCz2mHXyJ-oSpUqfXeOr4N5e93QI8&expires_in=43199&jti=7dbc0d8e13114e10a6854d39260e5d51

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | Expected response type, in this case “id_token”
client_id | String | Required | a unique string representing the registration information provided by the client
scope | String | Optional | requested scopes, space-delimited
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied); optional if pre-registered by the client

Response Headers

Name | Description
Location | Location as defined in the spec; includes id_token in the reply fragment if successful

ID token and Access token

The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the access token.

$ curl 'http://localhost/oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i -H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost

HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.2jR8MR66RkH53jnZWu8ZNDgcLZhfBSsbpSvgm9wGrtY&id_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.s0qk-n-7V-LmODIH2q18YbXf42pY7YwzfiqJW7FhNtU&expires_in=43199&jti=bea86a6d2d3542098031d860835705c7

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | Expected response type, in this case “token id_token”, indicating both an access token and an ID token.
client_id | String | Required | a unique string representing the registration information provided by the client
scope | String | Optional | requested scopes, space-delimited
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied); optional if pre-registered by the client

Response Headers

Name | Description
Location | Location as defined in the spec; includes access_token and id_token in the reply fragment if successful

Hybrid flow

The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the authorization code.

$ curl 'http://localhost/oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i -H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost

HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.ZOXrRqzswkTaat1AnjIXEcVXN1g9uF_cvAQbzm9obd8&code=FQPcxh0urT&expires_in=43199&jti=cf2b9733a05f43e7b8de2f58c7c2b9d4

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | Expected response type, in this case “id_token code”, indicating a request for an ID token and an authorization code.
client_id | String | Required | a unique string representing the registration information provided by the client
scope | String | Optional | requested scopes, space-delimited
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied); optional if pre-registered by the client

Response Headers

Name | Description
Location | Location as defined in the spec; includes code and id_token in the reply fragment if successful
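An id_token delivered in the fragment, as in the three OpenID Connect responses above, is only worth anything after the relying party has verified its signature and its claims. The following is an added example of those checks, not code from the UAA project. The sample token is the id_token from the “ID token” response above (its header names alg HS256 and kid legacy-token-key), and the expected issuer is the issuer value from the discovery document. Since the page does not publish the key behind legacy-token-key, the signature part of the demo signs and verifies a second, constructed token with a constructed secret; the verifier fixes the algorithm itself instead of trusting the token's alg header.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Copied from the 'ID token' response above (header.payload.signature).
SAMPLE_ID_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ."
    "eyJzdWIiOiI1ODAyNDVjOS02NTFlLTRjNWQtYWI0Yy0xMDMzMmNiODYwOTYiLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImFwcCIsImF1ZCI6WyJhcHAiXSwiemlkIjoidWFhIiwidXNlcl9pZCI6IjU4MDI0NWM5LTY1MWUtNGM1ZC1hYjRjLTEwMzMyY2I4NjA5NiIsImF6cCI6ImFwcCIsInNjb3BlIjpbIm9wZW5pZCJdLCJleHAiOjE0ODgzNjkyNjgsImlhdCI6MTQ4ODMyNjA2OCwianRpIjoiN2RiYzBkOGUxMzExNGUxMGE2ODU0ZDM5MjYwZTVkNTEiLCJlbWFpbCI6Im1hcmlzc2FAdGVzdC5vcmciLCJyZXZfc2lnIjoiNmU1ODAzMjUiLCJjaWQiOiJhcHAifQ."
    "vSs4D21V16AEnuVCz2mHXyJ-oSpUqfXeOr4N5e93QI8"
)
# 'issuer' from the OpenID Provider Configuration Document above.
ISSUER = "http://localhost:8080/uaa/oauth/token"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def id_token_from_location(location: str) -> str:
    """Pull the id_token out of the redirect fragment (visible to the browser only)."""
    frag = parse_qs(urlsplit(location).fragment)
    if len(frag.get("id_token", [])) != 1:
        raise ValueError("fragment must carry exactly one id_token")
    return frag["id_token"][0]


def split_jwt(token: str):
    """Decode the header and payload of a compact JWS; nothing is trusted yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have three segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload, parts


def verify_hs256(token: str, secret: bytes) -> bool:
    """Verify an HS256 signature. The algorithm is fixed by the verifier, not read
    from the token, so alg=none or an RS256-to-HS256 switch is rejected here."""
    header, _, parts = split_jwt(token)
    if header.get("alg") != "HS256" or header.get("typ", "JWT") != "JWT":
        return False
    mac = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(mac, _b64url_decode(parts[2]))
    except ValueError:
        return False


def check_claims(payload: dict, issuer: str, client_id: str, now: int) -> list:
    """Claim checks that follow a valid signature (OpenID Connect Core 3.1.3.7).
    Returns the names of failing checks; an empty list means acceptable."""
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        problems.append("aud")
    if len(aud) > 1 and payload.get("azp") != client_id:
        problems.append("azp")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        problems.append("exp")
    return problems


def sign_hs256(payload: dict, secret: bytes, kid: str = "constructed-key") -> str:
    """Produce an HS256 token for the demo (constructed key id, not a UAA key)."""
    header = {"alg": "HS256", "kid": kid, "typ": "JWT"}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"
```

Against a production UAA the signing keys come from jwks_uri (token_keys above) and are selected by kid; the point of the structure here is that key lookup and algorithm choice belong to the verifier, and claim checks run only after the signature passes.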

Token

The /oauth/token endpoint requires client authentication. Client credentials can be passed either in the request's Authorization header, using HTTP basic authentication, or as request parameters, using the client_id and client_secret parameter names.

Authorization Code Grant

$ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=token&code=WeeQgWDi2x&token_format=opaque&redirect_uri=https%3A%2F%2Fuaa.cloudfoundry.com%2Fredirect%2Fcf'
POST /oauth/token HTTP/1.1
Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: localhost

client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=token&code=WeeQgWDi2x&token_format=opaque&redirect_uri=https%3A%2F%2Fuaa.cloudfoundry.com%2Fredirect%2Fcf
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 250

{
  "access_token" : "77cc685e8e244bd88ef3e7227ab15110",
  "token_type" : "bearer",
  "refresh_token" : "655b19516a6f4c4a949244e88569a514-r",
  "expires_in" : 43199,
  "scope" : "openid oauth.approvals",
  "jti" : "77cc685e8e244bd88ef3e7227ab15110"
}

Request Headers

Name | Description
Authorization | Client ID and secret may be passed as a basic authorization header, per RFC 6749, or as request parameters.

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | The type of token that should be issued.
client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
redirect_uri | String | Required if provided on the authorization request | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied)
code | String | Required | the authorization code, obtained from /oauth/authorize, issued for the user
grant_type | String | Required | the type of authentication being used to obtain the token, in this case authorization_code
client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
token_format | String | Optional (UAA 3.3.0) | Can be set to ‘opaque’ to retrieve an opaque and revocable token.

Response Fields

Path | Type | Description
access_token | String | the access token for the user to whom the authorization code was issued
token_type | String | the type of the access token issued, i.e. bearer
expires_in | Number | number of seconds until token expiry
scope | String | space-delimited list of scopes authorized by the user for this client
refresh_token | String | an OAuth refresh token for refresh grants
jti | String | a globally unique identifier for this token

Client Credentials Grant

Without Authorization

$ curl 'http://localhost/oauth/token' -i -X POST -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_id=login&client_secret=loginsecret&grant_type=client_credentials&token_format=opaque&response_type=token'
POST /oauth/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: localhost

client_id=login&client_secret=loginsecret&grant_type=client_credentials&token_format=opaque&response_type=token
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 306

{
  "access_token" : "d4725305885d44dca6fe7f91168b3f38",
  "token_type" : "bearer",
  "expires_in" : 43199,
  "scope" : "clients.read emails.write scim.userids password.write idps.write notifications.write oauth.login scim.write critical_notifications.write",
  "jti" : "d4725305885d44dca6fe7f91168b3f38"
}

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | The type of token that should be issued.
client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
grant_type | String | Required | the type of authentication being used to obtain the token, in this case client_credentials
client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
token_format | String | Optional (UAA 3.3.0) | Can be set to ‘opaque’ to retrieve an opaque and revocable token.

Response Fields

Path | Type | Description
access_token | String | the access token
token_type | String | the type of the access token issued, i.e. bearer
expires_in | Number | number of seconds until token expiry
scope | String | space-delimited list of scopes authorized for this client
jti | String | a globally unique identifier for this token

With Authorization

$ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&response_type=token&token_format=opaque'
POST /oauth/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
Host: localhost

grant_type=client_credentials&response_type=token&token_format=opaque
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 306

{
  "access_token" : "890c72d330f24847b223f5a5e3842a63",
  "token_type" : "bearer",
  "expires_in" : 43199,
  "scope" : "clients.read emails.write scim.userids password.write idps.write notifications.write oauth.login scim.write critical_notifications.write",
  "jti" : "890c72d330f24847b223f5a5e3842a63"
}

Request Header

Name | Description
Authorization | Base64-encoded client details in the format: Basic client_id:client_secret

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | The type of token that should be issued.
grant_type | String | Required | the type of authentication being used to obtain the token, in this case client_credentials
token_format | String | Optional (UAA 3.3.0) | Can be set to ‘opaque’ to retrieve an opaque and revocable token.

Response Fields

Path | Type | Description
access_token | String | the access token
token_type | String | the type of the access token issued, i.e. bearer
expires_in | Number | number of seconds until token expiry
scope | String | space-delimited list of scopes authorized for this client
jti | String | a globally unique identifier for this token

Password Grant

$ curl 'http://localhost/oauth/token' -i -X POST -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_id=app&client_secret=appclientsecret&grant_type=password&username=n3jQnK%40test.org&password=secr3T&token_format=opaque&response_type=token'
POST /oauth/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: localhost

client_id=app&client_secret=appclientsecret&grant_type=password&username=n3jQnK%40test.org&password=secr3T&token_format=opaque&response_type=token
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 307

{
  "access_token" : "27f7bb8ec63b411b8d6c2ac9773b92e1",
  "token_type" : "bearer",
  "refresh_token" : "449e94b6e7d14f009e3c8bb77a7e7abc-r",
  "expires_in" : 43199,
  "scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
  "jti" : "27f7bb8ec63b411b8d6c2ac9773b92e1"
}

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | The type of token that should be issued.
client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
grant_type | String | Required | the type of authentication being used to obtain the token, in this case password
client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
username | String | Required | the username of the user trying to get a token
password | String | Required | the password of the user trying to get a token
token_format | String | Optional (UAA 3.3.0) | Can be set to ‘opaque’ to retrieve an opaque and revocable token.

Response Fields

Path | Type | Description
access_token | String | the access token
token_type | String | the type of the access token issued, i.e. bearer
expires_in | Number | number of seconds until token expiry
scope | String | space-delimited list of scopes authorized by the user for this client
refresh_token | String | an OAuth refresh token for refresh grants
jti | String | a globally unique identifier for this token

One-time Passcode

$ curl 'http://localhost/oauth/token' -i -u 'app:appclientsecret' -X POST -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&passcode=E5qGNdQK0b&token_format=opaque&response_type=token'
POST /oauth/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
Host: localhost

grant_type=password&passcode=E5qGNdQK0b&token_format=opaque&response_type=token
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 307

{
  "access_token" : "efb6760ac920480899871e4f3f2fcb50",
  "token_type" : "bearer",
  "refresh_token" : "e6ef4f83a131434bb5f2f8edf2f191a4-r",
  "expires_in" : 43199,
  "scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
  "jti" : "efb6760ac920480899871e4f3f2fcb50"
}

Request Header

Name | Description
Authorization | Base64-encoded client details in the format: Basic client_id:client_secret

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | The type of token that should be issued.
grant_type | String | Required | the type of authentication being used to obtain the token, in this case password
passcode | String | Required | the one-time passcode for the user, which can be retrieved by visiting /passcode
token_format | String | Optional (UAA 3.3.0) | Can be set to ‘opaque’ to retrieve an opaque and revocable token.

Response Fields

Path | Type | Description
access_token | String | the access token
token_type | String | the type of the access token issued, i.e. bearer
expires_in | Number | number of seconds until token expiry
scope | String | space-delimited list of scopes authorized by the user for this client
refresh_token | String | an OAuth refresh token for refresh grants
jti | String | a globally unique identifier for this token

User Token Grant

A user_token grant is a flow that allows the generation of a refresh_token for another client. The requesting client must have grant_type=user_token, and the bearer token presented with this request must carry the uaa.user scope and represent an authenticated user.

The idea behind this grant is that a user can preapprove a token grant for another client, rather than having to participate in the approval process when that client needs the access token.

The refresh_token that results from this grant is opaque and can only be exchanged by the client it was intended for.

$ curl 'http://localhost/oauth/token' -i -X POST -H 'Authorization: Bearer 236539bfd1df44a39f19224d91549f2f' -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_id=app&grant_type=user_token&scope=openid&token_format=jwt&response_type=token'
POST /oauth/token HTTP/1.1
Authorization: Bearer 236539bfd1df44a39f19224d91549f2f
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: localhost

client_id=app&grant_type=user_token&scope=openid&token_format=jwt&response_type=token
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 206

{
  "access_token" : null,
  "token_type" : "bearer",
  "refresh_token" : "b6fe3a3f45674e96a3ad7aa68bdb2a29-r",
  "expires_in" : 43199,
  "scope" : "openid",
  "jti" : "b6fe3a3f45674e96a3ad7aa68bdb2a29-r"
}

Request Parameters

Parameter | Type | Constraints | Description
response_type | String | Required | Response type of the grant; should be set to token
client_id | String | Optional | The client ID of the receiving client; this client must have the refresh_token grant type
grant_type | String | Required | The type of token grant requested, in this case user_token
token_format | String | Optional | This parameter is ignored. The refresh_token will always be opaque
scope | String | Optional | The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.

Response Fields

Path | Type | Description
access_token | Null | Always null
token_type | String | The type of the access token issued, always bearer
expires_in | Number | Number of seconds of lifetime for an access_token, once retrieved
scope | String | Space-delimited list of scopes authorized by the user for this client
refresh_token | String | An OAuth refresh token for refresh grants
jti | String | A globally unique identifier for this refresh token
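The /oauth/token examples in this section accept client credentials in two places, and the responses differ by grant: the user_token grant documents access_token as always null, while the others return either an opaque token or a JWT depending on token_format. The following is an added example, not UAA project code, of how a client prepares the request and checks the response before using it. The Authorization header values and the two JSON responses are the ones shown above; the helper's choice to send the client secret in the header only is this example's policy.

```python
import base64
import json
from urllib.parse import urlencode

# Copied from the user_token grant response above.
USER_TOKEN_RESPONSE = """{
  "access_token" : null,
  "token_type" : "bearer",
  "refresh_token" : "b6fe3a3f45674e96a3ad7aa68bdb2a29-r",
  "expires_in" : 43199,
  "scope" : "openid",
  "jti" : "b6fe3a3f45674e96a3ad7aa68bdb2a29-r"
}"""

# Copied from the authorization code grant response above (token_format=opaque).
AUTH_CODE_RESPONSE = """{
  "access_token" : "77cc685e8e244bd88ef3e7227ab15110",
  "token_type" : "bearer",
  "refresh_token" : "655b19516a6f4c4a949244e88569a514-r",
  "expires_in" : 43199,
  "scope" : "openid oauth.approvals",
  "jti" : "77cc685e8e244bd88ef3e7227ab15110"
}"""


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1 client authentication: 'client_id:client_secret', base64."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(client_id: str, client_secret: str, grant_type: str, **params):
    """Headers and form body for POST /oauth/token. UAA accepts the secret in the header
    or in the body; this helper uses the header only, so the body (which request logs
    and proxies tend to capture) never contains the credential."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": grant_type, "response_type": "token", **params})
    return headers, body


def check_token_response(text: str, requested_scopes=None, expect_access_token=True) -> dict:
    """Validate the token endpoint's JSON before anything in it is used."""
    resp = json.loads(text)
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    expires_in = resp.get("expires_in")
    if not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("expires_in must be a positive integer")
    token = resp.get("access_token")
    if expect_access_token and not token:
        raise ValueError("access_token missing")
    if not expect_access_token and token is not None:
        # The user_token grant documents access_token as always null.
        raise ValueError("this grant should not have returned an access_token")
    granted = set(resp.get("scope", "").split())
    if requested_scopes is not None:
        extra = granted - set(requested_scopes)
        if extra:
            raise ValueError(f"server granted scopes that were not requested: {sorted(extra)}")
    if token is None:
        fmt = None
    elif token.count(".") == 2:
        fmt = "jwt"     # header.payload.signature: verify the signature before trusting claims
    else:
        fmt = "opaque"  # carries no claims; only UAA can resolve it
    return {"format": fmt, "scopes": granted,
            "refresh_token": resp.get("refresh_token"), "expires_in": expires_in}
```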

SAML2 Bearer Grant

The SAML 2.0 bearer grant allows a client to request an OAuth 2.0 access token with a SAML 2.0 bearer assertion. The flow is defined in RFC 7522. The requesting client must have grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer. In addition, the requesting client must either list the IDP in allowedproviders or omit that property so that any trusted IDP is allowed. Trust in the assertion issuer is reused from the SAML 2.0 WebSSO profiles.

This grant enables an app-to-app mechanism with SSO. Typical scenarios are applications outside of CF that consume a service within the CF world. The endpoint that receives the bearer assertion is /oauth/token, so the Recipient attribute in the bearer assertion must point to the corresponding URI, e.g. http://localhost:8080/uaa/oauth/token.
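The Recipient requirement above is one of several conditions RFC 7522 section 3 places on a bearer assertion before the token endpoint may exchange it. The following is an added example of those checks, not code from the UAA project; it assumes the assertion's ds:Signature has already been verified against the IDP's metadata and shows only what remains to be checked afterwards. The assertion is constructed for this example (issuer, subject, audience and ID are made up), it is encoded the same way the assertion form parameter above is (base64url), and its Recipient is the token endpoint URI named in the text.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_ENDPOINT = "http://localhost:8080/uaa/oauth/token"  # Recipient named in the text above

# Constructed for this example; element layout follows a SAML 2.0 bearer assertion,
# the ds:Signature element is omitted because signature checking is assumed done.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="constructed-id-1"
    IssueInstant="2017-02-28T23:54:51.267Z" Version="2.0">
  <saml2:Issuer>constructed-saml-idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>constructed-user</saml2:NameID>
    <saml2:SubjectConfirmation Method="{BEARER_METHOD}">
      <saml2:SubjectConfirmationData NotOnOrAfter="2017-03-01T00:54:51.286Z"
          Recipient="{TOKEN_ENDPOINT}"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2017-02-28T23:54:51.273Z" NotOnOrAfter="2017-03-01T00:54:51.286Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>constructed-saml-idp</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

# The request carries the assertion as a base64url form parameter, as in the curl above.
SAMPLE_ASSERTION_PARAM = base64.urlsafe_b64encode(SAMPLE_ASSERTION.encode("utf-8")).decode("ascii")


def _saml_time(value: str) -> datetime:
    """xs:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad SAML timestamp: {value}")


def check_bearer_assertion(assertion_param, token_endpoint, trusted_issuers, audience, now, seen_ids):
    """Return the names of failed RFC 7522 section 3 checks; [] means acceptable.
    seen_ids is the set of assertion IDs already exchanged (replay protection);
    an accepted ID is added to it."""
    raw = base64.urlsafe_b64decode(assertion_param + "=" * (-len(assertion_param) % 4))
    root = ET.fromstring(raw)  # in production, parse with a hardened XML parser
    if root.tag != f"{{{SAML2}}}Assertion":
        return ["not-an-assertion"]
    problems = []
    if root.findtext("saml2:Issuer", namespaces=NS) not in trusted_issuers:
        problems.append("issuer")
    conf = root.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    data = conf.find("saml2:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER_METHOD:
        problems.append("confirmation-method")
    if data is None or data.get("Recipient") != token_endpoint:
        problems.append("recipient")
    if data is None or "NotOnOrAfter" not in data.attrib or now >= _saml_time(data.get("NotOnOrAfter")):
        problems.append("confirmation-expired")
    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _saml_time(nb)) or (noa and now >= _saml_time(noa)):
            problems.append("conditions-window")
    audiences = [a.text for a in root.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if audience not in audiences:
        problems.append("audience")
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        problems.append("replay")
    elif not problems:
        seen_ids.add(assertion_id)
    return problems
```

The order matters in practice: a document whose signature has not been verified must not reach these checks at all, since every attribute tested here is attacker-controlled until then.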

$ curl 'http://n4x7ra.localhost:8080/uaa/oauth/token/alias/n4x7ra.cloudfoundry-saml-login' -i -X POST -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclient7q9yYV&client_secret=secret&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTRpZzRqMmVkZjU4aDQzMzUwYjFqYzNjaTBiYTk1IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDItMjhUMjM6NTQ6NTEuMjY3WiIgVmVyc2lvbj0iMi4wIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiPjxzYW1sMjpJc3N1ZXI-bjR4N3JhLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luPC9zYW1sMjpJc3N1ZXI-PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI-PGRzOlNpZ25lZEluZm8-PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8-PGRzOlJlZmVyZW5jZSBVUkk9IiNhNGlnNGoyZWRmNThoNDMzNTBiMWpjM2NpMGJhOTUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9InhzIi8-PC9kczpUcmFuc2Zvcm0-PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT51TmgweCtqYWt1WjNsTmNocVhOOEZjOUFGamM9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8-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-PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8-PC9kczpTaWduYXR1cmU-PHNhbWwyOlN1YmplY3Q-PHNhbWwyOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj5TYW1sMkJlYXJlckludGVncmF0aW9uVXNlcjwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmly
bWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNy0wMy0wMVQwMDo1NDo1MS4yODZaIiBSZWNpcGllbnQ9Imh0dHA6Ly9uNHg3cmEubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuL2FsaWFzL240eDdyYS5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q-PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTAyLTI4VDIzOjU0OjUxLjI3M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wMy0wMVQwMDo1NDo1MS4yODZaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U-bjR4N3JhLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24-PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDItMjhUMjM6NTQ6NTEuMjY5WiIgU2Vzc2lvbkluZGV4PSJhMzVkZ2E4Z2k5MmExODA0amZnZGo0NjA2aGIxMGkiPjxzYW1sMjpBdXRobkNvbnRleHQ-PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJhdXRob3JpdGllcyI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYS51c2VyPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImVtYWlsIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-bWFyaXNzYUB0ZXN0aW5nLm9yZzwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJpZCI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmM2YzNhNWM3LWRmMjYtNGFiNy1hNTM2LWMwYWU0MTRiNmQyNDwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJuYW1lIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-bWFyaXNz
YTwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJvcmlnaW4iPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iem9uZUlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-dWFhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj4&scope=openid'
POST /uaa/oauth/token/alias/n4x7ra.cloudfoundry-saml-login HTTP/1.1
Accept: application/json
Host: n4x7ra.localhost
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclient7q9yYV&client_secret=secret&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTRpZzRqMmVkZjU4aDQzMzUwYjFqYzNjaTBiYTk1IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDItMjhUMjM6NTQ6NTEuMjY3WiIgVmVyc2lvbj0iMi4wIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiPjxzYW1sMjpJc3N1ZXI-bjR4N3JhLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luPC9zYW1sMjpJc3N1ZXI-PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI-PGRzOlNpZ25lZEluZm8-PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8-PGRzOlJlZmVyZW5jZSBVUkk9IiNhNGlnNGoyZWRmNThoNDMzNTBiMWpjM2NpMGJhOTUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9InhzIi8-PC9kczpUcmFuc2Zvcm0-PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT51TmgweCtqYWt1WjNsTmNocVhOOEZjOUFGamM9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8-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-PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8-PC9kczpTaWduYXR1cmU-PHNhbWwyOlN1YmplY3Q-PHNhbWwyOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj5TYW1sMkJlYXJlckludGVncmF0aW9uVXNlcjwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNy0wMy0wMVQwMDo1NDo1MS4yODZaIiBSZWNpcGllbnQ9Imh0dHA6L
y9uNHg3cmEubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuL2FsaWFzL240eDdyYS5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q-PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTAyLTI4VDIzOjU0OjUxLjI3M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wMy0wMVQwMDo1NDo1MS4yODZaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U-bjR4N3JhLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24-PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDItMjhUMjM6NTQ6NTEuMjY5WiIgU2Vzc2lvbkluZGV4PSJhMzVkZ2E4Z2k5MmExODA0amZnZGo0NjA2aGIxMGkiPjxzYW1sMjpBdXRobkNvbnRleHQ-PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJhdXRob3JpdGllcyI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYS51c2VyPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImVtYWlsIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-bWFyaXNzYUB0ZXN0aW5nLm9yZzwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJpZCI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmM2YzNhNWM3LWRmMjYtNGFiNy1hNTM2LWMwYWU0MTRiNmQyNDwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJuYW1lIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-bWFyaXNzYTwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJvcmlnaW4iPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc
3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iem9uZUlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-dWFhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj4&scope=openid
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Disposition: inline;filename=f.txt
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1796

{
  "access_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJlOGE3MWNiMzk1NWM0YWU1YWI5ZDQ1MTkzMWZiZjEwZCIsInN1YiI6ImY2ZmIwOTQ4LWVkMmItNDU0OC05MjVlLWFhMzcyOGZmZTBhOSIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJ0ZXN0Y2xpZW50N3E5eVlWIiwiY2lkIjoidGVzdGNsaWVudDdxOXlZViIsImF6cCI6InRlc3RjbGllbnQ3cTl5WVYiLCJncmFudF90eXBlIjoidXJuOmlldGY6cGFyYW1zOm9hdXRoOmdyYW50LXR5cGU6c2FtbDItYmVhcmVyIiwidXNlcl9pZCI6ImY2ZmIwOTQ4LWVkMmItNDU0OC05MjVlLWFhMzcyOGZmZTBhOSIsIm9yaWdpbiI6Im40eDdyYS5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIsInVzZXJfbmFtZSI6IlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyIiwiZW1haWwiOiJTYW1sMkJlYXJlckludGVncmF0aW9uVXNlckB1bmtub3duLm9yZyIsInJldl9zaWciOiI3MzgwN2Y5ZiIsImlhdCI6MTQ4ODMyNjA5MSwiZXhwIjoxNDg4MzI2NjkxLCJpc3MiOiJodHRwOi8vbjR4N3JhLmxvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6Im40eDdyYSIsImF1ZCI6W119.g-7hWES1ueVHeryDJzQSurWwNepUKTP-hJz15mtgQcA",
  "token_type" : "bearer",
  "refresh_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.B1_OR0lofUakbvYPt9vU7toEfpR1mAB3cVNMGb7NBFQ",
  "expires_in" : 599,
  "scope" : "openid",
  "jti" : "e8a71cb3955c4ae5ab9d451931fbf10d"
}

Request Parameters

Parameter Type Constraints Description
client_id String Optional The client ID of the receiving client; this client must have the urn:ietf:params:oauth:grant-type:saml2-bearer grant type
client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
grant_type String Required The type of token grant requested, in this case urn:ietf:params:oauth:grant-type:saml2-bearer
assertion String Required An XML-based SAML 2.0 bearer assertion, Base64URL-encoded.
scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.

Response Fields

Path Type Description
access_token String Always null
token_type String The type of the access token issued, always bearer
expires_in Number Number of seconds of lifetime for an access_token, when retrieved
scope String Space-delimited list of scopes authorized by the user for this client
refresh_token String An OAuth refresh token for refresh grants
jti String A globally unique identifier for this refresh token

Refresh Token

$ curl 'http://localhost/oauth/token' -i -X POST -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_id=app&client_secret=appclientsecret&grant_type=refresh_token&token_format=opaque&refresh_token=0f6ece0d13e944f3b785efdda4fad43a-r'
POST /oauth/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: localhost

client_id=app&client_secret=appclientsecret&grant_type=refresh_token&token_format=opaque&refresh_token=0f6ece0d13e944f3b785efdda4fad43a-r
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 307

{
  "access_token" : "2fb98ac0bb004ac3a8bca13a898bc410",
  "token_type" : "bearer",
  "refresh_token" : "0f6ece0d13e944f3b785efdda4fad43a-r",
  "expires_in" : 43199,
  "scope" : "scim.userids cloud_controller.read password.write cloud_controller.write openid",
  "jti" : "2fb98ac0bb004ac3a8bca13a898bc410"
}

Request Parameters

Parameter Type Constraints Description
grant_type String Required the type of authentication being used to obtain the token, in this case refresh_token
client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
refresh_token String Required the refresh_token that was returned along with the access token.
token_format String Optional UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token.

Response Fields

Path Type Description
access_token String the access token
refresh_token String the refresh token
token_type String the type of the access token issued, i.e. bearer
expires_in Number number of seconds until token expiry
scope String space-delimited list of scopes authorized by the user for this client
jti String a globally unique identifier for this token

OpenID Connect

The token endpoint can provide an ID token as defined by OpenID Connect.

$ curl 'http://localhost/oauth/token' -i -X POST -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=id_token&code=N60mhzv874&token_format=opaque&redirect_uri=https%3A%2F%2Fuaa.cloudfoundry.com%2Fredirect%2Fcf'
POST /oauth/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: localhost

client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=id_token&code=N60mhzv874&token_format=opaque&redirect_uri=https%3A%2F%2Fuaa.cloudfoundry.com%2Fredirect%2Fcf
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1056

{
  "access_token" : "4b1b799838fa407f8afd416e5d765c6d",
  "token_type" : "bearer",
  "id_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiI3ZjAwYTYxZi1lMjQ5LTQ2Y2EtYTc2Yy1jOTliN2JhOGI2MTgiLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJJYldqRERAdGVzdC5vcmciLCJvcmlnaW4iOiJ1YWEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwicmV2b2NhYmxlIjp0cnVlLCJjbGllbnRfaWQiOiJsb2dpbiIsImF1ZCI6WyJsb2dpbiJdLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwidXNlcl9pZCI6IjdmMDBhNjFmLWUyNDktNDZjYS1hNzZjLWM5OWI3YmE4YjYxOCIsImF6cCI6ImxvZ2luIiwic2NvcGUiOlsib3BlbmlkIl0sImF1dGhfdGltZSI6MTQ4ODMyNjA5MCwiZXhwIjoxNDg4MzY5MjkwLCJpYXQiOjE0ODgzMjYwOTAsImp0aSI6IjRiMWI3OTk4MzhmYTQwN2Y4YWZkNDE2ZTVkNzY1YzZkIiwiZW1haWwiOiJJYldqRERAdGVzdC5vcmciLCJyZXZfc2lnIjoiZTVlNjg5OTYiLCJjaWQiOiJsb2dpbiJ9.U-HvaFjcZwoi08E-dS8aKzaIpvp7TEANZwvyOXbTR1E",
  "refresh_token" : "fdc3b47af55a4c8fb352782a89dbd310-r",
  "expires_in" : 43199,
  "scope" : "openid oauth.approvals",
  "jti" : "4b1b799838fa407f8afd416e5d765c6d"
}

Request Parameters

Parameter Type Constraints Description
response_type String Required the type of token that should be issued; possible values are 'id_token token' and 'id_token'.
client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
redirect_uri String Required if provided on authorization request redirection URI to which the authorization server will send the user-agent back once access is granted (or denied)
code String Required the authorization code, obtained from /oauth/authorize, issued for the user
grant_type String Required the type of authentication being used to obtain the token, in this case authorization_code
client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
token_format String Optional UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token.

Response Fields

Path Type Description
access_token String the access token for the user to whom the authorization code was issued
id_token String the OpenID Connect ID token for the user to whom the authorization code was issued
token_type String the type of the access token issued, i.e. bearer
expires_in Number number of seconds until token expiry
scope String space-delimited list of scopes authorized by the user for this client
refresh_token String an OAuth refresh token for refresh grants
jti String a globally unique identifier for this token
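
The id_token in the response above is a JWT that the client must verify before trusting its claims. The Python below is an added example, not part of the UAA documentation or code base: it verifies an HS256 signature with the symmetric verifier key that the Token Key section of this page returns for the test configuration ("key"), pins the algorithm so the token cannot choose it, and only then applies the OpenID Connect checks on iss, aud, azp and exp. The token it verifies is constructed here with the claim shape of the documented response; ISSUER, CLIENT_ID and VERIFIER_KEY are the values shown on this page, and demo_id_token is a helper that exists only for this example.

```python
import base64
import hashlib
import hmac
import json

# Values taken from the documented id_token response; "key" is the symmetric verifier key that
# /token_key returns in the Token Key section of this page (a documentation test value).
ISSUER = "http://localhost:8080/uaa/oauth/token"
CLIENT_ID = "login"
VERIFIER_KEY = b"key"


def b64url_decode(data):
    """base64url decode that tolerates the missing padding of compact JWTs."""
    return base64.urlsafe_b64decode(data + "=" * ((-len(data)) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_id_token(token, key, issuer, client_id, now):
    """Return a list of problems with the token; an empty list means it is acceptable.

    The signature is checked first, with HS256 pinned so the header cannot switch the
    algorithm; claims are only examined once the signature is known to be good."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS"]
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return ["unexpected alg %r" % header.get("alg")]
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return ["bad signature"]
    claims = json.loads(b64url_decode(payload_b64))
    problems = []
    if claims.get("iss") != issuer:
        problems.append("wrong issuer")
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # aud may be a single string or a list
        aud = [aud]
    if client_id not in aud:
        problems.append("client not in aud")
    if claims.get("azp", client_id) != client_id:
        problems.append("wrong azp")
    if now >= int(claims.get("exp", 0)):
        problems.append("expired")
    return problems


def demo_id_token(key, sub, issued_at, kid="testKey"):
    """Constructed token with the claim shape of the documented response, signed here with HS256
    (the documented token has a 43200 s lifetime: exp - iat)."""
    header = {"alg": "HS256", "kid": kid, "typ": "JWT"}
    claims = {"sub": sub, "user_id": sub, "iss": ISSUER, "aud": [CLIENT_ID], "azp": CLIENT_ID,
              "client_id": CLIENT_ID, "scope": ["openid"], "auth_time": issued_at,
              "iat": issued_at, "exp": issued_at + 43200, "zid": "uaa", "origin": "uaa"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = "%s.%s" % (compact(header), compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, b64url_encode(sig))


if __name__ == "__main__":
    tok = demo_id_token(VERIFIER_KEY, "7f00a61f-e249-46ca-a76c-c99b7ba8b618", 1488326090)
    print(check_id_token(tok, VERIFIER_KEY, ISSUER, CLIENT_ID, now=1488326091))  # []
    print(check_id_token(tok, b"wrong-key", ISSUER, CLIENT_ID, now=1488326091))  # ['bad signature']
```

The order of checks matters: a token that fails signature verification returns immediately, so no claim from an unverified token ever influences the result. A client that accepts asymmetric keys would select the key by the header's kid from /token_keys instead of using a fixed shared secret.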

Revoke tokens

Revoke all tokens for a user

$ curl 'http://localhost/oauth/token/revoke/user/f21798f4-575a-4c4d-9ada-9fd56d27efc5' -i -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.X-Q6bYsv_wnVfORz0Qr8c4qFTZtFtyhlVPgb4DxRZJ4'
GET /oauth/token/revoke/user/f21798f4-575a-4c4d-9ada-9fd56d27efc5 HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.X-Q6bYsv_wnVfORz0Qr8c4qFTZtFtyhlVPgb4DxRZJ4
Host: localhost

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

Path Parameters

/oauth/token/revoke/user/{userId}

Parameter Description
userId The identifier for the user to revoke all tokens for

Request Header

Name Description
Authorization Bearer token with uaa.admin or tokens.revoke scope. Any token with the matching user_id may also be used for self revocation.
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Revoke all tokens for a client

$ curl 'http://localhost/oauth/token/revoke/client/o9oCAf' -i -H 'Authorization: Bearer b98695c4fdf6463ea174feaa9df9185d'
GET /oauth/token/revoke/client/o9oCAf HTTP/1.1
Authorization: Bearer b98695c4fdf6463ea174feaa9df9185d
Host: localhost

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

Path Parameters

/oauth/token/revoke/client/{clientId}

Parameter Description
clientId The identifier for the client to revoke all tokens for

Request Header

Name Description
Authorization Bearer token with uaa.admin or tokens.revoke scope. Any token with the matching client_id may also be used for self revocation.
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Revoke a single token

$ curl 'http://localhost/oauth/token/revoke/5b889b8724c54c27b391ccfa8845fb18' -i -X DELETE -H 'Authorization: Bearer d44a735744794b2da6b27bf51af3cf75'
DELETE /oauth/token/revoke/5b889b8724c54c27b391ccfa8845fb18 HTTP/1.1
Authorization: Bearer d44a735744794b2da6b27bf51af3cf75
Host: localhost

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

Path Parameters

/oauth/token/revoke/{tokenId}

Parameter Description
tokenId The identifier for the token to be revoked. For JWT tokens use the jti claim in the token.

Request Header

Name Description
Authorization Bearer token with uaa.admin or tokens.revoke scope. You can use any token with matching token ID to revoke itself.
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.
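
The three revoke endpoints above share one authorization rule: an admin scope (uaa.admin or tokens.revoke), or self-revocation by a matching user_id, client_id or jti. As an added example (not UAA's own code), that rule is written here as a single policy function next to the documented method and path of each endpoint, so a client can refuse a request locally instead of sending one UAA would reject. The caller's claims are assumed to come from an already verified token; the ids used in the usage are the ones shown in the examples above, and may_revoke and revoke_request are names chosen for this example.

```python
# Scopes that allow revoking any user's, client's or token's tokens.
ADMIN_SCOPES = {"uaa.admin", "tokens.revoke"}

# Documented method and path template for each kind of revocation target.
REVOKE_ENDPOINTS = {
    "user": ("GET", "/oauth/token/revoke/user/{id}"),
    "client": ("GET", "/oauth/token/revoke/client/{id}"),
    "token": ("DELETE", "/oauth/token/revoke/{id}"),
}

# Claim in the caller's own token that must equal the target id for self-revocation.
SELF_CLAIM = {"user": "user_id", "client": "client_id", "token": "jti"}


def may_revoke(caller_claims, target_kind, target_id):
    """True if a token with these claims may revoke the given target.

    uaa.admin or tokens.revoke allow any revocation. Without them the token may only revoke
    itself (matching jti), its own user's tokens (matching user_id) or its own client's tokens
    (matching client_id). A client-credentials token has no user_id, so it cannot revoke user
    tokens this way. Unknown target kinds are denied."""
    if set(caller_claims.get("scope", [])) & ADMIN_SCOPES:
        return True
    claim = SELF_CLAIM.get(target_kind)
    if claim is None:
        return False
    own_value = caller_claims.get(claim)
    return own_value is not None and own_value == target_id


def revoke_request(caller_claims, bearer_token, target_kind, target_id, zone_id=None):
    """Build (method, path, headers) for the revoke call, or None when the policy denies it.

    zone_id adds the X-Identity-Zone-Id header, which the documentation allows only for a
    token carrying uaa.admin or zones.<zone id>.admin in the default zone."""
    if target_kind not in REVOKE_ENDPOINTS:
        return None
    if not may_revoke(caller_claims, target_kind, target_id):
        return None
    headers = {"Authorization": "Bearer " + bearer_token}
    if zone_id is not None:
        zone_scopes = {"uaa.admin", "zones.%s.admin" % zone_id}
        if not set(caller_claims.get("scope", [])) & zone_scopes:
            return None
        headers["X-Identity-Zone-Id"] = zone_id
    method, template = REVOKE_ENDPOINTS[target_kind]
    return method, template.format(id=target_id), headers


if __name__ == "__main__":
    # Claims of the user token introspected in the Check Token section below.
    user = {"user_id": "580245c9-651e-4c5d-ab4c-10332cb86096", "client_id": "app",
            "jti": "991cf488ca7e4cab8d69dca591f076db", "scope": ["openid", "password.write"]}
    print(revoke_request(user, "<opaque token>", "token", "991cf488ca7e4cab8d69dca591f076db"))
    print(revoke_request(user, "<opaque token>", "user", "f21798f4-575a-4c4d-9ada-9fd56d27efc5"))  # None
```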

List tokens

List all tokens for a user

The /oauth/token/list/user/{userId} endpoint returns all the tokens that match the user_id in the path parameter. The bearer token used for this call requires the tokens.list scope.

$ curl 'http://localhost/oauth/token/list/user/c49bd882-1b5a-4a7b-9e26-353d49935bd8' -i -H 'Authorization: Bearer 37eaba276dba4cacaf21f62b53999eb6' -H 'Accept: application/json'
GET /oauth/token/list/user/c49bd882-1b5a-4a7b-9e26-353d49935bd8 HTTP/1.1
Authorization: Bearer 37eaba276dba4cacaf21f62b53999eb6
Accept: application/json
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 631

[ {
  "tokenId" : "af816b1f8d6242eb9d82793a2a38bc38",
  "clientId" : "ufd5vz",
  "userId" : "c49bd882-1b5a-4a7b-9e26-353d49935bd8",
  "format" : "OPAQUE",
  "responseType" : "ACCESS_TOKEN",
  "issuedAt" : 1488326095145,
  "expiresAt" : 1488369295143,
  "scope" : "[openid]",
  "value" : null,
  "zoneId" : "uaa"
}, {
  "tokenId" : "bef256eaf34141b99050a38d9d6ea7b3-r",
  "clientId" : "ufd5vz",
  "userId" : "c49bd882-1b5a-4a7b-9e26-353d49935bd8",
  "format" : "OPAQUE",
  "responseType" : "REFRESH_TOKEN",
  "issuedAt" : 1488326095145,
  "expiresAt" : 1490918095140,
  "scope" : "[openid]",
  "value" : null,
  "zoneId" : "uaa"
} ]

Request Header

Name Description
Authorization Bearer token containing the tokens.list scope.
Accept Set to application/json
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Path Parameters

/oauth/token/list/user/{userId}

Parameter Description
userId The user ID to retrieve tokens for

Response Fields

Path Type Description
[].zoneId String The zone ID for the token
[].tokenId String The unique ID for the token
[].clientId String Client ID for this token, will always match the client_id claim in the access token used for this call
[].userId String User ID for this token, will always match the user_id claim in the access token used for this call
[].format String What format was requested, OPAQUE or JWT
[].expiresAt Number Epoch time - token expiration date
[].issuedAt Number Epoch time - token issue date
[].scope String Comma-separated list of scopes this token holds, up to 1000 characters
[].responseType String response type requested during the token request, possible values ID_TOKEN, ACCESS_TOKEN, REFRESH_TOKEN
[].value String Access token value will always be null

List all tokens for a client

The /oauth/token/list/client/{clientId} endpoint returns all the tokens that match the client_id in the path parameter. The bearer token used for this call requires the tokens.list scope.

$ curl 'http://localhost/oauth/token/list/client/ADUDBr' -i -H 'Authorization: Bearer d6ef2ad7f50946509edffa8d444f1a47' -H 'Accept: application/json'
GET /oauth/token/list/client/ADUDBr HTTP/1.1
Authorization: Bearer d6ef2ad7f50946509edffa8d444f1a47
Accept: application/json
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 286

[ {
  "tokenId" : "d6ef2ad7f50946509edffa8d444f1a47",
  "clientId" : "ADUDBr",
  "userId" : null,
  "format" : "OPAQUE",
  "responseType" : "ACCESS_TOKEN",
  "issuedAt" : 1488326094291,
  "expiresAt" : 1488369294288,
  "scope" : "[tokens.list]",
  "value" : null,
  "zoneId" : "uaa"
} ]

Request Header

Name Description
Authorization Bearer token containing the tokens.list scope.
Accept Set to application/json
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Path Parameters

/oauth/token/list/client/{clientId}

Parameter Description
clientId The client ID to retrieve tokens for

Response Fields

Path Type Description
[].zoneId String The zone ID for the token
[].tokenId String The unique ID for the token
[].clientId String Client ID for this token, will always match the client_id claim in the access token used for this call
[].userId String User ID for this token, will always match the user_id claim in the access token used for this call
[].format String What format was requested, OPAQUE or JWT
[].expiresAt Number Epoch time - token expiration date
[].issuedAt Number Epoch time - token issue date
[].scope String Comma-separated list of scopes this token holds, up to 1000 characters
[].responseType String response type requested during the token request, possible values ID_TOKEN, ACCESS_TOKEN, REFRESH_TOKEN
[].value String Access token value will always be null
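
Two details of the listing response are easy to get wrong when processing it: issuedAt and expiresAt are epoch milliseconds, and scope is the string form of a list ("[openid]") rather than a JSON array. The following is an added example (not UAA code) that parses a copy of the user listing shown above and produces a small audit: tokens already expired at a given time, and refresh tokens whose lifetime exceeds a local policy. The documented entries work out to a 12 hour access token and a 30 day refresh token; value is always null, so a listing never exposes token material. parse_scope, lifetime_seconds and audit_tokens are names chosen for this example.

```python
import json

# Constructed copy of the documented /oauth/token/list/user/{userId} response above.
USER_TOKEN_LIST = '''[ {
  "tokenId" : "af816b1f8d6242eb9d82793a2a38bc38",
  "clientId" : "ufd5vz",
  "userId" : "c49bd882-1b5a-4a7b-9e26-353d49935bd8",
  "format" : "OPAQUE",
  "responseType" : "ACCESS_TOKEN",
  "issuedAt" : 1488326095145,
  "expiresAt" : 1488369295143,
  "scope" : "[openid]",
  "value" : null,
  "zoneId" : "uaa"
}, {
  "tokenId" : "bef256eaf34141b99050a38d9d6ea7b3-r",
  "clientId" : "ufd5vz",
  "userId" : "c49bd882-1b5a-4a7b-9e26-353d49935bd8",
  "format" : "OPAQUE",
  "responseType" : "REFRESH_TOKEN",
  "issuedAt" : 1488326095145,
  "expiresAt" : 1490918095140,
  "scope" : "[openid]",
  "value" : null,
  "zoneId" : "uaa"
} ]'''


def load_user_tokens():
    return json.loads(USER_TOKEN_LIST)


def parse_scope(scope_field):
    """Turn the serialised list form "[a, b]" back into a Python list of scope names."""
    inner = scope_field.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [s.strip() for s in inner.split(",") if s.strip()]


def lifetime_seconds(entry):
    """Token lifetime from the millisecond timestamps, rounded to whole seconds."""
    return round((entry["expiresAt"] - entry["issuedAt"]) / 1000)


def audit_tokens(entries, now_ms, max_refresh_lifetime_s):
    """Return tokenIds that are expired at now_ms and refresh tokens that outlive the policy."""
    report = {"expired": [], "long_lived_refresh": []}
    for entry in entries:
        if entry["expiresAt"] <= now_ms:
            report["expired"].append(entry["tokenId"])
        if entry["responseType"] == "REFRESH_TOKEN" and lifetime_seconds(entry) > max_refresh_lifetime_s:
            report["long_lived_refresh"].append(entry["tokenId"])
    return report


if __name__ == "__main__":
    tokens = load_user_tokens()
    for t in tokens:
        print(t["responseType"], parse_scope(t["scope"]), lifetime_seconds(t), "s")
    print(audit_tokens(tokens, now_ms=1488369295143, max_refresh_lifetime_s=7 * 86400))
```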

Check Token

$ curl 'http://localhost/check_token' -i -u 'app:appclientsecret' -X POST -d 'token=991cf488ca7e4cab8d69dca591f076db&scopes=password.write%2Cscim.userids'
POST /check_token HTTP/1.1
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
Host: localhost
Content-Type: application/x-www-form-urlencoded

token=991cf488ca7e4cab8d69dca591f076db&scopes=password.write%2Cscim.userids
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 687

{
  "user_id" : "580245c9-651e-4c5d-ab4c-10332cb86096",
  "user_name" : "marissa",
  "email" : "marissa@test.org",
  "client_id" : "app",
  "exp" : 1488369269,
  "scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ],
  "jti" : "991cf488ca7e4cab8d69dca591f076db",
  "aud" : [ "app", "scim", "cloud_controller", "password", "openid" ],
  "sub" : "580245c9-651e-4c5d-ab4c-10332cb86096",
  "iss" : "http://localhost:8080/uaa/oauth/token",
  "iat" : 1488326069,
  "cid" : "app",
  "grant_type" : "password",
  "azp" : "app",
  "auth_time" : 1488326069,
  "zid" : "uaa",
  "rev_sig" : "6e580325",
  "origin" : "uaa",
  "revocable" : true
}

Request Headers

Name Description
Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority

Request Parameters

Parameter Type Constraints Description
token String Required The token
scopes Array Optional String of comma-separated scopes, for checking presence of scopes on the token

Response Fields

Path Type Description
user_id String Only applicable for user tokens
user_name String Only applicable for user tokens
email String Only applicable for user tokens
client_id String A unique string representing the registration information provided by the client
exp Number Expiration Time Claim
authorities Array Only applicable for client tokens
scope Array List of scopes authorized by the user for this client
jti String JWT ID Claim
aud Array Audience Claim
sub String Subject Claim
iss String Issuer Claim
iat Number Issued At Claim
cid String See client_id
grant_type String The type of authentication being used to obtain the token, in this case password
azp String Authorized party
auth_time Number Only applicable for user tokens
zid String Zone ID
rev_sig String Revocation Signature - token revocation hash salted with at least client ID and client secret, and optionally various user values.
origin String Only applicable for user tokens
revocable String Set to true if this token is revocable
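
The Check Token call is made by a resource server, and the response it gets back is only the start of the decision: the server still has to confirm that the token is for it (aud), carries the scopes the protected operation needs, and has not expired. The Python below is an added example (not UAA code) that builds the documented request, reproducing the Basic header and form body shown above from client id app and secret appclientsecret, and then evaluates a copy of the documented response for a hypothetical resource server named password. check_token_request and resource_server_accepts are names chosen for this example.

```python
import base64
import json
from urllib.parse import urlencode


def basic_auth_header(client_id, client_secret):
    """Authorization header value for base64(resource_server:shared_secret)."""
    raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_token_request(client_id, client_secret, token, scopes=()):
    """Headers and form body for POST /check_token as documented.

    'scopes' becomes the comma-separated scopes parameter; the comma is form-encoded as %2C."""
    form = {"token": token}
    if scopes:
        form["scopes"] = ",".join(scopes)
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form)


# Constructed copy of the documented /check_token response above.
CHECK_TOKEN_RESPONSE = '''{
  "user_id" : "580245c9-651e-4c5d-ab4c-10332cb86096",
  "user_name" : "marissa",
  "email" : "marissa@test.org",
  "client_id" : "app",
  "exp" : 1488369269,
  "scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ],
  "jti" : "991cf488ca7e4cab8d69dca591f076db",
  "aud" : [ "app", "scim", "cloud_controller", "password", "openid" ],
  "sub" : "580245c9-651e-4c5d-ab4c-10332cb86096",
  "iss" : "http://localhost:8080/uaa/oauth/token",
  "iat" : 1488326069,
  "cid" : "app",
  "grant_type" : "password",
  "azp" : "app",
  "auth_time" : 1488326069,
  "zid" : "uaa",
  "rev_sig" : "6e580325",
  "origin" : "uaa",
  "revocable" : true
}'''


def load_check_token_response():
    return json.loads(CHECK_TOKEN_RESPONSE)


def resource_server_accepts(introspection, resource_id, required_scopes, now):
    """Decide whether a resource server should honour the introspected token.

    The token must not be expired, must name this resource server in aud, and must carry
    every required scope. Returns the list of problems; an empty list means accept."""
    problems = []
    if now >= int(introspection.get("exp", 0)):
        problems.append("expired")
    if resource_id not in introspection.get("aud", []):
        problems.append("aud does not include %s" % resource_id)
    missing = sorted(set(required_scopes) - set(introspection.get("scope", [])))
    if missing:
        problems.append("missing scopes: " + ",".join(missing))
    return problems


if __name__ == "__main__":
    headers, body = check_token_request("app", "appclientsecret",
                                        "991cf488ca7e4cab8d69dca591f076db",
                                        ["password.write", "scim.userids"])
    print(headers["Authorization"])  # Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    print(body)                      # token=991cf488ca7e4cab8d69dca591f076db&scopes=password.write%2Cscim.userids
    resp = load_check_token_response()
    print(resource_server_accepts(resp, "password", ["password.write"], now=1488326070))  # []
```

The scopes parameter lets UAA reject the introspection up front when a scope is absent, but the local check is still the one the resource server should rely on, since the aud test is what prevents a token issued for one resource server from being replayed against another.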

Token Key(s)

Token Key

An endpoint which returns the JSON Web Token (JWT) key, used by the UAA to sign JWT access tokens, and to be used by authorized clients to verify that a token came from the UAA. The key is in JSON Web Key format. For complete information about JSON Web Keys, see RFC 7517. When the token key is symmetric (signer key and verifier key are the same), this call is authenticated with client credentials using the HTTP Basic method.

JWT signing keys are specified via the identity zone configuration (see /identity-zones). An identity zone token policy can be configured with multiple keys for purposes of key rotation. When adding a new key, set its ID as the activeKeyId to use it to sign all new tokens. /check_token will continue to verify tokens signed with the previous signing key for as long as it is present in the keys of the identity zone’s token policy. Remove it to invalidate all those tokens.

Asymmetric

$ curl 'http://localhost/token_key' -i -u 'app:appclientsecret' -H 'Accept: application/json'
GET /token_key HTTP/1.1
Accept: application/json
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 922

{
  "kty" : "RSA",
  "e" : "AQAB",
  "use" : "sig",
  "kid" : "testKey",
  "alg" : "RS256",
  "value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
  "n" : "ANJufZdrvYg5zG61x36pDq59nVUN73wSanA7hVCtN3ftT2Rm1ZTQqp5KSCfLMhaaVvJY51sHj-_i4lqUaM9CO32G93fE44VfOmPfexZeAwa8YDOikyTrhP7sZ6A4WUNeC4DlNnJF4zsznU7JxjCkASwpdL6XFwbRSzGkm6b9aM4vIewyclWehJxUGVFhnYEzIQ65qnr38feVP9enOVgQzpKsCJ-xpa8vZ_UrscoG3_IOQM6VnLrGYAyyCGeyU1JXQW_KlNmtA5eJry2Tp-MD6I34_QsNkCArHOfj8H9tXz_oc3_tVkkR252L_Lmp0TtIGfHpBmoITP9h-oKiW6NpyCc="
}

Request Headers

Name Description
Authorization No authorization is required for requesting public keys.

Response Fields

Path Type Description
kid String Key ID of key to be used for verification of the token.
alg String Encryption algorithm
value String Verifier key
kty String Key type (RSA)
use String Public key use parameter - identifies intended use of the public key. (defaults to “sig”)
n String RSA key modulus
e String RSA key public exponent

Error Codes

Error Code Description
401 Unauthorized - Unregistered client or incorrect client secret

Symmetric

$ curl 'http://localhost/token_key' -i -u 'app:appclientsecret' -H 'Accept: application/json'
GET /token_key HTTP/1.1
Accept: application/json
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 95

{
  "kty" : "MAC",
  "alg" : "HS256",
  "value" : "key",
  "use" : "sig",
  "kid" : "testKey"
}

Request Headers

Name Description
Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority

Response Fields

Path Type Description
kid String Key ID of key to be used for verification of the token.
alg String Encryption algorithm
value String Verifier key
kty String Key type (MAC)
use String Public key use parameter - identifies intended use of the public key. (defaults to “sig”)

Error Codes

Error Code Description
401 Unauthorized - Unregistered client or incorrect client secret
403 Forbidden - Not a resource server (missing uaa.resource scope)

Token Keys

An endpoint which returns the list of JWT keys. To support key rotation, this list specifies the IDs of all currently valid keys. JWT tokens issued by the UAA contain a kid field, indicating which key should be used for verification of the token.

$ curl 'http://localhost/token_keys' -i -u 'app:appclientsecret' -H 'Accept: application/json'
GET /token_keys HTTP/1.1
Accept: application/json
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 957

{
  "keys" : [ {
    "kty" : "RSA",
    "e" : "AQAB",
    "use" : "sig",
    "kid" : "testKey",
    "alg" : "RS256",
    "value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
    "n" : "ANJufZdrvYg5zG61x36pDq59nVUN73wSanA7hVCtN3ftT2Rm1ZTQqp5KSCfLMhaaVvJY51sHj-_i4lqUaM9CO32G93fE44VfOmPfexZeAwa8YDOikyTrhP7sZ6A4WUNeC4DlNnJF4zsznU7JxjCkASwpdL6XFwbRSzGkm6b9aM4vIewyclWehJxUGVFhnYEzIQ65qnr38feVP9enOVgQzpKsCJ-xpa8vZ_UrscoG3_IOQM6VnLrGYAyyCGeyU1JXQW_KlNmtA5eJry2Tp-MD6I34_QsNkCArHOfj8H9tXz_oc3_tVkkR252L_Lmp0TtIGfHpBmoITP9h-oKiW6NpyCc="
  } ]
}

Request Headers

Name Description
Authorization Basic authorization with base64(resource_server:shared_secret), assuming the caller (a resource server) is also a registered client and has the uaa.resource authority. The header is not required (anonymous access is allowed) when only asymmetric keys are requested, and if you do send it for asymmetric keys, the uaa.resource authority is not required either.

Response Fields

Path Type Description
keys.[].kid String Key ID of key to be used for verification of the token.
keys.[].alg String Encryption algorithm
keys.[].value String Verifier key
keys.[].kty String Key type (RSA or MAC)
keys.[].use String Public key use parameter - identifies intended use of the public key. (defaults to “sig”)
keys.[].n String RSA key modulus
keys.[].e String RSA key public exponent

Error Codes

Error Code Description
401 Unauthorized - Unregistered client or incorrect client secret
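The kid lookup and key-pinned verification that the Token Keys description above calls for, as an added Python example; it is not part of the UAA documentation or code base. It verifies only MAC (HS256) keys with the standard library; the RSA entry in the constructed key list is there to show that a token is rejected, rather than verified with the wrong key, when the algorithm in its header differs from the one advertised for its kid. TOKEN_KEYS, the sign_hs256 helper and the claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the JSON returned by GET /token_keys, reduced to the
# fields the verifier uses. The MAC entry mirrors the /token_key response above;
# the RSA entry only demonstrates algorithm pinning and is never verified here.
TOKEN_KEYS = {
    "keys": [
        {"kty": "MAC", "alg": "HS256", "use": "sig", "kid": "testKey", "value": "key"},
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "rsaKey",
         "value": "-----BEGIN PUBLIC KEY-----\n(omitted in this example)\n-----END PUBLIC KEY-----"},
    ]
}


class TokenRejected(Exception):
    """Raised with a short reason whenever a token must not be trusted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit '=' padding; restore it so the decoder accepts them.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, kid: str, secret: str) -> str:
    """Constructed helper that mints an HS256 token the way a MAC-keyed issuer would."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, jwks: dict, now=None) -> dict:
    """Select the key by kid, pin the algorithm to that key, verify, then check exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    if not isinstance(header, dict):
        raise TokenRejected("malformed token")
    kid = header.get("kid")
    # Only a key the server currently advertises may verify a token; after a
    # rotation, tokens signed under a retired kid are rejected here.
    key = next(
        (k for k in jwks["keys"] if k.get("kid") == kid and k.get("use", "sig") == "sig"),
        None,
    )
    if key is None:
        raise TokenRejected(f"unknown kid {kid!r}")
    # The algorithm is taken from the trusted key entry, never from the header,
    # so 'none' or an RSA alg paired with a MAC kid fails before any crypto runs.
    if header.get("alg") != key["alg"]:
        raise TokenRejected("alg in header does not match the advertised key")
    if key["kty"] != "MAC":
        raise TokenRejected(f"key type {key['kty']} is not verified by this example")
    expected = hmac.new(
        key["value"].encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise TokenRejected("token expired")
    return claims


def check_token(token: str, jwks: dict, now=None):
    """Non-raising wrapper: (claims, None) when accepted, (None, reason) when not."""
    try:
        return verify_jwt(token, jwks, now), None
    except TokenRejected as exc:
        return None, str(exc)


if __name__ == "__main__":
    good = sign_hs256({"sub": "marissa", "exp": 2_000_000_000}, "testKey", "key")
    print(check_token(good, TOKEN_KEYS, now=1_000))
    print(check_token(sign_hs256({"sub": "x"}, "retiredKey", "key"), TOKEN_KEYS))
```

Because the algorithm comes from the advertised key rather than the token header, a token that claims alg none or RS256 while naming a MAC kid is refused before any signature is examined. A client that meets an unknown kid should re-fetch /token_keys once (the rotation case the text describes) rather than trust a cached list indefinitely.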

Identity Zones

The UAA supports multi-tenancy; the tenants are referred to as identity zones. An identity zone is accessed through a unique subdomain. If the standard UAA responds at https://uaa.10.244.0.34.xip.io, a zone on this UAA would be accessed through https://testzone1.uaa.10.244.0.34.xip.io.

A zone contains a unique identifier as well as a unique subdomain:

{
    "id":"testzone1",
    "subdomain":"testzone1",
    "name":"The Twiglet Zone[testzone1]",
    "version":0,
    "description":"Like the Twilight Zone but tastier[testzone1].",
    "created":1426258488910,
    "last_modified":1426258488910
}

The UAA always creates a default zone. This zone is always present, its ID is always uaa, and its subdomain is blank:

{
    "id": "uaa",
    "subdomain": "",
    "name": "uaa",
    "version": 0,
    "description": "The system zone for backwards compatibility",
    "created": 946710000000,
    "last_modified": 946710000000
}

Creating an identity zone

An identity zone is created using a POST with an IdentityZone object. If the object contains an id, that id is used as the identifier; otherwise an identifier is generated. Once a zone has been created, the UAA starts accepting requests on the subdomain given in the subdomain field of the identity zone. When an Identity Zone is created, an internal Identity Provider is automatically created with the default password policy.

$ curl 'http://localhost/identity-zones' -i -X POST -H 'Authorization: Bearer e2518f1d134f471f9b1ac939bca14df8' -H 'Content-Type: application/json' -d '{
  "id" : "twiglet-create",
  "subdomain" : "twiglet-create",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : 300,
      "lockoutAfterFailures" : 5,
      "countFailuresWithin" : 3600
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null,
      "keys" : {
        "exampleKeyId" : {
          "signingKey" : "s1gNiNg.K3y/t3XT"
        }
      }
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
      "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
      "privateKeyPassword" : "password"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "homeRedirect" : "http://my.hosted.homepage.com/",
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "branding" : {
      "companyName" : "Test Company",
      "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
      "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
      "footerLegalText" : "Test footer legal text",
      "footerLinks" : {
        "Support" : "http://support.example.com"
      }
    },
    "accountChooserEnabled" : false
  },
  "name" : "The Twiglet Zone",
  "version" : 0,
  "description" : "Like the Twilight Zone but tastier.",
  "created" : 1488326083194,
  "last_modified" : 1488326083194
}'
POST /identity-zones HTTP/1.1
Authorization: Bearer e2518f1d134f471f9b1ac939bca14df8
Content-Type: application/json
Host: localhost
Content-Length: 4153

{
  "id" : "twiglet-create",
  "subdomain" : "twiglet-create",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : 300,
      "lockoutAfterFailures" : 5,
      "countFailuresWithin" : 3600
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null,
      "keys" : {
        "exampleKeyId" : {
          "signingKey" : "s1gNiNg.K3y/t3XT"
        }
      }
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
      "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
      "privateKeyPassword" : "password"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "homeRedirect" : "http://my.hosted.homepage.com/",
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "branding" : {
      "companyName" : "Test Company",
      "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
      "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
      "footerLegalText" : "Test footer legal text",
      "footerLinks" : {
        "Support" : "http://support.example.com"
      }
    },
    "accountChooserEnabled" : false
  },
  "name" : "The Twiglet Zone",
  "version" : 0,
  "description" : "Like the Twilight Zone but tastier.",
  "created" : 1488326083194,
  "last_modified" : 1488326083194
}
HTTP/1.1 201 Created
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 3474

{
  "id" : "twiglet-create",
  "subdomain" : "twiglet-create",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : 300,
      "lockoutAfterFailures" : 5,
      "countFailuresWithin" : 3600
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "homeRedirect" : "http://my.hosted.homepage.com/",
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "branding" : {
      "companyName" : "Test Company",
      "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
      "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
      "footerLegalText" : "Test footer legal text",
      "footerLinks" : {
        "Support" : "http://support.example.com"
      }
    },
    "accountChooserEnabled" : false
  },
  "name" : "The Twiglet Zone",
  "version" : 0,
  "description" : "Like the Twilight Zone but tastier.",
  "created" : 1488326083208,
  "last_modified" : 1488326083208
}

Request Headers

Name Description
Authorization Bearer token containing zones.write or zones.<zone id>.admin

Request Fields

Path Type Constraints Description
id String Optional Unique ID of the identity zone
subdomain String Required Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
name String Required Human-readable zone name
description String Optional Description of the zone
version Number Optional Reserved for future use of E-Tag versioning
config.clientLockoutPolicy.lockoutPeriodSeconds Number Required when LockoutPolicy in the config is not null Number of seconds to lock out an account when the number of failures exceeds lockoutAfterFailures (defaults to 300).
config.clientLockoutPolicy.lockoutAfterFailures Number Required when LockoutPolicy in the config is not null Number of allowed failures before the account is locked (defaults to 5).
config.clientLockoutPolicy.countFailuresWithin Number Required when LockoutPolicy in the config is not null Number of seconds within which lockoutAfterFailures failures must occur for the account to be locked (defaults to 3600).
config.tokenPolicy Object Optional Various fields pertaining to the JWT access and refresh tokens.
config.tokenPolicy.activeKeyId String Required if config.tokenPolicy.keys are set The ID for the key that is being used to sign tokens
config.tokenPolicy.keys Object Optional Keys which will be used to sign the token
config.tokenPolicy.accessTokenValidity Number Optional Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
config.tokenPolicy.refreshTokenValidity Number Optional Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
config.tokenPolicy.jwtRevocable Boolean Optional Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
config.tokenPolicy.refreshTokenUnique Boolean Optional If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to true.
config.tokenPolicy.refreshTokenFormat String Optional The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
config.samlConfig.assertionSigned Boolean Optional If true, the SAML provider will sign all assertions
config.samlConfig.wantAssertionSigned Boolean Optional Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
config.samlConfig.requestSigned Boolean Optional Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
config.samlConfig.wantAuthnRequestSigned Boolean Optional If true, the authentication request from the partner service provider must be signed.
config.samlConfig.assertionTimeToLiveSeconds Number Optional The lifetime of a SAML assertion in seconds. Defaults to 600.
config.samlConfig.certificate String Optional. Can only be used in conjunction with privateKey and privateKeyPassword Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
config.samlConfig.privateKey String Optional. Can only be used in conjunction with certificate and privateKeyPassword Exposed SAML metadata property. The SAML provider’s private key.
config.samlConfig.privateKeyPassword String Optional. Can only be used in conjunction with certificate and privateKey Exposed SAML metadata property. The SAML provider’s private key password. Reserved for future use.
config.links.logout.redirectUrl String Optional Logout redirect url
config.links.homeRedirect String Optional Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
config.links.logout.redirectParameterName String Optional Changes the name of the redirect parameter
config.links.logout.disableRedirectParameter Boolean Optional Whether or not to allow the redirect parameter on logout
config.links.logout.whitelist Array Optional List of allowed whitelist redirects
config.links.selfService.selfServiceLinksEnabled Boolean Optional Whether or not users are allowed to sign up or reset their passwords via the UI
config.links.selfService.signup String Optional Where users are directed upon clicking the account creation link
config.links.selfService.passwd String Optional Where users are directed upon clicking the password reset link
config.prompts[] Array Optional List of fields that users are prompted for to login. Defaults to username, password, and passcode.
config.prompts[].name String Optional Name of field
config.prompts[].type String Optional What kind of field this is (e.g. text or password)
config.prompts[].text String Optional Actual text displayed on prompt for field
config.idpDiscoveryEnabled Boolean Optional IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
config.accountChooserEnabled Boolean Optional This flag is required to enable account choosing functionality for IDP discovery page.
config.branding.companyName String Optional This name is used on the UAA Pages and in account management related communication in UAA
config.branding.productLogo String Optional This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
config.branding.squareLogo String Optional This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
config.branding.footerLegalText String Optional This text appears on the footer of all UAA pages
config.branding.footerLinks Object Optional These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
config.corsPolicy.xhrConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, “*”, or “null” in the response.
config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared, based on the configured Origin patterns.
config.corsPolicy.xhrConfiguration.allowedUris Array Optional The list of allowed URIs.
config.corsPolicy.xhrConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
config.corsPolicy.xhrConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
config.corsPolicy.xhrConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
config.corsPolicy.xhrConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
config.corsPolicy.defaultConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, “*”, or “null” in the response.
config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared, based on the configured Origin patterns.
config.corsPolicy.defaultConfiguration.allowedUris Array Optional The list of allowed URIs.
config.corsPolicy.defaultConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
config.corsPolicy.defaultConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
config.corsPolicy.defaultConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
config.corsPolicy.defaultConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache

Response Fields

Path Type Description
id String Unique ID of the identity zone
subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
name String Human-readable zone name
description String Description of the zone
version Number Reserved for future use of E-Tag versioning
config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
config.tokenPolicy.accessTokenValidity Number Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to true.
config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
config.clientLockoutPolicy.lockoutPeriodSeconds Number Number of seconds to lock out an account when the number of failures exceeds lockoutAfterFailures (defaults to 300).
config.clientLockoutPolicy.lockoutAfterFailures Number Number of allowed failures before the account is locked (defaults to 5).
config.clientLockoutPolicy.countFailuresWithin Number Number of seconds within which lockoutAfterFailures failures must occur for the account to be locked (defaults to 3600).
config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
config.links.logout.redirectUrl String Logout redirect url
config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
config.links.logout.redirectParameterName String Changes the name of the redirect parameter
config.links.logout.disableRedirectParameter Boolean Whether or not to allow the redirect parameter on logout
config.links.logout.whitelist Array List of allowed whitelist redirects
config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
config.links.selfService.signup String Where users are directed upon clicking the account creation link
config.links.selfService.passwd String Where users are directed upon clicking the password reset link
config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
config.prompts[].name String Name of field
config.prompts[].type String What kind of field this is (e.g. text or password)
config.prompts[].text String Actual text displayed on prompt for field
config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
config.accountChooserEnabled Boolean This flag is required to enable account choosing functionality for IDP discovery page.
config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
config.branding.footerLegalText String This text appears on the footer of all UAA pages
config.branding.footerLinks Object These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, “*”, or “null” in the response.
config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared, based on the configured Origin patterns.
config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, “*”, or “null” in the response.
config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared, based on the configured Origin patterns.
config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache

Error Codes

Error Code Description
400 Bad Request
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (Zones can only be created by being authenticated in the default zone.)
422 Unprocessable Entity - Invalid zone details

Sequential example of creating a zone and creating an admin client in that zone:

uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.testzone1.admin,zones.write"

uaac token client get admin -s adminsecret

uaac -t curl -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones

uaac -t curl -H"X-Identity-Zone-Id:testzone1" -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients

uaac target http://testzone1.localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac token decode

Retrieving an identity zone

$ curl 'http://localhost/identity-zones/twiglet-get' -i -H 'Authorization: Bearer fc71cea233f0476aa2e7ba7176116001'
GET /identity-zones/twiglet-get HTTP/1.1
Authorization: Bearer fc71cea233f0476aa2e7ba7176116001
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 3409

{
  "id" : "twiglet-get",
  "subdomain" : "twiglet-get",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "homeRedirect" : "http://my.hosted.homepage.com/",
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "branding" : {
      "companyName" : "Test Company",
      "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
      "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
      "footerLegalText" : "Test footer legal text",
      "footerLinks" : {
        "Support" : "http://support.example.com"
      }
    },
    "accountChooserEnabled" : false
  },
  "name" : "The Twiglet Zone",
  "version" : 0,
  "created" : 1488326083036,
  "last_modified" : 1488326083036
}

Path Parameters

/identity-zones/{id}

Parameter Description
id Unique ID of the identity zone to retrieve

Request Headers

Name Description
Authorization Bearer token containing zones.read or zones.<zone id>.admin or zones.<zone id>.read

Response Fields

Path Type Description
id String Unique ID of the identity zone
subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
name String Human-readable zone name
description String Description of the zone
version Number Reserved for future use of E-Tag versioning
config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
config.tokenPolicy.accessTokenValidity Number Time in seconds between when an access token is issued and when it expires. Defaults to the global accessTokenValidity.
config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to the global refreshTokenValidity.
config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
config.tokenPolicy.refreshTokenUnique Boolean If true, UAA will only issue one refresh token per client_id/user_id combination. Defaults to true.
config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt and opaque. Defaults to opaque.
config.clientLockoutPolicy.lockoutPeriodSeconds Number Number of seconds to lock out an account once the lockoutAfterFailures limit is exceeded (defaults to 300).
config.clientLockoutPolicy.lockoutAfterFailures Number Number of allowed failures before the account is locked (defaults to 5).
config.clientLockoutPolicy.countFailuresWithin Number Number of seconds within which lockoutAfterFailures failures must occur for the account to be locked (defaults to 3600).
config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
config.links.logout.redirectUrl String Logout redirect URL.
config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
config.links.logout.redirectParameterName String Changes the name of the redirect parameter.
config.links.logout.disableRedirectParameter Boolean Whether or not to allow the redirect parameter on logout.
config.links.logout.whitelist Array Whitelist of allowed logout redirect URLs.
config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
config.links.selfService.signup String Where users are directed upon clicking the account creation link
config.links.selfService.passwd String Where users are directed upon clicking the password reset link
config.prompts[] Array List of fields that users are prompted for at login. Defaults to username, password, and passcode.
config.prompts[].name String Name of field
config.prompts[].type String What kind of field this is (e.g. text or password)
config.prompts[].text String Actual text displayed on prompt for field
config.idpDiscoveryEnabled Boolean IDP discovery should be set to true if you have configured more than one identity provider for UAA. Discovery relies on an email domain being set for each additional provider.
config.accountChooserEnabled Boolean This flag is required to enable the account chooser on the IDP discovery page.
config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
config.branding.footerLegalText String This text appears on the footer of all UAA pages
config.branding.footerLinks Object These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response.
config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared, based on whether the Origin request header matches one of these patterns.
config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response.
config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which methods can be used in the actual request, as part of the response to the preflight request.
config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache.
config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response.
config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared, based on whether the Origin request header matches one of these patterns.
config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response.
config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which methods can be used in the actual request, as part of the response to the preflight request.
config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache.

Error Codes

Error Code Description
400 Bad Request
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope
404 Not Found - Zone does not exist

Retrieving all identity zones

$ curl 'http://localhost/identity-zones' -i -H 'Authorization: Bearer 6d926b63b96844f3bb209c0cef3c575a'
GET /identity-zones HTTP/1.1
Authorization: Bearer 6d926b63b96844f3bb209c0cef3c575a
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 17291

[ {
  "id" : "c2g4nkq4",
  "subdomain" : "c2g4nkq4",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "accountChooserEnabled" : false
  },
  "name" : "The Twiglet Zone",
  "version" : 0,
  "description" : "Like the Twilight Zone but tastier.",
  "created" : 1488326080179,
  "last_modified" : 1488326080179
}, {
  "id" : "dfdsbc8k",
  "subdomain" : "dfdsbc8k",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "accountChooserEnabled" : false
  },
  "name" : "The Twiglet Zone",
  "version" : 0,
  "description" : "Like the Twilight Zone but tastier.",
  "created" : 1488326077166,
  "last_modified" : 1488326077166
}, {
  "id" : "fc8lbwp1",
  "subdomain" : "fc8lbwp1",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "accountChooserEnabled" : false
  },
  "name" : "The Twiglet Zone",
  "version" : 0,
  "description" : "Like the Twilight Zone but tastier.",
  "created" : 1488326078871,
  "last_modified" : 1488326078871
}, {
  "id" : "twiglet-get-1",
  "subdomain" : "twiglet-get-1",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "homeRedirect" : "http://my.hosted.homepage.com/",
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "branding" : {
      "companyName" : "Test Company",
      "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
      "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
      "footerLegalText" : "Test footer legal text",
      "footerLinks" : {
        "Support" : "http://support.example.com"
      }
    },
    "accountChooserEnabled" : false
  },
  "name" : "The Twiglet Zone",
  "version" : 0,
  "created" : 1488326082468,
  "last_modified" : 1488326082468
}, {
  "id" : "twiglet-get-2",
  "subdomain" : "twiglet-get-2",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "homeRedirect" : "http://my.hosted.homepage.com/",
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "branding" : {
      "companyName" : "Test Company",
      "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
      "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
      "footerLegalText" : "Test footer legal text",
      "footerLinks" : {
        "Support" : "http://support.example.com"
      }
    },
    "accountChooserEnabled" : false
  },
  "name" : "The Twiglet Zone",
  "version" : 0,
  "created" : 1488326082531,
  "last_modified" : 1488326082531
}, {
  "id" : "uaa",
  "subdomain" : "",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : 43200,
      "refreshTokenValidity" : 2592000,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code ( Get one at http://localhost:8080/uaa/passcode )"
    } ],
    "idpDiscoveryEnabled" : false,
    "accountChooserEnabled" : false
  },
  "name" : "uaa",
  "version" : 1,
  "description" : "The system zone for backwards compatibility",
  "created" : 946684800000,
  "last_modified" : 1488326059527
} ]

Request Headers

Name Description
Authorization Bearer token containing zones.read or zones.<zone id>.admin

Response Fields

Path Type Description
[].id String Unique ID of the identity zone
[].subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
[].name String Human-readable zone name
[].description String Description of the zone
[].version Number Reserved for future use of E-Tag versioning
[].config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
[].config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
[].config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
[].config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
[].config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to true.
[].config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
[].config.clientLockoutPolicy.lockoutPeriodSeconds Number Number of seconds to lock out an account once the lockoutAfterFailures limit is exceeded (defaults to 300).
[].config.clientLockoutPolicy.lockoutAfterFailures Number Number of allowed failures before account is locked (defaults to 5).
[].config.clientLockoutPolicy.countFailuresWithin Number Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked (defaults to 3600).
[].config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
[].config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
[].config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
[].config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
[].config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
[].config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
[].config.links.logout.redirectUrl String Logout redirect url
[].config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
[].config.links.logout.redirectParameterName String Changes the name of the redirect parameter
[].config.links.logout.disableRedirectParameter Boolean Whether or not to allow the redirect parameter on logout
[].config.links.logout.whitelist Array List of allowed logout redirect URLs (whitelist)
[].config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
[].config.links.selfService.signup String Where users are directed upon clicking the account creation link
[].config.links.selfService.passwd String Where users are directed upon clicking the password reset link
[].config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
[].config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
[].config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
[].config.branding.footerLegalText String This text appears on the footer of all UAA pages
[].config.branding.footerLinks Object These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
[].config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
[].config.prompts[].name String Name of field
[].config.prompts[].type String What kind of field this is (e.g. text or password)
[].config.prompts[].text String Actual text displayed on prompt for field
[].config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
[].config.accountChooserEnabled Boolean This flag is required to enable account choosing functionality for IDP discovery page.
[].config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, “*”, or “null” in the response.
[].config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Patterns matched against the Origin request header to decide whether a resource can be shared.
[].config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
[].config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
[].config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
[].config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
[].config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.
[].config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
[].config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, “*”, or “null” in the response.
[].config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Patterns matched against the Origin request header to decide whether a resource can be shared.
[].config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
[].config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
[].config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
[].config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
[].config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.
[].config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
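The clientLockoutPolicy fields above describe a sliding-window rule: once more than lockoutAfterFailures failures land inside countFailuresWithin seconds, the account is rejected for lockoutPeriodSeconds. The Python below models that rule so the three numbers can be reasoned about together. It is an added illustration, not UAA's own implementation; the LockoutTracker class, its integer-second timestamps, the reset on successful login and the assumption that all three values are positive are this example's own choices (the page's sample update request sends -1 for each, and the page does not document what that means).

```python
"""Sliding-window lockout model for the documented clientLockoutPolicy fields.
Added example; not UAA code. Timestamps are integer seconds so the logic
can be exercised deterministically."""
from collections import deque
from dataclasses import dataclass


@dataclass
class ClientLockoutPolicy:
    # Field names and defaults are the ones documented in the reference table.
    # Assumption: all three values are positive.
    lockoutAfterFailures: int = 5
    countFailuresWithin: int = 3600
    lockoutPeriodSeconds: int = 300


class LockoutTracker:
    """Tracks failed attempts per principal and answers whether the
    principal is currently locked out."""

    def __init__(self, policy: ClientLockoutPolicy) -> None:
        self.policy = policy
        self._failures = {}      # principal -> deque of failure timestamps
        self._locked_until = {}  # principal -> timestamp the lock expires

    def is_locked(self, principal: str, now: int) -> bool:
        until = self._locked_until.get(principal)
        if until is None:
            return False
        if now < until:
            return True
        # lockoutPeriodSeconds has elapsed: clear the lock and the failures that caused it.
        del self._locked_until[principal]
        self._failures.pop(principal, None)
        return False

    def record_failure(self, principal: str, now: int) -> bool:
        """Record a failed attempt; return True if this failure locked the account."""
        window = self._failures.setdefault(principal, deque())
        window.append(now)
        # Only failures inside the last countFailuresWithin seconds count.
        cutoff = now - self.policy.countFailuresWithin
        while window and window[0] < cutoff:
            window.popleft()
        # The table says "exceeded": lockoutAfterFailures failures are allowed,
        # the next one triggers the lock.
        if len(window) > self.policy.lockoutAfterFailures:
            self._locked_until[principal] = now + self.policy.lockoutPeriodSeconds
            return True
        return False

    def record_success(self, principal: str) -> None:
        # Assumption: a successful login clears the failure window.
        self._failures.pop(principal, None)


def simulate(policy: ClientLockoutPolicy, failure_times: list) -> list:
    """Replay a sequence of failure timestamps for one principal and return,
    per failure, whether it triggered a lockout."""
    tracker = LockoutTracker(policy)
    return [tracker.record_failure("user", t) for t in failure_times]
```

With the documented defaults, five failures spread over an hour are tolerated and the sixth within that hour locks the account for five minutes; failures older than countFailuresWithin drop out of the window, so a slow trickle never accumulates.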

Error Codes

Error Code Description
400 Bad Request
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope

Updating an Identity Zone

$ curl 'http://localhost/identity-zones/twiglet-update' -i -X PUT -H 'Authorization: Bearer 267316f4c3a54ec79c73c777ed5bffe2' -H 'Content-Type: application/json' -d '{
  "subdomain" : "twiglet-update",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null,
      "keys" : {
        "updatedKeyId" : {
          "signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT"
        }
      }
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
      "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
      "privateKeyPassword" : "password"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "homeRedirect" : "http://my.hosted.homepage.com/",
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "branding" : {
      "companyName" : "Test Company",
      "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
      "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
      "footerLegalText" : "Test footer legal text",
      "footerLinks" : {
        "Support" : "http://support.example.com"
      }
    },
    "accountChooserEnabled" : false
  },
  "name" : "The Updated Twiglet Zone",
  "version" : 0,
  "description" : "Like the Twilight Zone but not tastier.",
  "created" : 1488326082874,
  "last_modified" : 1488326082874
}'
PUT /identity-zones/twiglet-update HTTP/1.1
Authorization: Bearer 267316f4c3a54ec79c73c777ed5bffe2
Content-Type: application/json
Host: localhost
Content-Length: 4144

{
  "subdomain" : "twiglet-update",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null,
      "keys" : {
        "updatedKeyId" : {
          "signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT"
        }
      }
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
      "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
      "privateKeyPassword" : "password"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "homeRedirect" : "http://my.hosted.homepage.com/",
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "branding" : {
      "companyName" : "Test Company",
      "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
      "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
      "footerLegalText" : "Test footer legal text",
      "footerLinks" : {
        "Support" : "http://support.example.com"
      }
    },
    "accountChooserEnabled" : false
  },
  "name" : "The Updated Twiglet Zone",
  "version" : 0,
  "description" : "Like the Twilight Zone but not tastier.",
  "created" : 1488326082874,
  "last_modified" : 1488326082874
}
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 3484

{
  "id" : "twiglet-update",
  "subdomain" : "twiglet-update",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "homeRedirect" : "http://my.hosted.homepage.com/",
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "branding" : {
      "companyName" : "Test Company",
      "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
      "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
      "footerLegalText" : "Test footer legal text",
      "footerLinks" : {
        "Support" : "http://support.example.com"
      }
    },
    "accountChooserEnabled" : false
  },
  "name" : "The Updated Twiglet Zone",
  "version" : 1,
  "description" : "Like the Twilight Zone but not tastier.",
  "created" : 1488326082847,
  "last_modified" : 1488326082894
}

Path Parameters

/identity-zones/{id}

Parameter Description
id Unique ID of the identity zone to update

Request Headers

Name Description
Authorization Bearer token containing zones.write or zones.<zone id>.admin

Request Fields

Path Type Constraints Description
subdomain String Required Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
name String Required Human-readable zone name
description String Optional Description of the zone
version Number Optional Reserved for future use of E-Tag versioning
config.tokenPolicy.activeKeyId String Required if config.tokenPolicy.keys are set The ID for the key that is being used to sign tokens
config.tokenPolicy.keys Object Optional Keys which will be used to sign the token. If null value is specified for keys, then existing value will be retained.
config.tokenPolicy.accessTokenValidity Number Optional Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
config.tokenPolicy.refreshTokenValidity Number Optional Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
config.tokenPolicy.jwtRevocable Boolean Optional Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
config.tokenPolicy.refreshTokenUnique Boolean Optional If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to true.
config.tokenPolicy.refreshTokenFormat String Optional The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
config.clientLockoutPolicy.lockoutPeriodSeconds Number Required when LockoutPolicy in the config is not null Number of seconds to lock out an account once the lockoutAfterFailures limit is exceeded (defaults to 300).
config.clientLockoutPolicy.lockoutAfterFailures Number Required when LockoutPolicy in the config is not null Number of allowed failures before account is locked (defaults to 5).
config.clientLockoutPolicy.countFailuresWithin Number Required when LockoutPolicy in the config is not null Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked (defaults to 3600).
config.samlConfig.assertionSigned Boolean Optional If true, the SAML provider will sign all assertions
config.samlConfig.wantAssertionSigned Boolean Optional Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
config.samlConfig.requestSigned Boolean Optional Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
config.samlConfig.wantAuthnRequestSigned Boolean Optional If true, the authentication request from the partner service provider must be signed.
config.samlConfig.assertionTimeToLiveSeconds Number Optional The lifetime of a SAML assertion in seconds. Defaults to 600.
config.samlConfig.certificate String Optional. Can only be used in conjunction with privateKey and privateKeyPassword Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
config.samlConfig.privateKey String Optional. Can only be used in conjunction with certificate and privateKeyPassword Exposed SAML metadata property. The SAML provider’s private key.
config.samlConfig.privateKeyPassword String Optional. Can only be used in conjunction with certificate and privateKey Exposed SAML metadata property. The SAML provider’s private key password. Reserved for future use.
config.links.logout.redirectUrl String Optional Logout redirect url
config.links.homeRedirect String Optional Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
config.links.logout.redirectParameterName String Optional Changes the name of the redirect parameter
config.links.logout.disableRedirectParameter Boolean Optional Whether or not to allow the redirect parameter on logout
config.links.logout.whitelist Array Optional List of allowed logout redirect URLs (whitelist)
config.links.selfService.selfServiceLinksEnabled Boolean Optional Whether or not users are allowed to sign up or reset their passwords via the UI
config.links.selfService.signup String Optional Where users are directed upon clicking the account creation link
config.links.selfService.passwd String Optional Where users are directed upon clicking the password reset link
config.prompts[] Array Optional List of fields that users are prompted for to login. Defaults to username, password, and passcode.
config.prompts[].name String Optional Name of field
config.prompts[].type String Optional What kind of field this is (e.g. text or password)
config.prompts[].text String Optional Actual text displayed on prompt for field
config.idpDiscoveryEnabled Boolean Optional IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
config.accountChooserEnabled Boolean Optional This flag is required to enable account choosing functionality for IDP discovery page.
config.branding.companyName String Optional This name is used on the UAA Pages and in account management related communication in UAA
config.branding.productLogo String Optional This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
config.branding.squareLogo String Optional This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
config.branding.footerLegalText String Optional This text appears on the footer of all UAA pages
config.branding.footerLinks Object Optional These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
config.corsPolicy.xhrConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, “*”, or “null” in the response.
config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Optional Patterns matched against the Origin request header to decide whether a resource can be shared.
config.corsPolicy.xhrConfiguration.allowedUris Array Optional The list of allowed URIs.
config.corsPolicy.xhrConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
config.corsPolicy.xhrConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
config.corsPolicy.xhrConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.
config.corsPolicy.xhrConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
config.corsPolicy.defaultConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, “*”, or “null” in the response.
config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Optional Patterns matched against the Origin request header to decide whether a resource can be shared.
config.corsPolicy.defaultConfiguration.allowedUris Array Optional The list of allowed URIs.
config.corsPolicy.defaultConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
config.corsPolicy.defaultConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
config.corsPolicy.defaultConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.
config.corsPolicy.defaultConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
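The Constraints column above encodes cross-field rules that a PUT body can violate before it ever reaches the server: activeKeyId is required when keys are supplied (a null keys value retains the existing keys), the three clientLockoutPolicy values are all-or-nothing when the policy object is present, refreshTokenFormat must be jwt or opaque, and certificate, privateKey and privateKeyPassword must travel together. A small pre-flight validator for those rules, added here as an example rather than UAA's own validation; the function name validate_zone_update, the subdomain regular expression (a single DNS label, since the page only says "legal characters for a subdomain name") and the extra check that activeKeyId names one of the supplied keys are this example's assumptions:

```python
"""Client-side validation of an identity-zone update body against the
documented Request Fields constraints. Added example; not UAA code."""
import re

# Assumption: a legal subdomain is one lowercase DNS label.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
REFRESH_TOKEN_FORMATS = {"jwt", "opaque"}
LOCKOUT_FIELDS = ("lockoutPeriodSeconds", "lockoutAfterFailures", "countFailuresWithin")
SAML_KEY_FIELDS = ("certificate", "privateKey", "privateKeyPassword")


def validate_zone_update(body: dict) -> list:
    """Return a list of constraint violations; an empty list means the body
    satisfies every rule checked here."""
    errors = []

    # subdomain and name are Required.
    subdomain = body.get("subdomain")
    if not isinstance(subdomain, str) or not SUBDOMAIN_RE.match(subdomain):
        errors.append("subdomain: required; may only contain legal subdomain characters")
    name = body.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append("name: required")

    config = body.get("config") or {}

    # tokenPolicy: activeKeyId is required if keys are set; null keys keep the
    # existing value, so there is nothing to check in that case.
    token = config.get("tokenPolicy") or {}
    keys = token.get("keys")
    if keys is not None:
        active = token.get("activeKeyId")
        if not active:
            errors.append("config.tokenPolicy.activeKeyId: required when keys are set")
        elif active not in keys:
            # Assumption: the active key must be one of the keys being supplied.
            errors.append("config.tokenPolicy.activeKeyId: does not name a supplied key")
    fmt = token.get("refreshTokenFormat")
    if fmt is not None and fmt not in REFRESH_TOKEN_FORMATS:
        errors.append("config.tokenPolicy.refreshTokenFormat: allowed values are jwt, opaque")

    # clientLockoutPolicy: all three numbers are required when the object is not null.
    lockout = config.get("clientLockoutPolicy")
    if lockout is not None:
        missing = [f for f in LOCKOUT_FIELDS if not isinstance(lockout.get(f), int)]
        if missing:
            errors.append("config.clientLockoutPolicy: required when the policy is not null: "
                          + ", ".join(missing))

    # samlConfig: certificate, privateKey and privateKeyPassword only in conjunction.
    saml = config.get("samlConfig") or {}
    present = [f for f in SAML_KEY_FIELDS if saml.get(f) is not None]
    if present and len(present) != len(SAML_KEY_FIELDS):
        errors.append("config.samlConfig: certificate, privateKey and privateKeyPassword "
                      "must be supplied together")

    return errors
```

Running the validator before the PUT turns a 400 from the server into a readable list of field paths, and it makes the dependency between keys and activeKeyId explicit: rotating a signing key without naming the new active key is the mistake this check is there to catch.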

Response Fields

Path Type Description
id String Unique ID of the identity zone
subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
name String Human-readable zone name
description String Description of the zone
version Number Reserved for future use of E-Tag versioning
config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
config.tokenPolicy.accessTokenValidity Number Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to true.
config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
config.clientLockoutPolicy.lockoutPeriodSeconds Number Number of seconds to lock out an account once the lockoutAfterFailures limit is exceeded (defaults to 300).
config.clientLockoutPolicy.lockoutAfterFailures Number Number of allowed failures before account is locked (defaults to 5).
config.clientLockoutPolicy.countFailuresWithin Number Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked (defaults to 3600).
config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
config.links.logout.redirectUrl String Logout redirect url
config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
config.links.logout.redirectParameterName String Changes the name of the redirect parameter
config.links.logout.disableRedirectParameter Boolean Whether or not to allow the redirect parameter on logout
config.links.logout.whitelist Array List of allowed logout redirect URLs (whitelist)
config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
config.links.selfService.signup String Where users are directed upon clicking the account creation link
config.links.selfService.passwd String Where users are directed upon clicking the password reset link
config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
config.prompts[].name String Name of field
config.prompts[].type String What kind of field this is (e.g. text or password)
config.prompts[].text String Actual text displayed on prompt for field
config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on an email domain being set for each additional provider.
config.accountChooserEnabled Boolean This flag is required to enable account choosing functionality for IDP discovery page.
config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
config.branding.footerLegalText String This text appears on the footer of all UAA pages
config.branding.footerLinks Object These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, “*”, or “null” in the response.
config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared, based on the Origin request header matching one of these patterns.
config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response.
config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which methods may be used in the actual request, as part of the response to a preflight request.
config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache.
config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, “*”, or “null” in the response.
config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared, based on the Origin request header matching one of these patterns.
config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response.
config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which methods may be used in the actual request, as part of the response to a preflight request.
config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache.

Error Codes

Error Code Description
400 Bad Request
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (zone admins can only update own zone)
404 Not Found - Update to nonexistent zone
422 Unprocessable Entity - Invalid zone details

Deleting an Identity Zone

$ curl 'http://localhost/identity-zones/twiglet-delete' -i -X DELETE -H 'Authorization: Bearer f9361e034ae5482f95e55a17af9879e0' -H 'Content-Type: application/json'
DELETE /identity-zones/twiglet-delete HTTP/1.1
Authorization: Bearer f9361e034ae5482f95e55a17af9879e0
Content-Type: application/json
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 3415

{
  "id" : "twiglet-delete",
  "subdomain" : "twiglet-delete",
  "config" : {
    "clientLockoutPolicy" : {
      "lockoutPeriodSeconds" : -1,
      "lockoutAfterFailures" : -1,
      "countFailuresWithin" : -1
    },
    "tokenPolicy" : {
      "accessTokenValidity" : -1,
      "refreshTokenValidity" : -1,
      "jwtRevocable" : false,
      "refreshTokenUnique" : false,
      "refreshTokenFormat" : "jwt",
      "activeKeyId" : null
    },
    "samlConfig" : {
      "assertionSigned" : true,
      "requestSigned" : true,
      "wantAssertionSigned" : true,
      "wantAuthnRequestSigned" : false,
      "assertionTimeToLiveSeconds" : 600,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
    },
    "corsPolicy" : {
      "xhrConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      },
      "defaultConfiguration" : {
        "allowedOrigins" : [ ".*" ],
        "allowedOriginPatterns" : [ ],
        "allowedUris" : [ ".*" ],
        "allowedUriPatterns" : [ ],
        "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
        "allowedMethods" : [ "GET" ],
        "allowedCredentials" : false,
        "maxAge" : 1728000
      }
    },
    "links" : {
      "logout" : {
        "redirectUrl" : "/login",
        "redirectParameterName" : "redirect",
        "disableRedirectParameter" : false,
        "whitelist" : null
      },
      "homeRedirect" : "http://my.hosted.homepage.com/",
      "selfService" : {
        "selfServiceLinksEnabled" : true,
        "signup" : "/create_account",
        "passwd" : "/forgot_password"
      }
    },
    "prompts" : [ {
      "name" : "username",
      "type" : "text",
      "text" : "Email"
    }, {
      "name" : "password",
      "type" : "password",
      "text" : "Password"
    }, {
      "name" : "passcode",
      "type" : "password",
      "text" : "One Time Code (Get on at /passcode)"
    } ],
    "idpDiscoveryEnabled" : false,
    "branding" : {
      "companyName" : "Test Company",
      "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
      "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
      "footerLegalText" : "Test footer legal text",
      "footerLinks" : {
        "Support" : "http://support.example.com"
      }
    },
    "accountChooserEnabled" : false
  },
  "name" : "The Twiglet Zone",
  "version" : 0,
  "created" : 1488326082693,
  "last_modified" : 1488326082693
}

Path Parameters

/identity-zones/{id}

Parameter Description
id Unique ID of the identity zone to delete

Request Headers

Name Description
Authorization Bearer token containing zones.write

Response Fields

Path Type Description
id String Unique ID of the identity zone
subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
name String Human-readable zone name
description String Description of the zone
version Number Reserved for future use of E-Tag versioning
config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
config.tokenPolicy.accessTokenValidity Number Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to true.
config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
config.clientLockoutPolicy.lockoutPeriodSeconds Number Number of seconds to lock out an account once lockoutAfterFailures is exceeded (defaults to 300).
config.clientLockoutPolicy.lockoutAfterFailures Number Number of allowed failures before account is locked (defaults to 5).
config.clientLockoutPolicy.countFailuresWithin Number Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked (defaults to 3600).
config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
config.links.logout.redirectUrl String Logout redirect url
config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
config.links.logout.redirectParameterName String Changes the name of the redirect parameter
config.links.logout.disableRedirectParameter Boolean Whether or not to allow the redirect parameter on logout
config.links.logout.whitelist Array List of allowed (whitelisted) logout redirect URLs
config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
config.links.selfService.signup String Where users are directed upon clicking the account creation link
config.links.selfService.passwd String Where users are directed upon clicking the password reset link
config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
config.prompts[].name String Name of field
config.prompts[].type String What kind of field this is (e.g. text or password)
config.prompts[].text String Actual text displayed on prompt for field
config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on an email domain being set for each additional provider.
config.accountChooserEnabled Boolean This flag is required to enable account choosing functionality for IDP discovery page.
config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
config.branding.footerLegalText String This text appears on the footer of all UAA pages
config.branding.footerLinks Object These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, “*”, or “null” in the response.
config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared, based on the Origin request header matching one of these patterns.
config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response.
config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which methods may be used in the actual request, as part of the response to a preflight request.
config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache.
config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, “*”, or “null” in the response.
config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared, based on the Origin request header matching one of these patterns.
config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response.
config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which methods may be used in the actual request, as part of the response to a preflight request.
config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache.

Error Codes

Error Code Description
400 Bad Request
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (zone admins can only delete their own zone)
404 Not Found - Zone does not exist
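The response fields above describe a zone's lockout, token, SAML, CORS and logout-redirect settings. The following is an added example, not UAA code: it audits a zone's "config" object for the settings a reviewer would want to look at, using the delete-zone response above as a constructed sample. It assumes that allowedOrigins entries are regular expressions, which is what the ".*" value in the documented responses suggests.

```python
"""Audit a UAA identity-zone "config" object for weak security settings.

Added example, not UAA code. Takes the config object from a zone response
(fields documented above) and returns (severity, field path, message) tuples.
"""
import re

# Constructed sample: the "config" from the delete-zone response in the docs,
# trimmed to the fields this audit inspects.
SAMPLE_ZONE_CONFIG = {
    "clientLockoutPolicy": {
        "lockoutPeriodSeconds": -1, "lockoutAfterFailures": -1, "countFailuresWithin": -1,
    },
    "tokenPolicy": {
        "accessTokenValidity": -1, "refreshTokenValidity": -1, "jwtRevocable": False,
        "refreshTokenUnique": False, "refreshTokenFormat": "jwt", "activeKeyId": None,
    },
    "samlConfig": {
        "assertionSigned": True, "requestSigned": True, "wantAssertionSigned": True,
        "wantAuthnRequestSigned": False, "assertionTimeToLiveSeconds": 600,
        "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    },
    "corsPolicy": {
        "xhrConfiguration": {"allowedOrigins": [".*"], "allowedCredentials": False,
                             "allowedMethods": ["GET"], "maxAge": 1728000},
        "defaultConfiguration": {"allowedOrigins": [".*"], "allowedCredentials": False,
                                 "allowedMethods": ["GET"], "maxAge": 1728000},
    },
    "links": {
        "logout": {"redirectUrl": "/login", "redirectParameterName": "redirect",
                   "disableRedirectParameter": False, "whitelist": None},
    },
}

# Constructed origin that no legitimate zone should need to allow.
PROBE_ORIGIN = "https://unrelated.example"
DEFAULT_ASSERTION_TTL = 600  # documented default for assertionTimeToLiveSeconds


def origin_list_is_open(patterns):
    """True when any allowedOrigins entry matches an arbitrary origin.

    Assumption: UAA compiles allowedOrigins entries as regular expressions,
    as the ".*" value in the documented responses suggests.
    """
    for pattern in patterns or []:
        try:
            if re.fullmatch(pattern, PROBE_ORIGIN):
                return True
        except re.error:
            continue  # an unparsable pattern cannot match anything
    return False


def audit_zone_config(config):
    """Return a list of (severity, path, message) findings for one zone config."""
    findings = []

    def add(severity, path, message):
        findings.append((severity, path, message))

    lockout = config.get("clientLockoutPolicy") or {}
    if lockout.get("lockoutAfterFailures", -1) <= 0:
        add("info", "config.clientLockoutPolicy.lockoutAfterFailures",
            "no explicit lockout threshold set; zone relies on the default")

    # Per the field docs, only stored tokens are individually revocable.
    tokens = config.get("tokenPolicy") or {}
    if tokens.get("refreshTokenFormat") == "jwt" and not tokens.get("jwtRevocable", False):
        add("medium", "config.tokenPolicy.jwtRevocable",
            "JWT refresh tokens are not stored, so they cannot be individually revoked")

    saml = config.get("samlConfig") or {}
    if not saml.get("wantAssertionSigned", True):
        add("high", "config.samlConfig.wantAssertionSigned",
            "unsigned assertions would be accepted from partner IdPs")
    if not saml.get("requestSigned", True):
        add("medium", "config.samlConfig.requestSigned",
            "outgoing authentication requests are not signed")
    if saml.get("assertionTimeToLiveSeconds", DEFAULT_ASSERTION_TTL) > DEFAULT_ASSERTION_TTL:
        add("medium", "config.samlConfig.assertionTimeToLiveSeconds",
            "assertion lifetime exceeds the documented default of 600 seconds")

    cors = config.get("corsPolicy") or {}
    for name in ("defaultConfiguration", "xhrConfiguration"):
        section = cors.get(name)
        if not section:
            continue
        path = f"config.corsPolicy.{name}.allowedOrigins"
        if origin_list_is_open(section.get("allowedOrigins")):
            if section.get("allowedCredentials", False):
                add("high", path, "any origin allowed together with credentials")
            else:
                add("info", path, "any origin allowed (credentials not shared)")

    logout = (config.get("links") or {}).get("logout") or {}
    if not logout.get("disableRedirectParameter", False) and not logout.get("whitelist"):
        add("medium", "config.links.logout.whitelist",
            "logout redirect parameter is accepted but no allow-list is configured")

    return findings


if __name__ == "__main__":
    for severity, path, message in audit_zone_config(SAMPLE_ZONE_CONFIG):
        print(f"[{severity}] {path}: {message}")
```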

Identity Providers

Create

SAML

$ curl 'http://localhost/identity-providers' -i -X POST -H 'Authorization: Bearer 08669c98d9064eb7b432b94bee4c6116' -H 'Content-Type: application/json' -d '{
  "type" : "saml",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
    "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "assertionConsumerIndex" : 0,
    "metadataTrustCheck" : false,
    "showSamlLink" : false,
    "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
    "iconUrl" : null,
    "groupMappingMode" : "EXPLICITLY_MAPPED",
    "skipSslValidation" : false,
    "socketFactoryClassName" : null
  },
  "originKey" : "SAML",
  "name" : "SAML name",
  "active" : true
}'
POST /identity-providers HTTP/1.1
Authorization: Bearer 08669c98d9064eb7b432b94bee4c6116
Content-Type: application/json
Host: localhost
Content-Length: 2692

{
  "type" : "saml",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
    "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "assertionConsumerIndex" : 0,
    "metadataTrustCheck" : false,
    "showSamlLink" : false,
    "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
    "iconUrl" : null,
    "groupMappingMode" : "EXPLICITLY_MAPPED",
    "skipSslValidation" : false,
    "socketFactoryClassName" : null
  },
  "originKey" : "SAML",
  "name" : "SAML name",
  "active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2941

{
  "type" : "saml",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
    "idpEntityAlias" : "SAML",
    "zoneId" : "uaa",
    "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "assertionConsumerIndex" : 0,
    "metadataTrustCheck" : false,
    "showSamlLink" : false,
    "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
    "iconUrl" : null,
    "groupMappingMode" : "EXPLICITLY_MAPPED",
    "skipSslValidation" : false,
    "socketFactoryClassName" : null
  },
  "id" : "ff83614d-9f8d-47fb-bd97-fe985e1ce59a",
  "originKey" : "SAML",
  "name" : "SAML name",
  "version" : 0,
  "created" : 1488326076942,
  "last_modified" : 1488326076942,
  "active" : true,
  "identityZoneId" : "uaa"
}

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

Request Parameters

Parameter Type Constraints Description
rawConfig Boolean Optional (defaults to false; since UAA 3.4.0) Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

Request Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If the list is empty, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required saml
originKey String Required A unique alias for the SAML provider
config.skipSslValidation Boolean Optional (defaults to false) Set to true, to skip SSL validation when fetching metadata.
config.metaDataLocation String Required SAML Metadata - either an XML string or a URL that will deliver XML content
config.nameID String Optional The name ID to use for the username, default is “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”.
config.assertionConsumerIndex Number Optional SAML assertion consumer index, default is 0
config.metadataTrustCheck Boolean Optional Should metadata be validated, defaults to false
config.showSamlLink Boolean Optional Should the SAML login link be displayed on the login page, defaults to false
config.linkText String Required if the showSamlLink is set to true The link text for the SAML IDP on the login page
config.groupMappingMode String Optional (defaults to "EXPLICITLY_MAPPED") Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes.
config.iconUrl String Optional Reserved for future use
config.socketFactoryClassName Null Optional Either "org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory" or "org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory", depending on whether the metaDataLocation of type URL is HTTP or HTTPS, respectively
config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether or not shadow users must be created before login by an administrator.
config.attributeMappings String Optional Maps external attributes to the attribute names UAA recognizes.
config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion.
config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion.
config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion.
config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion.

Response Fields

Path Type Description
name String Human-readable name for this provider
config.providerDescription String Human readable name/description of this provider
config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If the list is empty, no invitations are accepted. Wildcards supported.
active Boolean Defaults to true.
config.addShadowUserOnLogin Boolean Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String saml
originKey String A unique alias for the SAML provider
config.skipSslValidation Boolean Set to true, to skip SSL validation when fetching metadata.
config.metaDataLocation String SAML Metadata - either an XML string or a URL that will deliver XML content
config.nameID String The name ID to use for the username, default is “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”.
config.assertionConsumerIndex Number SAML assertion consumer index, default is 0
config.metadataTrustCheck Boolean Should metadata be validated, defaults to false
config.showSamlLink Boolean Should the SAML login link be displayed on the login page, defaults to false
config.linkText String The link text for the SAML IDP on the login page
config.groupMappingMode String Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes.
config.iconUrl String Reserved for future use
config.socketFactoryClassName Null Either "org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory" or "org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory", depending on whether the metaDataLocation of type URL is HTTP or HTTPS, respectively
config.addShadowUserOnLogin Boolean Determines whether or not shadow users must be created before login by an administrator.
config.attributeMappings String Maps external attributes to the attribute names UAA recognizes.
config.attributeMappings.given_name String Map given_name to the attribute for given name in the provider assertion.
config.attributeMappings.family_name String Map family_name to the attribute for family name in the provider assertion.
config.attributeMappings.email String Map email to the attribute for email in the provider assertion.
config.attributeMappings.phone_number String Map phone_number to the attribute for phone number in the provider assertion.
version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
id String Unique identifier for this provider - GUID generated by the UAA
config.additionalConfiguration Object (Unused.)
identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
created Number UAA sets the creation date
last_modified Number UAA sets the modification date
config.idpEntityAlias String This will be set to originKey
config.zoneId String This will be set to the ID of the zone where the provider is being created

Error Codes

Error Code Description
403 Forbidden - Insufficient scope
409 Conflict - Provider with same origin and zone id exists
422 Unprocessable Entity - Invalid configuration
500 Internal Server Error

LDAP

LDAP supports several different configurations. The most common one is that authentication is done using a search and bind strategy. The available strategies for authentication, selected with config.ldapProfileFile, are

  • Simple bind (ldap/ldap-simple-bind.xml): the user's DN is built from userDNPattern, and UAA binds to the directory with that DN and the password the user supplied
  • Search and bind (ldap/ldap-search-and-bind.xml): UAA binds as bindUserDn, searches under userSearchBase with userSearchFilter for the user's entry, then binds again as the DN it found with the password the user supplied
  • Search and compare (ldap/ldap-search-and-compare.xml): UAA binds as bindUserDn, searches for the user's entry as above, then checks the supplied password against the attribute named by passwordAttributeName (locally, using passwordEncoder, when localPasswordCompare is true)

Group integration also supports different strategies, selected with config.ldapGroupFile

  • No groups (ldap/ldap-groups-null.xml): LDAP group membership is not read
  • Groups as scopes (ldap/ldap-groups-as-scopes.xml): each group found under groupSearchBase with groupSearchFilter becomes a UAA scope named by its groupRoleAttribute value
  • Groups mapped to scopes (ldap/ldap-groups-map-to-scopes.xml): LDAP groups are translated to UAA scopes through the external group mappings
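The following Python is an added example, not code from the UAA project or its documentation. It assembles the config object for each of the three authentication profiles described above (and shown in the LDAP Simple Bind, Search and Bind, and Search and Compare requests that follow) from the documented field names and defaults, and then audits a provider body for the settings that decide how bind passwords reach the directory: a plain ldap:// URL with tlsConfiguration "none", skipSSLVerification, and values outside the documented sets. The per-profile "required" field sets are an assumption inferred from which fields the worked requests leave null, not UAA's own validation; the email-resolution helper's fallback order (generated address only when the LDAP attribute is missing, unless mailSubstituteOverridesLdap is set) is likewise an assumption drawn from the field descriptions. Hostnames and DNs used when calling it are made up.

```python
"""Build and audit UAA LDAP identity-provider bodies (added example, not UAA code)."""
from __future__ import annotations

import copy
import re
from typing import Any

# Documented values of the two profile fields for POST /identity-providers, type "ldap".
PROFILES = {
    "simple-bind": "ldap/ldap-simple-bind.xml",
    "search-and-bind": "ldap/ldap-search-and-bind.xml",
    "search-and-compare": "ldap/ldap-search-and-compare.xml",
}
GROUP_FILES = {
    "none": "ldap/ldap-groups-null.xml",
    "as-scopes": "ldap/ldap-groups-as-scopes.xml",
    "map-to-scopes": "ldap/ldap-groups-map-to-scopes.xml",
}
TLS_MODES = {"none", "simple", "external"}
REFERRALS = {None, "follow", "ignore", "throw"}  # None leaves the documented default ("follow")

# Fields shared by every profile, with the defaults the documentation lists.
BASE_CONFIG: dict[str, Any] = {
    "emailDomain": None, "providerDescription": None, "externalGroupsWhitelist": [],
    "attributeMappings": {}, "addShadowUserOnLogin": True, "storeCustomAttributes": False,
    "baseUrl": "ldap://localhost:23389", "referral": None, "skipSSLVerification": False,
    "userDNPattern": None, "userDNPatternDelimiter": None, "bindUserDn": None, "bindPassword": None,
    "userSearchBase": None, "userSearchFilter": None, "passwordAttributeName": None,
    "passwordEncoder": None, "localPasswordCompare": None, "mailAttributeName": "mail",
    "mailSubstitute": None, "mailSubstituteOverridesLdap": False, "ldapGroupFile": GROUP_FILES["none"],
    "groupSearchBase": None, "groupSearchFilter": None, "groupsIgnorePartialResults": None,
    "autoAddGroups": True, "groupSearchSubTree": True, "maxGroupSearchDepth": 10,
    "groupRoleAttribute": None, "tlsConfiguration": "none",
}

# Assumption: fields that must be non-null per profile, inferred from the worked requests.
REQUIRED_BY_PROFILE = {
    PROFILES["simple-bind"]: ("userDNPattern",),
    PROFILES["search-and-bind"]: ("bindUserDn", "userSearchBase", "userSearchFilter"),
    PROFILES["search-and-compare"]: ("bindUserDn", "userSearchBase", "userSearchFilter",
                                     "passwordAttributeName"),
}


def ldap_provider(profile: str, **overrides: Any) -> dict[str, Any]:
    """Return a complete POST body for an LDAP provider that uses the named profile."""
    config = copy.deepcopy(BASE_CONFIG)
    config["ldapProfileFile"] = PROFILES[profile]
    config.update(overrides)
    return {"type": "ldap", "originKey": "ldap", "name": "ldap name", "active": True, "config": config}


def audit(provider: dict[str, Any]) -> list[str]:
    """Return findings for a provider body; an empty list means nothing was flagged."""
    c = provider["config"]
    findings: list[str] = []
    scheme = re.match(r"^(ldaps?)://", c.get("baseUrl") or "")
    if scheme is None:
        findings.append("baseUrl must start with ldap:// or ldaps://")
    elif scheme.group(1) == "ldap" and c.get("tlsConfiguration") == "none":
        # Every profile sends a bind password (the user's or bindPassword) to the
        # directory; on ldap:// without StartTLS it crosses the network in clear.
        findings.append("plaintext ldap:// with tlsConfiguration=none: bind passwords are sent unencrypted")
    if c.get("skipSSLVerification"):
        findings.append("skipSSLVerification=true: the directory certificate is not validated")
    if c.get("tlsConfiguration") not in TLS_MODES:
        findings.append("tlsConfiguration must be none, simple or external")
    if c.get("referral") not in REFERRALS:
        findings.append("referral must be follow, ignore or throw")
    profile = c.get("ldapProfileFile")
    if profile not in PROFILES.values():
        findings.append("ldapProfileFile is not one of the documented profiles")
    if c.get("ldapGroupFile") not in GROUP_FILES.values():
        findings.append("ldapGroupFile is not one of the documented group files")
    for field in REQUIRED_BY_PROFILE.get(profile, ()):
        if c.get(field) in (None, ""):
            findings.append(f"{field} is required for {profile}")
    if c.get("ldapGroupFile") in (GROUP_FILES["as-scopes"], GROUP_FILES["map-to-scopes"]):
        for field in ("groupSearchBase", "groupSearchFilter"):
            if c.get(field) in (None, ""):
                findings.append(f"{field} is required when groups are read from LDAP")
    return findings


def resolve_email(config: dict[str, Any], username: str, ldap_entry: dict[str, str]) -> str | None:
    """Email recorded for a user, following mailAttributeName, mailSubstitute and the override flag.

    Assumption: with mailSubstituteOverridesLdap false, the generated address is used
    only when the LDAP attribute is absent.
    """
    from_ldap = ldap_entry.get(config.get("mailAttributeName") or "mail")
    pattern = config.get("mailSubstitute")
    generated = pattern.replace("{0}", username) if pattern else None
    if generated and (config.get("mailSubstituteOverridesLdap") or not from_ldap):
        return generated
    return from_ldap
```

Calling `audit(ldap_provider("simple-bind", userDNPattern="cn={0},ou=Users,dc=test,dc=com"))` on the page's own simple-bind request flags the ldap:// URL without StartTLS; the same body with `baseUrl="ldaps://..."` or `tlsConfiguration="simple"` passes. The body returned by `ldap_provider` can be sent as the JSON payload of the POST /identity-providers requests shown below.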

LDAP Simple Bind

$ curl 'http://localhost/identity-providers' -i -X POST -H 'X-Identity-Zone-Subdomain: c2g4nkq4' -H 'Authorization: Bearer 23fce27108ad4ec0b89eb6696b96c300' -H 'Content-Type: application/json' -d '{
  "type" : "ldap",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
    "baseUrl" : "ldap://localhost:23389",
    "referral" : null,
    "skipSSLVerification" : false,
    "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
    "userDNPatternDelimiter" : ";",
    "bindUserDn" : null,
    "bindPassword" : null,
    "userSearchBase" : null,
    "userSearchFilter" : null,
    "passwordAttributeName" : null,
    "passwordEncoder" : null,
    "localPasswordCompare" : null,
    "mailAttributeName" : "mail",
    "mailSubstitute" : null,
    "mailSubstituteOverridesLdap" : false,
    "ldapGroupFile" : "ldap/ldap-groups-null.xml",
    "groupSearchBase" : null,
    "groupSearchFilter" : null,
    "groupsIgnorePartialResults" : null,
    "autoAddGroups" : true,
    "groupSearchSubTree" : true,
    "maxGroupSearchDepth" : 10,
    "groupRoleAttribute" : null,
    "tlsConfiguration" : "none"
  },
  "originKey" : "ldap",
  "name" : "ldap name",
  "active" : true
}'
POST /identity-providers HTTP/1.1
X-Identity-Zone-Subdomain: c2g4nkq4
Authorization: Bearer 23fce27108ad4ec0b89eb6696b96c300
Content-Type: application/json
Host: localhost
Content-Length: 1184

{
  "type" : "ldap",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
    "baseUrl" : "ldap://localhost:23389",
    "referral" : null,
    "skipSSLVerification" : false,
    "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
    "userDNPatternDelimiter" : ";",
    "bindUserDn" : null,
    "bindPassword" : null,
    "userSearchBase" : null,
    "userSearchFilter" : null,
    "passwordAttributeName" : null,
    "passwordEncoder" : null,
    "localPasswordCompare" : null,
    "mailAttributeName" : "mail",
    "mailSubstitute" : null,
    "mailSubstituteOverridesLdap" : false,
    "ldapGroupFile" : "ldap/ldap-groups-null.xml",
    "groupSearchBase" : null,
    "groupSearchFilter" : null,
    "groupsIgnorePartialResults" : null,
    "autoAddGroups" : true,
    "groupSearchSubTree" : true,
    "maxGroupSearchDepth" : 10,
    "groupRoleAttribute" : null,
    "tlsConfiguration" : "none"
  },
  "originKey" : "ldap",
  "name" : "ldap name",
  "active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1385

{
  "type" : "ldap",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
    "baseUrl" : "ldap://localhost:23389",
    "referral" : null,
    "skipSSLVerification" : false,
    "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
    "userDNPatternDelimiter" : ";",
    "bindUserDn" : null,
    "bindPassword" : null,
    "userSearchBase" : null,
    "userSearchFilter" : null,
    "passwordAttributeName" : null,
    "passwordEncoder" : null,
    "localPasswordCompare" : null,
    "mailAttributeName" : "mail",
    "mailSubstitute" : null,
    "mailSubstituteOverridesLdap" : false,
    "ldapGroupFile" : "ldap/ldap-groups-null.xml",
    "groupSearchBase" : null,
    "groupSearchFilter" : null,
    "groupsIgnorePartialResults" : null,
    "autoAddGroups" : true,
    "groupSearchSubTree" : true,
    "maxGroupSearchDepth" : 10,
    "groupRoleAttribute" : null,
    "tlsConfiguration" : "none"
  },
  "id" : "2681c338-79bc-4bdf-bcce-298de5fdcd09",
  "originKey" : "ldap",
  "name" : "ldap name",
  "version" : 0,
  "created" : 1488326080436,
  "last_modified" : 1488326080436,
  "active" : true,
  "identityZoneId" : "c2g4nkq4"
}

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

Request Parameters

Parameter Type Constraints Description
rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

Request Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required ldap
originKey String Required Origin key must be ldap for an LDAP provider
config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user’s email address
config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
  • follow → Referrals are followed
  • ignore → Referrals are ignored and the partial result is returned
  • throw → An error is thrown and the authentication is aborted
Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
config.attributeMappings String Optional Map external attribute to UAA recognized mappings.
config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.

Response Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required ldap
originKey String Required Origin key must be ldap for an LDAP provider
config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user’s email address
config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
  • follow → Referrals are followed
  • ignore → Referrals are ignored and the partial result is returned
  • throw → An error is thrown and the authentication is aborted
Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
config.attributeMappings String Optional Map external attribute to UAA recognized mappings.
config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.

Error Codes

Error Code Description
401 Unauthorized - Missing or invalid token
403 Forbidden - Insufficient scope
409 Conflict - Provider with same origin and zone id exists
422 Unprocessable Entity - Invalid configuration
500 Internal Server Error

LDAP Search and Bind

$ curl 'http://localhost/identity-providers' -i -X POST -H 'X-Identity-Zone-Subdomain: dfdsbc8k' -H 'Authorization: Bearer 477ec6eadf56415c9cd9eec7578ac2c1' -H 'Content-Type: application/json' -d '{
  "type" : "ldap",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
    "baseUrl" : "ldap://localhost:23389",
    "referral" : null,
    "skipSSLVerification" : false,
    "userDNPattern" : null,
    "userDNPatternDelimiter" : null,
    "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
    "bindPassword" : "adminsecret",
    "userSearchBase" : "dc=test,dc=com",
    "userSearchFilter" : "cn={0}",
    "passwordAttributeName" : null,
    "passwordEncoder" : null,
    "localPasswordCompare" : null,
    "mailAttributeName" : "mail",
    "mailSubstitute" : "{0}@my.org",
    "mailSubstituteOverridesLdap" : false,
    "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
    "groupSearchBase" : "ou=scopes,dc=test,dc=com",
    "groupSearchFilter" : "member={0}",
    "groupsIgnorePartialResults" : null,
    "autoAddGroups" : true,
    "groupSearchSubTree" : true,
    "maxGroupSearchDepth" : 3,
    "groupRoleAttribute" : null,
    "tlsConfiguration" : "none"
  },
  "originKey" : "ldap",
  "name" : "ldap name",
  "active" : true
}'
POST /identity-providers HTTP/1.1
X-Identity-Zone-Subdomain: dfdsbc8k
Authorization: Bearer 477ec6eadf56415c9cd9eec7578ac2c1
Content-Type: application/json
Host: localhost
Content-Length: 1262

{
  "type" : "ldap",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
    "baseUrl" : "ldap://localhost:23389",
    "referral" : null,
    "skipSSLVerification" : false,
    "userDNPattern" : null,
    "userDNPatternDelimiter" : null,
    "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
    "bindPassword" : "adminsecret",
    "userSearchBase" : "dc=test,dc=com",
    "userSearchFilter" : "cn={0}",
    "passwordAttributeName" : null,
    "passwordEncoder" : null,
    "localPasswordCompare" : null,
    "mailAttributeName" : "mail",
    "mailSubstitute" : "{0}@my.org",
    "mailSubstituteOverridesLdap" : false,
    "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
    "groupSearchBase" : "ou=scopes,dc=test,dc=com",
    "groupSearchFilter" : "member={0}",
    "groupsIgnorePartialResults" : null,
    "autoAddGroups" : true,
    "groupSearchSubTree" : true,
    "maxGroupSearchDepth" : 3,
    "groupRoleAttribute" : null,
    "tlsConfiguration" : "none"
  },
  "originKey" : "ldap",
  "name" : "ldap name",
  "active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1463

{
  "type" : "ldap",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
    "baseUrl" : "ldap://localhost:23389",
    "referral" : null,
    "skipSSLVerification" : false,
    "userDNPattern" : null,
    "userDNPatternDelimiter" : null,
    "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
    "bindPassword" : "adminsecret",
    "userSearchBase" : "dc=test,dc=com",
    "userSearchFilter" : "cn={0}",
    "passwordAttributeName" : null,
    "passwordEncoder" : null,
    "localPasswordCompare" : null,
    "mailAttributeName" : "mail",
    "mailSubstitute" : "{0}@my.org",
    "mailSubstituteOverridesLdap" : false,
    "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
    "groupSearchBase" : "ou=scopes,dc=test,dc=com",
    "groupSearchFilter" : "member={0}",
    "groupsIgnorePartialResults" : null,
    "autoAddGroups" : true,
    "groupSearchSubTree" : true,
    "maxGroupSearchDepth" : 3,
    "groupRoleAttribute" : null,
    "tlsConfiguration" : "none"
  },
  "id" : "7c80bea8-8a4f-4b01-adfe-1d0f526fc2c0",
  "originKey" : "ldap",
  "name" : "ldap name",
  "version" : 0,
  "created" : 1488326077480,
  "last_modified" : 1488326077480,
  "active" : true,
  "identityZoneId" : "dfdsbc8k"
}

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

Request Parameters

Parameter Type Constraints Description
rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

Request Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required ldap
originKey String Required Origin key must be ldap for an LDAP provider
config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user’s email address
config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
  • follow → Referrals are followed
  • ignore → Referrals are ignored and the partial result is returned
  • throw → An error is thrown and the authentication is aborted
Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
config.attributeMappings String Optional Map external attribute to UAA recognized mappings.
config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.

Response Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required ldap
originKey String Required Origin key must be ldap for an LDAP provider
config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user’s email address
config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
  • follow → Referrals are followed
  • ignore → Referrals are ignored and the partial result is returned
  • throw → An error is thrown and the authentication is aborted
Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
config.attributeMappings String Optional Map external attribute to UAA recognized mappings.
config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.

Error Codes

Error Code Description
401 Unauthorized - Missing or invalid token
403 Forbidden - Insufficient scope
409 Conflict - Provider with same origin and zone id exists
422 Unprocessable Entity - Invalid configuration
500 Internal Server Error

LDAP Search and Compare

$ curl 'http://localhost/identity-providers' -i -X POST -H 'X-Identity-Zone-Subdomain: fc8lbwp1' -H 'Authorization: Bearer d948458ba22a45dfa11e370ef28b7cd4' -H 'Content-Type: application/json' -d '{
  "type" : "ldap",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
    "baseUrl" : "ldap://localhost:23389",
    "referral" : null,
    "skipSSLVerification" : false,
    "userDNPattern" : null,
    "userDNPatternDelimiter" : null,
    "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
    "bindPassword" : "adminsecret",
    "userSearchBase" : "dc=test,dc=com",
    "userSearchFilter" : "cn={0}",
    "passwordAttributeName" : "userPassword",
    "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
    "localPasswordCompare" : true,
    "mailAttributeName" : "mail",
    "mailSubstitute" : null,
    "mailSubstituteOverridesLdap" : false,
    "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
    "groupSearchBase" : "ou=scopes,dc=test,dc=com",
    "groupSearchFilter" : "member={0}",
    "groupsIgnorePartialResults" : null,
    "autoAddGroups" : true,
    "groupSearchSubTree" : true,
    "maxGroupSearchDepth" : 3,
    "groupRoleAttribute" : "description",
    "tlsConfiguration" : "none"
  },
  "originKey" : "ldap",
  "name" : "ldap name",
  "active" : true
}'
POST /identity-providers HTTP/1.1
X-Identity-Zone-Subdomain: fc8lbwp1
Authorization: Bearer d948458ba22a45dfa11e370ef28b7cd4
Content-Type: application/json
Host: localhost
Content-Length: 1339

{
  "type" : "ldap",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
    "baseUrl" : "ldap://localhost:23389",
    "referral" : null,
    "skipSSLVerification" : false,
    "userDNPattern" : null,
    "userDNPatternDelimiter" : null,
    "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
    "bindPassword" : "adminsecret",
    "userSearchBase" : "dc=test,dc=com",
    "userSearchFilter" : "cn={0}",
    "passwordAttributeName" : "userPassword",
    "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
    "localPasswordCompare" : true,
    "mailAttributeName" : "mail",
    "mailSubstitute" : null,
    "mailSubstituteOverridesLdap" : false,
    "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
    "groupSearchBase" : "ou=scopes,dc=test,dc=com",
    "groupSearchFilter" : "member={0}",
    "groupsIgnorePartialResults" : null,
    "autoAddGroups" : true,
    "groupSearchSubTree" : true,
    "maxGroupSearchDepth" : 3,
    "groupRoleAttribute" : "description",
    "tlsConfiguration" : "none"
  },
  "originKey" : "ldap",
  "name" : "ldap name",
  "active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1540

{
  "type" : "ldap",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
    "baseUrl" : "ldap://localhost:23389",
    "referral" : null,
    "skipSSLVerification" : false,
    "userDNPattern" : null,
    "userDNPatternDelimiter" : null,
    "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
    "bindPassword" : "adminsecret",
    "userSearchBase" : "dc=test,dc=com",
    "userSearchFilter" : "cn={0}",
    "passwordAttributeName" : "userPassword",
    "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
    "localPasswordCompare" : true,
    "mailAttributeName" : "mail",
    "mailSubstitute" : null,
    "mailSubstituteOverridesLdap" : false,
    "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
    "groupSearchBase" : "ou=scopes,dc=test,dc=com",
    "groupSearchFilter" : "member={0}",
    "groupsIgnorePartialResults" : null,
    "autoAddGroups" : true,
    "groupSearchSubTree" : true,
    "maxGroupSearchDepth" : 3,
    "groupRoleAttribute" : "description",
    "tlsConfiguration" : "none"
  },
  "id" : "33578ede-19d5-44cf-9540-eb1d206ccb97",
  "originKey" : "ldap",
  "name" : "ldap name",
  "version" : 0,
  "created" : 1488326079302,
  "last_modified" : 1488326079302,
  "active" : true,
  "identityZoneId" : "fc8lbwp1"
}

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

Request Parameters

Parameter Type Constraints Description
rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

Request Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required ldap
originKey String Required Origin key must be ldap for an LDAP provider
config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user’s email address
config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
  • follow → Referrals are followed
  • ignore → Referrals are ignored and the partial result is returned
  • throw → An error is thrown and the authentication is aborted
Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
config.attributeMappings String Optional Map external attribute to UAA recognized mappings.
config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.

Response Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required ldap
originKey String Required Origin key must be ldap for an LDAP provider
config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-no-groups.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user’s email address
config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
  • follow → Referrals are followed
  • ignore → Referrals are ignored and the partial result is returned
  • throw → An error is thrown and the authentication is aborted
Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
config.attributeMappings String Optional Map external attribute to UAA recognized mappings.
config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.

Error Codes

Error Code Description
401 Unauthorized - Missing or invalid token
403 Forbidden - Insufficient scope
409 Conflict - Provider with same origin and zone id exists
422 Unprocessable Entity - Invalid configuration
500 Internal Server Error

OAuth/OIDC

$ curl 'http://localhost/identity-providers' -i -X POST -H 'Authorization: Bearer 5df8f18435f543cdb185551217eafb4e' -H 'Content-Type: application/json' -d '{
  "type" : "oauth2.0",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "authUrl" : "http://auth.url",
    "tokenUrl" : "http://token.url",
    "tokenKeyUrl" : null,
    "tokenKey" : "token-key",
    "linkText" : null,
    "showLinkText" : false,
    "skipSslValidation" : false,
    "relyingPartyId" : "uaa",
    "relyingPartySecret" : "secret",
    "scopes" : null,
    "issuer" : null,
    "responseType" : "code"
  },
  "originKey" : "my-oauth2-provider",
  "name" : "UAA Provider",
  "active" : true
}'
POST /identity-providers HTTP/1.1
Authorization: Bearer 5df8f18435f543cdb185551217eafb4e
Content-Type: application/json
Host: localhost
Content-Length: 641

{
  "type" : "oauth2.0",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "authUrl" : "http://auth.url",
    "tokenUrl" : "http://token.url",
    "tokenKeyUrl" : null,
    "tokenKey" : "token-key",
    "linkText" : null,
    "showLinkText" : false,
    "skipSslValidation" : false,
    "relyingPartyId" : "uaa",
    "relyingPartySecret" : "secret",
    "scopes" : null,
    "issuer" : null,
    "responseType" : "code"
  },
  "originKey" : "my-oauth2-provider",
  "name" : "UAA Provider",
  "active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 902

{
  "type" : "oauth2.0",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "authUrl" : "http://auth.url",
    "tokenUrl" : "http://token.url",
    "tokenKeyUrl" : null,
    "tokenKey" : "token-key",
    "linkText" : null,
    "showLinkText" : false,
    "skipSslValidation" : false,
    "relyingPartyId" : "uaa",
    "relyingPartySecret" : "secret",
    "scopes" : null,
    "issuer" : null,
    "responseType" : "code",
    "checkTokenUrl" : null
  },
  "id" : "82df2665-8068-41b3-bdb3-5d44593b4582",
  "originKey" : "my-oauth2-provider",
  "name" : "UAA Provider",
  "version" : 0,
  "created" : 1488326078640,
  "last_modified" : 1488326078640,
  "active" : true,
  "identityZoneId" : "uaa"
}

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

Request Parameters

Parameter Type Constraints Description
rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

Request Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required "oauth2.0"
originKey String Required A unique alias for an OAuth provider
config.authUrl String Required The OAuth 2.0 authorization endpoint URL
config.tokenUrl String Required The OAuth 2.0 token endpoint URL
config.tokenKeyUrl String Optional The URL of the token key endpoint which renders a verification key for validating token signatures
config.tokenKey String Optional A verification key for validating token signatures, set to null if a tokenKeyUrl is provided.
config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider’s login will be shown on the UAA login page
config.linkText String Optional Text to use for the login link to the provider
config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
config.relyingPartySecret String Required The client secret of the relying party at the external OAuth provider
config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
config.scopes Array Optional What scopes to request on a call to the external OAuth provider
config.checkTokenUrl Object Optional Reserved for future OAuth use.
config.responseType String Optional (defaults to "code") Response type for the authorize request, will be sent to OAuth server, defaults to code
config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether or not shadow users must be created before login by an administrator.
config.attributeMappings.external_groups Object Optional Map external_groups to the attribute for groups in the provider assertion.
config.attributeMappings String Optional Map external attribute to UAA recognized mappings.
config.attributeMappings.user_name String Optional (defaults to "preferred_username") Map user_name to the attribute for username in the provider assertion.
config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.

Response Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required "oauth2.0"
originKey String Required A unique alias for an OAuth provider
config.authUrl String Required The OAuth 2.0 authorization endpoint URL
config.tokenUrl String Required The OAuth 2.0 token endpoint URL
config.tokenKeyUrl String Optional The URL of the token key endpoint which renders a verification key for validating token signatures
config.tokenKey String Optional A verification key for validating token signatures, set to null if a tokenKeyUrl is provided.
config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider’s login will be shown on the UAA login page
config.linkText String Optional Text to use for the login link to the provider
config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
config.relyingPartySecret String Required The client secret of the relying party at the external OAuth provider
config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
config.scopes Array Optional What scopes to request on a call to the external OAuth provider
config.checkTokenUrl Object Optional Reserved for future OAuth use.
config.responseType String Optional (defaults to "code") Response type for the authorize request, will be sent to OAuth server, defaults to code
config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether or not shadow users must be created before login by an administrator.
config.attributeMappings.external_groups Object Optional Map external_groups to the attribute for groups in the provider assertion.
config.attributeMappings String Optional Map external attribute to UAA recognized mappings.
config.attributeMappings.user_name String Optional (defaults to "preferred_username") Map user_name to the attribute for username in the provider assertion.
config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.

Error Codes

Error Code Description
403 Forbidden - Insufficient scope
409 Conflict - Provider with same origin and zone id exists
422 Unprocessable Entity - Invalid configuration
500 Internal Server Error

$ curl 'http://localhost/identity-providers' -i -X POST -H 'Authorization: Bearer 1748ddbce78e47ada0e97fe3604aef5b' -H 'Content-Type: application/json' -d '{
  "type" : "oidc1.0",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "authUrl" : null,
    "tokenUrl" : null,
    "tokenKeyUrl" : null,
    "tokenKey" : null,
    "linkText" : null,
    "showLinkText" : false,
    "skipSslValidation" : true,
    "relyingPartyId" : "uaa",
    "relyingPartySecret" : "secret",
    "scopes" : null,
    "issuer" : null,
    "responseType" : "code",
    "userInfoUrl" : null,
    "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration"
  },
  "originKey" : "my-oidc-provider-ucesfv",
  "name" : "UAA Provider",
  "active" : true
}'
POST /identity-providers HTTP/1.1
Authorization: Bearer 1748ddbce78e47ada0e97fe3604aef5b
Content-Type: application/json
Host: localhost
Content-Length: 721

{
  "type" : "oidc1.0",
  "config" : {
    "emailDomain" : null,
    "providerDescription" : null,
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "authUrl" : null,
    "tokenUrl" : null,
    "tokenKeyUrl" : null,
    "tokenKey" : null,
    "linkText" : null,
    "showLinkText" : false,
    "skipSslValidation" : true,
    "relyingPartyId" : "uaa",
    "relyingPartySecret" : "secret",
    "scopes" : null,
    "issuer" : null,
    "responseType" : "code",
    "userInfoUrl" : null,
    "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration"
  },
  "originKey" : "my-oidc-provider-ucesfv",
  "name" : "UAA Provider",
  "active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 954

{
  "type" : "oidc1.0",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "authUrl" : null,
    "tokenUrl" : null,
    "tokenKeyUrl" : null,
    "tokenKey" : null,
    "linkText" : null,
    "showLinkText" : false,
    "skipSslValidation" : true,
    "relyingPartyId" : "uaa",
    "relyingPartySecret" : "secret",
    "scopes" : null,
    "issuer" : null,
    "responseType" : "code",
    "userInfoUrl" : null,
    "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration"
  },
  "id" : "18904203-2eb8-4bda-93d3-55e87765ac87",
  "originKey" : "my-oidc-provider-ucesfv",
  "name" : "UAA Provider",
  "version" : 0,
  "created" : 1488326078700,
  "last_modified" : 1488326078700,
  "active" : true,
  "identityZoneId" : "uaa"
}

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

Request Parameters

Parameter Type Constraints Description
rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

Request Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required "oidc1.0"
originKey String Required A unique alias for the OIDC 1.0 provider
config.discoveryUrl String Optional The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configuration
config.authUrl String Required The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
config.tokenUrl String Required The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
config.tokenKeyUrl String Optional The URL of the token key endpoint which renders a verification key for validating token signatures. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
config.tokenKey String Optional A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider’s login will be shown on the UAA login page
config.linkText String Optional Text to use for the login link to the provider
config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
config.relyingPartySecret String Required The client secret of the relying party at the external OAuth provider
config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
config.scopes Array Optional What scopes to request on a call to the external OAuth/OpenID provider. For example, openid requests an ID token, roles requests the groups claim in the ID token that the external_groups attribute mapping reads, and profile requests the user profile information.
config.checkTokenUrl Object Optional Reserved for future OAuth/OIDC use.
config.userInfoUrl Object Optional Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
config.responseType String Optional (defaults to "code") Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether or not shadow users must be created before login by an administrator.
config.attributeMappings.external_groups Object Optional Map external_groups to the attribute for groups in the provider assertion.
config.attributeMappings String Optional Map external attribute to UAA recognized mappings.
config.attributeMappings.user_name String Optional (defaults to "preferred_username") Map user_name to the attribute for username in the provider assertion.
config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.

Response Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required "oidc1.0"
originKey String Required A unique alias for the OIDC 1.0 provider
config.discoveryUrl String Optional The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configuration
config.authUrl String Required The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
config.tokenUrl String Required The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
config.tokenKeyUrl String Optional The URL of the token key endpoint which renders a verification key for validating token signatures. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
config.tokenKey String Optional A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider’s login will be shown on the UAA login page
config.linkText String Optional Text to use for the login link to the provider
config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
config.relyingPartySecret String Required The client secret of the relying party at the external OAuth provider
config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
config.scopes Array Optional What scopes to request on a call to the external OAuth/OpenID provider. For example, openid requests an ID token, roles requests the groups claim in the ID token that the external_groups attribute mapping reads, and profile requests the user profile information.
config.checkTokenUrl Object Optional Reserved for future OAuth/OIDC use.
config.userInfoUrl Object Optional Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
config.responseType String Optional (defaults to "code") Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether or not shadow users must be created before login by an administrator.
config.attributeMappings.external_groups Object Optional Map external_groups to the attribute for groups in the provider assertion.
config.attributeMappings String Optional Map external attribute to UAA recognized mappings.
config.attributeMappings.user_name String Optional (defaults to "preferred_username") Map user_name to the attribute for username in the provider assertion.
config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.

Error Codes

Error Code Description
403 Forbidden - Insufficient scope
409 Conflict - Provider with same origin and zone id exists
422 Unprocessable Entity - Invalid configuration
500 Internal Server Error
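The oauth2.0 and oidc1.0 field tables above leave the endpoint precedence implicit: authUrl, tokenUrl, tokenKeyUrl, userInfoUrl and issuer may be blank when a discoveryUrl is set, an explicitly set property overrides the discovery document, and tokenKey must be null when a tokenKeyUrl is provided. The following script is an added example, not code from the UAA documentation or project; it resolves the endpoints a given config would end up using and reports where token signatures would be verified from. The discovery document and the config are constructed inline (example.test hostnames, a placeholder secret) so that it runs offline; a deployment would fetch the document from config["discoveryUrl"] over TLS.

```python
"""Resolve the endpoints UAA would actually use for an oauth2.0 or oidc1.0
identity-provider config.

Added example, not UAA's own code. It encodes the precedence rule stated in
the field tables above: authUrl, tokenUrl, tokenKeyUrl, userInfoUrl and
issuer may be left blank when discoveryUrl is set, and an explicitly set
property overrides the value found in the discovery document. The discovery
document is constructed inline so the example runs offline; a deployment
would fetch it from config["discoveryUrl"] over TLS.
"""

# Constructed sample: the subset of an OpenID Connect discovery document that
# the resolver needs (key names are those of OpenID Connect Discovery 1.0).
SAMPLE_DISCOVERY_DOC = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
}

# Constructed config in the shape of the oidc1.0 create request above. tokenUrl
# is set explicitly to show that it overrides the discovery value; every other
# endpoint is left null so that discovery supplies it.
SAMPLE_OIDC_CONFIG = {
    "discoveryUrl": "https://idp.example.test/.well-known/openid-configuration",
    "authUrl": None,
    "tokenUrl": "https://idp.example.test/legacy/token",
    "tokenKeyUrl": None,
    "tokenKey": None,
    "userInfoUrl": None,
    "issuer": None,
    "relyingPartyId": "uaa",
    "relyingPartySecret": "placeholder-secret",  # placeholder, not a real secret
    "responseType": "code",
}

# UAA config property -> discovery-document key used when the property is blank.
DISCOVERY_FALLBACK = {
    "authUrl": "authorization_endpoint",
    "tokenUrl": "token_endpoint",
    "tokenKeyUrl": "jwks_uri",
    "userInfoUrl": "userinfo_endpoint",
    "issuer": "issuer",
}

# Endpoints the field tables mark Required (directly or via discovery).
REQUIRED = ("authUrl", "tokenUrl")


def resolve_endpoints(config, discovery_doc=None):
    """Return the effective value of each property in DISCOVERY_FALLBACK.

    Raises ValueError when discoveryUrl is set without a discovery document
    or when a required endpoint cannot be determined from either source.
    """
    if config.get("discoveryUrl") and discovery_doc is None:
        raise ValueError("discoveryUrl is set but no discovery document was supplied")

    effective = {}
    for prop, disc_key in DISCOVERY_FALLBACK.items():
        explicit = config.get(prop)
        if explicit:                      # explicit property wins
            effective[prop] = explicit
        elif discovery_doc is not None:   # blank: fall back to discovery
            effective[prop] = discovery_doc.get(disc_key)
        else:
            effective[prop] = None

    missing = [prop for prop in REQUIRED if not effective[prop]]
    if missing:
        raise ValueError("cannot determine required endpoint(s): " + ", ".join(missing))
    return effective


def verification_key_source(config, effective):
    """Report where token signatures will be verified from.

    Returns 'tokenKey', 'tokenKeyUrl' or None. The table says tokenKey must
    be null when a tokenKeyUrl is provided, so setting both is an error. An
    explicit tokenKey next to a discovery-supplied jwks_uri is treated like
    any other explicit property (it wins); that reading is an assumption.
    """
    if config.get("tokenKey") and config.get("tokenKeyUrl"):
        raise ValueError("tokenKey must be null when tokenKeyUrl is provided")
    if config.get("tokenKey"):
        return "tokenKey"
    if effective.get("tokenKeyUrl"):
        return "tokenKeyUrl"
    return None


if __name__ == "__main__":
    resolved = resolve_endpoints(SAMPLE_OIDC_CONFIG, SAMPLE_DISCOVERY_DOC)
    for prop, value in resolved.items():
        print(f"{prop:12} -> {value}")
    print("signature keys from:", verification_key_source(SAMPLE_OIDC_CONFIG, resolved))
```

Running it against a config that has neither a discoveryUrl nor an explicit tokenUrl raises rather than silently producing a provider that cannot exchange codes; the same shape is useful as a pre-flight check before the POST, since the 422 returned by UAA carries less detail about which property was missing.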

Retrieve All

$ curl 'http://localhost/identity-providers?rawConfig=true' -i -H 'Authorization: Bearer 19a4272d1a804d84a677ab41aff68057' -H 'Content-Type: application/json'
GET /identity-providers?rawConfig=true HTTP/1.1
Authorization: Bearer 19a4272d1a804d84a677ab41aff68057
Content-Type: application/json
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 5885

[ {
  "type" : "saml",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
    "idpEntityAlias" : "SAML",
    "zoneId" : "uaa",
    "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "assertionConsumerIndex" : 0,
    "metadataTrustCheck" : false,
    "showSamlLink" : false,
    "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
    "iconUrl" : null,
    "groupMappingMode" : "EXPLICITLY_MAPPED",
    "skipSslValidation" : false,
    "socketFactoryClassName" : null
  },
  "id" : "ff83614d-9f8d-47fb-bd97-fe985e1ce59a",
  "originKey" : "SAML",
  "name" : "SAML name",
  "version" : 0,
  "created" : 1488326076942,
  "last_modified" : 1488326076942,
  "active" : true,
  "identityZoneId" : "uaa"
}, {
  "type" : "keystone",
  "config" : null,
  "id" : "9803c2c2-72ff-49cd-beaf-38b78ecc6332",
  "originKey" : "keystone",
  "name" : "keystone",
  "version" : 1,
  "created" : 946684800000,
  "last_modified" : 1488326058973,
  "active" : false,
  "identityZoneId" : "uaa"
}, {
  "type" : "ldap",
  "config" : null,
  "id" : "c26e0159-9070-498e-8002-460754b7c7f1",
  "originKey" : "ldap",
  "name" : "ldap",
  "version" : 1,
  "created" : 946684800000,
  "last_modified" : 1488326059230,
  "active" : false,
  "identityZoneId" : "uaa"
}, {
  "type" : "login-server",
  "config" : null,
  "id" : "e1622bab-386c-4d40-aa06-61f3aad96e37",
  "originKey" : "login-server",
  "name" : "login-server",
  "version" : 1,
  "created" : 946684800000,
  "last_modified" : 1488326059245,
  "active" : false,
  "identityZoneId" : "uaa"
}, {
  "type" : "oauth2.0",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "authUrl" : "http://auth.url",
    "tokenUrl" : "http://token.url",
    "tokenKeyUrl" : null,
    "tokenKey" : "token-key",
    "linkText" : null,
    "showLinkText" : false,
    "skipSslValidation" : false,
    "relyingPartyId" : "uaa",
    "relyingPartySecret" : "secret",
    "scopes" : null,
    "issuer" : null,
    "responseType" : "code",
    "checkTokenUrl" : null
  },
  "id" : "82df2665-8068-41b3-bdb3-5d44593b4582",
  "originKey" : "my-oauth2-provider",
  "name" : "UAA Provider",
  "version" : 0,
  "created" : 1488326078640,
  "last_modified" : 1488326078640,
  "active" : true,
  "identityZoneId" : "uaa"
}, {
  "type" : "oidc1.0",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "authUrl" : null,
    "tokenUrl" : null,
    "tokenKeyUrl" : null,
    "tokenKey" : null,
    "linkText" : null,
    "showLinkText" : false,
    "skipSslValidation" : true,
    "relyingPartyId" : "uaa",
    "relyingPartySecret" : "secret",
    "scopes" : null,
    "issuer" : null,
    "responseType" : "code",
    "userInfoUrl" : null,
    "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration"
  },
  "id" : "18904203-2eb8-4bda-93d3-55e87765ac87",
  "originKey" : "my-oidc-provider-ucesfv",
  "name" : "UAA Provider",
  "version" : 0,
  "created" : 1488326078700,
  "last_modified" : 1488326078700,
  "active" : true,
  "identityZoneId" : "uaa"
}, {
  "type" : "uaa",
  "config" : null,
  "id" : "8cb905e7-fa54-4e4c-a4f6-9358936c5861",
  "originKey" : "uaa",
  "name" : "uaa",
  "version" : 3,
  "created" : 946684800000,
  "last_modified" : 1488326078784,
  "active" : true,
  "identityZoneId" : "uaa"
} ]

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone.

Request Parameters

Parameter Type Constraints Description
rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

Response Fields

Path Type Description
[].type String Type of the identity provider.
[].originKey String Unique identifier for the identity provider.
[].name String Human-readable name for this provider
[].config Varies Json config for the Identity Provider
[].version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
[].active Boolean Defaults to true.
[].id String Unique identifier for this provider - GUID generated by the UAA
[].identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
[].created Number UAA sets the creation date
[].last_modified Number UAA sets the modification date

Error Codes

Error Code Description
403 Forbidden - Insufficient scope
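The Authorization and X-Identity-Zone-Id rows above describe a zone-aware rule: zone-qualified scopes name the zone they apply to, while the plain uaa.admin and idps.read scopes only count in the zone the caller is a user of, and the zone switch header only works when the request is made against the default zone. The following Python model of that rule is an added example, not UAA's own code; the function names are hypothetical, and the check that a token is only accepted by the zone that issued it is an assumption beyond the table text.

```python
DEFAULT_ZONE = "uaa"


def target_zone(request_zone, zone_switch_header=None):
    """Zone a request administers. Per the header table, X-Identity-Zone-Id only
    switches zones when the request is made against the default UAA zone; sent to
    any other zone it is ignored and the request stays in that zone."""
    if zone_switch_header and request_zone == DEFAULT_ZONE:
        return zone_switch_header
    return request_zone


def may_access_identity_providers(scopes, token_zone, request_zone, action,
                                  zone_switch_header=None):
    """Model of the Authorization rules in the /identity-providers header tables.

    scopes:       scopes carried by the bearer token
    token_zone:   zone that issued the token (the zone the caller is a user of)
    request_zone: zone addressed by the Host header
    action:       'read' for List/Retrieve, 'write' for Update/Delete/status
    """
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    scopes = set(scopes)
    # Assumption (not stated in the table): a token is only accepted by the zone
    # that issued it; other zones are reached with the switch header, not by
    # presenting the token against their Host.
    if token_zone != request_zone:
        return False
    zone = target_zone(request_zone, zone_switch_header)
    # Zone-qualified scopes name their zone explicitly, so they also work
    # through the zone switch header.
    if f"zones.{zone}.admin" in scopes or f"zones.{zone}.idps.{action}" in scopes:
        return True
    # uaa.admin administers its own zone and, from the default zone, any zone
    # selected with the header.
    if "uaa.admin" in scopes and (token_zone == zone or token_zone == DEFAULT_ZONE):
        return True
    # Plain idps.read / idps.write only count in the zone the caller belongs to.
    return f"idps.{action}" in scopes and token_zone == zone


if __name__ == "__main__":
    # Constructed cases: a default-zone user with idps.read listing providers in
    # the default zone, then trying to reach zone "zone-b" through the header.
    print(may_access_identity_providers({"idps.read"}, "uaa", "uaa", "read"))
    print(may_access_identity_providers({"idps.read"}, "uaa", "uaa", "read",
                                        zone_switch_header="zone-b"))
    print(may_access_identity_providers({"zones.zone-b.idps.read"}, "uaa", "uaa",
                                        "read", zone_switch_header="zone-b"))
```

The useful property to notice is that a token holding only idps.read or idps.write never crosses a zone boundary, even with the switch header set, which is what makes the zone-qualified scopes the right ones to hand to a cross-zone automation client.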

Retrieve

$ curl 'http://localhost/identity-providers/6a366161-eeb2-484a-b5ec-b3ca577dfbe8?rawConfig=true' -i -H 'Authorization: Bearer d1f5e433ab2e4abf82b4c80f9468446f' -H 'Content-Type: application/json'
GET /identity-providers/6a366161-eeb2-484a-b5ec-b3ca577dfbe8?rawConfig=true HTTP/1.1
Authorization: Bearer d1f5e433ab2e4abf82b4c80f9468446f
Content-Type: application/json
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2981

{
  "type" : "saml",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/saml-for-get\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
    "idpEntityAlias" : "saml-for-get",
    "zoneId" : "uaa",
    "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "assertionConsumerIndex" : 0,
    "metadataTrustCheck" : false,
    "showSamlLink" : false,
    "linkText" : "IDPEndpointsMockTests Saml Provider:saml-for-get",
    "iconUrl" : null,
    "groupMappingMode" : "EXPLICITLY_MAPPED",
    "skipSslValidation" : false,
    "socketFactoryClassName" : null
  },
  "id" : "6a366161-eeb2-484a-b5ec-b3ca577dfbe8",
  "originKey" : "saml-for-get",
  "name" : "saml-for-get name",
  "version" : 0,
  "created" : 1488326078502,
  "last_modified" : 1488326078502,
  "active" : true,
  "identityZoneId" : "uaa"
}

Path Parameters

/identity-providers/{id}

Parameter Description
id Unique identifier for this provider - GUID generated by the UAA

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone.

Request Parameters

Parameter Type Constraints Description
rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

Response Fields

Path Type Description
name String Human-readable name for this provider
config.providerDescription String Human readable name/description of this provider
config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Defaults to true.
config.addShadowUserOnLogin Boolean Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Type of the identity provider.
originKey String Unique identifier for the identity provider.
config Object Various configuration properties for the identity provider.
config.additionalConfiguration Object (Unused.)
version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
id String Unique identifier for this provider - GUID generated by the UAA
identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
created Number UAA sets the creation date
last_modified Number UAA sets the modification date

Error Codes

Error Code Description
403 Forbidden - Insufficient scope

Update

$ curl 'http://localhost/identity-providers/8cb905e7-fa54-4e4c-a4f6-9358936c5861' -i -X PUT -H 'Authorization: Bearer b12010e1916c4d028660c270655499d1' -H 'Content-Type: application/json' -d '{"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true}'
PUT /identity-providers/8cb905e7-fa54-4e4c-a4f6-9358936c5861 HTTP/1.1
Authorization: Bearer b12010e1916c4d028660c270655499d1
Content-Type: application/json
Host: localhost
Content-Length: 280

{"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true}
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 559

{
  "type" : "uaa",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "passwordPolicy" : null,
    "lockoutPolicy" : {
      "lockoutPeriodSeconds" : 8,
      "lockoutAfterFailures" : 8,
      "countFailuresWithin" : 8
    },
    "disableInternalUserManagement" : false
  },
  "id" : "8cb905e7-fa54-4e4c-a4f6-9358936c5861",
  "originKey" : "uaa",
  "name" : "uaa",
  "version" : 4,
  "created" : 946684800000,
  "last_modified" : 1488326080115,
  "active" : true,
  "identityZoneId" : "uaa"
}

Path Parameters

/identity-providers/{id}

Parameter Description
id Unique identifier for this provider - GUID generated by the UAA

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

Request Parameters

Parameter Type Constraints Description
rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

Request and Response Fields

Path Type Constraints Description
name String Required Human-readable name for this provider
config.providerDescription String Optional Human readable name/description of this provider
config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Optional Defaults to true.
config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Optional (defaults to false) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Required uaa
originKey String Required A unique identifier for the IDP. Cannot be updated.
version Number Required Version of the identity provider data. Clients can use this to protect against conflicting updates
config.passwordPolicy.minLength Number Required when passwordPolicy in the config is not null Minimum number of characters required for password to be considered valid (defaults to 0).
config.passwordPolicy.maxLength Number Required when passwordPolicy in the config is not null Maximum number of characters allowed for a password to be considered valid (defaults to 255).
config.passwordPolicy.requireUpperCaseCharacter Number Required when passwordPolicy in the config is not null Minimum number of uppercase characters required for password to be considered valid (defaults to 0).
config.passwordPolicy.requireLowerCaseCharacter Number Required when passwordPolicy in the config is not null Minimum number of lowercase characters required for password to be considered valid (defaults to 0).
config.passwordPolicy.requireDigit Number Required when passwordPolicy in the config is not null Minimum number of digits required for password to be considered valid (defaults to 0).
config.passwordPolicy.requireSpecialCharacter Number Required when passwordPolicy in the config is not null Minimum number of special characters required for password to be considered valid (defaults to 0).
config.passwordPolicy.expirePasswordInMonths Number Required when passwordPolicy in the config is not null Number of months after which current password expires (defaults to 0).
config.passwordPolicy.passwordNewerThan Number Required when passwordPolicy in the config is not null This timestamp value can be used to force change password for every user. If the user’s passwordLastModified is older than this value, the password is expired (defaults to null).
config.lockoutPolicy.lockoutPeriodSeconds Number Required when LockoutPolicy in the config is not null Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked (defaults to 3600).
config.lockoutPolicy.lockoutAfterFailures Number Required when LockoutPolicy in the config is not null Number of allowed failures before account is locked (defaults to 5).
config.lockoutPolicy.countFailuresWithin Number Required when LockoutPolicy in the config is not null Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded (defaults to 300).
config.disableInternalUserManagement Boolean Optional When set to true, user management is disabled for this provider, defaults to false

Error Codes

Error Code Description
403 Forbidden - Insufficient scope
422 Unprocessable Entity - Invalid config

Delete

$ curl 'http://localhost/identity-providers/730c9e2d-263d-4ad5-9a72-32f03ce77ccd' -i -X DELETE -H 'Authorization: Bearer 59c1fecc08c3412bb2991196d6fda91f' -H 'Content-Type: application/json'
DELETE /identity-providers/730c9e2d-263d-4ad5-9a72-32f03ce77ccd HTTP/1.1
Authorization: Bearer 59c1fecc08c3412bb2991196d6fda91f
Content-Type: application/json
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2996

{
  "type" : "saml",
  "config" : {
    "emailDomain" : null,
    "additionalConfiguration" : null,
    "providerDescription" : null,
    "externalGroupsWhitelist" : [ ],
    "attributeMappings" : { },
    "addShadowUserOnLogin" : true,
    "storeCustomAttributes" : false,
    "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/saml-for-delete\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
    "idpEntityAlias" : "saml-for-delete",
    "zoneId" : "uaa",
    "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "assertionConsumerIndex" : 0,
    "metadataTrustCheck" : false,
    "showSamlLink" : false,
    "linkText" : "IDPEndpointsMockTests Saml Provider:saml-for-delete",
    "iconUrl" : null,
    "groupMappingMode" : "EXPLICITLY_MAPPED",
    "skipSslValidation" : false,
    "socketFactoryClassName" : null
  },
  "id" : "730c9e2d-263d-4ad5-9a72-32f03ce77ccd",
  "originKey" : "saml-for-delete",
  "name" : "saml-for-delete name",
  "version" : 0,
  "created" : 1488326080046,
  "last_modified" : 1488326080046,
  "active" : true,
  "identityZoneId" : "uaa"
}

Path Parameters

/identity-providers/{id}

Parameter Description
id Unique identifier for this provider - GUID generated by the UAA

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

Request Parameters

Parameter Type Constraints Description
rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

Response Fields

Path Type Description
name String Human-readable name for this provider
config.providerDescription String Human readable name/description of this provider
config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
active Boolean Defaults to true.
config.addShadowUserOnLogin Boolean Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
type String Type of the identity provider.
originKey String Unique identifier for the identity provider.
config Object Various configuration properties for the identity provider.
config.additionalConfiguration Object (Unused.)
version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
id String Unique identifier for this provider - GUID generated by the UAA
identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
created Number UAA sets the creation date
last_modified Number UAA sets the modification date

Error Codes

Error Code Description
403 Forbidden - Insufficient scope
422 Unprocessable Entity

Force password change for Users

$ curl 'http://localhost/identity-providers/8cb905e7-fa54-4e4c-a4f6-9358936c5861/status' -i -X PATCH -H 'Authorization: Bearer 952b8d8b3bb04df48fbaf2aa1e2509c1' -H 'Content-Type: application/json' -d '{"requirePasswordChange":true}'
PATCH /identity-providers/8cb905e7-fa54-4e4c-a4f6-9358936c5861/status HTTP/1.1
Authorization: Bearer 952b8d8b3bb04df48fbaf2aa1e2509c1
Content-Type: application/json
Host: localhost
Content-Length: 30

{"requirePasswordChange":true}
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 36

{
  "requirePasswordChange" : true
}

Path Parameters

/identity-providers/{id}/status

Parameter Description
id Unique identifier for this provider - GUID generated by the UAA

Request Headers

Name Description
Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

Request and Response Fields

Path Type Constraints Description
requirePasswordChange Boolean Required Set to true in order to force password change for all users. The passwordNewerThan property in PasswordPolicy of the IdentityProvider will be updated with current system time. If the user’s passwordLastModified is older than this value, the password is expired.

Error Codes

Error Code Description
403 Forbidden - Insufficient scope
422 Unprocessable Entity - Invalid config
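The Update field table above lists which passwordPolicy fields must be present once the policy object is non-null, along with their defaults, and says that version is what a client uses to protect against conflicting updates; the status endpoint above then moves passwordNewerThan to the current system time so that every older password is expired. The following Python block is an added example, not UAA's own code, that models those rules on the client side. Its function names are hypothetical; treating any non-alphanumeric character as a "special character", rejecting a stale version in apply_update, and leaving expirePasswordInMonths unmodelled are assumptions; the sample provider is constructed after the uaa provider shown in the Update response.

```python
import time

# Fields the Update endpoint requires whenever config.passwordPolicy is not null,
# with the defaults given in the field table.
PASSWORD_POLICY_DEFAULTS = {
    "minLength": 0,
    "maxLength": 255,
    "requireUpperCaseCharacter": 0,
    "requireLowerCaseCharacter": 0,
    "requireDigit": 0,
    "requireSpecialCharacter": 0,
    "expirePasswordInMonths": 0,
    "passwordNewerThan": None,
}


def complete_password_policy(policy):
    """Fill in every required passwordPolicy field and reject unknown keys.
    None stays None: the endpoint accepts a null policy."""
    if policy is None:
        return None
    unknown = set(policy) - set(PASSWORD_POLICY_DEFAULTS)
    if unknown:
        raise ValueError(f"unknown passwordPolicy fields: {sorted(unknown)}")
    return {**PASSWORD_POLICY_DEFAULTS, **policy}


def password_violations(password, policy):
    """Return the policy rules a candidate password breaks (empty list = compliant).
    Assumption: a 'special character' is any non-alphanumeric character."""
    policy = complete_password_policy(policy) or PASSWORD_POLICY_DEFAULTS
    counts = {
        "requireUpperCaseCharacter": sum(c.isupper() for c in password),
        "requireLowerCaseCharacter": sum(c.islower() for c in password),
        "requireDigit": sum(c.isdigit() for c in password),
        "requireSpecialCharacter": sum(not c.isalnum() for c in password),
    }
    violations = []
    if len(password) < policy["minLength"]:
        violations.append("minLength")
    if len(password) > policy["maxLength"]:
        violations.append("maxLength")
    for rule, have in counts.items():
        if have < policy[rule]:
            violations.append(rule)
    return violations


def password_expired(password_last_modified_ms, policy):
    """passwordNewerThan semantics from the table: a password last modified before
    that timestamp (epoch milliseconds, the unit UAA uses for dates) is expired."""
    policy = complete_password_policy(policy)
    newer_than = policy and policy["passwordNewerThan"]
    return newer_than is not None and password_last_modified_ms < newer_than


def force_password_change(provider, now_ms=None):
    """Local model of PATCH /identity-providers/{id}/status with
    {"requirePasswordChange": true}: passwordNewerThan becomes the current
    system time. Returns an updated copy of the provider."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    updated = {**provider, "config": {**provider["config"]}}
    policy = (complete_password_policy(updated["config"].get("passwordPolicy"))
              or dict(PASSWORD_POLICY_DEFAULTS))
    policy["passwordNewerThan"] = now_ms
    updated["config"]["passwordPolicy"] = policy
    return updated


def build_update(current, config):
    """Body for PUT /identity-providers/{id}: carries over the immutable originKey
    and the version that was read, so a concurrent change can be detected."""
    config = dict(config)
    if "passwordPolicy" in config:
        config["passwordPolicy"] = complete_password_policy(config["passwordPolicy"])
    return {
        "type": current["type"],
        "originKey": current["originKey"],
        "name": current["name"],
        "version": current["version"],
        "active": current.get("active", True),
        "config": config,
    }


def apply_update(stored, body):
    """Server-side view of the version check (assumed behaviour: the page only says
    clients use version to protect against conflicting updates). A body whose
    version no longer matches the stored record is a lost-update attempt."""
    if body["version"] != stored["version"]:
        raise ValueError("stale version: re-read the provider and retry")
    if body["originKey"] != stored["originKey"]:
        raise ValueError("originKey cannot be updated")
    return {**stored, "config": body["config"], "name": body["name"],
            "active": body["active"], "version": stored["version"] + 1}


# Constructed sample, shaped like the uaa provider in the Update response above.
SAMPLE_PROVIDER = {
    "type": "uaa", "originKey": "uaa", "name": "uaa", "version": 3, "active": True,
    "config": {"passwordPolicy": None,
               "lockoutPolicy": {"lockoutPeriodSeconds": 8,
                                 "lockoutAfterFailures": 8,
                                 "countFailuresWithin": 8}},
}

if __name__ == "__main__":
    body = build_update(SAMPLE_PROVIDER, {"passwordPolicy": {"minLength": 12}})
    stored = apply_update(SAMPLE_PROVIDER, body)
    print(stored["version"], password_violations("short", body["config"]["passwordPolicy"]))
    forced = force_password_change(stored)
    print(password_expired(stored.get("created", 0), forced["config"]["passwordPolicy"]))
```

Note that complete_password_policy never sends a partial policy: once passwordPolicy is non-null the endpoint expects every field, so the client fills the documented defaults rather than letting the request fail with 422.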

Service Providers

UAA can act as a SAML Identity Provider (IdP). When UAA receives a SAML authentication request from a recognized SAML Service Provider (SP), it authenticates the user and then sends a SAML authentication response back to the SP. If UAA successfully authenticated the user, the SAML authentication response contains a SAML assertion, as the specification requires.

Obtaining the UAA SAML IdP metadata:

To establish trust, a SAML IdP and a SAML SP exchange SAML metadata, which contains their public certificates as well as the endpoints they use to communicate with each other. Your SAML SP will most likely need the UAA SAML IdP metadata before it can make authentication requests to UAA. You can obtain this metadata with a GET request to the /saml/idp/metadata endpoint.

GET http://localhost:8080/uaa/saml/idp/metadata

List

$ curl 'http://localhost/saml/service-providers' -i -H 'Authorization: Bearer 6cb8e439ce364182adcf9451aacb807b'
GET /saml/service-providers HTTP/1.1
Authorization: Bearer 6cb8e439ce364182adcf9451aacb807b
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7038

[ {
  "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"Qzdwexyhlw.cloudfoundry-saml-login\\\" entityID=\\\"Qzdwexyhlw.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#Qzdwexyhlw.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEO
MAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Qzdwexyhlw.localhost:8080/uaa/saml/SingleLogout/alias/Qzdwexyhlw.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://Qzdwexyhlw.localhost:8080/uaa/saml/SingleLogout/alias/Qzdwexyhlw.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Qzdwexyhlw.localhost:8080/uaa/saml/SSO/alias/Qzdwexyhlw.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://Qzdwexyhlw.localhost:8080/uaa/saml/SSO/alias/Qzdwexyhlw.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"nameID\":null,\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false}",
  "id" : "a18be9fb-6a0f-477c-ba58-5fd9dfbd66fc",
  "entityId" : "Qzdwexyhlw.cloudfoundry-saml-login",
  "name" : "Qzdwexyhlw",
  "version" : 0,
  "created" : 1488326095381,
  "lastModified" : 1488326095381,
  "active" : true,
  "identityZoneId" : "uaa"
} ]

Request Headers

Name Description
Authorization Bearer token containing sps.read
X-Identity-Zone-Id If using a zones.<zone id>.admin scope/token, indicates which zone this request goes to by supplying a zone_id.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates which zone this request goes to by supplying a subdomain.

Response Fields

Path Type Description
[].id String Unique identifier for this provider - GUID generated by the UAA.
[].name String Human readable name for the SAML SP.
[].entityId String The entity id of the SAML SP.
[].active Boolean Defaults to true.
[].created Number UAA sets this to the UTC creation date.
[].identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
[].lastModified Number UAA sets this to the UTC last date of modification.
[].version Number Version of the identity provider data. Clients can use this to protect against conflicting updates.
[].config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
[].config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
[].config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.

Error Codes

Error Code Description
403 Forbidden - Insufficient scope
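Two things in this section deserve a worked illustration: the metadata exchange described under Service Providers (entityID, certificates and endpoints are what the trust relationship rests on), and the fact that the List response above returns config as a JSON-encoded string, so the SP metadata arrives doubly escaped unless rawConfig=true is used. The following Python block is an added example, not UAA's own code: it normalizes the config field, parses a SAML EntityDescriptor for either role with the standard library, and runs a defender's checklist over one service-provider record. The function names are hypothetical, the sample record is constructed in the shape of the List response, and its certificate body is a placeholder rather than a real certificate.

```python
import json
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def load_config(config):
    """The config field is a JSON-encoded string by default and a JSON object
    when the caller passed rawConfig=true; accept both and return a dict."""
    if isinstance(config, str):
        config = json.loads(config)
    if not isinstance(config, dict):
        raise ValueError("config must be a JSON object or a JSON-encoded string")
    return config


def parse_entity_metadata(xml_text):
    """Pull the trust-relevant parts out of a SAML EntityDescriptor: entityID,
    role (IdP or SP), signing certificates, signing flags and endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("metadata carries neither an IdP nor an SP role")
    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means usable for both
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))
    if idp is not None:
        endpoint_tag = "md:SingleSignOnService"
        signed = {"WantAuthnRequestsSigned": role.get("WantAuthnRequestsSigned") == "true"}
    else:
        endpoint_tag = "md:AssertionConsumerService"
        signed = {"AuthnRequestsSigned": role.get("AuthnRequestsSigned") == "true",
                  "WantAssertionsSigned": role.get("WantAssertionsSigned") == "true"}
    return {
        "entityID": root.get("entityID"),
        "role": "idp" if idp is not None else "sp",
        "signingCertificates": certs,
        "signed": signed,
        "endpoints": [(e.get("Binding"), e.get("Location"))
                      for e in role.findall(endpoint_tag, NS)],
    }


def review_service_provider(record):
    """Checklist for one /saml/service-providers record: returns the findings a
    reviewer would raise before trusting the SP (empty list = nothing to raise)."""
    findings = []
    config = load_config(record["config"])
    if not config.get("metadataTrustCheck", False):
        findings.append("metadataTrustCheck is false: SP metadata signature is not validated")
    if config.get("skipSslValidation"):
        findings.append("skipSslValidation is true")
    location = config.get("metaDataLocation", "")
    if not location.lstrip().startswith("<"):
        findings.append("metaDataLocation is a URL, not inline XML; fetch it over TLS before review")
        return findings
    md = parse_entity_metadata(location)
    if md["role"] != "sp":
        findings.append("metadata is not an SPSSODescriptor")
    if md["entityID"] != record["entityId"]:
        findings.append(f"entityID mismatch: record {record['entityId']!r} vs metadata {md['entityID']!r}")
    if not md["signingCertificates"]:
        findings.append("no signing certificate: AuthnRequests from this SP cannot be verified")
    for flag, value in md["signed"].items():
        if not value:
            findings.append(f"{flag} is not true")
    for _binding, url in md["endpoints"]:
        if not url.startswith("https://"):
            findings.append(f"AssertionConsumerService over plain HTTP: {url}")
    return findings


# Constructed sample in the shape of the List response: config is a JSON-encoded
# string with inline metadata; the certificate body is a placeholder.
SAMPLE_SP_METADATA = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="example-sp.cloudfoundry-saml-login">'
    '<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:X509Data><ds:X509Certificate>PLACEHOLDER\nCERT</ds:X509Certificate></ds:X509Data>'
    '</ds:KeyInfo></md:KeyDescriptor>'
    '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="http://example-sp.localhost:8080/uaa/saml/SSO/alias/example-sp" index="0" isDefault="true"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)
SAMPLE_SP_RECORD = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder GUID
    "entityId": "example-sp.cloudfoundry-saml-login",
    "name": "example-sp",
    "config": json.dumps({"metaDataLocation": SAMPLE_SP_METADATA, "nameID": None,
                          "singleSignOnServiceIndex": 0, "metadataTrustCheck": True,
                          "skipSslValidation": False}),
}

if __name__ == "__main__":
    for finding in review_service_provider(SAMPLE_SP_RECORD):
        print("-", finding)
```

The same parse_entity_metadata call works on the IdP metadata served at /saml/idp/metadata, where the role becomes "idp" and the endpoints are the SingleSignOnService bindings; the record review stops at the first finding only when the metadata is a URL, since nothing can be checked until it has been fetched.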

Get

$ curl 'http://localhost/saml/service-providers/304a1173-79b5-4269-a30a-03f5f3ef1498' -i -H 'Authorization: Bearer 6b120f724edc40cca4f4ef1ad6a39c6f'
GET /saml/service-providers/304a1173-79b5-4269-a30a-03f5f3ef1498 HTTP/1.1
Authorization: Bearer 6b120f724edc40cca4f4ef1ad6a39c6f
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7034

{
  "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"aXXM9ltQ1c.cloudfoundry-saml-login\\\" entityID=\\\"aXXM9ltQ1c.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#aXXM9ltQ1c.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEO
MAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://aXXM9ltQ1c.localhost:8080/uaa/saml/SingleLogout/alias/aXXM9ltQ1c.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://aXXM9ltQ1c.localhost:8080/uaa/saml/SingleLogout/alias/aXXM9ltQ1c.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://aXXM9ltQ1c.localhost:8080/uaa/saml/SSO/alias/aXXM9ltQ1c.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://aXXM9ltQ1c.localhost:8080/uaa/saml/SSO/alias/aXXM9ltQ1c.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"nameID\":null,\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false}",
  "id" : "304a1173-79b5-4269-a30a-03f5f3ef1498",
  "entityId" : "aXXM9ltQ1c.cloudfoundry-saml-login",
  "name" : "aXXM9ltQ1c",
  "version" : 0,
  "created" : 1488326095482,
  "lastModified" : 1488326095482,
  "active" : true,
  "identityZoneId" : "uaa"
}

Request Headers

Name Description
Authorization Bearer token containing sps.read
X-Identity-Zone-Id If using a `zones..admin` scope/token, indicates what zone this request goes to by supplying a zone_id.
X-Identity-Zone-Subdomain If using a `zones..admin` scope/token, indicates what zone this request goes to by supplying a subdomain.

Path Parameters

/saml/service-providers/{id}

Parameter Description
id Unique ID of the service provider

Response Fields

Path Type Description
id String Unique identifier for this provider - GUID generated by the UAA.
name String Human readable name for the SAML SP.
entityId String The entity id of the SAML SP.
active Boolean Defaults to true.
created Number UAA sets this to the UTC creation date.
identityZoneId String Set to the zone that this provider will be active in. Determined by either.
lastModified Number UAA sets this to the UTC last date of modification.
version Number Version of the identity provider data. Clients can use this.
config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.

Error Codes

Error Code Description
403 Forbidden - Insufficient scope

Create

$ curl 'http://localhost/saml/service-providers' -i -X POST -H 'Authorization: Bearer ca50209ecf9141bdb8c6d99067359917' -H 'Content-Type: application/json' -d '{
  "name" : "f9ZEQIqSlB",
  "entityId" : "f9ZEQIqSlB.cloudfoundry-saml-login",
  "active" : true,
  "config" : "{\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"f9ZEQIqSlB.cloudfoundry-saml-login\\\" entityID=\\\"f9ZEQIqSlB.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#f9ZEQIqSlB.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYT
EOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SingleLogout/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SingleLogout/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SSO/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SSO/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true }"
}'
POST /saml/service-providers HTTP/1.1
Authorization: Bearer ca50209ecf9141bdb8c6d99067359917
Content-Type: application/json
Host: localhost
Content-Length: 6807

{
  "name" : "f9ZEQIqSlB",
  "entityId" : "f9ZEQIqSlB.cloudfoundry-saml-login",
  "active" : true,
  "config" : "{\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"f9ZEQIqSlB.cloudfoundry-saml-login\\\" entityID=\\\"f9ZEQIqSlB.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#f9ZEQIqSlB.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYT
EOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SingleLogout/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SingleLogout/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SSO/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SSO/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true }"
}
HTTP/1.1 201 Created
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7034

{
  "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"f9ZEQIqSlB.cloudfoundry-saml-login\\\" entityID=\\\"f9ZEQIqSlB.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#f9ZEQIqSlB.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEO
MAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SingleLogout/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SingleLogout/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SSO/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://f9ZEQIqSlB.localhost:8080/uaa/saml/SSO/alias/f9ZEQIqSlB.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"nameID\":null,\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false}",
  "id" : "d6252cd7-b7e2-42b7-991a-472c4e0c40fe",
  "entityId" : "f9ZEQIqSlB.cloudfoundry-saml-login",
  "name" : "f9ZEQIqSlB",
  "version" : 0,
  "created" : 1488326095725,
  "lastModified" : 1488326095725,
  "active" : true,
  "identityZoneId" : "uaa"
}

Request Headers

Name Description
Authorization Bearer token containing sps.write
X-Identity-Zone-Id If using a `zones..admin` scope/token, indicates what zone this request goes to by supplying a zone_id.
X-Identity-Zone-Subdomain If using a `zones..admin` scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Fields

Path Type Constraints Description
name String Required Human readable name for the SAML SP.
entityId String Optional If provided, it should match the entityId in the SP metadata.
active Boolean Optional Defaults to true
config String Required Contains metaDataLocation and metadataTrustCheck fields as json fields.
config.metaDataLocation String Required The SAML SP Metadata - either an XML string or a URL that
config.metadataTrustCheck Boolean Optional Determines whether UAA should validate the SAML SP metadata.

Response Fields

Path Type Description
id String Unique identifier for this provider - GUID generated by the UAA.
name String Human readable name for the SAML SP.
entityId String The entity id of the SAML SP.
active Boolean Defaults to true.
created Number UAA sets this to the UTC creation date.
identityZoneId String Set to the zone that this provider will be active in. Determined by either.
lastModified Number UAA sets this to the UTC last date of modification.
version Number Version of the identity provider data. Clients can use this.
config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.

Error Codes

Error Code Description
403 Forbidden - Insufficient scope
422 Unprocessable Entity
409 Conflict - A provider with the same entity id and zone id exists.
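The Create request above and the Update request that follows send the same body shape, and its one awkward part is that "config" is a JSON string nested inside the JSON body (which is why the documented requests are full of escaped quotes). The Python below is an added example, not code from the UAA project: it builds that body from SP metadata, checks that the optional entityId agrees with the entityID inside the metadata before anything is sent (the request fields say they should match), and decodes the nested config from a response. The metadata it embeds is a constructed, unsigned stub (the documented metadata carries a ds:Signature and certificates); the function names, the base URL and the zone-header handling are assumptions of this example.

```python
"""Build and sanity-check a UAA SAML service-provider request body.

Added example, not part of the UAA project. Only the request shape documented
on this page is assumed: a JSON body whose "config" member is itself a JSON
string holding "metaDataLocation" (SP metadata XML or a URL) and
"metadataTrustCheck".
"""
import json
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed, minimal SP metadata for offline use (no signature, no certs).
SAMPLE_METADATA = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="example-sp.cloudfoundry-saml-login">'
    '<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:AssertionConsumerService '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://example-sp.localhost:8080/uaa/saml/SSO/alias/example-sp" '
    'index="0" isDefault="true"/>'
    "</md:SPSSODescriptor></md:EntityDescriptor>"
)


def _parse(metadata_xml: str) -> ET.Element:
    # Encode first so an XML declaration with encoding="UTF-8" is always accepted.
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not SAML metadata: root element is {root.tag}")
    return root


def metadata_entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the EntityDescriptor root element."""
    entity_id = _parse(metadata_xml).get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    return entity_id


def sp_descriptor_flags(metadata_xml: str) -> dict:
    """Return the signing flags an operator should eyeball before registering the SP."""
    sp = _parse(metadata_xml).find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    return {
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false") == "true",
    }


def build_service_provider_body(name, metadata_xml, metadata_trust_check=True, entity_id=None):
    """Build the body for POST /saml/service-providers or PUT /saml/service-providers/{id}.

    "config" has to be a JSON string, not an object, exactly as in the documented
    requests; json.dumps produces the escaped inner document. entityId is optional
    in the API but must match the metadata when sent, so it is derived from the
    metadata unless the caller passes one, in which case the two are compared.
    """
    md_entity_id = metadata_entity_id(metadata_xml)
    if entity_id is None:
        entity_id = md_entity_id
    elif entity_id != md_entity_id:
        raise ValueError(f"entityId {entity_id!r} does not match metadata entityID {md_entity_id!r}")
    config = {"metaDataLocation": metadata_xml, "metadataTrustCheck": bool(metadata_trust_check)}
    return {"name": name, "entityId": entity_id, "active": True, "config": json.dumps(config)}


def decode_config(body: dict) -> dict:
    """Parse the nested config string of a request or response body back into a dict."""
    return json.loads(body["config"])


def post_service_provider(base_url, token, body, zone_id=None):
    """Send the body with a bearer token carrying sps.write; returns (status, JSON or None).

    X-Identity-Zone-Id is only added when a zone-admin token targets another
    zone, as the request headers above describe. base_url is an assumption.
    """
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if zone_id:
        headers["X-Identity-Zone-Id"] = zone_id
    req = urllib.request.Request(
        f"{base_url}/saml/service-providers",
        data=json.dumps(body).encode("utf-8"), headers=headers, method="POST",
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:  # 403, 409 and 422 are documented above
        return err.code, None


if __name__ == "__main__":
    body = build_service_provider_body("example-sp", SAMPLE_METADATA)
    print(json.dumps(body, indent=2))
    print(sp_descriptor_flags(SAMPLE_METADATA))
```

metadataTrustCheck stays true here: with it set, UAA validates the SP metadata it is handed, so leaving it off is the weaker setting. A second POST with the same entityId in the same zone is what produces the 409 listed above; to change an existing provider use PUT with its id, as the Update example shows.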

Update

$ curl 'http://localhost/saml/service-providers/c46bc4b4-d2b2-45c0-9e18-c65804c58edd' -i -X PUT -H 'Authorization: Bearer ecdb1bf58670445e9cbaa92ecfb488b7' -H 'Content-Type: application/json' -d '{
  "name" : "ij6ynp6Or2",
  "entityId" : "ij6ynp6Or2.cloudfoundry-saml-login",
  "active" : true,
  "config" : "{\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"ij6ynp6Or2.cloudfoundry-saml-login\\\" entityID=\\\"ij6ynp6Or2.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#ij6ynp6Or2.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYT
EOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SingleLogout/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SingleLogout/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SSO/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SSO/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true }"
}'
PUT /saml/service-providers/c46bc4b4-d2b2-45c0-9e18-c65804c58edd HTTP/1.1
Authorization: Bearer ecdb1bf58670445e9cbaa92ecfb488b7
Content-Type: application/json
Host: localhost
Content-Length: 6807

{
  "name" : "ij6ynp6Or2",
  "entityId" : "ij6ynp6Or2.cloudfoundry-saml-login",
  "active" : true,
  "config" : "{\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"ij6ynp6Or2.cloudfoundry-saml-login\\\" entityID=\\\"ij6ynp6Or2.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#ij6ynp6Or2.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYT
EOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SingleLogout/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SingleLogout/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SSO/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SSO/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true }"
}
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7034

{
  "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"ij6ynp6Or2.cloudfoundry-saml-login\\\" entityID=\\\"ij6ynp6Or2.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#ij6ynp6Or2.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEO
MAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SingleLogout/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SingleLogout/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SSO/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://ij6ynp6Or2.localhost:8080/uaa/saml/SSO/alias/ij6ynp6Or2.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"nameID\":null,\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false}",
  "id" : "c46bc4b4-d2b2-45c0-9e18-c65804c58edd",
  "entityId" : "ij6ynp6Or2.cloudfoundry-saml-login",
  "name" : "ij6ynp6Or2",
  "version" : 1,
  "created" : 1488326095822,
  "lastModified" : 1488326095877,
  "active" : true,
  "identityZoneId" : "uaa"
}

Request Headers

Name Description
Authorization Bearer token containing sps.write
X-Identity-Zone-Id If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Fields

Path Type Constraints Description
name String Required Human readable name for the SAML SP.
entityId String Optional If provided, it should match the entityId in the SP metadata.
active Boolean Optional Defaults to true
config String Required Contains metaDataLocation and metadataTrustCheck fields as json fields.
config.metaDataLocation String Required The SAML SP Metadata - either an XML string or a URL that
config.metadataTrustCheck Boolean Optional Determines whether UAA should validate the SAML SP metadata.
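
The request above wraps the SAML metadata twice: `config` is a JSON string that itself contains JSON, which in turn contains the metadata XML. The following Python helper is an added example, not code from UAA or from this documentation; it builds such a body, refuses an explicitly supplied entityId that does not match the metadata's entityID, keeps metadataTrustCheck enabled, and unwraps the doubly encoded config from a response. The metadata, entity id, locations and token it uses are constructed samples.

```python
import json
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata; entity id and locations are hypothetical,
# not the page's own sample values.
SAMPLE_METADATA = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="example-sp.cloudfoundry-saml-login">'
    '<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:AssertionConsumerService '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://example-sp.localhost:8080/uaa/saml/SSO/alias/example-sp" '
    'index="0" isDefault="true"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)


def metadata_entity_id(metadata_xml):
    """Return the entityID attribute of an md:EntityDescriptor document."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID attribute")
    return entity_id


def entity_id_matches(entity_id, metadata_xml):
    """The Request Fields say entityId, if given, must match the metadata."""
    return entity_id == metadata_entity_id(metadata_xml)


def build_service_provider_body(name, metadata_xml, entity_id=None,
                                active=True, metadata_trust_check=True):
    """Build the JSON body for PUT /saml/service-providers/{id}.

    `config` is not a nested object but a string holding JSON, which holds
    the metadata XML, so the inner document is serialised separately.
    """
    if entity_id is None:
        entity_id = metadata_entity_id(metadata_xml)
    elif not entity_id_matches(entity_id, metadata_xml):
        raise ValueError("entityId %r does not match the metadata entityID"
                         % entity_id)
    config = {
        "metaDataLocation": metadata_xml,
        # Leave the trust check on so UAA validates the metadata it is given.
        "metadataTrustCheck": metadata_trust_check,
    }
    body = {
        "name": name,
        "entityId": entity_id,
        "active": active,
        "config": json.dumps(config),
    }
    return json.dumps(body, indent=2)


def request_headers(token, zone_id=None):
    """Headers for the call: the token must carry sps.write; zone is optional."""
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    if zone_id is not None:
        headers["X-Identity-Zone-Id"] = zone_id
    return headers


def decode_service_provider(body_text):
    """Parse a request or response body and unwrap the doubly encoded config."""
    sp = json.loads(body_text)
    sp["config"] = json.loads(sp["config"])
    return sp


if __name__ == "__main__":
    body = build_service_provider_body("example-sp", SAMPLE_METADATA)
    sp = decode_service_provider(body)
    print(sp["entityId"], sp["config"]["metadataTrustCheck"])
```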

Path Parameters

/saml/service-providers/{id}

Parameter Description
id Unique ID of the service provider

Response Fields

Path Type Description
id String Unique identifier for this provider - GUID generated by the UAA.
name String Human readable name for the SAML SP.
entityId String The entity id of the SAML SP.
active Boolean Defaults to true.
created Number UAA sets this to the UTC creation date.
identityZoneId String Set to the zone that this provider will be active in. Determined by either.
lastModified Number UAA sets this to the UTC last date of modification.
version Number Version of the identity provider data. Clients can use this.
config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.

Error Codes

Error Code Description
403 Forbidden - Insufficient scope
422 Unprocessable Entity
409 Conflict - A provider with the same entity id and zone id exists.

Delete

$ curl 'http://localhost/saml/service-providers/31a189ae-3b63-4826-8c08-e36211bb46d6' -i -X DELETE -H 'Authorization: Bearer ec3b7b148fb14232a2ca4c0e6c6a3848' -H 'Accept: application/json'
DELETE /saml/service-providers/31a189ae-3b63-4826-8c08-e36211bb46d6 HTTP/1.1
Authorization: Bearer ec3b7b148fb14232a2ca4c0e6c6a3848
Accept: application/json
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7034

{
  "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"0VMZehlUmc.cloudfoundry-saml-login\\\" entityID=\\\"0VMZehlUmc.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#0VMZehlUmc.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEO
MAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://0VMZehlUmc.localhost:8080/uaa/saml/SingleLogout/alias/0VMZehlUmc.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://0VMZehlUmc.localhost:8080/uaa/saml/SingleLogout/alias/0VMZehlUmc.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://0VMZehlUmc.localhost:8080/uaa/saml/SSO/alias/0VMZehlUmc.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://0VMZehlUmc.localhost:8080/uaa/saml/SSO/alias/0VMZehlUmc.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"nameID\":null,\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false}",
  "id" : "31a189ae-3b63-4826-8c08-e36211bb46d6",
  "entityId" : "0VMZehlUmc.cloudfoundry-saml-login",
  "name" : "0VMZehlUmc",
  "version" : 0,
  "created" : 1488326095588,
  "lastModified" : 1488326095588,
  "active" : true,
  "identityZoneId" : "uaa"
}

Request Headers

Name Description
Authorization Bearer token containing sps.write
X-Identity-Zone-Id If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Path Parameters

/saml/service-providers/{id}

Parameter Description
id Unique ID of the service provider

Response Fields

Path Type Description
id String Unique identifier for this provider - GUID generated by the UAA.
name String Human readable name for the SAML SP.
entityId String The entity id of the SAML SP.
active Boolean Defaults to true.
created Number UAA sets this to the UTC creation date.
identityZoneId String Set to the zone that this provider will be active in. Determined by either.
lastModified Number UAA sets this to the UTC last date of modification.
version Number Version of the identity provider data. Clients can use this.
config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.

Error Codes

Error Code Description
403 Forbidden - Insufficient scope

Users

Users can be queried, created and updated via the /Users endpoint.

Get

$ curl 'http://localhost/Users/4884e9d7-105d-48af-bafb-5275e24ad053' -i -H 'Accept: application/json' -H 'Authorization: Bearer 25ee856845964156919759303b2581bf' -H 'Content-Type: application/json' -H 'If-Match: 0'
GET /Users/4884e9d7-105d-48af-bafb-5275e24ad053 HTTP/1.1
Accept: application/json
Authorization: Bearer 25ee856845964156919759303b2581bf
Content-Type: application/json
If-Match: 0
Host: localhost

HTTP/1.1 200 OK
ETag: "0"
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2880

{
  "id" : "4884e9d7-105d-48af-bafb-5275e24ad053",
  "externalId" : "test-user",
  "meta" : {
    "version" : 0,
    "created" : "2017-02-28T23:54:47.207Z",
    "lastModified" : "2017-02-28T23:54:47.207Z"
  },
  "userName" : "Vfqs7s@test.org",
  "name" : {
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "Vfqs7s@test.org",
    "primary" : false
  } ],
  "groups" : [ {
    "value" : "013ecaad-f846-41a0-a40e-73db7d62354d",
    "display" : "cloud_controller.write",
    "type" : "DIRECT"
  }, {
    "value" : "f551f2c7-8991-4eb8-a26e-13051632c7aa",
    "display" : "user_attributes",
    "type" : "DIRECT"
  }, {
    "value" : "32429404-4e05-47cf-8cda-96668903217e",
    "display" : "uaa.user",
    "type" : "DIRECT"
  }, {
    "value" : "e411f78c-f92d-4412-b694-278b5bc453b9",
    "display" : "roles",
    "type" : "DIRECT"
  }, {
    "value" : "03157dea-eae0-4698-ab67-05c10b7a6e65",
    "display" : "scim.me",
    "type" : "DIRECT"
  }, {
    "value" : "021024d8-f0c0-4640-b467-cb7f40b93fe9",
    "display" : "profile",
    "type" : "DIRECT"
  }, {
    "value" : "85d50f0f-8d2b-4cb2-a4a4-54c10683bcdd",
    "display" : "cloud_controller_service_permissions.read",
    "type" : "DIRECT"
  }, {
    "value" : "a6af6719-83ce-43c3-9b3c-a84b7e99fd75",
    "display" : "approvals.me",
    "type" : "DIRECT"
  }, {
    "value" : "069bb5c9-e8b6-4f67-984e-392cfbf5cfae",
    "display" : "openid",
    "type" : "DIRECT"
  }, {
    "value" : "acf808fe-1149-44d5-81a4-d786d3350f40",
    "display" : "password.write",
    "type" : "DIRECT"
  }, {
    "value" : "0897cbc2-d4c5-4798-ad10-d1b93985c406",
    "display" : "scim.userids",
    "type" : "DIRECT"
  }, {
    "value" : "e7ea2322-3d9f-4400-9e66-d62b6dc90578",
    "display" : "cloud_controller.read",
    "type" : "DIRECT"
  }, {
    "value" : "6ec66be0-74eb-4709-a03b-3ba5bd7b2bd2",
    "display" : "uaa.offline_token",
    "type" : "DIRECT"
  }, {
    "value" : "4e0e2fb7-2877-4bb5-920a-357619263995",
    "display" : "oauth.approvals",
    "type" : "DIRECT"
  } ],
  "approvals" : [ {
    "userId" : "4884e9d7-105d-48af-bafb-5275e24ad053",
    "clientId" : "client id",
    "scope" : "scim.read",
    "status" : "APPROVED",
    "lastUpdatedAt" : "2017-02-28T23:54:47.217Z",
    "expiresAt" : "2017-02-28T23:54:57.217Z"
  }, {
    "userId" : "4884e9d7-105d-48af-bafb-5275e24ad053",
    "clientId" : "identity",
    "scope" : "uaa.user",
    "status" : "APPROVED",
    "lastUpdatedAt" : "2017-02-28T23:55:17.220Z",
    "expiresAt" : "2017-02-28T23:55:17.220Z"
  } ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "uaa",
  "zoneId" : "uaa",
  "passwordLastModified" : "2017-02-28T23:54:47.000Z",
  "previousLogonTime" : 1488326087222,
  "lastLogonTime" : 1488326087223,
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}

Request Headers

Name Description
Authorization Access token with scim.write or uaa.admin required
If-Match The version of the SCIM object to be retrieved. Optional.
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Response Fields

Path Type Description
schemas Array SCIM Schemas used, currently always set to [ “urn:scim:schemas:core:1.0” ]
id String Unique user identifier.
userName String User name of the user, typically an email address.
name Object A map with the user’s first name and last name.
name.familyName String The user’s last name.
name.givenName String The user’s first name.
phoneNumbers Array The user’s phone numbers.
phoneNumbers[].value String The phone number.
emails Array The user’s email addresses.
emails[].value String The email address.
emails[].primary Boolean Set to true if this is the user’s primary email address.
groups Array A list of groups the user belongs to.
groups[].value String Unique group identifier
groups[].display String The group display name, also referred to as scope during authorization.
groups[].type String Membership type - DIRECT means the user is directly associated with the group. INDIRECT means that the membership has been inherited from nested groups.
approvals Array A list of approvals for this user. An approval is the user’s explicit approval or rejection of an application.
approvals[].userId String The user id on the approval. Will be the same as the id field.
approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
approvals[].scope String The scope on the approval. Will be a group display value.
approvals[].status String The status of the approval. APPROVED or DENIED are the only valid values.
approvals[].lastUpdatedAt String Date this approval was last updated.
approvals[].expiresAt String Date this approval will expire.
active Boolean If this user is active. False is a soft delete. The user will not be able to log in.
verified Boolean True, if this user has verified her/his email address.
origin String The alias of the identity provider that authenticated this user. 'uaa' is an internal UAA user.
zoneId String The zone this user belongs to. 'uaa' is the default zone.
passwordLastModified String The timestamp this user’s password was last changed.
lastLogonTime Number The unix epoch timestamp of when the user last authenticated. Default value of this field is null and is omitted from the response if null
previousLogonTime Number The unix epoch timestamp of the user's second-to-last successful authentication. Default value of this field is null and is omitted from the response if null
externalId String External user ID if authenticated through external identity provider.
meta Object SCIM object metadata.
meta.version Number Object version.
meta.lastModified String Object last modified date.
meta.created String Object created date.

Error Codes

Error Code Description
400 Bad Request - invalid JSON format or missing fields
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (scim.read is required to retrieve a user)
404 User id not found

Example using uaac to get a user:

uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac user get testuser

List

$ curl 'http://localhost/Users?filter=id+eq+%223fb5a479-144b-4d55-9999-3656df0ef6b5%22+or+email+eq+%22DZW99K%40test.org%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1' -i -H 'Accept: application/json' -H 'Authorization: Bearer 76315913d63f4cf8812a23fcd289ba19'
GET /Users?filter=id+eq+%223fb5a479-144b-4d55-9999-3656df0ef6b5%22+or+email+eq+%22DZW99K%40test.org%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1 HTTP/1.1
Accept: application/json
Authorization: Bearer 76315913d63f4cf8812a23fcd289ba19
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2963

{
  "resources" : [ {
    "id" : "3fb5a479-144b-4d55-9999-3656df0ef6b5",
    "externalId" : "test-user",
    "meta" : {
      "version" : 0,
      "created" : "2017-02-28T23:54:48.163Z",
      "lastModified" : "2017-02-28T23:54:48.163Z"
    },
    "userName" : "DZW99K@test.org",
    "name" : {
      "familyName" : "family name",
      "givenName" : "given name"
    },
    "emails" : [ {
      "value" : "DZW99K@test.org",
      "primary" : false
    } ],
    "groups" : [ {
      "value" : "013ecaad-f846-41a0-a40e-73db7d62354d",
      "display" : "cloud_controller.write",
      "type" : "DIRECT"
    }, {
      "value" : "f551f2c7-8991-4eb8-a26e-13051632c7aa",
      "display" : "user_attributes",
      "type" : "DIRECT"
    }, {
      "value" : "32429404-4e05-47cf-8cda-96668903217e",
      "display" : "uaa.user",
      "type" : "DIRECT"
    }, {
      "value" : "e411f78c-f92d-4412-b694-278b5bc453b9",
      "display" : "roles",
      "type" : "DIRECT"
    }, {
      "value" : "03157dea-eae0-4698-ab67-05c10b7a6e65",
      "display" : "scim.me",
      "type" : "DIRECT"
    }, {
      "value" : "021024d8-f0c0-4640-b467-cb7f40b93fe9",
      "display" : "profile",
      "type" : "DIRECT"
    }, {
      "value" : "85d50f0f-8d2b-4cb2-a4a4-54c10683bcdd",
      "display" : "cloud_controller_service_permissions.read",
      "type" : "DIRECT"
    }, {
      "value" : "a6af6719-83ce-43c3-9b3c-a84b7e99fd75",
      "display" : "approvals.me",
      "type" : "DIRECT"
    }, {
      "value" : "069bb5c9-e8b6-4f67-984e-392cfbf5cfae",
      "display" : "openid",
      "type" : "DIRECT"
    }, {
      "value" : "acf808fe-1149-44d5-81a4-d786d3350f40",
      "display" : "password.write",
      "type" : "DIRECT"
    }, {
      "value" : "0897cbc2-d4c5-4798-ad10-d1b93985c406",
      "display" : "scim.userids",
      "type" : "DIRECT"
    }, {
      "value" : "e7ea2322-3d9f-4400-9e66-d62b6dc90578",
      "display" : "cloud_controller.read",
      "type" : "DIRECT"
    }, {
      "value" : "6ec66be0-74eb-4709-a03b-3ba5bd7b2bd2",
      "display" : "uaa.offline_token",
      "type" : "DIRECT"
    }, {
      "value" : "4e0e2fb7-2877-4bb5-920a-357619263995",
      "display" : "oauth.approvals",
      "type" : "DIRECT"
    } ],
    "approvals" : [ {
      "userId" : "3fb5a479-144b-4d55-9999-3656df0ef6b5",
      "clientId" : "client id",
      "scope" : "scim.read",
      "status" : "APPROVED",
      "lastUpdatedAt" : "2017-02-28T23:54:48.174Z",
      "expiresAt" : "2017-02-28T23:54:58.174Z"
    } ],
    "phoneNumbers" : [ {
      "value" : "5555555555"
    } ],
    "active" : true,
    "verified" : true,
    "origin" : "uaa",
    "zoneId" : "uaa",
    "passwordLastModified" : "2017-02-28T23:54:48.000Z",
    "previousLogonTime" : 1488326088177,
    "lastLogonTime" : 1488326088178,
    "schemas" : [ "urn:scim:schemas:core:1.0" ]
  } ],
  "startIndex" : 1,
  "itemsPerPage" : 50,
  "totalResults" : 1,
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}

Request Headers

Name Description
Authorization Access token with scim.read or uaa.admin required
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Parameters

Parameter Type Constraints Description
filter String Optional SCIM filter for searching
sortBy String Optional (defaults to created) Sorting field name, like email or id
sortOrder String Optional (defaults to ascending) Sort order, ascending/descending
startIndex Number Optional (defaults to 1) The starting index of the search results when paginated. Index starts with 1.
count Number Optional (defaults to 100) Max number of results to be returned
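As an added example (not part of the UAA documentation or code base), the Python below builds a /Users filter in the form the curl example above uses and pages through the results. `FILTERABLE`, `build_filter`, `users_query`, `list_all_users` and the `fetch_page` callable are this example's own names; the fake server's cap on `count` is an assumption made only to exercise the paging loop, not something this page states. Two points it shows that the table alone does not: filter values are emitted as quoted SCIM string literals and rejected if they contain a quote or backslash, so a caller-supplied email cannot rewrite the filter; and the cursor advances by the number of resources actually returned rather than by the requested `count`, so a server that returns fewer than asked still gets fully paged.

```python
"""Build SCIM filters and page through GET /Users on a UAA server.

Added example, not UAA project code. The HTTP layer sits behind a
`fetch_page(params) -> dict` callable so the logic runs offline against the
constructed fake below; in production that callable issues the GET with the
bearer token shown in the curl example.
"""
from typing import Callable, Dict, Iterator, List, Tuple
from urllib.parse import urlencode

# Allowlist of attributes a caller may filter on, so the attribute name can
# never carry attacker-controlled text into the filter expression.
FILTERABLE = {"id", "userName", "email", "origin", "externalId"}


def scim_literal(value: str) -> str:
    """Return `value` as a double-quoted SCIM string literal.

    A quote or backslash inside the value could close the literal and change
    the filter's meaning (e.g. `x" or id pr "`), so such values are rejected
    rather than relying on the server's escaping rules.
    """
    if '"' in value or "\\" in value:
        raise ValueError("filter value may not contain '\"' or '\\'")
    return f'"{value}"'


def build_filter(conditions: Dict[str, str], op: str = "or") -> str:
    """Join `attr eq "value"` clauses with `and` or `or`."""
    if op not in ("and", "or"):
        raise ValueError("op must be 'and' or 'or'")
    if not conditions:
        raise ValueError("at least one condition is required")
    clauses = []
    for attr, value in conditions.items():
        if attr not in FILTERABLE:
            raise ValueError(f"unsupported filter attribute: {attr}")
        clauses.append(f"{attr} eq {scim_literal(value)}")
    return f" {op} ".join(clauses)


def users_query(filter_expr: str, sort_by: str = "created", count: int = 100,
                sort_order: str = "ascending", start_index: int = 1) -> str:
    """Encode the /Users query string in the same form as the curl example."""
    return urlencode({"filter": filter_expr, "sortBy": sort_by, "count": str(count),
                      "sortOrder": sort_order, "startIndex": str(start_index)})


def list_all_users(fetch_page: Callable[[Dict[str, str]], dict],
                   filter_expr: str, page_size: int = 100) -> Iterator[dict]:
    """Yield every matching user, following startIndex pagination.

    The cursor advances by the number of resources actually returned, not by
    `page_size`, since a server may return fewer than requested; the loop
    stops once the cursor passes totalResults or a page comes back empty.
    """
    start = 1
    while True:
        page = fetch_page({"filter": filter_expr, "sortBy": "id",  # stable order
                           "sortOrder": "ascending", "startIndex": str(start),
                           "count": str(page_size)})
        resources: List[dict] = page.get("resources", [])
        if not resources:
            return
        yield from resources
        start += len(resources)
        if start > int(page["totalResults"]):
            return


# Constructed sample data standing in for a real UAA user store.
SAMPLE_USERS = [{"id": f"user-{i}", "userName": f"user{i}@example.test",
                 "origin": "uaa"} for i in range(7)]


def make_fake_fetch(users: List[dict], server_max_count: int = 3
                    ) -> Tuple[Callable[[Dict[str, str]], dict], List[Dict[str, str]]]:
    """Fake GET /Users that caps `count` at `server_max_count` (an assumed server
    limit, here only to exercise paging) and records each request's params."""
    calls: List[Dict[str, str]] = []

    def fetch_page(params: Dict[str, str]) -> dict:
        calls.append(dict(params))
        start = int(params["startIndex"])
        count = min(int(params["count"]), server_max_count)
        page = users[start - 1:start - 1 + count]
        return {"resources": page, "startIndex": start, "itemsPerPage": count,
                "totalResults": len(users), "schemas": ["urn:scim:schemas:core:1.0"]}

    return fetch_page, calls


if __name__ == "__main__":
    fetch, calls = make_fake_fetch(SAMPLE_USERS)
    flt = build_filter({"origin": "uaa"})
    print(users_query(flt))
    ids = [u["id"] for u in list_all_users(fetch, flt, page_size=50)]
    print(f"{len(ids)} users in {len(calls)} requests")
```

With the sample store of seven users and a fake that returns at most three per page, `list_all_users` makes three requests (startIndex 1, 4, 7) and yields all seven once each; `users_query` reproduces the query string of the curl example byte for byte when given the same filter, sortBy and count.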

Response Fields

Path Type Description
startIndex Number The starting index of the search results when paginated. Index starts with 1.
itemsPerPage Number The maximum number of items returned per request.
totalResults Number Total number of results matching the query, across all pages.
schemas Array SCIM Schemas used, currently always set to [ “urn:scim:schemas:core:1.0” ]
resources Array A list of SCIM user objects retrieved by the search.
resources[].id String Unique user identifier.
resources[].userName String User name of the user, typically an email address.
resources[].name Object A map with the user’s first name and last name.
resources[].name.familyName String The user’s last name.
resources[].name.givenName String The user’s first name.
resources[].phoneNumbers Array The user’s phone numbers.
resources[].phoneNumbers[].value String The phone number.
resources[].emails Array The user’s email addresses.
resources[].emails[].value String The email address.
resources[].emails[].primary Boolean Set to true if this is the user’s primary email address.
resources[].groups Array A list of groups the user belongs to.
resources[].groups[].value String Unique group identifier
resources[].groups[].display String The group display name, also referred to as scope during authorization.
resources[].groups[].type String Membership type - DIRECT means the user is directly associated with the group. INDIRECT means that the membership has been inherited from nested groups.
resources[].approvals Array A list of approvals for this user. Approvals are user’s explicit approval or rejection for an application.
resources[].approvals[].userId String The user id on the approval. Will be the same as the id field.
resources[].approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
resources[].approvals[].scope String The scope on the approval. Will be a group display value.
resources[].approvals[].status String The status of the approval. APPROVED or DENIED are the only valid values.
resources[].approvals[].lastUpdatedAt String Date this approval was last updated.
resources[].approvals[].expiresAt String Date this approval will expire.
resources[].active Boolean If this user is active. False is a soft delete. The user will not be able to log in.
resources[].lastLogonTime Number The unix epoch timestamp of when the user last authenticated. Default value of this field is null and is omitted from the response if null
resources[].previousLogonTime Number The unix epoch timestamp of the user's second-to-last successful authentication. Default value of this field is null and is omitted from the response if null
resources[].verified Boolean True, if this user has verified her/his email address.
resources[].origin String The alias of the identity provider that authenticated this user. 'uaa' is an internal UAA user.
resources[].zoneId String The zone this user belongs to. 'uaa' is the default zone.
resources[].passwordLastModified String The timestamp this user’s password was last changed.
resources[].externalId String External user ID if authenticated through external identity provider.
resources[].meta Object SCIM object metadata.
resources[].meta.version Number Object version.
resources[].meta.lastModified String Object last modified date.
resources[].meta.created String Object created date.

Error Codes

Error Code Description
400 Bad Request - invalid JSON format or missing fields
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (scim.read is required to search users)

Example using uaac to view users:

uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac users

Create

$ curl 'http://localhost/Users' -i -X POST -H 'Accept: application/json' -H 'Authorization: Bearer bc5a86e4bef14e8eb22c61cec3553b70' -H 'Content-Type: application/json' -d '{
  "externalId" : "test-user",
  "meta" : {
    "version" : 0,
    "created" : "2017-02-28T23:54:48.604Z"
  },
  "userName" : "YEseDv@test.org",
  "name" : {
    "formatted" : "given name family name",
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "YEseDv@test.org",
    "primary" : true
  } ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "",
  "password" : "secret",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}'
POST /Users HTTP/1.1
Accept: application/json
Authorization: Bearer bc5a86e4bef14e8eb22c61cec3553b70
Content-Type: application/json
Host: localhost
Content-Length: 537

{
  "externalId" : "test-user",
  "meta" : {
    "version" : 0,
    "created" : "2017-02-28T23:54:48.604Z"
  },
  "userName" : "YEseDv@test.org",
  "name" : {
    "formatted" : "given name family name",
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "YEseDv@test.org",
    "primary" : true
  } ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "",
  "password" : "secret",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}
HTTP/1.1 201 Created
ETag: "0"
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2327

{
  "id" : "a3b15235-c525-464a-b67e-c87b39b5f8fe",
  "externalId" : "test-user",
  "meta" : {
    "version" : 0,
    "created" : "2017-02-28T23:54:48.713Z",
    "lastModified" : "2017-02-28T23:54:48.713Z"
  },
  "userName" : "YEseDv@test.org",
  "name" : {
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "YEseDv@test.org",
    "primary" : false
  } ],
  "groups" : [ {
    "value" : "013ecaad-f846-41a0-a40e-73db7d62354d",
    "display" : "cloud_controller.write",
    "type" : "DIRECT"
  }, {
    "value" : "f551f2c7-8991-4eb8-a26e-13051632c7aa",
    "display" : "user_attributes",
    "type" : "DIRECT"
  }, {
    "value" : "32429404-4e05-47cf-8cda-96668903217e",
    "display" : "uaa.user",
    "type" : "DIRECT"
  }, {
    "value" : "e411f78c-f92d-4412-b694-278b5bc453b9",
    "display" : "roles",
    "type" : "DIRECT"
  }, {
    "value" : "03157dea-eae0-4698-ab67-05c10b7a6e65",
    "display" : "scim.me",
    "type" : "DIRECT"
  }, {
    "value" : "021024d8-f0c0-4640-b467-cb7f40b93fe9",
    "display" : "profile",
    "type" : "DIRECT"
  }, {
    "value" : "85d50f0f-8d2b-4cb2-a4a4-54c10683bcdd",
    "display" : "cloud_controller_service_permissions.read",
    "type" : "DIRECT"
  }, {
    "value" : "a6af6719-83ce-43c3-9b3c-a84b7e99fd75",
    "display" : "approvals.me",
    "type" : "DIRECT"
  }, {
    "value" : "069bb5c9-e8b6-4f67-984e-392cfbf5cfae",
    "display" : "openid",
    "type" : "DIRECT"
  }, {
    "value" : "acf808fe-1149-44d5-81a4-d786d3350f40",
    "display" : "password.write",
    "type" : "DIRECT"
  }, {
    "value" : "0897cbc2-d4c5-4798-ad10-d1b93985c406",
    "display" : "scim.userids",
    "type" : "DIRECT"
  }, {
    "value" : "e7ea2322-3d9f-4400-9e66-d62b6dc90578",
    "display" : "cloud_controller.read",
    "type" : "DIRECT"
  }, {
    "value" : "6ec66be0-74eb-4709-a03b-3ba5bd7b2bd2",
    "display" : "uaa.offline_token",
    "type" : "DIRECT"
  }, {
    "value" : "4e0e2fb7-2877-4bb5-920a-357619263995",
    "display" : "oauth.approvals",
    "type" : "DIRECT"
  } ],
  "approvals" : [ ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "uaa",
  "zoneId" : "uaa",
  "passwordLastModified" : "2017-02-28T23:54:48.000Z",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}

Request Headers

Name Description
Authorization Access token with scim.write or uaa.admin required
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Fields

Path Type Constraints Description
userName String Required User name of the user, typically an email address.
password String Required User’s password.
name Object Required A map with the user’s first name and last name.
name.familyName String Required The user’s last name.
name.givenName String Required The user’s first name.
phoneNumbers Array Optional The user’s phone numbers.
phoneNumbers[].value String Optional The phone number.
emails Array Required The user’s email addresses.
emails[].value String Required The email address.
emails[].primary Boolean Required Set to true if this is the user’s primary email address.
active Boolean Optional (defaults to true) If this user is active. False is a soft delete. The user will not be able to log in.
verified Boolean Optional (defaults to false) True, if this user has verified her/his email address.
origin String Optional (defaults to "uaa") The alias of the identity provider that authenticated this user. 'uaa' is an internal UAA user.
externalId String Optional External user ID if authenticated through external identity provider.

Response Fields

Path Type Description
schemas Array SCIM Schemas used, currently always set to [ “urn:scim:schemas:core:1.0” ]
id String Unique user identifier.
userName String User name of the user, typically an email address.
name Object A map with the user’s first name and last name.
name.familyName String The user’s last name.
name.givenName String The user’s first name.
phoneNumbers Array The user’s phone numbers.
phoneNumbers[].value String The phone number.
emails Array The user’s email addresses.
emails[].value String The email address.
emails[].primary Boolean Set to true if this is the user’s primary email address.
groups Array A list of groups the user belongs to.
groups[].value String Unique group identifier
groups[].display String The group display name, also referred to as scope during authorization.
groups[].type String Membership type - DIRECT means the user is directly associated with the group. INDIRECT means that the membership has been inherited from nested groups.
approvals Array A list of approvals for this user. Approvals are user’s explicit approval or rejection for an application.
active Boolean If this user is active. False is a soft delete. The user will not be able to log in.
verified Boolean True, if this user has verified her/his email address.
origin String The alias of the identity provider that authenticated this user. 'uaa' is an internal UAA user.
zoneId String The zone this user belongs to. 'uaa' is the default zone.
passwordLastModified String The timestamp this user’s password was last changed.
externalId String External user ID if authenticated through external identity provider.
meta Object SCIM object metadata.
meta.version Number Object version.
meta.lastModified String Object last modified date.
meta.created String Object created date.

Error Codes

Error Code Description
400 Bad Request - invalid JSON format or missing fields
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (scim.write is required to create a user)
409 Username already exists

Example using uaac to create a user:

uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac user add testuser --given_name About --family_name Schmidt --emails testuser@test.org --password secret

Update

$ curl 'http://localhost/Users/fdb8c9c1-19ca-4e59-8507-013fef21eb9f' -i -X PUT -H 'Accept: application/json' -H 'Authorization: Bearer 8485326f9e0443bdba48fdf441a9a9f5' -H 'Content-Type: application/json' -H 'If-Match: 0' -d '{
  "id" : "fdb8c9c1-19ca-4e59-8507-013fef21eb9f",
  "externalId" : "test-user",
  "meta" : {
    "version" : 0,
    "created" : "2017-02-28T23:54:48.375Z",
    "lastModified" : "2017-02-28T23:54:48.375Z"
  },
  "userName" : "VxrPcy@test.org",
  "name" : {
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "VxrPcy@test.org",
    "primary" : false
  } ],
  "groups" : [ ],
  "approvals" : [ ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "uaa",
  "zoneId" : "uaa",
  "passwordLastModified" : "2017-02-28T23:54:48.000Z",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}'
PUT /Users/fdb8c9c1-19ca-4e59-8507-013fef21eb9f HTTP/1.1
Accept: application/json
Authorization: Bearer 8485326f9e0443bdba48fdf441a9a9f5
Content-Type: application/json
If-Match: 0
Host: localhost
Content-Length: 684

{
  "id" : "fdb8c9c1-19ca-4e59-8507-013fef21eb9f",
  "externalId" : "test-user",
  "meta" : {
    "version" : 0,
    "created" : "2017-02-28T23:54:48.375Z",
    "lastModified" : "2017-02-28T23:54:48.375Z"
  },
  "userName" : "VxrPcy@test.org",
  "name" : {
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "VxrPcy@test.org",
    "primary" : false
  } ],
  "groups" : [ ],
  "approvals" : [ ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "uaa",
  "zoneId" : "uaa",
  "passwordLastModified" : "2017-02-28T23:54:48.000Z",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}
HTTP/1.1 200 OK
ETag: "1"
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2804

{
  "id" : "fdb8c9c1-19ca-4e59-8507-013fef21eb9f",
  "externalId" : "test-user",
  "meta" : {
    "version" : 1,
    "created" : "2017-02-28T23:54:48.375Z",
    "lastModified" : "2017-02-28T23:54:48.410Z"
  },
  "userName" : "VxrPcy@test.org",
  "name" : {
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "VxrPcy@test.org",
    "primary" : false
  } ],
  "groups" : [ {
    "value" : "013ecaad-f846-41a0-a40e-73db7d62354d",
    "display" : "cloud_controller.write",
    "type" : "DIRECT"
  }, {
    "value" : "f551f2c7-8991-4eb8-a26e-13051632c7aa",
    "display" : "user_attributes",
    "type" : "DIRECT"
  }, {
    "value" : "32429404-4e05-47cf-8cda-96668903217e",
    "display" : "uaa.user",
    "type" : "DIRECT"
  }, {
    "value" : "e411f78c-f92d-4412-b694-278b5bc453b9",
    "display" : "roles",
    "type" : "DIRECT"
  }, {
    "value" : "03157dea-eae0-4698-ab67-05c10b7a6e65",
    "display" : "scim.me",
    "type" : "DIRECT"
  }, {
    "value" : "021024d8-f0c0-4640-b467-cb7f40b93fe9",
    "display" : "profile",
    "type" : "DIRECT"
  }, {
    "value" : "85d50f0f-8d2b-4cb2-a4a4-54c10683bcdd",
    "display" : "cloud_controller_service_permissions.read",
    "type" : "DIRECT"
  }, {
    "value" : "a6af6719-83ce-43c3-9b3c-a84b7e99fd75",
    "display" : "approvals.me",
    "type" : "DIRECT"
  }, {
    "value" : "069bb5c9-e8b6-4f67-984e-392cfbf5cfae",
    "display" : "openid",
    "type" : "DIRECT"
  }, {
    "value" : "acf808fe-1149-44d5-81a4-d786d3350f40",
    "display" : "password.write",
    "type" : "DIRECT"
  }, {
    "value" : "0897cbc2-d4c5-4798-ad10-d1b93985c406",
    "display" : "scim.userids",
    "type" : "DIRECT"
  }, {
    "value" : "e7ea2322-3d9f-4400-9e66-d62b6dc90578",
    "display" : "cloud_controller.read",
    "type" : "DIRECT"
  }, {
    "value" : "6ec66be0-74eb-4709-a03b-3ba5bd7b2bd2",
    "display" : "uaa.offline_token",
    "type" : "DIRECT"
  }, {
    "value" : "4e0e2fb7-2877-4bb5-920a-357619263995",
    "display" : "oauth.approvals",
    "type" : "DIRECT"
  } ],
  "approvals" : [ {
    "userId" : "fdb8c9c1-19ca-4e59-8507-013fef21eb9f",
    "clientId" : "client id",
    "scope" : "scim.read",
    "status" : "APPROVED",
    "lastUpdatedAt" : "2017-02-28T23:54:48.384Z",
    "expiresAt" : "2017-02-28T23:54:58.384Z"
  }, {
    "userId" : "fdb8c9c1-19ca-4e59-8507-013fef21eb9f",
    "clientId" : "identity",
    "scope" : "uaa.user",
    "status" : "DENIED",
    "lastUpdatedAt" : "2017-02-28T23:55:18.386Z",
    "expiresAt" : "2017-02-28T23:55:18.386Z"
  } ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "uaa",
  "zoneId" : "uaa",
  "passwordLastModified" : "2017-02-28T23:54:48.000Z",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}

Request Headers

Name Description
Authorization Access token with scim.write or uaa.admin required
If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Fields

Path Type Constraints Description
userName String Required User name of the user, typically an email address.
name Object Required A map with the user’s first name and last name.
name.familyName String Required The user’s last name.
name.givenName String Required The user’s first name.
phoneNumbers Array Optional The user’s phone numbers.
phoneNumbers[].value String Optional The phone number.
emails Array Required The user’s email addresses.
emails[].value String Required The email address.
emails[].primary Boolean Required Set to true if this is the user’s primary email address.
active Boolean Optional (defaults to true) If this user is active. False is a soft delete. The user will not be able to log in.
verified Boolean Optional (defaults to false) True, if this user has verified her/his email address.
origin String Optional (defaults to "uaa") The alias of the identity provider that authenticated this user. 'uaa' is an internal UAA user.
externalId String Optional External user ID if authenticated through external identity provider.

Response Fields

Path Type Description
schemas Array SCIM Schemas used, currently always set to [ “urn:scim:schemas:core:1.0” ]
id String Unique user identifier.
userName String User name of the user, typically an email address.
name Object A map with the user’s first name and last name.
name.familyName String The user’s last name.
name.givenName String The user’s first name.
phoneNumbers Array The user’s phone numbers.
phoneNumbers[].value String The phone number.
emails Array The user’s email addresses.
emails[].value String The email address.
emails[].primary Boolean Set to true if this is the user’s primary email address.
groups Array A list of groups the user belongs to.
groups[].value String Unique group identifier
groups[].display String The group display name, also referred to as scope during authorization.
groups[].type String Membership type - DIRECT means the user is directly associated with the group. INDIRECT means that the membership has been inherited from nested groups.
approvals Array A list of approvals for this user. Approvals are user’s explicit approval or rejection for an application.
approvals[].userId String The user id on the approval. Will be the same as the id field.
approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
approvals[].scope String The scope on the approval. Will be a group display value.
approvals[].status String The status of the approval. APPROVED or DENIED are the only valid values.
approvals[].lastUpdatedAt String Date this approval was last updated.
approvals[].expiresAt String Date this approval will expire.
active Boolean If this user is active. False is a soft delete. The user will not be able to log in.
verified Boolean True, if this user has verified her/his email address.
origin String The alias of the identity provider that authenticated this user. 'uaa' is an internal UAA user.
zoneId String The zone this user belongs to. 'uaa' is the default zone.
passwordLastModified String The timestamp this user’s password was last changed.
lastLogonTime Number The unix epoch timestamp of when the user last authenticated. Default value of this field is null and is omitted from the response if null
previousLogonTime Number The unix epoch timestamp of the user's second-to-last successful authentication. Default value of this field is null and is omitted from the response if null
externalId String External user ID if authenticated through external identity provider.
meta Object SCIM object metadata.
meta.version Number Object version.
meta.lastModified String Object last modified date.
meta.created String Object created date.

Error Codes

Error Code Description
400 Bad Request - invalid JSON format or missing fields
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (scim.write is required to update a user)
404 User id not found

Example using uaac to update a user:

uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac user update testuser --given_name About --family_name Schmidt --emails testuser@test.org --phones 415-555-1212

Patch

$ curl 'http://localhost/Users/40905bb4-972b-4031-a14a-2eb34c21e3a3' -i -X PATCH -H 'Accept: application/json' -H 'Authorization: Bearer c48a4728cb7b4791b284b4491ca6600e' -H 'Content-Type: application/json' -H 'If-Match: 0' -d '{
  "id" : "40905bb4-972b-4031-a14a-2eb34c21e3a3",
  "externalId" : "test-user",
  "meta" : {
    "version" : 0,
    "created" : "2017-02-28T23:54:49.424Z",
    "lastModified" : "2017-02-28T23:54:49.424Z"
  },
  "userName" : "ktbkom@test.org",
  "name" : {
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "ktbkom@test.org",
    "primary" : false
  } ],
  "groups" : [ ],
  "approvals" : [ ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "uaa",
  "zoneId" : "uaa",
  "passwordLastModified" : "2017-02-28T23:54:49.000Z",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}'
PATCH /Users/40905bb4-972b-4031-a14a-2eb34c21e3a3 HTTP/1.1
Accept: application/json
Authorization: Bearer c48a4728cb7b4791b284b4491ca6600e
Content-Type: application/json
If-Match: 0
Host: localhost
Content-Length: 684

{
  "id" : "40905bb4-972b-4031-a14a-2eb34c21e3a3",
  "externalId" : "test-user",
  "meta" : {
    "version" : 0,
    "created" : "2017-02-28T23:54:49.424Z",
    "lastModified" : "2017-02-28T23:54:49.424Z"
  },
  "userName" : "ktbkom@test.org",
  "name" : {
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "ktbkom@test.org",
    "primary" : false
  } ],
  "groups" : [ ],
  "approvals" : [ ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "uaa",
  "zoneId" : "uaa",
  "passwordLastModified" : "2017-02-28T23:54:49.000Z",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}
HTTP/1.1 200 OK
ETag: "1"
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2804

{
  "id" : "40905bb4-972b-4031-a14a-2eb34c21e3a3",
  "externalId" : "test-user",
  "meta" : {
    "version" : 1,
    "created" : "2017-02-28T23:54:49.424Z",
    "lastModified" : "2017-02-28T23:54:49.467Z"
  },
  "userName" : "ktbkom@test.org",
  "name" : {
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "ktbkom@test.org",
    "primary" : false
  } ],
  "groups" : [ {
    "value" : "013ecaad-f846-41a0-a40e-73db7d62354d",
    "display" : "cloud_controller.write",
    "type" : "DIRECT"
  }, {
    "value" : "f551f2c7-8991-4eb8-a26e-13051632c7aa",
    "display" : "user_attributes",
    "type" : "DIRECT"
  }, {
    "value" : "32429404-4e05-47cf-8cda-96668903217e",
    "display" : "uaa.user",
    "type" : "DIRECT"
  }, {
    "value" : "e411f78c-f92d-4412-b694-278b5bc453b9",
    "display" : "roles",
    "type" : "DIRECT"
  }, {
    "value" : "03157dea-eae0-4698-ab67-05c10b7a6e65",
    "display" : "scim.me",
    "type" : "DIRECT"
  }, {
    "value" : "021024d8-f0c0-4640-b467-cb7f40b93fe9",
    "display" : "profile",
    "type" : "DIRECT"
  }, {
    "value" : "85d50f0f-8d2b-4cb2-a4a4-54c10683bcdd",
    "display" : "cloud_controller_service_permissions.read",
    "type" : "DIRECT"
  }, {
    "value" : "a6af6719-83ce-43c3-9b3c-a84b7e99fd75",
    "display" : "approvals.me",
    "type" : "DIRECT"
  }, {
    "value" : "069bb5c9-e8b6-4f67-984e-392cfbf5cfae",
    "display" : "openid",
    "type" : "DIRECT"
  }, {
    "value" : "acf808fe-1149-44d5-81a4-d786d3350f40",
    "display" : "password.write",
    "type" : "DIRECT"
  }, {
    "value" : "0897cbc2-d4c5-4798-ad10-d1b93985c406",
    "display" : "scim.userids",
    "type" : "DIRECT"
  }, {
    "value" : "e7ea2322-3d9f-4400-9e66-d62b6dc90578",
    "display" : "cloud_controller.read",
    "type" : "DIRECT"
  }, {
    "value" : "6ec66be0-74eb-4709-a03b-3ba5bd7b2bd2",
    "display" : "uaa.offline_token",
    "type" : "DIRECT"
  }, {
    "value" : "4e0e2fb7-2877-4bb5-920a-357619263995",
    "display" : "oauth.approvals",
    "type" : "DIRECT"
  } ],
  "approvals" : [ {
    "userId" : "40905bb4-972b-4031-a14a-2eb34c21e3a3",
    "clientId" : "client id",
    "scope" : "scim.read",
    "status" : "APPROVED",
    "lastUpdatedAt" : "2017-02-28T23:54:49.437Z",
    "expiresAt" : "2017-02-28T23:54:59.437Z"
  }, {
    "userId" : "40905bb4-972b-4031-a14a-2eb34c21e3a3",
    "clientId" : "identity",
    "scope" : "uaa.user",
    "status" : "DENIED",
    "lastUpdatedAt" : "2017-02-28T23:55:19.442Z",
    "expiresAt" : "2017-02-28T23:55:19.442Z"
  } ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "uaa",
  "zoneId" : "uaa",
  "passwordLastModified" : "2017-02-28T23:54:49.000Z",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}

Request Headers

Name Description
Authorization Access token with scim.write or uaa.admin required
If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.

Request Fields

Path Type Constraints Description
userName String Required User name of the user, typically an email address.
name Object Required A map with the user’s first name and last name.
name.familyName String Required The user’s last name.
name.givenName String Required The user’s first name.
phoneNumbers Array Optional The user’s phone numbers.
phoneNumbers[].value String Optional The phone number.
emails Array Required The user’s email addresses.
emails[].value String Required The email address.
emails[].primary Boolean Required Set to true if this is the user’s primary email address.
active Boolean Optional (defaults to true) If this user is active. False is a soft delete. The user will not be able to log in.
verified Boolean Optional (defaults to false) True, if this user has verified her/his email address.
origin String Optional (defaults to "uaa") The alias of the identity provider that authenticated this user. 'uaa' is an internal UAA user.
externalId String Optional External user ID if authenticated through external identity provider.
meta.attributes Array Optional Names of attributes that shall be deleted

Response Fields

Path Type Description
schemas Array SCIM Schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
id String Unique user identifier.
userName String User name of the user, typically an email address.
name Object A map with the user’s first name and last name.
name.familyName String The user’s last name.
name.givenName String The user’s first name.
phoneNumbers Array The user’s phone numbers.
phoneNumbers[].value String The phone number.
emails Array The user’s email addresses.
emails[].value String The email address.
emails[].primary Boolean Set to true if this is the user’s primary email address.
groups Array A list of groups the user belongs to.
groups[].value String Unique group identifier
groups[].display String The group display name, also referred to as scope during authorization.
groups[].type String Membership type - DIRECT means the user is directly associated with the group. INDIRECT means that the membership has been inherited from nested groups.
approvals Array A list of approvals for this user. Approvals are user’s explicit approval or rejection for an application.
approvals[].userId String The user id on the approval. Will be the same as the id field.
approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
approvals[].scope String The scope on the approval. Will be a group display value.
approvals[].status String The status of the approval. APPROVED or DENIED are the only valid values.
approvals[].lastUpdatedAt String Date this approval was last updated.
approvals[].expiresAt String Date this approval will expire.
active Boolean If this user is active. False is a soft delete. The user will not be able to log in.
verified Boolean True, if this user has verified her/his email address.
origin String The alias of the identity provider that authenticated this user. 'uaa' is an internal UAA user.
zoneId String The zone this user belongs to. 'uaa' is the default zone.
passwordLastModified String The timestamp this user’s password was last changed.
lastLogonTime Number The unix epoch timestamp of when the user last authenticated. Defaults to null and is omitted from the response when null.
previousLogonTime Number The unix epoch timestamp of the user’s second-to-last successful authentication. Defaults to null and is omitted from the response when null.
externalId String External user ID if authenticated through external identity provider.
meta Object SCIM object meta data.
meta.version Number Object version.
meta.lastModified String Object last modified date.
meta.created String Object created date.
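
The groups and approvals arrays above are what a resource server or consent page actually reasons about: groups[].display is the scope name, and an approval is only meaningful while its expiresAt is in the future. The following added example (not part of the UAA documentation or code base) parses a constructed user record in the documented shape and classifies the user's consent for a given client and scope; the sample record, the SAMPLE_NOW instant and the function names are assumptions made for the example.

```python
"""Evaluate the groups and approvals carried in a UAA SCIM user record.

Added example, not UAA's own code. It relies only on the documented fields
groups[].display, groups[].type, approvals[].clientId, approvals[].scope,
approvals[].status and approvals[].expiresAt, and assumes timestamps are
ISO 8601 in UTC with a trailing "Z", as in the sample responses.
"""
from datetime import datetime

# Constructed sample in the shape of the documented response (not a real user).
SAMPLE_USER = {
    "id": "00000000-0000-0000-0000-000000000001",
    "userName": "alice@example.test",
    "groups": [
        {"value": "g-1", "display": "openid", "type": "DIRECT"},
        {"value": "g-2", "display": "scim.read", "type": "DIRECT"},
        {"value": "g-3", "display": "uaa.user", "type": "INDIRECT"},
    ],
    "approvals": [
        {"userId": "00000000-0000-0000-0000-000000000001", "clientId": "app",
         "scope": "scim.read", "status": "APPROVED",
         "lastUpdatedAt": "2017-02-28T23:54:49.437Z",
         "expiresAt": "2017-03-30T23:54:59.437Z"},
        {"userId": "00000000-0000-0000-0000-000000000001", "clientId": "app",
         "scope": "openid", "status": "DENIED",
         "lastUpdatedAt": "2017-02-28T23:55:19.442Z",
         "expiresAt": "2017-03-30T23:55:19.442Z"},
        {"userId": "00000000-0000-0000-0000-000000000001", "clientId": "app",
         "scope": "uaa.user", "status": "APPROVED",
         "lastUpdatedAt": "2017-02-28T23:55:19.442Z",
         "expiresAt": "2017-02-28T23:55:29.442Z"},  # already expired at SAMPLE_NOW
    ],
}


def parse_uaa_time(value: str) -> datetime:
    """Parse the documented '2017-02-28T23:54:49.437Z' format into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def scopes_of(user: dict) -> dict:
    """Map each group display name (the scope name) to its membership type (DIRECT/INDIRECT)."""
    return {g["display"]: g["type"] for g in user.get("groups", [])}


def consent_state(user: dict, client_id: str, scope: str, now: datetime) -> str:
    """Classify consent for (client_id, scope): approved, denied, expired,
    not_a_member (no group grants the scope) or missing (no approval recorded)."""
    if scope not in scopes_of(user):
        return "not_a_member"
    for approval in user.get("approvals", []):
        if approval["clientId"] != client_id or approval["scope"] != scope:
            continue
        if parse_uaa_time(approval["expiresAt"]) <= now:
            return "expired"
        return "approved" if approval["status"] == "APPROVED" else "denied"
    return "missing"


# Constructed evaluation instant, chosen so that one sample approval has expired.
SAMPLE_NOW = parse_uaa_time("2017-03-01T00:00:00.000Z")

if __name__ == "__main__":
    for scope in ("scim.read", "openid", "uaa.user", "password.write"):
        print(scope, "->", consent_state(SAMPLE_USER, "app", scope, SAMPLE_NOW))
```

Checking group membership before consulting approvals matters: an approval whose scope the user no longer holds should not be treated as a grant, and an INDIRECT membership (inherited through nested groups) is as valid as a DIRECT one for this purpose.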

Error Codes

Error Code Description
400 Bad Request - invalid JSON format or missing fields
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (scim.write is required to update a user)
404 User id not found

Example using uaac to patch users:

uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac user update testuser --given_name About --family_name Schmidt --emails testuser@test.org --phones 415-555-1212

Delete

$ curl 'http://localhost/Users/a3ce1373-33e9-4368-87e2-ce35843b11c6' -i -X DELETE -H 'Accept: application/json' -H 'Authorization: Bearer 0ec39cdccb184929a4d501386f1c1e7e' -H 'Content-Type: application/json' -H 'If-Match: 0'
DELETE /Users/a3ce1373-33e9-4368-87e2-ce35843b11c6 HTTP/1.1
Accept: application/json
Authorization: Bearer 0ec39cdccb184929a4d501386f1c1e7e
Content-Type: application/json
If-Match: 0
Host: localhost

HTTP/1.1 200 OK
ETag: "0"
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2806

{
  "id" : "a3ce1373-33e9-4368-87e2-ce35843b11c6",
  "externalId" : "test-user",
  "meta" : {
    "version" : 0,
    "created" : "2017-02-28T23:54:46.996Z",
    "lastModified" : "2017-02-28T23:54:46.996Z"
  },
  "userName" : "VXAEY6@test.org",
  "name" : {
    "familyName" : "family name",
    "givenName" : "given name"
  },
  "emails" : [ {
    "value" : "VXAEY6@test.org",
    "primary" : false
  } ],
  "groups" : [ {
    "value" : "013ecaad-f846-41a0-a40e-73db7d62354d",
    "display" : "cloud_controller.write",
    "type" : "DIRECT"
  }, {
    "value" : "f551f2c7-8991-4eb8-a26e-13051632c7aa",
    "display" : "user_attributes",
    "type" : "DIRECT"
  }, {
    "value" : "32429404-4e05-47cf-8cda-96668903217e",
    "display" : "uaa.user",
    "type" : "DIRECT"
  }, {
    "value" : "e411f78c-f92d-4412-b694-278b5bc453b9",
    "display" : "roles",
    "type" : "DIRECT"
  }, {
    "value" : "03157dea-eae0-4698-ab67-05c10b7a6e65",
    "display" : "scim.me",
    "type" : "DIRECT"
  }, {
    "value" : "021024d8-f0c0-4640-b467-cb7f40b93fe9",
    "display" : "profile",
    "type" : "DIRECT"
  }, {
    "value" : "85d50f0f-8d2b-4cb2-a4a4-54c10683bcdd",
    "display" : "cloud_controller_service_permissions.read",
    "type" : "DIRECT"
  }, {
    "value" : "a6af6719-83ce-43c3-9b3c-a84b7e99fd75",
    "display" : "approvals.me",
    "type" : "DIRECT"
  }, {
    "value" : "069bb5c9-e8b6-4f67-984e-392cfbf5cfae",
    "display" : "openid",
    "type" : "DIRECT"
  }, {
    "value" : "acf808fe-1149-44d5-81a4-d786d3350f40",
    "display" : "password.write",
    "type" : "DIRECT"
  }, {
    "value" : "0897cbc2-d4c5-4798-ad10-d1b93985c406",
    "display" : "scim.userids",
    "type" : "DIRECT"
  }, {
    "value" : "e7ea2322-3d9f-4400-9e66-d62b6dc90578",
    "display" : "cloud_controller.read",
    "type" : "DIRECT"
  }, {
    "value" : "6ec66be0-74eb-4709-a03b-3ba5bd7b2bd2",
    "display" : "uaa.offline_token",
    "type" : "DIRECT"
  }, {
    "value" : "4e0e2fb7-2877-4bb5-920a-357619263995",
    "display" : "oauth.approvals",
    "type" : "DIRECT"
  } ],
  "approvals" : [ {
    "userId" : "a3ce1373-33e9-4368-87e2-ce35843b11c6",
    "clientId" : "client id",
    "scope" : "scim.read",
    "status" : "APPROVED",
    "lastUpdatedAt" : "2017-02-28T23:54:47.004Z",
    "expiresAt" : "2017-02-28T23:54:57.005Z"
  }, {
    "userId" : "a3ce1373-33e9-4368-87e2-ce35843b11c6",
    "clientId" : "identity",
    "scope" : "uaa.user",
    "status" : "APPROVED",
    "lastUpdatedAt" : "2017-02-28T23:55:17.007Z",
    "expiresAt" : "2017-02-28T23:55:17.007Z"
  } ],
  "phoneNumbers" : [ {
    "value" : "5555555555"
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "uaa",
  "zoneId" : "uaa",
  "passwordLastModified" : "2017-02-28T23:54:46.000Z",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}

Request Headers

Name Description
Authorization Access token with scim.write or uaa.admin required
If-Match The version of the SCIM object to be deleted. Optional.
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Response Fields

Path Type Description
schemas Array SCIM Schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
id String Unique user identifier.
userName String User name of the user, typically an email address.
name Object A map with the user’s first name and last name.
name.familyName String The user’s last name.
name.givenName String The user’s first name.
phoneNumbers Array The user’s phone numbers.
phoneNumbers[].value String The phone number.
emails Array The user’s email addresses.
emails[].value String The email address.
emails[].primary Boolean Set to true if this is the user’s primary email address.
groups Array A list of groups the user belongs to.
groups[].value String Unique group identifier
groups[].display String The group display name, also referred to as scope during authorization.
groups[].type String Membership type - DIRECT means the user is directly associated with the group. INDIRECT means that the membership has been inherited from nested groups.
approvals Array A list of approvals for this user. Approvals are user’s explicit approval or rejection for an application.
approvals[].userId String The user id on the approval. Will be the same as the id field.
approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
approvals[].scope String The scope on the approval. Will be a group display value.
approvals[].status String The status of the approval. APPROVED or DENIED are the only valid values.
approvals[].lastUpdatedAt String Date this approval was last updated.
approvals[].expiresAt String Date this approval will expire.
active Boolean If this user is active. False is a soft delete. The user will not be able to log in.
verified Boolean True, if this user has verified her/his email address.
origin String The alias of the identity provider that authenticated this user. 'uaa' is an internal UAA user.
zoneId String The zone this user belongs to. 'uaa' is the default zone.
passwordLastModified String The timestamp this user’s password was last changed.
lastLogonTime Number The unix epoch timestamp of when the user last authenticated. Defaults to null and is omitted from the response when null.
previousLogonTime Number The unix epoch timestamp of the user’s second-to-last successful authentication. Defaults to null and is omitted from the response when null.
externalId String External user ID if authenticated through external identity provider.
meta Object SCIM object meta data.
meta.version Number Object version.
meta.lastModified String Object last modified date.
meta.created String Object created date.

Error Codes

Error Code Description
400 Bad Request - invalid JSON format or missing fields
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (scim.write is required to delete a user)
404 User id not found

Example using uaac to delete users:

uaac target http://localhost:8080/uaa

uaac token client get admin -s adminsecret

uaac user delete testuser

User Info

An OAuth2 protected resource and an OpenID Connect endpoint. Given an appropriate access_token, returns information about a user. Defined fields include various standard user profile fields. The response may include other user information such as group membership.

$ curl 'http://localhost/userinfo' -i -H 'Authorization: Bearer 47c02e9184f04143ab4272c894625d8e'
GET /userinfo HTTP/1.1
Authorization: Bearer 47c02e9184f04143ab4272c894625d8e
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 384

{
  "user_id" : "3587ef54-6361-44d2-b8a1-4937674aa2b5",
  "sub" : "3587ef54-6361-44d2-b8a1-4937674aa2b5",
  "user_name" : "yH9Avc@test.org",
  "given_name" : "PasswordResetUserFirst",
  "family_name" : "PasswordResetUserLast",
  "email" : "yH9Avc@test.org",
  "phone_number" : "+15558880000",
  "previous_logon_time" : null,
  "name" : "PasswordResetUserFirst PasswordResetUserLast"
}

Request Headers

Name Description
Authorization Access token with openid required. If the user_attributes scope is in the token, the response object will contain custom attributes, if mapped to the external identity provider.

Response Fields

Path Type Description
sub String Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.
user_id String Unique user identifier.
email String The user’s email address.
user_name String User name of the user, typically an email address.
given_name String The user’s first name.
family_name String The user’s last name.
name String The user’s full name, given name followed by family name.
phone_number String The user’s phone number.
previous_logon_time Number (null if none) The unix epoch timestamp of the second-to-last successful user authentication.

Error Codes

Error Code Description
400 Bad Request - invalid JSON format or missing fields
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (openid is required to get the user info)

Example using uaac to view user info:

uaac target http://localhost:8080/uaa

uaac token authcode get admin -s adminsecret

uaac curl -X GET /userinfo -k

Change user password

$ curl 'http://localhost/Users/56bacee6-0216-43b6-9f58-ecfd270a6360/password' -i -X PUT -H 'Accept: application/json' -H 'Authorization: Bearer 7f021b0109a24905bdb1f93c2967ab21' -H 'Content-Type: application/json' -H 'If-Match: 0' -d '{
  "oldPassword" : "secret",
  "password" : "newsecret"
}'
PUT /Users/56bacee6-0216-43b6-9f58-ecfd270a6360/password HTTP/1.1
Accept: application/json
Authorization: Bearer 7f021b0109a24905bdb1f93c2967ab21
Content-Type: application/json
If-Match: 0
Host: localhost
Content-Length: 58

{
  "oldPassword" : "secret",
  "password" : "newsecret"
}
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 55

{
  "status" : "ok",
  "message" : "password updated"
}

Request Headers

Name Description
Authorization Access token with password.write or uaa.admin required
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Fields

Path Type Constraints Description
oldPassword String Required Old password.
password String Required New password.

Response Fields

Path Type Description
status String Will be 'ok’ if password changed successfully.
message String Will be 'password updated’ if password changed successfully.

Error Codes

Error Code Description
400 Bad Request - invalid JSON format or missing fields
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (scim.write or a token containing the user id is required to change the password)
404 User id not found

Example using uaac to change a user’s password:

uaac target http://localhost:8080/uaa

uaac token owner get cf testuser -s "" -p "secret"

uaac password change -o secret -p newsecret

Unlock Account

$ curl 'http://localhost/Users/db0eb894-c6fc-4882-85e9-4221f8574d97/status' -i -X PATCH -H 'Authorization: Bearer cf4cb724083f40be96657945a0abd311' -H 'Accept: application/json' -H 'Content-Type: application/json' -d '{
  "locked" : false
}'
PATCH /Users/db0eb894-c6fc-4882-85e9-4221f8574d97/status HTTP/1.1
Authorization: Bearer cf4cb724083f40be96657945a0abd311
Accept: application/json
Content-Type: application/json
Host: localhost
Content-Length: 22

{
  "locked" : false
}
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 22

{
  "locked" : false
}

Path Parameters

/Users/{userId}/status

Parameter Description
userId Unique user identifier.

Request Headers

Name Description
Authorization Access token with scim.write, uaa.account_status.write, or uaa.admin required
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Fields

Path Type Constraints Description
locked Boolean Optional Set to false in order to unlock the user when they have been locked out according to the password lock-out policy. Setting to true will produce an error, as the user cannot be locked out via the API.

Response Fields

Path Type Description
locked Boolean The locked value given in the request.

Error Codes

Error Code Description
400 Bad Request - invalid JSON format or illegal value
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (scim.write or uaa.account_status.write)
404 User id not found

Force user password to expire

$ curl 'http://localhost/Users/9022f2cf-2663-479e-82e6-d2ccc348a1e4/status' -i -X PATCH -H 'Authorization: Bearer c9f7e1ad98f4493ab9e784f7fc7561cd' -H 'Accept: application/json' -H 'Content-Type: application/json' -d '{
  "passwordChangeRequired" : true
}'
PATCH /Users/9022f2cf-2663-479e-82e6-d2ccc348a1e4/status HTTP/1.1
Authorization: Bearer c9f7e1ad98f4493ab9e784f7fc7561cd
Accept: application/json
Content-Type: application/json
Host: localhost
Content-Length: 37

{
  "passwordChangeRequired" : true
}
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 37

{
  "passwordChangeRequired" : true
}

Path Parameters

/Users/{userId}/status

Parameter Description
userId Unique user identifier.

Request Headers

Name Description
Authorization Access token with scim.write, uaa.account_status.write, or uaa.admin required
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Fields

Path Type Constraints Description
passwordChangeRequired Boolean Optional Set to true in order to force an internal user’s password to expire

Response Fields

Path Type Description
passwordChangeRequired Boolean The passwordChangeRequired value given in the request.

Error Codes

Error Code Description
400 Bad Request - invalid JSON format or illegal value
401 Unauthorized - Invalid token
403 Forbidden - Insufficient scope (scim.write or uaa.account_status.write)
404 User id not found
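
The two status operations above share one endpoint and one rule set: locked may only be set to false (locking through the API is an illegal value and yields 400), passwordChangeRequired is a plain boolean, and the response echoes what was applied. The following added example, which is not UAA's own implementation, models that validation server-side so the rules can be seen in one place; the UserStatus class, apply_status_patch and the error payload shape are assumptions made for the example.

```python
"""Validate and apply a PATCH /Users/{userId}/status body.

Added example, not UAA's own code. It models the documented rules: "locked"
may only be set to false (true is an illegal value), "passwordChangeRequired"
is a boolean, unknown keys and non-boolean values are rejected with 400, and
the 200 response echoes the values that were applied. Nothing is mutated
until every check has passed, so a rejected body leaves the account unchanged.
"""
from dataclasses import dataclass


@dataclass
class UserStatus:
    """Minimal stand-in for one account's stored status (constructed for the example)."""
    locked: bool = False
    password_change_required: bool = False


ALLOWED_FIELDS = {"locked", "passwordChangeRequired"}


def _bad_request(message):
    return 400, {"error": "invalid_request", "message": message}


def apply_status_patch(status: UserStatus, body) -> tuple:
    """Return (http_status, response_body) for a status patch against `status`."""
    if not isinstance(body, dict) or not body:
        return _bad_request("body must be a non-empty JSON object")
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        return _bad_request("unknown field(s): " + ", ".join(sorted(unknown)))
    for key, value in body.items():
        if not isinstance(value, bool):          # "false" (a string) or 0 is not a boolean
            return _bad_request("field %s must be a boolean" % key)
    if body.get("locked") is True:
        return _bad_request("users cannot be locked via the API")

    # All checks passed: apply and echo exactly the fields that were set.
    applied = {}
    if "locked" in body:
        status.locked = False
        applied["locked"] = False
    if "passwordChangeRequired" in body:
        status.password_change_required = body["passwordChangeRequired"]
        applied["passwordChangeRequired"] = body["passwordChangeRequired"]
    return 200, applied


if __name__ == "__main__":
    account = UserStatus(locked=True)
    print(apply_status_patch(account, {"locked": False}))               # unlock
    print(apply_status_patch(account, {"locked": True}))                # rejected
    print(apply_status_patch(account, {"passwordChangeRequired": True}))
```

The type check is deliberately strict: in JSON the string "false" is truthy in most languages, so accepting anything other than a real boolean for locked would let a sloppy client appear to unlock an account while the server stores the opposite.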

Get verification link

$ curl 'http://localhost/Users/3f086fcd-0302-4344-a20d-9981e01ab19b/verify-link?redirect_uri=http%3A%2F%2Fredirect.to%2Fapp' -i -H 'Authorization: Bearer 5705b92f4e8d4ce18732327e2f29eece' -H 'Accept: application/json'
GET /Users/3f086fcd-0302-4344-a20d-9981e01ab19b/verify-link?redirect_uri=http%3A%2F%2Fredirect.to%2Fapp HTTP/1.1
Authorization: Bearer 5705b92f4e8d4ce18732327e2f29eece
Accept: application/json
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 68

{
  "verify_link" : "http://localhost/verify_user?code=j24OPoWM75"
}

Path Parameters

/Users/{userId}/verify-link

Parameter Description
userId The ID of the user to verify

Request Headers

Name Description
Authorization The access token, prefixed with Bearer
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Parameters

Parameter Type Constraints Description
redirect_uri String Required Location where the user will be redirected after verifying by clicking the verification link

Response Fields

Path Type Description
verify_link String Location the user must visit and authenticate to verify

Error Codes

Error Code Description
403 Forbidden - Insufficient scope or internal user management disabled
404 Not Found - User not found

Verify user

$ curl 'http://localhost/Users/17d096d6-a6f1-455d-9e18-3c84d5a06d50/verify' -i -H 'Authorization: Bearer 4bcd955cfd8f41a290fe699e00b51fef' -H 'If-Match: 12' -H 'Accept: application/json'
GET /Users/17d096d6-a6f1-455d-9e18-3c84d5a06d50/verify HTTP/1.1
Authorization: Bearer 4bcd955cfd8f41a290fe699e00b51fef
If-Match: 12
Accept: application/json
Host: localhost

HTTP/1.1 200 OK
ETag: "12"
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 561

{
  "id" : "17d096d6-a6f1-455d-9e18-3c84d5a06d50",
  "meta" : {
    "version" : 12,
    "created" : "2017-02-28T23:54:46.824Z",
    "lastModified" : "2017-02-28T23:54:46.824Z"
  },
  "userName" : "billy_o@example.com",
  "name" : {
    "familyName" : "d'Orange",
    "givenName" : "William"
  },
  "emails" : [ {
    "value" : "billy_o@example.com",
    "primary" : false
  } ],
  "active" : true,
  "verified" : true,
  "origin" : "uaa",
  "zoneId" : "uaa",
  "passwordLastModified" : "2017-02-28T23:54:46.000Z",
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}

Path Parameters

/Users/{userId}/verify

Parameter Description
userId The ID of the user to verify

Request Headers

Name Description
Authorization The access token, prefixed with Bearer
If-Match (Optional) The expected current version of the user; the update is refused if the version does not match
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Error Codes

Error Code Description
400 Bad Request - Incorrect version supplied in If-Match header
403 Forbidden - Insufficient scope or internal user management disabled
404 Not Found - User not found
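
The If-Match header appears on the update, delete and verify operations above with the same semantics: optional, wildcard * accepted, otherwise it must equal the resource's meta.version, and a mismatch is answered with 400 "Incorrect version supplied in If-Match header". The following added example (not UAA's own code) implements that precondition check as a server would; the function names and the resource dict shape are assumptions made for the example, and accepting weak validators (W/"12") is a choice of this example rather than something the page documents.

```python
"""Optimistic-concurrency check for the If-Match header on SCIM user operations.

Added example, not UAA's own code. Documented behaviour modelled here: the
header is optional, the wildcard * matches any version, otherwise the value
must equal meta.version, and a mismatch is a 400 with the documented message.
ETag values may arrive quoted ("12"), bare (12) or weak (W/"12"), so all
three forms are normalised before comparison.
"""

MISMATCH_MESSAGE = "Bad Request - Incorrect version supplied in If-Match header"


def parse_if_match(header):
    """Return None (header absent), "*" (wildcard) or a set of version strings.

    Raises ValueError for a malformed header; versions must be integers
    because UAA's meta.version is a number.
    """
    if header is None or header.strip() == "":
        return None
    header = header.strip()
    if header == "*":
        return "*"
    versions = set()
    for raw in header.split(","):
        tag = raw.strip()
        if tag.startswith("W/"):              # weak validator: compare the opaque value
            tag = tag[2:]
        if len(tag) >= 2 and tag[0] == tag[-1] == '"':
            tag = tag[1:-1]
        if not tag.isdigit():
            raise ValueError("malformed If-Match value: %r" % raw)
        versions.add(tag)
    return versions


def check_precondition(resource, if_match_header):
    """Return (None, None) when the operation may proceed, else (http_status, message)."""
    try:
        wanted = parse_if_match(if_match_header)
    except ValueError:
        return 400, MISMATCH_MESSAGE
    if wanted is None or wanted == "*":
        return None, None
    current = str(resource["meta"]["version"])
    if current in wanted:
        return None, None
    return 400, MISMATCH_MESSAGE


def etag_for(resource):
    """Build the ETag header value UAA returns for a SCIM resource, e.g. "12"."""
    return '"%d"' % resource["meta"]["version"]


if __name__ == "__main__":
    # Constructed resource matching the verify example's version (not a real user).
    user = {"id": "17d096d6-a6f1-455d-9e18-3c84d5a06d50", "meta": {"version": 12}}
    print(etag_for(user))
    for header in (None, "*", '"12"', "12", 'W/"12"', '"11"'):
        print(repr(header), "->", check_precondition(user, header))
```

A client that reads ETag from a Retrieve response and sends it back as If-Match on the following update gets a lost-update guard for free: if an administrator changed the user in between, the version differs and the second writer is told to re-read instead of silently overwriting.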

Lookup User IDs/Usernames

$ curl 'http://localhost/ids/Users?filter=userName+eq+%22bobugdg7r%40test.org%22+or+id+eq+%22414af7af-c73e-489c-85ef-94380d48896b%22&sortOrder=descending&startIndex=1&count=10&includeInactive=true' -i -H 'Authorization: Bearer e8f9b8b7ed6b4a7e91f1924578de5a5e'
GET /ids/Users?filter=userName+eq+%22bobugdg7r%40test.org%22+or+id+eq+%22414af7af-c73e-489c-85ef-94380d48896b%22&sortOrder=descending&startIndex=1&count=10&includeInactive=true HTTP/1.1
Authorization: Bearer e8f9b8b7ed6b4a7e91f1924578de5a5e
Host: localhost

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 373

{
  "resources" : [ {
    "origin" : "uaa",
    "id" : "414af7af-c73e-489c-85ef-94380d48896b",
    "userName" : "dwayneOfaTwF@test.org"
  }, {
    "origin" : "uaa",
    "id" : "a7f4dbaa-6992-4ec5-baa1-408d8acba46e",
    "userName" : "bobugdg7r@test.org"
  } ],
  "startIndex" : 1,
  "itemsPerPage" : 10,
  "totalResults" : 2,
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}

Request Headers

Name Description
Authorization Bearer token with authorization for scim.userids scope

Request Parameters

Parameter Type Constraints Description
filter String Required SCIM filter for users over userName, id, and origin, using only the eq comparison operator
sortOrder String Optional (defaults to ascending) sort by username in ascending or descending order
startIndex Number Optional (defaults to 1) display paged results beginning at specified index
count Number Optional (defaults to 100) number of results to return per page
includeInactive Boolean Optional (defaults to false) include users from inactive identity providers

Response Fields

Path Type Description
totalResults Number The number of results which matched the filter
startIndex Number The index of the first item of this page of results
itemsPerPage Number The page size used in producing this page of results
schemas Array ["urn:scim:schemas:core:1.0"]
resources[].id String The globally unique identifier for this user
resources[].userName String The username
resources[].origin String The origin of the user, e.g. an identity provider alias

Error Codes

Error Code Description
400 Bad Request - Request was invalid or unparseable
403 Forbidden - Insufficient scope
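
The filter parameter above is a small query language, so a client that builds it by string concatenation from caller-supplied names or IDs must make sure those values cannot add terms of their own. The following added example (not UAA's own code) composes a /ids/Users query from (attribute, value) pairs using only the documented eq operator and attributes, rejects values that could alter the filter grammar, and reproduces the exact query string of the curl request above; the function names are assumptions made for the example.

```python
"""Build a safe query string for GET /ids/Users.

Added example, not UAA's own code. The documented filter grammar allows only
the eq operator over userName, id and origin. This helper composes such a
filter without letting caller-supplied values change its structure: quotes,
backslashes and newlines in a value are rejected rather than interpolated,
id values must be UUIDs, and paging parameters are range-checked before the
whole query is percent-encoded the way the documented request shows.
"""
from urllib.parse import urlencode
import uuid

ALLOWED_ATTRIBUTES = {"userName", "id", "origin"}


def _term(attribute, value):
    """Render one `attribute eq "value"` term after validating both parts."""
    if attribute not in ALLOWED_ATTRIBUTES:
        raise ValueError("attribute not permitted in /ids/Users filter: %s" % attribute)
    if not isinstance(value, str) or value == "":
        raise ValueError("filter value must be a non-empty string")
    if attribute == "id":
        uuid.UUID(value)                      # raises ValueError if not a UUID
    if '"' in value or "\\" in value or "\n" in value:
        raise ValueError("quote, backslash or newline not allowed in filter value")
    return '%s eq "%s"' % (attribute, value)


def build_ids_users_query(terms, sort_order="ascending", start_index=1,
                          count=100, include_inactive=False):
    """Return the encoded query string; `terms` is a list of (attribute, value) pairs joined with or."""
    if not terms:
        raise ValueError("at least one filter term is required")
    if sort_order not in ("ascending", "descending"):
        raise ValueError("sortOrder must be ascending or descending")
    if start_index < 1 or count < 1:
        raise ValueError("startIndex and count must be positive")
    params = [
        ("filter", " or ".join(_term(a, v) for a, v in terms)),
        ("sortOrder", sort_order),
        ("startIndex", start_index),
        ("count", count),
        ("includeInactive", "true" if include_inactive else "false"),
    ]
    # urlencode uses quote_plus: spaces become '+', '"' becomes %22, '@' becomes %40.
    return urlencode(params)


if __name__ == "__main__":
    query = build_ids_users_query(
        [("userName", "bobugdg7r@test.org"),
         ("id", "414af7af-c73e-489c-85ef-94380d48896b")],
        sort_order="descending", start_index=1, count=10, include_inactive=True)
    print("/ids/Users?" + query)
```

Rejecting rather than escaping the quote character is deliberate: the page does not document an escape syntax for the filter, and a value that needs one is far more likely to be an attempt to smuggle in an extra `or origin eq ...` term than a legitimate user name.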

Invite users

$ curl 'http://localhost/invite_users?client_id=rkiq8l&redirect_uri=example.com' -i -X POST -H 'Authorization: Bearer 859aca9dcc1749b5b9ebd74ed45168f2' -H 'Content-Type: application/json' -d '{
  "emails" : [ "user1@3veybs.com", "user2@3veybs.com" ]
}'
POST /invite_users?client_id=rkiq8l&redirect_uri=example.com HTTP/1.1
Authorization: Bearer 859aca9dcc1749b5b9ebd74ed45168f2
Content-Type: application/json
Host: localhost
Content-Length: 59

{
  "emails" : [ "user1@3veybs.com", "user2@3veybs.com" ]
}
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 578

{
  "new_invites" : [ {
    "email" : "user1@3veybs.com",
    "userId" : "cd670220-fca0-4ee1-8356-348805ad3f62",
    "origin" : "uaa",
    "success" : true,
    "errorCode" : null,
    "errorMessage" : null,
    "inviteLink" : "http://localhost/invitations/accept?code=uYzHcDxyt7"
  }, {
    "email" : "user2@3veybs.com",
    "userId" : "8314725a-53d2-47ee-9fc8-f40a38de02d9",
    "origin" : "uaa",
    "success" : true,
    "errorCode" : null,
    "errorMessage" : null,
    "inviteLink" : "http://localhost/invitations/accept?code=KCaJSnExwv"
  } ],
  "failed_invites" : [ ]
}

Request Headers

Name Description
Authorization Bearer token containing scim.invite
X-Identity-Zone-Id If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Fields

Path Type Constraints Description
emails Array Required Users are invited by email address. More than one email address can be provided.

Request Parameters

Parameter Type Constraints Description
client_id String Optional A unique string representing the registration information provided by the client
redirect_uri String Required The user will be redirected to this URI when they accept the invitation. The redirect_uri will be validated against the allowed redirect URIs registered for the client.

Response Fields

Path Type Description
new_invites[].email String Primary email id of the invited user
new_invites[].userId String A unique string for the invited user
new_invites[].origin String Unique alias of the provider
new_invites[].success Boolean Flag to determine whether the invitation was sent successfully
new_invites[].errorCode String Error code in case of failure to send invitation
new_invites[].errorMessage String Error message in case of failure to send invitation
new_invites[].inviteLink String Invitation link to invite users
failed_invites Array List of invites for which sending the invitation raised an exception

Error Codes

Error Code Description
403 Forbidden - Insufficient scope

Groups

Create

$ curl 'http://localhost/Groups' -i -X POST -H 'Authorization: Bearer a8b6aca8f1f447f3a33a40a23073217b' -H 'Content-Type: application/json' -d '{
  "displayName" : "Cool Group Name",
  "description" : "the cool group",
  "members" : [ {
    "origin" : "uaa",
    "type" : "USER",
    "value" : "7a77c0fc-0072-49ca-9cf7-b6fb1a4de51c"
  } ]
}'
POST /Groups HTTP/1.1
Authorization: Bearer a8b6aca8f1f447f3a33a40a23073217b
Content-Type: application/json
Host: localhost
Content-Length: 196

{
  "displayName" : "Cool Group Name",
  "description" : "the cool group",
  "members" : [ {
    "origin" : "uaa",
    "type" : "USER",
    "value" : "7a77c0fc-0072-49ca-9cf7-b6fb1a4de51c"
  } ]
}
HTTP/1.1 201 Created
ETag: "0"
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 441

{
  "id" : "c15356c8-8b93-4926-85c9-ff1946420fa4",
  "meta" : {
    "version" : 0,
    "created" : "2017-02-28T23:54:46.015Z",
    "lastModified" : "2017-02-28T23:54:46.015Z"
  },
  "displayName" : "Cool Group Name",
  "zoneId" : "uaa",
  "description" : "the cool group",
  "members" : [ {
    "origin" : "uaa",
    "type" : "USER",
    "value" : "7a77c0fc-0072-49ca-9cf7-b6fb1a4de51c"
  } ],
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}

Request Headers

Name Description
Authorization Bearer token with scope scim.write
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Request Fields

Path Type Constraints Description
displayName String Required An identifier, unique within the identity zone
description String Optional Human readable description of the group, displayed e.g. when approving scopes
members Array Optional Members to be included in the group
members[].value String Required for each item in members The globally-unique ID of the member entity, either a user ID or another group ID
members[].type String Optional (defaults to "USER") Either "USER" or "GROUP"
members[].origin String Optional (defaults to "uaa") The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.

Response Fields

Path Type Description
id String The globally unique group ID
displayName String The identifier specified upon creation of the group, unique within the identity zone
description String Human readable description of the group, displayed e.g. when approving scopes
members Array Array of group members
members[].value String Globally unique identifier of the member, either a user ID or another group ID
members[].type String Either "USER" or "GROUP"
members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
zoneId String Identifier for the identity zone to which the group belongs
meta.version Number The version of the group entity
meta.created String The time the group was created
meta.lastModified String The time the group was last updated
schemas Array [ "urn:scim:schemas:core:1.0" ]

Error Codes

Error Code Description
400 Bad Request - Invalid member ID
403 Forbidden - Insufficient scope

Retrieve

$ curl 'http://localhost/Groups/c15356c8-8b93-4926-85c9-ff1946420fa4' -i -H 'Authorization: Bearer eedd68698c9649438e450845a1ff4964'
GET /Groups/c15356c8-8b93-4926-85c9-ff1946420fa4 HTTP/1.1
Authorization: Bearer eedd68698c9649438e450845a1ff4964
Host: localhost

HTTP/1.1 200 OK
ETag: "2"
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 454

{
  "id" : "c15356c8-8b93-4926-85c9-ff1946420fa4",
  "meta" : {
    "version" : 2,
    "created" : "2017-02-28T23:54:46.015Z",
    "lastModified" : "2017-02-28T23:54:46.102Z"
  },
  "displayName" : "Cooler Group Name for Update",
  "zoneId" : "uaa",
  "description" : "the cool group",
  "members" : [ {
    "origin" : "uaa",
    "type" : "USER",
    "value" : "7a77c0fc-0072-49ca-9cf7-b6fb1a4de51c"
  } ],
  "schemas" : [ "urn:scim:schemas:core:1.0" ]
}

Path Parameters

/Groups/{groupId}

Parameter Description
groupId Globally unique identifier of the group to retrieve

Request Headers

Name Description
Authorization Bearer token with scope scim.read
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zone id>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

Response Fields

Path Type Description
id String The globally unique group ID
displayName String The identifier specified upon creation of the group, unique within the identity zone
description String Human readable description of the group, displayed e.g. when approving scopes
members Array Array of group members
members[].value String Globally unique identifier of the member, either a user ID or another group ID
members[].type String Either "USER" or "GROUP"
members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
zoneId String Identifier for the identity zone to which the group belongs
meta.version Number The version of the group entity
meta.created String The time the group was created
meta.lastModified String The time the group was last updated
schemas Array [ "urn:scim:schemas:core:1.0" ]

Error Code Description
403 Forbidden - Insufficient scope
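The Groups calls documented here (Create's request-field defaults, Retrieve, and Retrieve feeding its ETag into the If-Match header of the Update that follows) as an added Python example; this is not UAA's own client code. The transport callable, the GroupsClient and rename_group helpers, and the FakeUaa stand-in with its 409 on a stale If-Match are assumptions or constructed data for running offline; the token and group ID values are taken from the page's examples.

```python
import json
from typing import Any, Callable, Dict, Optional, Tuple

# Hypothetical transport (an assumption, not a UAA API):
# transport(method, url, headers, body) -> (status, response_headers, response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, Dict[str, str], str]]
MEMBER_TYPES = {"USER", "GROUP"}
GROUP_ID = "c15356c8-8b93-4926-85c9-ff1946420fa4"  # group ID from the page's examples


class UaaError(Exception):
    """Any non-2xx response, e.g. the documented 400 (invalid member ID) or 403 (scope)."""
    def __init__(self, status: int, body: str) -> None:
        super().__init__(f"UAA responded {status}: {body}")
        self.status = status


def normalize_member(member: Dict[str, Any]) -> Dict[str, str]:
    """Validate one members[] entry and apply the documented defaults (USER, uaa)."""
    value = member.get("value")
    if not value:
        raise ValueError("members[].value is required")
    member_type = member.get("type", "USER")
    if member_type not in MEMBER_TYPES:
        raise ValueError(f"members[].type must be USER or GROUP, got {member_type!r}")
    return {"value": value, "type": member_type, "origin": member.get("origin", "uaa")}


def group_body(display_name: str, description: Optional[str] = None,
               members: Tuple[Dict[str, Any], ...] = ()) -> Dict[str, Any]:
    """Request body for Create/Update, built from the documented request fields."""
    if not display_name:
        raise ValueError("displayName is required")
    body: Dict[str, Any] = {"displayName": display_name}
    if description is not None:
        body["description"] = description
    body["members"] = [normalize_member(m) for m in members]
    return body


class GroupsClient:
    def __init__(self, base_url: str, token: str, transport: Transport,
                 zone_id: Optional[str] = None, zone_subdomain: Optional[str] = None) -> None:
        self.base_url, self.transport = base_url.rstrip("/"), transport
        self.headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
        # Either zone header targets another zone (needs zones.<zone id>.admin, or uaa.admin for the ID form).
        if zone_id:
            self.headers["X-Identity-Zone-Id"] = zone_id
        if zone_subdomain:
            self.headers["X-Identity-Zone-Subdomain"] = zone_subdomain

    def _call(self, method: str, path: str, extra: Optional[Dict[str, str]] = None,
              body: Optional[str] = None) -> Tuple[Dict[str, Any], str]:
        headers = {**self.headers, **(extra or {})}
        status, resp_headers, resp_body = self.transport(method, self.base_url + path, headers, body)
        if status // 100 != 2:
            raise UaaError(status, resp_body)
        # The response ETag is the quoted meta.version ("2"); the page's PUT sends it bare.
        return json.loads(resp_body), resp_headers.get("ETag", "").strip('"')

    def get(self, group_id: str) -> Tuple[Dict[str, Any], str]:
        return self._call("GET", f"/Groups/{group_id}")

    def update(self, group_id: str, body: Dict[str, Any], etag: str) -> Tuple[Dict[str, Any], str]:
        extra = {"If-Match": etag, "Content-Type": "application/json"}
        return self._call("PUT", f"/Groups/{group_id}", extra, json.dumps(body))


def rename_group(client: GroupsClient, group_id: str, new_name: str) -> Tuple[Dict[str, Any], str]:
    """Retrieve, then Update with If-Match = retrieved version, so a concurrent edit is rejected, not overwritten."""
    current, etag = client.get(group_id)
    body = group_body(new_name, current.get("description"), tuple(current.get("members", [])))
    return client.update(group_id, body, etag)


class FakeUaa:
    """Constructed offline stand-in for /Groups (not UAA). It returns the documented response shape;
    the 409 on a stale If-Match is an assumption, the page does not say which status UAA uses."""
    def __init__(self) -> None:
        self.version = 2
        self.group: Dict[str, Any] = group_body("Cooler Group Name for Update", "the cool group",
                                                ({"value": "7a77c0fc-0072-49ca-9cf7-b6fb1a4de51c"},))
        self.requests: list = []

    def _doc(self) -> str:
        return json.dumps(dict(self.group, id=GROUP_ID, zoneId="uaa", meta={"version": self.version},
                               schemas=["urn:scim:schemas:core:1.0"]))

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[str]):
        self.requests.append((method, url, headers, body))
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 403, {}, '{"error":"insufficient_scope"}'  # documented 403
        if method == "GET":
            return 200, {"ETag": f'"{self.version}"'}, self._doc()
        if method == "PUT":
            if headers.get("If-Match") != str(self.version):
                return 409, {}, '{"error":"version mismatch"}'  # assumed status
            self.group, self.version = json.loads(body), self.version + 1
            return 200, {"ETag": f'"{self.version}"'}, self._doc()
        return 404, {}, ""
```

Wire it up with `GroupsClient("http://localhost", token, FakeUaa())` and call `rename_group(client, GROUP_ID, "new name")`; swap FakeUaa for a real HTTP transport with the same signature to talk to a UAA. The point of carrying the ETag into If-Match is that the version in the Update request names the state the caller actually read, so a write based on stale data fails loudly instead of clobbering someone else's change to the member list.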

Update

$ curl 'http://localhost/Groups/c15356c8-8b93-4926-85c9-ff1946420fa4' -i -X PUT -H 'Authorization: Bearer a8b6aca8f1f447f3a33a40a23073217b' -H 'If-Match: 0' -H 'Content-Type: application/json' -d '{
  "displayName" : "Cooler Group Name for Update",
  "description" : "the cool group",
  "members" : [ {
    "origin" : "uaa",
    "type" : "USER",
    "value" : "7a77c0fc-0072-49ca-9cf7-b6fb1a4de51c"
  } ]
}'
PUT /Groups/c15356c8-8b93-4926-85c9-ff1946420fa4 HTTP/1.1
Authorization: Bearer a8b6aca8f1f447f3a33a40a23073217b
If-Match: 0
Content-Type: application/json
Host: localhost
Content-Length: 209

{
  "displayName" : "Cooler Group Name for Update",
  "description" : "the cool group",
  "members" : [ {
    "origin" : "uaa",
    "type" : "USER",
    "value" : "7a77c0fc-0072-49ca-9cf7-b6fb1a4de51c"
  } ]
}
HTTP/1.1 200 OK
ETag: "1"
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 454

{
  "id" : "c15356c8-8b93-4926-85c9-ff1946420fa4",
  "meta" : {
    "version" :