NAV Navbar
  • Overview
  • Authorization
  • Token
  • Check Token
  • Token Key(s)
  • Identity Zones
  • Identity Providers
  • Service Providers
  • Users
  • Groups
  • Clients
  • Server Information
  • External Login Server
  • Overview

    The User Account and Authentication Service (UAA):

    Authorization

    Authorization Code Grant

    Browser flow

    $ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Flocalhost%2Fapp' -i \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Flocalhost%2Fapp HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Strict-Transport-Security: max-age=31536000
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost/app?code=kogo4xLLiU
    Set-Cookie: X-Uaa-Csrf=pJICmsRVc4bwL6dQuN67E9;Max-Age=86400;HttpOnly
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, code for requesting an authorization code for an access token, as per OAuth spec
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client

    Api flow

    $ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf&state=x9opoI' -i \
        -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiI3OTE2ZGNmNjZlY2E0ODFhOTVjOGRmYmE5MWZiNWFkNSIsInN1YiI6IjY2YjQyYjNhLWZiMzYtNDliNy1hNDkwLWE2YTQxZTMyZDJkYSIsInNjb3BlIjpbInVhYS51c2VyIl0sImNsaWVudF9pZCI6ImNmIiwiY2lkIjoiY2YiLCJhenAiOiJjZiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiI2NmI0MmIzYS1mYjM2LTQ5YjctYTQ5MC1hNmE0MWUzMmQyZGEiLCJvcmlnaW4iOiJ1YWEiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwiZW1haWwiOiJtYXJpc3NhQHRlc3Qub3JnIiwiYXV0aF90aW1lIjoxNTA1MTY2OTkzLCJyZXZfc2lnIjoiNzdiZWY1YTkiLCJpYXQiOjE1MDUxNjY5OTMsImV4cCI6MTUwNTIxMDE5MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6InVhYSIsImF1ZCI6WyJjZiIsInVhYSJdfQ.e6HXa5x1jsx3lW-cx6jx95b8Rtc4m0xu-GSMfOmlqtM'
    
    GET /oauth/authorize?response_type=code&client_id=login&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf&state=x9opoI HTTP/1.1
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiI3OTE2ZGNmNjZlY2E0ODFhOTVjOGRmYmE5MWZiNWFkNSIsInN1YiI6IjY2YjQyYjNhLWZiMzYtNDliNy1hNDkwLWE2YTQxZTMyZDJkYSIsInNjb3BlIjpbInVhYS51c2VyIl0sImNsaWVudF9pZCI6ImNmIiwiY2lkIjoiY2YiLCJhenAiOiJjZiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiI2NmI0MmIzYS1mYjM2LTQ5YjctYTQ5MC1hNmE0MWUzMmQyZGEiLCJvcmlnaW4iOiJ1YWEiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwiZW1haWwiOiJtYXJpc3NhQHRlc3Qub3JnIiwiYXV0aF90aW1lIjoxNTA1MTY2OTkzLCJyZXZfc2lnIjoiNzdiZWY1YTkiLCJpYXQiOjE1MDUxNjY5OTMsImV4cCI6MTUwNTIxMDE5MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6InVhYSIsImF1ZCI6WyJjZiIsInVhYSJdfQ.e6HXa5x1jsx3lW-cx6jx95b8Rtc4m0xu-GSMfOmlqtM
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost/redirect/cf?code=uOJyyirc9T&state=x9opoI
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, code for requesting an authorization code for an access token, as per OAuth spec
    client_id String Required a unique string representing the registration information provided by the client
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    state String Required any random string to be returned in the Location header as a query parameter, used to achieve per-request customization

    Request Headers

    Name Description
    Authorization Bearer token containing uaa.user scope - the authentication for this user

    Implicit Grant

    $ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Strict-Transport-Security: max-age=31536000
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJiODhkZDg4NWM4NzU0YTVkYWFmNDk0ZjBmYzlkZjkxMCIsInN1YiI6IjY2YjQyYjNhLWZiMzYtNDliNy1hNDkwLWE2YTQxZTMyZDJkYSIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJhenAiOiJhcHAiLCJ1c2VyX2lkIjoiNjZiNDJiM2EtZmIzNi00OWI3LWE0OTAtYTZhNDFlMzJkMmRhIiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoibWFyaXNzYSIsImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInJldl9zaWciOiI3ODJhYjRjZCIsImlhdCI6MTUwNTE2Njk5MywiZXhwIjoxNTA1MjEwMTkzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImFwcCIsIm9wZW5pZCJdfQ.zDE3nP28ZOuzCjkAI6ZTRn6GBnjGc0EeCXw9BZN328Q&expires_in=43199&jti=b88dd885c8754a5daaf494f0fc9df910
    Set-Cookie: X-Uaa-Csrf=v3RBEExZp8oOovs5CN1J2I;Max-Age=86400;HttpOnly
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, token, i.e. an access token
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client

    Response Headers

    Name Description
    Location Location as defined in the spec includes access_token in the reply fragment if successful

    Implicit Grant with prompt

    $ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#error=login_required
    Set-Cookie: Current-User=;Max-Age=0
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, token, i.e. an access token
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    prompt String Optional specifies whether to prompt for user authentication. Only value none is supported.

    Response Headers

    Name Description
    Location Redirect url specified in the request parameters.

    OpenID Connect flow

    OpenID Provider Configuration Request

    An OpenID Provider Configuration Document MUST be queried using an HTTP GET request at the previously specified path.

    $ curl 'http://localhost/.well-known/openid-configuration' -i \
        -H 'Accept: application/json'
    
    GET /.well-known/openid-configuration HTTP/1.1
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Content-Length: 1239
    
    {
      "issuer" : "http://localhost:8080/uaa/oauth/token",
      "authorization_endpoint" : "http://localhost/oauth/authorize",
      "token_endpoint" : "http://localhost/oauth/token",
      "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
      "token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ],
      "userinfo_endpoint" : "http://localhost/userinfo",
      "jwks_uri" : "http://localhost/token_keys",
      "scopes_supported" : [ "openid", "profile", "email", "phone", "roles", "user_attributes" ],
      "response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ],
      "subject_types_supported" : [ "public" ],
      "id_token_signing_alg_values_supported" : [ "RS256", "HS256" ],
      "id_token_encryption_alg_values_supported" : [ "none" ],
      "claim_types_supported" : [ "normal" ],
      "claims_supported" : [ "sub", "user_name", "origin", "iss", "auth_time", "amr", "acr", "client_id", "aud", "zid", "grant_type", "user_id", "azp", "scope", "exp", "iat", "jti", "rev_sig", "cid", "given_name", "family_name", "phone_number", "email" ],
      "claims_parameter_supported" : false,
      "service_documentation" : "http://docs.cloudfoundry.org/api/uaa/",
      "ui_locales_supported" : [ "en-US" ]
    }
    

    Response Fields

    Path Type Description
    issuer String URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
    authorization_endpoint String URL of authorization endpoint.
    token_endpoint String URL of token endpoint.
    userinfo_endpoint String URL of the OP's UserInfo Endpoint.
    jwks_uri String URL of the OP's JSON Web Key Set document.
    scopes_supported Array JSON array containing a list of the OAuth 2.0 scope values that this server supports.
    subject_types_supported Array JSON array containing a list of the Subject Identifier types that this OP supports.
    token_endpoint_auth_methods_supported Array JSON array containing a list of Client Authentication methods supported by this Token Endpoint.
    token_endpoint_auth_signing_alg_values_supported Array JSON array containing a list of the JWS signing algorithms.
    response_types_supported Array JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
    id_token_signing_alg_values_supported Array JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT.
    id_token_encryption_alg_values_supported Array JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP.
    claim_types_supported Array JSON array containing a list of the Claim Types that the OpenID Provider supports.
    claims_supported Array JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for.
    claims_parameter_supported Boolean Boolean value specifying whether the OP supports use of the claims parameter.
    service_documentation String URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider.
    ui_locales_supported Array Languages and scripts supported for the user interface.

    ID token

    The authorization request may specify a response type of id_token, and an ID token as defined by OpenID Connect will be included in the fragment of the redirect URL.

    $ curl 'http://localhost/oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Strict-Transport-Security: max-age=31536000
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiI2NmI0MmIzYS1mYjM2LTQ5YjctYTQ5MC1hNmE0MWUzMmQyZGEiLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImFwcCIsImF1ZCI6WyJhcHAiXSwiemlkIjoidWFhIiwidXNlcl9pZCI6IjY2YjQyYjNhLWZiMzYtNDliNy1hNDkwLWE2YTQxZTMyZDJkYSIsImF6cCI6ImFwcCIsInNjb3BlIjpbIm9wZW5pZCJdLCJleHAiOjE1MDUyMTAxOTQsImlhdCI6MTUwNTE2Njk5NCwianRpIjoiOGM2ZDU4MDNiZDljNDJjZDkwNGUxYzY4MTdiYjZkN2YiLCJlbWFpbCI6Im1hcmlzc2FAdGVzdC5vcmciLCJyZXZfc2lnIjoiNzgyYWI0Y2QiLCJjaWQiOiJhcHAifQ.s8ah04AvxhwtOvbRp_lOl3FaO-9aoqXx4WG_mNG-rpU&expires_in=43199&jti=8c6d5803bd9c42cd904e1c6817bb6d7f
    Set-Cookie: X-Uaa-Csrf=d55EAZmDx4KUeemYo9BXx2;Max-Age=86400;HttpOnly
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, id_token
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client

    Response Headers

    Name Description
    Location Location as defined in the spec includes id_token in the reply fragment if successful

    ID token and Access token

    The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the access token.

    $ curl 'http://localhost/oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Strict-Transport-Security: max-age=31536000
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiI3YTE3NDdiMjBmOTM0Mzg2YTlkYzUxNDYzMDhlOWZhMCIsInN1YiI6IjY2YjQyYjNhLWZiMzYtNDliNy1hNDkwLWE2YTQxZTMyZDJkYSIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJhenAiOiJhcHAiLCJ1c2VyX2lkIjoiNjZiNDJiM2EtZmIzNi00OWI3LWE0OTAtYTZhNDFlMzJkMmRhIiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoibWFyaXNzYSIsImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInJldl9zaWciOiI3ODJhYjRjZCIsImlhdCI6MTUwNTE2Njk5NCwiZXhwIjoxNTA1MjEwMTk0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImFwcCIsIm9wZW5pZCJdfQ.ofy7JBYUWvC28fX0WCHkCt88iyudEg3hjij8r3e2eRU&id_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiI2NmI0MmIzYS1mYjM2LTQ5YjctYTQ5MC1hNmE0MWUzMmQyZGEiLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImFwcCIsImF1ZCI6WyJhcHAiXSwiemlkIjoidWFhIiwidXNlcl9pZCI6IjY2YjQyYjNhLWZiMzYtNDliNy1hNDkwLWE2YTQxZTMyZDJkYSIsImF6cCI6ImFwcCIsInNjb3BlIjpbIm9wZW5pZCJdLCJleHAiOjE1MDUyMTAxOTQsImlhdCI6MTUwNTE2Njk5NCwianRpIjoiN2ExNzQ3YjIwZjkzNDM4NmE5ZGM1MTQ2MzA4ZTlmYTAiLCJlbWFpbCI6Im1hcmlzc2FAdGVzdC5vcmciLCJyZXZfc2lnIjoiNzgyYWI0Y2QiLCJjaWQiOiJhcHAifQ.dhYcFShfCttq6rbeZ0m2FElq2F77xKhvRvJTOFw1FMo&expires_in=43199&jti=7a1747b20f934386a9dc5146308e9fa0
    Set-Cookie: X-Uaa-Csrf=NgVkNeQ73Pq7EoT32ABtof;Max-Age=86400;HttpOnly
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, token id_token, indicating both an access token and an ID token.
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client

    Response Headers

    Name Description
    Location Location as defined in the spec includes access_token and id_token in the reply fragment if successful

    Hybrid flow

    The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the authorization code.

    $ curl 'http://localhost/oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Strict-Transport-Security: max-age=31536000
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiI2NmI0MmIzYS1mYjM2LTQ5YjctYTQ5MC1hNmE0MWUzMmQyZGEiLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImFwcCIsImF1ZCI6WyJhcHAiXSwiemlkIjoidWFhIiwidXNlcl9pZCI6IjY2YjQyYjNhLWZiMzYtNDliNy1hNDkwLWE2YTQxZTMyZDJkYSIsImF6cCI6ImFwcCIsInNjb3BlIjpbIm9wZW5pZCJdLCJleHAiOjE1MDUyMTAxOTQsImlhdCI6MTUwNTE2Njk5NCwianRpIjoiNGQ3MDMwOGRiMzcxNGM5ODg4NGNkZGQ0ZTBmZGMzZTIiLCJlbWFpbCI6Im1hcmlzc2FAdGVzdC5vcmciLCJyZXZfc2lnIjoiNzgyYWI0Y2QiLCJjaWQiOiJhcHAifQ.g9gvkGhdkO1etRMi4wJyuxoYitMUNXGOD-yxTfmPRTQ&code=5SMXPzUcXa&expires_in=43199&jti=4d70308db3714c98884cddd4e0fdc3e2
    Set-Cookie: X-Uaa-Csrf=atPuicXOCnKBF8ZE654EUp;Max-Age=86400;HttpOnly
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, id_token code, indicating a request for an ID token and an authorization code.
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client

    Response Headers

    Name Description
    Location Location as defined in the spec includes code and id_token in the reply fragment if successful

    Token

    The /oauth/token endpoint requires client authentication to be accessed. Client Authentication can be passed as as part of the request authorization header, using basic authentication, or as part of the request parameters, using the client_id and client_secret parameter names.

    Authorization Code Grant

    $ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=token&code=hfbg0ax079&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
    Accept: application/json
    Host: localhost
    
    client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=token&code=hfbg0ax079&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 250
    
    {
      "access_token" : "070b35231966488ab07f11822c6ef162",
      "token_type" : "bearer",
      "refresh_token" : "cd98b3dea6044470b0a6dfccc0e370ee-r",
      "expires_in" : 43199,
      "scope" : "openid oauth.approvals",
      "jti" : "070b35231966488ab07f11822c6ef162"
    }
    

    Request Headers

    Name Description
    Authorization Client ID and secret may be passed as a basic authorization header, per RFC 6749 or as request parameters.

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required The type of token that should be issued.
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    redirect_uri String Required if provided on authorization request redirection URI to which the authorization server will send the user-agent back once access is granted (or denied)
    code String Required the authorization code, obtained from /oauth/authorize, issued for the user
    grant_type String Required the type of authentication being used to obtain the token, in this case authorization_code
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    token_format String Optional UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token.

    Response Fields

    Path Type Description
    access_token String the access token for the user to whom the authorization code was issued
    token_type String the type of the access token issued, i.e. bearer
    expires_in Number number of seconds until token expiry
    scope String space-delimited list of scopes authorized by the user for this client
    refresh_token String an OAuth refresh token for refresh grants
    jti String a globally unique identifier for this token

    Client Credentials Grant

    Without Authorization

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=login&client_secret=loginsecret&grant_type=client_credentials&token_format=opaque&response_type=token'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=login&client_secret=loginsecret&grant_type=client_credentials&token_format=opaque&response_type=token
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 306
    
    {
      "access_token" : "134ab46c781248a1a26a063ece5c8cc3",
      "token_type" : "bearer",
      "expires_in" : 43199,
      "scope" : "clients.read emails.write scim.userids password.write idps.write notifications.write oauth.login scim.write critical_notifications.write",
      "jti" : "134ab46c781248a1a26a063ece5c8cc3"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    grant_type String Required the type of authentication being used to obtain the token, in this case client_credentials
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    response_type String Optional The type of token that should be issued.
    token_format String Optional UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token.

    Response Fields

    Path Type Description
    access_token String the access token
    token_type String the type of the access token issued, i.e. bearer
    expires_in Number number of seconds until token expiry
    scope String space-delimited list of scopes authorized by the user for this client
    jti String a globally unique identifier for this token

    With Authorization

    $ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'grant_type=client_credentials&response_type=token&token_format=opaque'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
    Host: localhost
    
    grant_type=client_credentials&response_type=token&token_format=opaque
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 306
    
    {
      "access_token" : "a88d3c499bc3408289ab1c7a762034c3",
      "token_type" : "bearer",
      "expires_in" : 43199,
      "scope" : "clients.read emails.write scim.userids password.write idps.write notifications.write oauth.login scim.write critical_notifications.write",
      "jti" : "a88d3c499bc3408289ab1c7a762034c3"
    }
    

    Request Header

    Name Description
    Authorization Base64 encoded client details in the format: Basic client_id:client_secret

    Request Parameters

    Parameter Type Constraints Description
    grant_type String Required the type of authentication being used to obtain the token, in this case client_credentials
    response_type String Optional The type of token that should be issued.
    token_format String Optional UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token.

    Response Fields

    Path Type Description
    access_token String the access token
    token_type String the type of the access token issued, i.e. bearer
    expires_in Number number of seconds until token expiry
    scope String space-delimited list of scopes authorized by the user for this client
    jti String a globally unique identifier for this token

    Password Grant

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=app&client_secret=appclientsecret&grant_type=password&username=HbyjjR%40test.org&password=secr3T&token_format=opaque&response_type=token'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=app&client_secret=appclientsecret&grant_type=password&username=HbyjjR%40test.org&password=secr3T&token_format=opaque&response_type=token
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 307
    
    {
      "access_token" : "1cc25eb1ad744d71b3eec15158eda19e",
      "token_type" : "bearer",
      "refresh_token" : "1aec7d1494d045e5982d310a2783793d-r",
      "expires_in" : 43199,
      "scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
      "jti" : "1cc25eb1ad744d71b3eec15158eda19e"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required The type of token that should be issued.
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    grant_type String Required the type of authentication being used to obtain the token, in this case password
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    username String Required the username for the user trying to get a token
    password String Required the password for the user trying to get a token
    token_format String Optional UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token.

    Response Fields

    Path Type Description
    access_token String the access token
    token_type String the type of the access token issued, i.e. bearer
    expires_in Number number of seconds until token expiry
    scope String space-delimited list of scopes authorized by the user for this client
    refresh_token String an OAuth refresh token for refresh grants
    jti String a globally unique identifier for this token

    One-time Passcode

    $ curl 'http://localhost/oauth/token' -i -u 'app:appclientsecret' -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'grant_type=password&passcode=eazJensqoZ&token_format=opaque&response_type=token'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    Host: localhost
    
    grant_type=password&passcode=eazJensqoZ&token_format=opaque&response_type=token
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 307
    
    {
      "access_token" : "270a230796d5460fbc1fbd923985bc85",
      "token_type" : "bearer",
      "refresh_token" : "e4150b6ccc734447939648fcf04d5222-r",
      "expires_in" : 43199,
      "scope" : "cloud_controller.write scim.userids openid cloud_controller.read password.write",
      "jti" : "270a230796d5460fbc1fbd923985bc85"
    }
    

    Request Header

    Name Description
    Authorization Base64 encoded client details in the format: Basic client_id:client_secret

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required The type of token that should be issued.
    grant_type String Required the type of authentication being used to obtain the token, in this case password
    passcode String Required the one-time passcode for the user which can be retrieved by going to /passcode
    token_format String Optional UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token.

    Response Fields

    Path Type Description
    access_token String the access token
    token_type String the type of the access token issued, i.e. bearer
    expires_in Number number of seconds until token expiry
    scope String space-delimited list of scopes authorized by the user for this client
    refresh_token String an OAuth refresh token for refresh grants
    jti String a globally unique identifier for this token

    User Token Grant

    A user_token grant, is a flow that allows the generation of a refresh_token for another client. The requesting client, must have grant_type=user_token and the bearer token for this request must have uaa.user and be a token that represents an authenticated user.

    The idea with this grant flow, is that a user can preapprove a token grant for another client, rather than having to participate in the approval process when the client needs the access token.

    The refresh_token that results from this grant, is opaque, and can only be exchanged by the client it was intended for.

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Authorization: Bearer fa33c32f3e824f7dbd47c614b5e914be' \
        -H 'Accept: application/json' \
        -d 'client_id=app&grant_type=user_token&scope=openid&token_format=jwt&response_type=token'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer fa33c32f3e824f7dbd47c614b5e914be
    Accept: application/json
    Host: localhost
    
    client_id=app&grant_type=user_token&scope=openid&token_format=jwt&response_type=token
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 206
    
    {
      "access_token" : null,
      "token_type" : "bearer",
      "refresh_token" : "d556eb563f5e41fea43f46c7542da529-r",
      "expires_in" : 43199,
      "scope" : "openid",
      "jti" : "d556eb563f5e41fea43f46c7542da529-r"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Response type of the grant, should be set to token
    client_id String Optional The client ID of the receiving client, this client must have refresh_token grant type
    grant_type String Required The type of token grant requested, in this case user_token
    token_format String Optional This parameter is ignored. The refresh_token will always be opaque
    scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.

    Response Fields

    Path Type Description
    access_token Null Always null
    token_type String The type of the access token issued, always bearer
    expires_in Number Number of seconds of lifetime for an access_token, when retrieved
    scope String Space-delimited list of scopes authorized by the user for this client
    refresh_token String An OAuth refresh token for refresh grants
    jti String A globally unique identifier for this refresh token

    SAML2 Bearer Grant

    The SAML 2.0 bearer grant allows to request an OAuth 2.0 access token with a SAML 2.0 bearer assertion. The flow is defined in RFC 7522. The requesting client, must have grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer. In addition the requesting client must either allow the IDP in allowedproviders or omit the property so that any trusted IDP is allowed. The trust to the assertion issuer is reused from the SAML 2.0 WebSSO profiles.

    This grant enables an App2App mechanism with SSO. Typical scenarios are applications outside of CF, which consume a service within the CF world. The endpoint of the bearer assertion is /oauth/token so the Recipient attribute in the bearer assertion must point to the corresponding URI, e.g. http://localhost:8080/uaa/oauth/token.

    $ curl 'http://89t55s.localhost:8080/uaa/oauth/token/alias/89t55s.cloudfoundry-saml-login' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -H 'Host: 89t55s.localhost' \
        -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclientWXDpU1&client_secret=secret&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTI4MWVjNWRqNWRqNGVnYzI2YzJiYzMyaGRnYzFpOCIgSXNzdWVJbnN0YW50PSIyMDE3LTA5LTExVDIxOjU3OjI2LjU3N1oiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyPjg5dDU1cy5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjYTI4MWVjNWRqNWRqNGVnYzI2YzJiYzMyaGRnYzFpOCI-PGRzOlRyYW5zZm9ybXM-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI-PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM-PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8-PGRzOkRpZ2VzdFZhbHVlPjdKdjdIMXdyYS85ZVRvenlZVGJ6ZXM1UEFEVT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU-SE9UNlJVaDR0dUcvVXdUL0dneHZNcjZZbmlvSXNPNUpmQ1FyV1RTWUNBMWdJczJrZUVQWTRRTG9DMVkzZlZqQ3dQT1lmK2creS9LNjZaczR0Y3JnK0NZNDQ2Szl2TXZsd1VYaUE3VFI2Y0F2RC9DNURaK21yMlU5Tmhodnh4My8vNnQwMVAwYlBPcEUvVDNCQU11cjNRQzRocWVGbENhNUhMQ2F5NjU1cDE0PTwvZHM6U2lnbmF0dXJlVmFsdWU-PGRzOktleUluZm8-PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU-TUlJRFNUQ0NBcktnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVFRRkFEQjhNUXN3Q1FZRFZRUUdFd0poZHpFT01Bd0dBMVVFQ0JNRgpZWEoxWW1FeERqQU1CZ05WQkFvVEJXRnlkV0poTVE0d0RBWURWUVFIRXdWaGNuVmlZVEVPTUF3R0ExVUVDeE1GWVhKMVltRXhEakFNCkJnTlZCQU1UQldGeWRXSmhNUjB3R3dZSktvWklodmNOQVFrQkZnNWhjblZpWVVCaGNuVmlZUzVoY2pBZUZ3MHhOVEV4TWpBeU1qSTIKTWpkYUZ3MHhOakV4TVRreU1qSTJNamRhTUh3eEN6QUpCZ05WQkFZVEFtRjNNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRQpDaE1GWVhKMVltRXhEakFNQmdOVkJBY1RCV0Z5ZFdKaE1RNHdEQVlEVlFRTEV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4CkhUQWJCZ2txaGtpRzl3MEJDUUVXRG1GeWRXSmhRR0Z5ZFdKaExtRnlNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0IKZ1FESHRDNWdVWHhCS3BFcVpUTGtOdkZ3TkduTklrZ2dOT3dPUVZOYnBPMFdWSElpdmlnNUwzOVdxUzl1MGhuQStPN01DQS9LbHJBUgo0YlhhZVZWaHdmVVBZQktJcGFhVFdGUVI1Y1RSMVVGWkpML09GOXZBZnBPd3pub0Q2NkREQ25RVnBiQ2p0RFlXWCt4NmlteG44SENZCnhoTW9sNlpuVGJTc0ZXNlZaakZNalFJREFRQUJvNEhhTUlIWE1CMEdBMVVkRGdRV0JCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3kKR0RDQnB3WURWUjBqQklHZk1JR2NnQlR4MGxEempIL2lPQm5PU1FhU0VXUUx4MXN5R0tHQmdLUitNSHd4Q3pBSkJnTlZCQVlUQW1GMwpNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRUNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMCkV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4SFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeWdnRUEKTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVFQlFBRGdZRUFZdkJKMEhPWmJiSENsWG1HVWpHcytHUyt4QzFGTy9hbQoyc3VDU1lxTkI5ZHlNWGZPV2lKMStUTEprK28vWVp0OHZ1eENLZGNaWWdsNGwvTDZQeEo5ODJTUmhjODNaVzJka0FaSTRNMC9VZDNvCmVQZTg0azhqbTNBN0V2SDV3aTVodkNrS1JwdVJCd24zRWkrakNSb3V4VGJ6S1BzdUNWQisxc055eE1UWHpmMD08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyPC9zYW1sMjpOYW1lSUQ-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE3LTA5LTExVDIyOjU3OjI2LjU5NFoiIFJlY2lwaWVudD0iaHR0cDovLzg5dDU1cy5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4vYWxpYXMvODl0NTVzLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIi8-PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTctMDktMTFUMjE6NTc6MjYuNTgwWiIgTm90T25PckFmdGVyPSIyMDE3LTA5LTExVDIyOjU3OjI2LjU5NFoiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT44OXQ1NXMuY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW48L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM-PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNy0wOS0xMVQyMTo1NzoyNi41NzhaIiBTZXNzaW9uSW5kZXg9ImE0ODVlNjhpNTVnZjBmYjgyM2YwZjdqZ2lmajA3MyI-PHNhbWwyOkF1dGhuQ29udGV4dD48c2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ-PHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImF1dGhvcml0aWVzIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-dWFhLnVzZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iZW1haWwiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhQHRlc3Rpbmcub3JnPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-NTQwNzQyNzAtYjM4YS00ZTcyLThjYTEtOTY1OGM3Y2UwZWI0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im9yaWdpbiI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYTwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ6b25lSWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPg&scope=openid'
    
    POST /uaa/oauth/token/alias/89t55s.cloudfoundry-saml-login HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: 89t55s.localhost
    
    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclientWXDpU1&client_secret=secret&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTI4MWVjNWRqNWRqNGVnYzI2YzJiYzMyaGRnYzFpOCIgSXNzdWVJbnN0YW50PSIyMDE3LTA5LTExVDIxOjU3OjI2LjU3N1oiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyPjg5dDU1cy5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjYTI4MWVjNWRqNWRqNGVnYzI2YzJiYzMyaGRnYzFpOCI-PGRzOlRyYW5zZm9ybXM-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI-PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM-PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8-PGRzOkRpZ2VzdFZhbHVlPjdKdjdIMXdyYS85ZVRvenlZVGJ6ZXM1UEFEVT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU-SE9UNlJVaDR0dUcvVXdUL0dneHZNcjZZbmlvSXNPNUpmQ1FyV1RTWUNBMWdJczJrZUVQWTRRTG9DMVkzZlZqQ3dQT1lmK2creS9LNjZaczR0Y3JnK0NZNDQ2Szl2TXZsd1VYaUE3VFI2Y0F2RC9DNURaK21yMlU5Tmhodnh4My8vNnQwMVAwYlBPcEUvVDNCQU11cjNRQzRocWVGbENhNUhMQ2F5NjU1cDE0PTwvZHM6U2lnbmF0dXJlVmFsdWU-PGRzOktleUluZm8-PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU-TUlJRFNUQ0NBcktnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVFRRkFEQjhNUXN3Q1FZRFZRUUdFd0poZHpFT01Bd0dBMVVFQ0JNRgpZWEoxWW1FeERqQU1CZ05WQkFvVEJXRnlkV0poTVE0d0RBWURWUVFIRXdWaGNuVmlZVEVPTUF3R0ExVUVDeE1GWVhKMVltRXhEakFNCkJnTlZCQU1UQldGeWRXSmhNUjB3R3dZSktvWklodmNOQVFrQkZnNWhjblZpWVVCaGNuVmlZUzVoY2pBZUZ3MHhOVEV4TWpBeU1qSTIKTWpkYUZ3MHhOakV4TVRreU1qSTJNamRhTUh3eEN6QUpCZ05WQkFZVEFtRjNNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRQpDaE1GWVhKMVltRXhEakFNQmdOVkJBY1RCV0Z5ZFdKaE1RNHdEQVlEVlFRTEV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4CkhUQWJCZ2txaGtpRzl3MEJDUUVXRG1GeWRXSmhRR0Z5ZFdKaExtRnlNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0IKZ1FESHRDNWdVWHhCS3BFcVpUTGtOdkZ3TkduTklrZ2dOT3dPUVZOYnBPMFdWSElpdmlnNUwzOVdxUzl1MGhuQStPN01DQS9LbHJBUgo0YlhhZVZWaHdmVVBZQktJcGFhVFdGUVI1Y1RSMVVGWkpML09GOXZBZnBPd3pub0Q2NkREQ25RVnBiQ2p0RFlXWCt4NmlteG44SENZCnhoTW9sNlpuVGJTc0ZXNlZaakZNalFJREFRQUJvNEhhTUlIWE1CMEdBMVVkRGdRV0JCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3kKR0RDQnB3WURWUjBqQklHZk1JR2NnQlR4MGxEempIL2lPQm5PU1FhU0VXUUx4MXN5R0tHQmdLUitNSHd4Q3pBSkJnTlZCQVlUQW1GMwpNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRUNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMCkV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4SFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeWdnRUEKTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVFQlFBRGdZRUFZdkJKMEhPWmJiSENsWG1HVWpHcytHUyt4QzFGTy9hbQoyc3VDU1lxTkI5ZHlNWGZPV2lKMStUTEprK28vWVp0OHZ1eENLZGNaWWdsNGwvTDZQeEo5ODJTUmhjODNaVzJka0FaSTRNMC9VZDNvCmVQZTg0azhqbTNBN0V2SDV3aTVodkNrS1JwdVJCd24zRWkrakNSb3V4VGJ6S1BzdUNWQisxc055eE1UWHpmMD08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyPC9zYW1sMjpOYW1lSUQ-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE3LTA5LTExVDIyOjU3OjI2LjU5NFoiIFJlY2lwaWVudD0iaHR0cDovLzg5dDU1cy5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4vYWxpYXMvODl0NTVzLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIi8-PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTctMDktMTFUMjE6NTc6MjYuNTgwWiIgTm90T25PckFmdGVyPSIyMDE3LTA5LTExVDIyOjU3OjI2LjU5NFoiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT44OXQ1NXMuY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW48L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM-PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNy0wOS0xMVQyMTo1NzoyNi41NzhaIiBTZXNzaW9uSW5kZXg9ImE0ODVlNjhpNTVnZjBmYjgyM2YwZjdqZ2lmajA3MyI-PHNhbWwyOkF1dGhuQ29udGV4dD48c2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ-PHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImF1dGhvcml0aWVzIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-dWFhLnVzZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iZW1haWwiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhQHRlc3Rpbmcub3JnPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-NTQwNzQyNzAtYjM4YS00ZTcyLThjYTEtOTY1OGM3Y2UwZWI0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im9yaWdpbiI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYTwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ6b25lSWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPg&scope=openid
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Disposition: inline;filename=f.txt
    Content-Type: application/json;charset=UTF-8
    Content-Length: 1796
    
    {
      "access_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIxMTdhODQ2ODc0OWM0NzFmYTJjNDIyY2ZkYjg0YmU4ZCIsInN1YiI6ImRmYWIxZjVkLTJhZjEtNDFiZS05MGVjLTA5MmQyOGU4YzEzYiIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJ0ZXN0Y2xpZW50V1hEcFUxIiwiY2lkIjoidGVzdGNsaWVudFdYRHBVMSIsImF6cCI6InRlc3RjbGllbnRXWERwVTEiLCJncmFudF90eXBlIjoidXJuOmlldGY6cGFyYW1zOm9hdXRoOmdyYW50LXR5cGU6c2FtbDItYmVhcmVyIiwidXNlcl9pZCI6ImRmYWIxZjVkLTJhZjEtNDFiZS05MGVjLTA5MmQyOGU4YzEzYiIsIm9yaWdpbiI6Ijg5dDU1cy5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIsInVzZXJfbmFtZSI6IlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyIiwiZW1haWwiOiJTYW1sMkJlYXJlckludGVncmF0aW9uVXNlckB1bmtub3duLm9yZyIsInJldl9zaWciOiJkYjIyNWJjOSIsImlhdCI6MTUwNTE2NzA0NywiZXhwIjoxNTA1MTY3NjQ3LCJpc3MiOiJodHRwOi8vODl0NTVzLmxvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6Ijg5dDU1cyIsImF1ZCI6W119.wi5LAs3CM7tWQwXrokjT-IxQXTClxzRDQk1IC4Og6UA",
      "token_type" : "bearer",
      "refresh_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJhMGIyZWNhN2M5NGY0YmE0YWExZGZjZTA3N2Q1Mzc1NS1yIiwic3ViIjoiZGZhYjFmNWQtMmFmMS00MWJlLTkwZWMtMDkyZDI4ZThjMTNiIiwic2NvcGUiOlsib3BlbmlkIl0sImlhdCI6MTUwNTE2NzA0NywiZXhwIjoxNTA3NzU5MDQ3LCJjaWQiOiJ0ZXN0Y2xpZW50V1hEcFUxIiwiY2xpZW50X2lkIjoidGVzdGNsaWVudFdYRHBVMSIsImlzcyI6Imh0dHA6Ly84OXQ1NXMubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoiODl0NTVzIiwiZ3JhbnRfdHlwZSI6InVybjppZXRmOnBhcmFtczpvYXV0aDpncmFudC10eXBlOnNhbWwyLWJlYXJlciIsInVzZXJfbmFtZSI6IlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyIiwib3JpZ2luIjoiODl0NTVzLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIiwidXNlcl9pZCI6ImRmYWIxZjVkLTJhZjEtNDFiZS05MGVjLTA5MmQyOGU4YzEzYiIsInJldl9zaWciOiJkYjIyNWJjOSIsImF1ZCI6W119.pc6aKJiJuRwM3KyCy-_yKW-8iuUfNQZw-iXXLdCdT08",
      "expires_in" : 599,
      "scope" : "openid",
      "jti" : "117a8468749c471fa2c422cfdb84be8d"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional The client ID of the receiving client, this client must have urn:ietf:params:oauth:grant-type:saml2-bearer grant type
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    grant_type String Required The type of token grant requested, in this case urn:ietf:params:oauth:grant-type:saml2-bearer
    assertion String Required An XML based SAML 2.0 bearer assertion, which is Base64URl encoded.
    scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.

    Response Fields

    Path Type Description
    access_token String Always null
    token_type String The type of the access token issued, always bearer
    expires_in Number Number of seconds of lifetime for an access_token, when retrieved
    scope String Space-delimited list of scopes authorized by the user for this client
    refresh_token String An OAuth refresh token for refresh grants
    jti String A globally unique identifier for this refresh token

    JWT Bearer Token Grant

    The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants allows to request an OAuth 2.0 access token with a JWT id_token bearer assertion. The flow is defined in RFC 7523. The requesting client, must have grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer. In addition the requesting client must either allow the IDP in allowedproviders or omit the property so that any trusted IDP is allowed. The trust to the assertion, the issuer claim is used to select an OIDC provider (IDP) configured in the UAA database. If multiple providers exists that have the same issuer, the grant will fail.

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Accept: application/json' \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -d 'client_id=errz2u87jzpj&client_secret=secret&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&token_format=opaque&response_type=token+id_token&scope=openid&assertion=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiIyODIzNDZjYS00MTZhLTQ3MzQtYTQ1YS0yMDg4ODRmYmI3MjkiLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJrMGR2bWdmOWtkZG0iLCJvcmlnaW4iOiJ1YWEiLCJhbXIiOlsicHdkIl0sImlzcyI6Imh0dHA6Ly9idWtwYmNwb2ljaHgubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiY2xpZW50X2lkIjoiMkdmYzZ2ejd3d2tJIiwiYXVkIjpbIjJHZmM2dno3d3drSSJdLCJ6aWQiOiJidWtwYmNwb2ljaHgiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiMjgyMzQ2Y2EtNDE2YS00NzM0LWE0NWEtMjA4ODg0ZmJiNzI5IiwiYXpwIjoiMkdmYzZ2ejd3d2tJIiwic2NvcGUiOlsib3BlbmlkIl0sImF1dGhfdGltZSI6MTUwNTE2NzAzMSwiZXhwIjoxNTA1MjEwMjMxLCJpYXQiOjE1MDUxNjcwMzEsImp0aSI6ImJiMjcyZThhYzQ2ZDQwZmU4ZGUyYmNhN2Y2NGFiNjQxIiwiZW1haWwiOiJrMGR2bWdmOWtkZG1AdGVzdC5vcmciLCJyZXZfc2lnIjoiNmVhYTZiMDUiLCJjaWQiOiIyR2ZjNnZ6N3d3a0kifQ.25uUWW8VgT16nrYNk7v0uq_Y-qqChAq2TDS7TEY_JZU'
    
    POST /oauth/token HTTP/1.1
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded
    Host: localhost
    
    client_id=errz2u87jzpj&client_secret=secret&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&token_format=opaque&response_type=token+id_token&scope=openid&assertion=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiIyODIzNDZjYS00MTZhLTQ3MzQtYTQ1YS0yMDg4ODRmYmI3MjkiLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJrMGR2bWdmOWtkZG0iLCJvcmlnaW4iOiJ1YWEiLCJhbXIiOlsicHdkIl0sImlzcyI6Imh0dHA6Ly9idWtwYmNwb2ljaHgubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiY2xpZW50X2lkIjoiMkdmYzZ2ejd3d2tJIiwiYXVkIjpbIjJHZmM2dno3d3drSSJdLCJ6aWQiOiJidWtwYmNwb2ljaHgiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiMjgyMzQ2Y2EtNDE2YS00NzM0LWE0NWEtMjA4ODg0ZmJiNzI5IiwiYXpwIjoiMkdmYzZ2ejd3d2tJIiwic2NvcGUiOlsib3BlbmlkIl0sImF1dGhfdGltZSI6MTUwNTE2NzAzMSwiZXhwIjoxNTA1MjEwMjMxLCJpYXQiOjE1MDUxNjcwMzEsImp0aSI6ImJiMjcyZThhYzQ2ZDQwZmU4ZGUyYmNhN2Y2NGFiNjQxIiwiZW1haWwiOiJrMGR2bWdmOWtkZG1AdGVzdC5vcmciLCJyZXZfc2lnIjoiNmVhYTZiMDUiLCJjaWQiOiIyR2ZjNnZ6N3d3a0kifQ.25uUWW8VgT16nrYNk7v0uq_Y-qqChAq2TDS7TEY_JZU
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 1050
    
    {
      "access_token" : "b81f70654ce64d7e9b98538b70b28525",
      "token_type" : "bearer",
      "id_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJmZjlhZTFlMi01NzYxLTQ3ODctOWNkNy1mY2M4ZTNmNjlhYTciLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJrMGR2bWdmOWtkZG1AdGVzdC5vcmciLCJvcmlnaW4iOiJkYzNDaUlRUjA2ekQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwicmV2b2NhYmxlIjp0cnVlLCJjbGllbnRfaWQiOiJlcnJ6MnU4N2p6cGoiLCJhdWQiOlsiZXJyejJ1ODdqenBqIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJ1cm46aWV0ZjpwYXJhbXM6b2F1dGg6Z3JhbnQtdHlwZTpqd3QtYmVhcmVyIiwidXNlcl9pZCI6ImZmOWFlMWUyLTU3NjEtNDc4Ny05Y2Q3LWZjYzhlM2Y2OWFhNyIsImF6cCI6ImVycnoydTg3anpwaiIsInNjb3BlIjpbIm9wZW5pZCJdLCJleHAiOjE1MDUyMTAyMzIsImlhdCI6MTUwNTE2NzAzMiwianRpIjoiYjgxZjcwNjU0Y2U2NGQ3ZTliOTg1MzhiNzBiMjg1MjUiLCJlbWFpbCI6ImswZHZtZ2Y5a2RkbUB0ZXN0Lm9yZyIsInJldl9zaWciOiJkOTExMTVlNiIsImNpZCI6ImVycnoydTg3anpwaiJ9.dLGpDgjnWHggxWMNwrsQBue-XuBWvByATJeWn_4lVj8",
      "expires_in" : 43199,
      "scope" : "openid",
      "jti" : "b81f70654ce64d7e9b98538b70b28525"
    }
    

    Request Headers

    Name Description
    Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority

    Request Parameters

    Parameter Type Constraints Description
    assertion String Required JWT token identifying representing the user to be authenticated
    client_id String Required Required, client with
    client_secret String Required Required unless a basic authorization header is used
    grant_type String Required Must be set to urn:ietf:params:oauth:grant-type:jwt-bearer
    scope String Optional Optional parameter to limit the number of scopes in the scope claim of the access token
    response_type String Optional May be set to token or token id_token or id_token
    token_format String Optional May be set to opaque to retrieve revocable and non identifiable access token

    Response Fields

    Path Type Description
    access_token String Access token generated by this grant
    token_type String Will always be bearer
    id_token String If requested in response_type, the id_token for the shadow user
    scope String List of scopes present in the scope claim in the access token
    expires_in Number Number of seconds before this token expires from the time of issuance
    jti String The unique token ID

    Refresh Token

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=app&client_secret=appclientsecret&grant_type=refresh_token&token_format=opaque&refresh_token=79c53f11d0c44fb79ef9596b917c3dbf-r'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=app&client_secret=appclientsecret&grant_type=refresh_token&token_format=opaque&refresh_token=79c53f11d0c44fb79ef9596b917c3dbf-r
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 307
    
    {
      "access_token" : "b42f0bc2f384444e8de09a423f5abb57",
      "token_type" : "bearer",
      "refresh_token" : "79c53f11d0c44fb79ef9596b917c3dbf-r",
      "expires_in" : 43199,
      "scope" : "scim.userids cloud_controller.read password.write cloud_controller.write openid",
      "jti" : "b42f0bc2f384444e8de09a423f5abb57"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    grant_type String Required the type of authentication being used to obtain the token, in this case refresh_token
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    refresh_token String Required the refresh_token that was returned along with the access token.
    token_format String Optional UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token.

    Response Fields

    Path Type Description
    access_token String the access token
    refresh_token String the refresh token
    token_type String the type of the access token issued, i.e. bearer
    expires_in Number number of seconds until token expiry
    scope String space-delimited list of scopes authorized by the user for this client
    jti String a globally unique identifier for this token

    OpenID Connect

    The token endpoint can provide an ID token as defined by OpenID Connect.

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=id_token&code=h3IEdQSwvS&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=id_token&code=h3IEdQSwvS&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 1056
    
    {
      "access_token" : "69b60b44359b4f8a9d8439d30cf64744",
      "token_type" : "bearer",
      "id_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJlZDg3NDc0OC1iYTQzLTQ2MDctOGE2MC00NjRlZmYxZjVlNGUiLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJjOHpYUmhAdGVzdC5vcmciLCJvcmlnaW4iOiJ1YWEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwicmV2b2NhYmxlIjp0cnVlLCJjbGllbnRfaWQiOiJsb2dpbiIsImF1ZCI6WyJsb2dpbiJdLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwidXNlcl9pZCI6ImVkODc0NzQ4LWJhNDMtNDYwNy04YTYwLTQ2NGVmZjFmNWU0ZSIsImF6cCI6ImxvZ2luIiwic2NvcGUiOlsib3BlbmlkIl0sImF1dGhfdGltZSI6MTUwNTE2NzA0NSwiZXhwIjoxNTA1MjEwMjQ1LCJpYXQiOjE1MDUxNjcwNDUsImp0aSI6IjY5YjYwYjQ0MzU5YjRmOGE5ZDg0MzlkMzBjZjY0NzQ0IiwiZW1haWwiOiJjOHpYUmhAdGVzdC5vcmciLCJyZXZfc2lnIjoiN2NkMTIxNjAiLCJjaWQiOiJsb2dpbiJ9.AoYIgmDTNSHHr-JAVYZxmZzUQ-s2YS2gR7wjCHoDO6U",
      "refresh_token" : "05a60130301843648a7a7dfe5eae2174-r",
      "expires_in" : 43199,
      "scope" : "openid oauth.approvals",
      "jti" : "69b60b44359b4f8a9d8439d30cf64744"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required the type of token that should be issued. possible values are id_token token and id_token.
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    redirect_uri String Required if provided on authorization request redirection URI to which the authorization server will send the user-agent back once access is granted (or denied)
    code String Required the authorization code, obtained from /oauth/authorize, issued for the user
    grant_type String Required the type of authentication being used to obtain the token, in this case authorization_code
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    token_format String Optional UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token.

    Response Fields

    Path Type Description
    access_token String the access token for the user to whom the authorization code was issued
    id_token String the OpenID Connect ID token for the user to whom the authorization code was issued
    token_type String the type of the access token issued, i.e. bearer
    expires_in Number number of seconds until token expiry
    scope String space-delimited list of scopes authorized by the user for this client
    refresh_token String an OAuth refresh token for refresh grants
    jti String a globally unique identifier for this token

    Revoke tokens

    Revoke all tokens for a user

    $ curl 'http://localhost/oauth/token/revoke/user/598c33c2-7380-410e-ab25-d8d990b9acef' -i \
        -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIyNmNhY2JkYTIwOWI0NWYyYjc0MWY0OTBlMjU0MDJlNCIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwic2NvcGUiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJjaWQiOiJhZG1pbiIsImF6cCI6ImFkbWluIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiJhOTE1YTM3YSIsImlhdCI6MTUwNTE2NzA0OCwiZXhwIjoxNTA1MjEwMjQ4LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbGllbnRzIiwidWFhIiwiYWRtaW4iXX0.5vc0u6Uag6MSWP6pdSiG43Oo7KhZnf4xq77B07JFe5A'
    
    GET /oauth/token/revoke/user/598c33c2-7380-410e-ab25-d8d990b9acef HTTP/1.1
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIyNmNhY2JkYTIwOWI0NWYyYjc0MWY0OTBlMjU0MDJlNCIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwic2NvcGUiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJjaWQiOiJhZG1pbiIsImF6cCI6ImFkbWluIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiJhOTE1YTM3YSIsImlhdCI6MTUwNTE2NzA0OCwiZXhwIjoxNTA1MjEwMjQ4LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbGllbnRzIiwidWFhIiwiYWRtaW4iXX0.5vc0u6Uag6MSWP6pdSiG43Oo7KhZnf4xq77B07JFe5A
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/user/{userId}

    Parameter Description
    userId The identifier for the user to revoke all tokens for

    Request Header

    Name Description
    Authorization Bearer token with uaa.admin or tokens.revoke scope. Any token with the matching user_id may also be used for self revocation.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Revoke all tokens for a client

    $ curl 'http://localhost/oauth/token/revoke/client/1pvLNR' -i \
        -H 'Authorization: Bearer b157945c522043619af9b08aea435472'
    
    GET /oauth/token/revoke/client/1pvLNR HTTP/1.1
    Authorization: Bearer b157945c522043619af9b08aea435472
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/client/{clientId}

    Parameter Description
    clientId The identifier for the client to revoke all tokens for

    Request Header

    Name Description
    Authorization Bearer token with uaa.admin or tokens.revoke scope. Any token with the matching client_id may also be used for self revocation.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Revoke a single token

    $ curl 'http://localhost/oauth/token/revoke/29ef79f017d0429c8f0ccbbe0b4afaf2' -i -X DELETE \
        -H 'Authorization: Bearer cc42c0a963354f9e8742e38b50cf97a2'
    
    DELETE /oauth/token/revoke/29ef79f017d0429c8f0ccbbe0b4afaf2 HTTP/1.1
    Authorization: Bearer cc42c0a963354f9e8742e38b50cf97a2
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/{tokenId}

    Parameter Description
    tokenId The identifier for the token to be revoked. For JWT tokens use the jti claim in the token.

    Request Header

    Name Description
    Authorization Bearer token with uaa.admin or tokens.revoke scope. You can use any token with matching token ID to revoke itself.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    List tokens

    List all tokens for a user

    The /oauth/token/list/user/{userId} will return all the tokens that match the user_id in the path parameter. This token requires the tokens.list scope.

    $ curl 'http://localhost/oauth/token/list/user/a2aee7c8-c203-4ed8-9ea2-b7e8efa2f5e9' -i \
        -H 'Authorization: Bearer 25bffbba007b484a9160da3399e36291' \
        -H 'Accept: application/json'
    
    GET /oauth/token/list/user/a2aee7c8-c203-4ed8-9ea2-b7e8efa2f5e9 HTTP/1.1
    Authorization: Bearer 25bffbba007b484a9160da3399e36291
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 631
    
    [ {
      "tokenId" : "c987f21d9b31482e97c2e007a87ace9a",
      "clientId" : "PdUWi0",
      "userId" : "a2aee7c8-c203-4ed8-9ea2-b7e8efa2f5e9",
      "format" : "OPAQUE",
      "responseType" : "ACCESS_TOKEN",
      "issuedAt" : 1505167050417,
      "expiresAt" : 1505210250415,
      "scope" : "[openid]",
      "value" : null,
      "zoneId" : "uaa"
    }, {
      "tokenId" : "3078b10bef494e14a930da09bdf23b8f-r",
      "clientId" : "PdUWi0",
      "userId" : "a2aee7c8-c203-4ed8-9ea2-b7e8efa2f5e9",
      "format" : "OPAQUE",
      "responseType" : "REFRESH_TOKEN",
      "issuedAt" : 1505167050417,
      "expiresAt" : 1507759050413,
      "scope" : "[openid]",
      "value" : null,
      "zoneId" : "uaa"
    } ]
    

    Request Header

    Name Description
    Authorization Bearer token containing the tokens.list scope.
    Accept Set to application/json
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Path Parameters

    /oauth/token/list/user/{userId}

    Parameter Description
    userId The user ID to retrieve tokens for

    Response Fields

    Path Type Description
    [].zoneId String The zone ID for the token
    [].tokenId String The unique ID for the token
    [].clientId String Client ID for this token, will always match the client_id claim in the access token used for this call
    [].userId String User ID for this token, will always match the user_id claim in the access token used for this call
    [].format String What format was requested, OPAQUE or JWT
    [].expiresAt Number Epoch time - token expiration date
    [].issuedAt Number Epoch time - token issue date
    [].scope String Comma separated list of scopes this token holds, up to 1000 characters
    [].responseType String response type requested during the token request, possible values ID_TOKEN, ACCESS_TOKEN, REFRESH_TOKEN
    [].value String Access token value will always be null

    List all tokens for a client

    The /oauth/token/list/client/{clientId} will return all the tokens that match the client_id in the path parameter. This token requires the tokens.list scope.

    $ curl 'http://localhost/oauth/token/list/client/2TIzUM' -i \
        -H 'Authorization: Bearer 2e8ab6185521425c9d044f3822986559' \
        -H 'Accept: application/json'
    
    GET /oauth/token/list/client/2TIzUM HTTP/1.1
    Authorization: Bearer 2e8ab6185521425c9d044f3822986559
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 286
    
    [ {
      "tokenId" : "2e8ab6185521425c9d044f3822986559",
      "clientId" : "2TIzUM",
      "userId" : null,
      "format" : "OPAQUE",
      "responseType" : "ACCESS_TOKEN",
      "issuedAt" : 1505167049500,
      "expiresAt" : 1505210249498,
      "scope" : "[tokens.list]",
      "value" : null,
      "zoneId" : "uaa"
    } ]
    

    Request Header

    Name Description
    Authorization Bearer token containing the tokens.list scope.
    Accept Set to application/json
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Path Parameters

    /oauth/token/list/client/{clientId}

    Parameter Description
    clientId The client ID to retrieve tokens for

    Response Fields

    Path Type Description
    [].zoneId String The zone ID for the token
    [].tokenId String The unique ID for the token
    [].clientId String Client ID for this token, will always match the client_id claim in the access token used for this call
    [].userId String User ID for this token, will always match the user_id claim in the access token used for this call
    [].format String What format was requested, OPAQUE or JWT
    [].expiresAt Number Epoch time - token expiration date
    [].issuedAt Number Epoch time - token issue date
    [].scope String Comma separated list of scopes this token holds, up to 1000 characters
    [].responseType String response type requested during the token request, possible values ID_TOKEN, ACCESS_TOKEN, REFRESH_TOKEN
    [].value String Access token value will always be null

    Check Token

    $ curl 'http://localhost/check_token' -i -u 'app:appclientsecret' -X POST \
        -d 'token=53dbe3e05dcf4ff38d350bc74a7fc97b&scopes=password.write%2Cscim.userids'
    
    POST /check_token HTTP/1.1
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    
    token=53dbe3e05dcf4ff38d350bc74a7fc97b&scopes=password.write%2Cscim.userids
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 687
    
    {
      "user_id" : "66b42b3a-fb36-49b7-a490-a6a41e32d2da",
      "user_name" : "marissa",
      "email" : "marissa@test.org",
      "client_id" : "app",
      "exp" : 1505210194,
      "scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ],
      "jti" : "53dbe3e05dcf4ff38d350bc74a7fc97b",
      "aud" : [ "app", "scim", "cloud_controller", "password", "openid" ],
      "sub" : "66b42b3a-fb36-49b7-a490-a6a41e32d2da",
      "iss" : "http://localhost:8080/uaa/oauth/token",
      "iat" : 1505166994,
      "cid" : "app",
      "grant_type" : "password",
      "azp" : "app",
      "auth_time" : 1505166994,
      "zid" : "uaa",
      "rev_sig" : "782ab4cd",
      "origin" : "uaa",
      "revocable" : true
    }
    

    Request Headers

    Name Description
    Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority

    Request Parameters

    Parameter Type Constraints Description
    token String Required The token
    scopes Array Optional String of comma-separated scopes, for checking presence of scopes on the token

    Response Fields

    Path Type Description
    user_id String Only applicable for user tokens
    user_name String Only applicable for user tokens
    email String Only applicable for user tokens
    client_id String A unique string representing the registration information provided by the client
    exp Number Expiration Time Claim
    authorities Array Only applicable for client tokens
    scope Array List of scopes authorized by the user for this client
    jti String JWT ID Claim
    aud Array Audience Claim
    sub String Subject Claim
    iss String Issuer Claim
    iat Number Issued At Claim
    cid String See client_id
    grant_type String The type of authentication being used to obtain the token, in this case password
    azp String Authorized party
    auth_time Number Only applicable for user tokens
    zid String Zone ID
    rev_sig String Revocation Signature - token revocation hash salted with at least client ID and client secret, and optionally various user values.
    origin String Only applicable for user tokens
    revocable Boolean Set to true if this token is revocable

    Token Key(s)

    Token Key

    An endpoint which returns the JSON Web Token (JWT) key, used by the UAA to sign JWT access tokens, and to be used by authorized clients to verify that a token came from the UAA. The key is in JSON Web Key format. For complete information about JSON Web Keys, see RFC 7517. In the case when the token key is symmetric, signer key and verifier key are the same, then this call is authenticated with client credentials using the HTTP Basic method.

    JWT signing keys are specified via the identity zone configuration (see /identity-zones). An identity zone token policy can be configured with multiple keys for purposes of key rotation. When adding a new key, set its ID as the activeKeyId to use it to sign all new tokens. /check_token will continue to verify tokens signed with the previous signing key for as long as it is present in the keys of the identity zone's token policy. Remove it to invalidate all those tokens.

    Asymmetric

    $ curl 'http://localhost/token_key' -i -u 'app:appclientsecret' \
        -H 'Accept: application/json' \
        -H 'If-None-Match: 1501570800000'
    
    GET /token_key HTTP/1.1
    Accept: application/json
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    If-None-Match: 1501570800000
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    ETag: "1505167050510"
    Content-Type: application/json;charset=UTF-8
    Content-Length: 921
    
    {
      "kty" : "RSA",
      "e" : "AQAB",
      "use" : "sig",
      "kid" : "testKey",
      "alg" : "RS256",
      "value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
      "n" : "ANJufZdrvYg5zG61x36pDq59nVUN73wSanA7hVCtN3ftT2Rm1ZTQqp5KSCfLMhaaVvJY51sHj-_i4lqUaM9CO32G93fE44VfOmPfexZeAwa8YDOikyTrhP7sZ6A4WUNeC4DlNnJF4zsznU7JxjCkASwpdL6XFwbRSzGkm6b9aM4vIewyclWehJxUGVFhnYEzIQ65qnr38feVP9enOVgQzpKsCJ-xpa8vZ_UrscoG3_IOQM6VnLrGYAyyCGeyU1JXQW_KlNmtA5eJry2Tp-MD6I34_QsNkCArHOfj8H9tXz_oc3_tVkkR252L_Lmp0TtIGfHpBmoITP9h-oKiW6NpyCc"
    }
    

    Request Headers

    Name Description
    Authorization No authorization is required for requesting public keys.
    If-None-Match See Ref: RFC 2616

    Response Headers

    Name Description
    ETag The ETag version of the resource - used to decide if the client's version of the resource is already up to date. The UAA will set the ETag value to the epoch time in milliseconds of the last zone configuration change.

    Response Fields

    Path Type Description
    kid String Key ID of key to be used for verification of the token.
    alg String Encryption algorithm
    value String Verifier key
    kty String Key type (RSA)
    use String Public key use parameter - identifies intended use of the public key. (defaults to "sig")
    n String RSA key modulus
    e String RSA key public exponent

    Error Codes

    Error Code Description
    401 Unauthorized - Unregistered client or incorrect client secret

    Symmetric

    $ curl 'http://localhost/token_key' -i -u 'app:appclientsecret' \
        -H 'Accept: application/json' \
        -H 'If-None-Match: 1501570800000'
    
    GET /token_key HTTP/1.1
    Accept: application/json
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    If-None-Match: 1501570800000
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    ETag: "1505167050485"
    Content-Type: application/json;charset=UTF-8
    Content-Length: 95
    
    {
      "kty" : "MAC",
      "alg" : "HS256",
      "value" : "key",
      "use" : "sig",
      "kid" : "testKey"
    }
    

    Request Headers

    Name Description
    Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority
    If-None-Match See Ref: RFC 2616

    Response Fields

    Path Type Description
    kid String Key ID of key to be used for verification of the token.
    alg String Encryption algorithm
    value String Verifier key
    kty String Key type (MAC)
    use String Public key use parameter - identifies intended use of the public key. (defaults to "sig")

    Error Codes

    Error Code Description
    401 Unauthorized - Unregistered client or incorrect client secret
    403 Forbidden - Not a resource server (missing uaa.resource scope)

    Token Keys

    An endpoint which returns the list of JWT keys. To support key rotation, this list specifies the IDs of all currently valid keys. JWT tokens issued by the UAA contain a kid field, indicating which key should be used for verification of the token.

    $ curl 'http://localhost/token_keys' -i -u 'app:appclientsecret' \
        -H 'Accept: application/json' \
        -H 'If-None-Match: 1501570800000'
    
    GET /token_keys HTTP/1.1
    Accept: application/json
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    If-None-Match: 1501570800000
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    ETag: "1505167050444"
    Content-Type: application/json;charset=UTF-8
    Content-Length: 956
    
    {
      "keys" : [ {
        "kty" : "RSA",
        "e" : "AQAB",
        "use" : "sig",
        "kid" : "testKey",
        "alg" : "RS256",
        "value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
        "n" : "ANJufZdrvYg5zG61x36pDq59nVUN73wSanA7hVCtN3ftT2Rm1ZTQqp5KSCfLMhaaVvJY51sHj-_i4lqUaM9CO32G93fE44VfOmPfexZeAwa8YDOikyTrhP7sZ6A4WUNeC4DlNnJF4zsznU7JxjCkASwpdL6XFwbRSzGkm6b9aM4vIewyclWehJxUGVFhnYEzIQ65qnr38feVP9enOVgQzpKsCJ-xpa8vZ_UrscoG3_IOQM6VnLrGYAyyCGeyU1JXQW_KlNmtA5eJry2Tp-MD6I34_QsNkCArHOfj8H9tXz_oc3_tVkkR252L_Lmp0TtIGfHpBmoITP9h-oKiW6NpyCc"
      } ]
    }
    

    Request Headers

    Name Description
    Authorization No authorization is required for requesting public keys.
    If-None-Match See Ref: RFC 2616

    Response Headers

    Name Description
    ETag The ETag version of the resource - used to decide if the client's version of the resource is already up to date. The UAA will set the ETag value to the epoch time in milliseconds of the last zone configuration change.

    Response Fields

    Path Type Description
    keys.[].kid String Key ID of key to be used for verification of the token.
    keys.[].alg String Encryption algorithm
    keys.[].value String Verifier key
    keys.[].kty String Key type (RSA or MAC)
    keys.[].use String Public key use parameter - identifies intended use of the public key. (defaults to "sig")
    keys.[].n String RSA key modulus
    keys.[].e String RSA key public exponent

    Error Codes

    Error Code Description
    401 Unauthorized - Unregistered client or incorrect client secret

    Identity Zones

    The UAA supports multi tenancy. This is referred to as identity zones. An identity zones is accessed through a unique subdomain. If the standard UAA responds to https://uaa.10.244.0.34.xip.io a zone on this UAA would be accessed through https://testzone1.uaa.10.244.0.34.xip.io

    A zone contains a unique identifier as well as a unique subdomain:

    {
        "id":"testzone1",
        "subdomain":"testzone1",
        "name":"The Twiglet Zone[testzone1]",
        "version":0,
        "description":"Like the Twilight Zone but tastier[testzone1].",
        "created":1426258488910,
        "last_modified":1426258488910
    }
    

    The UAA by default creates a default zone. This zone will always be present, the ID will always be uaa, and the subdomain is blank:

    {
        "id": "uaa",
        "subdomain": "",
        "name": "uaa",
        "version": 0,
        "description": "The system zone for backwards compatibility",
        "created": 946710000000,
        "last_modified": 946710000000
    }
    

    Creating an identity zone

    An identity zone is created using a POST with an IdentityZone object. If the object contains an id, this id will be used as the identifier, otherwise an identifier will be generated. Once a zone has been created, the UAA will start accepting requests on the subdomain defined in the subdomain field of the identity zone. When an Identity Zone is created, an internal Identity Provider is automatically created with the default password policy.

    $ curl 'http://localhost/identity-zones' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 2181e5ba445b4157889b908db56424ee' \
        -d '{
      "id" : "twiglet-create",
      "subdomain" : "twiglet-create",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null,
          "keys" : {
            "exampleKeyId" : {
              "signingKey" : "s1gNiNg.K3y/t3XT"
            }
          }
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
          "privateKeyPassword" : "password",
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1505167030179,
      "last_modified" : 1505167030179
    }'
    
    POST /identity-zones HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 2181e5ba445b4157889b908db56424ee
    Host: localhost
    Content-Length: 6185
    
    {
      "id" : "twiglet-create",
      "subdomain" : "twiglet-create",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null,
          "keys" : {
            "exampleKeyId" : {
              "signingKey" : "s1gNiNg.K3y/t3XT"
            }
          }
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
          "privateKeyPassword" : "password",
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1505167030179,
      "last_modified" : 1505167030179
    }
    
    HTTP/1.1 201 Created
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 4941
    
    {
      "id" : "twiglet-create",
      "subdomain" : "twiglet-create",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1505167030190,
      "last_modified" : 1505167030190
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.write or zones.<zone id>.admin

    Request Fields

    Path Type Constraints Description
    id String Optional Unique ID of the identity zone
    subdomain String Required Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Required Human-readable zone name
    description String Optional Description of the zone
    version Number Optional Reserved for future use of E-Tag versioning
    config.clientSecretPolicy.minLength Number Required when clientSecretPolicy in the config is not null Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Required when clientSecretPolicy in the config is not null Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Required when clientSecretPolicy in the config is not null Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.tokenPolicy Object Optional Various fields pertaining to the JWT access and refresh tokens.
    config.tokenPolicy.activeKeyId String Required if config.tokenPolicy.keys are set The ID for the key that is being used to sign tokens
    config.tokenPolicy.keys.. String Optional Keys which will be used to sign the token
    config.tokenPolicy.accessTokenValidity Number Optional Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Optional Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Optional Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean Optional If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String Optional The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.samlConfig.disableInResponseToCheck Boolean Optional If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean Optional If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Optional Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Optional Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean Optional If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number Optional The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Optional Unique ID of the SAML2 entity
    config.samlConfig.certificate String Deprecated Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.privateKey String Deprecated Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.privateKeyPassword String Deprecated Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.activeKeyId String Required if a list of keys defined in keys map The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.key String Optional. Can only be used in conjunction with keys.<key-id>.passphrase and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.keys.*.passphrase String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.keys.*.certificate String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.passphrase Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.entityID String Optional Unique ID of the SAML2 entity
    config.links.logout.redirectUrl String Optional Logout redirect url
    config.links.homeRedirect String Optional Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Optional Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Optional Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array Optional List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Optional Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Optional Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Optional Where users are directed upon clicking the password reset link
    config.prompts[] Array Optional List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Optional Name of field
    config.prompts[].type String Optional What kind of field this is (e.g. text or password)
    config.prompts[].text String Optional Actual text displayed on prompt for field
    config.idpDiscoveryEnabled Boolean Optional IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean Optional This flag is required to enable account choosing functionality for IDP discovery page.
    config.branding.companyName String Optional This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String Optional This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String Optional This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String Optional This text appears on the footer of all UAA pages
    config.branding.footerLinks.* Array Optional These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String Optional This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String Optional This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String Optional The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Optional Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Optional Hexadecimal color code for banner background color, does not allow color names
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Optional Default groups each user in the zone inherits.

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag is required to enable account choosing functionality for IDP discovery page.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* Array These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (Zones can only be created by being authenticated in the default zone.)
    422 Unprocessable Entity - Invalid zone details

    Sequential example of creating a zone and creating an admin client in that zone:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.testzone1.admin,zones.write"
    
    uaac token client get admin -s adminsecret
    
    uaac -t curl -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones
    
    uaac -t curl -H"X-Identity-Zone-Id:testzone1" -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients
    
    uaac target http://testzone1.localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac token decode
    

    Retrieving an identity zone

    $ curl 'http://localhost/identity-zones/twiglet-get' -i \
        -H 'Authorization: Bearer f053b6ed711a4132bfc483274098078f'
    
    GET /identity-zones/twiglet-get HTTP/1.1
    Authorization: Bearer f053b6ed711a4132bfc483274098078f
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 4878
    
    {
      "id" : "twiglet-get",
      "subdomain" : "twiglet-get",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1505167030055,
      "last_modified" : 1505167030055
    }
    

    Path Parameters

    /identity-zones/{id}

    Parameter Description
    id Unique ID of the identity zone to retrieve

    Request Headers

    Name Description
    Authorization Bearer token containing zones.read or zones.write or zones.<zone id>.admin or zones.<zone id>.read

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag is required to enable account choosing functionality for IDP discovery page.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* Array These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope
    404 Not Found - Zone does not exist

    Retrieving all identity zones

    $ curl 'http://localhost/identity-zones' -i \
        -H 'Authorization: Bearer c36061fceed84e70b595141ff26892bc'
    
    GET /identity-zones HTTP/1.1
    Authorization: Bearer c36061fceed84e70b595141ff26892bc
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 22879
    
    [ {
      "id" : "f4296xqx",
      "subdomain" : "f4296xqx",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "keys" : { },
          "disableInResponseToCheck" : false
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1505167025749,
      "last_modified" : 1505167025749
    }, {
      "id" : "fa8ky4wx",
      "subdomain" : "fa8ky4wx",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "keys" : { },
          "disableInResponseToCheck" : false
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1505167023550,
      "last_modified" : 1505167023550
    }, {
      "id" : "mwvq7whq",
      "subdomain" : "mwvq7whq",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "keys" : { },
          "disableInResponseToCheck" : false
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1505167026797,
      "last_modified" : 1505167026797
    }, {
      "id" : "twiglet-get-1",
      "subdomain" : "twiglet-get-1",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1505167029371,
      "last_modified" : 1505167029371
    }, {
      "id" : "twiglet-get-2",
      "subdomain" : "twiglet-get-2",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1505167029462,
      "last_modified" : 1505167029462
    }, {
      "id" : "uaa",
      "subdomain" : "",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : 0,
          "maxLength" : 255,
          "requireUpperCaseCharacter" : 0,
          "requireLowerCaseCharacter" : 0,
          "requireDigit" : 0,
          "requireSpecialCharacter" : 0
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 43200,
          "refreshTokenValidity" : 2592000,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
            }
          },
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code ( Get one at http://localhost:8080/uaa/passcode )"
        } ],
        "idpDiscoveryEnabled" : false,
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "scim.me", "cloud_controller.read", "cloud_controller.write", "cloud_controller_service_permissions.read", "password.write", "scim.userids", "uaa.user", "approvals.me", "oauth.approvals", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "uaa",
      "version" : 1,
      "description" : "The system zone for backwards compatibility",
      "created" : 946684800000,
      "last_modified" : 1505166985550
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.read or zones.<zone id>.admin

    Response Fields

    Path Type Description
    [].id String Unique ID of the identity zone
    [].subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    [].name String Human-readable zone name
    [].description String Description of the zone
    [].version Number Reserved for future use of E-Tag versioning
    [].config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    [].config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    [].config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    [].config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    [].config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    [].config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    [].config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    [].config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    []config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    [].config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
    [].config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    [].config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    [].config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
    [].config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
    [].config.samlConfig.entityID String Unique ID of the SAML2 entity
    [].config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    [].config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    [].config.samlConfig.keys.* Object Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    [].config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    [].config.links.logout.redirectUrl String Logout redirect url
    [].config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    [].config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    [].config.links.logout.disableRedirectParameter Boolean Whether or not to allow the redirect parameter on logout
    [].config.links.logout.whitelist Array List of allowed whitelist redirects
    [].config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    [].config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    [].config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    [].config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    [].config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    [].config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    [].config.branding.footerLegalText String This text appears on the footer of all UAA pages
    [].config.branding.footerLinks Object These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    [].config.prompts[] Object List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    [].config.prompts[].name String List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    [].config.prompts[].type String What kind of field this is (e.g. text or password)
    [].config.prompts[].text String Actual text displayed on prompt for field
    [].config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    [].config.accountChooserEnabled Boolean This flag is required to enable account choosing functionality for IDP discovery page.
    [].config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    [].config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    [].config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    [].config.branding.footerLegalText String This text appears on the footer of all UAA pages
    [].config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    [].config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    [].config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    [].config.branding.banner.link String The UAA login banner will be a link pointing to this url
    [].config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    [].config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    [].config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    [].config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    [].config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    [].config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    [].config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    [].config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    [].config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    [].config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    [].config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    [].config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    [].config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    [].config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    [].config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    [].config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    [].config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    [].config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    [].config.userConfig.defaultGroups Array Default groups each user in the zone inherits.

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope

    Updating an Identity Zone

    $ curl 'http://localhost/identity-zones/twiglet-update' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer bc859574dd0d4462a79f43a8d2f4d9b5' \
        -d '{
      "subdomain" : "twiglet-update",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null,
          "keys" : {
            "updatedKeyId" : {
              "signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT"
            }
          }
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
          "privateKeyPassword" : "password",
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Updated Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but not tastier.",
      "created" : 1505167029908,
      "last_modified" : 1505167029908
    }'
    
    PUT /identity-zones/twiglet-update HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer bc859574dd0d4462a79f43a8d2f4d9b5
    Host: localhost
    Content-Length: 6178
    
    {
      "subdomain" : "twiglet-update",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null,
          "keys" : {
            "updatedKeyId" : {
              "signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT"
            }
          }
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
          "privateKeyPassword" : "password",
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Updated Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but not tastier.",
      "created" : 1505167029908,
      "last_modified" : 1505167029908
    }
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 4953
    
    {
      "id" : "twiglet-update",
      "subdomain" : "twiglet-update",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Updated Twiglet Zone",
      "version" : 1,
      "description" : "Like the Twilight Zone but not tastier.",
      "created" : 1505167029850,
      "last_modified" : 1505167029924
    }
    

    Path Parameters

    /identity-zones/{id}

    Parameter Description
    id Unique ID of the identity zone to update

    Request Headers

    Name Description
    Authorization Bearer token containing zones.write or zones.<zone id>.admin

    Request Fields

    Path Type Constraints Description
    subdomain String Required Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Required Human-readable zone name
    description String Optional Description of the zone
    version Number Optional Reserved for future use of E-Tag versioning
    config.tokenPolicy.activeKeyId String Required if config.tokenPolicy.keys are set The ID for the key that is being used to sign tokens
    config.tokenPolicy.keys.. String Optional Keys which will be used to sign the token. If null value is specified for keys, then existing value will be retained.
    config.tokenPolicy.accessTokenValidity Number Optional Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Optional Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Optional Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean Optional If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String Optional The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.clientSecretPolicy.minLength Number Required when clientSecretPolicy in the config is not null Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Required when clientSecretPolicy in the config is not null Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Required when clientSecretPolicy in the config is not null Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean Optional If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean Optional If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Optional Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Optional Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean Optional If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number Optional The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Optional Unique ID of the SAML2 entity
    config.samlConfig.certificate String Deprecated Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.privateKey String Deprecated Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.privateKeyPassword String Deprecated Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.activeKeyId String Required if a list of keys defined in keys map The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.key String Optional. Can only be used in conjunction with keys.<key-id>.passphrase and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.keys.*.passphrase String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.keys.*.certificate String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.passphrase Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.links.logout.redirectUrl String Optional Logout redirect url
    config.links.homeRedirect String Optional Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Optional Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Optional Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array Optional List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Optional Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Optional Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Optional Where users are directed upon clicking the password reset link
    config.prompts[] Array Optional List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Optional Name of field
    config.prompts[].type String Optional What kind of field this is (e.g. text or password)
    config.prompts[].text String Optional Actual text displayed on prompt for field
    config.idpDiscoveryEnabled Boolean Optional IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean Optional This flag is required to enable account choosing functionality for IDP discovery page.
    config.branding.companyName String Optional This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String Optional This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String Optional This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String Optional This text appears on the footer of all UAA pages
    config.branding.footerLinks.* Array Optional These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String Optional This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String Optional This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String Optional The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Optional Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Optional Hexadecimal color code for banner background color, does not allow color names
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Optional Default groups each user in the zone inherits.

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag is required to enable account choosing functionality for IDP discovery page.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* Array These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (zone admins can only update own zone)
    404 Not Found - Update to nonexistent zone
    422 Unprocessable Entity - Invalid zone details

    Deleting an Identity Zone

    $ curl 'http://localhost/identity-zones/twiglet-delete' -i -X DELETE \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 5f49c70da4dc44b1987f3e328c9a8c28'
    
    DELETE /identity-zones/twiglet-delete HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 5f49c70da4dc44b1987f3e328c9a8c28
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 4884
    
    {
      "id" : "twiglet-delete",
      "subdomain" : "twiglet-delete",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "One Time Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        }
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1505167029669,
      "last_modified" : 1505167029669
    }
    

    Path Parameters

    /identity-zones/{id}

    Parameter Description
    id Unique ID of the identity zone to delete

    Request Headers

    Name Description
    Authorization Bearer token containing zones.write

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag is required to enable account choosing functionality for IDP discovery page.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* Array These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (zone admins can only delete their own zone)
    404 Not Found - Zone does not exist

    Identity Providers

    Create

    SAML

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 486cc9e72e5d4921bfd6b4d48475e61b' \
        -d '{
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAML",
      "name" : "SAML name",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 486cc9e72e5d4921bfd6b4d48475e61b
    Host: localhost
    Content-Length: 2718
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAML",
      "name" : "SAML name",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 2967
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
        "idpEntityAlias" : "SAML",
        "zoneId" : "uaa",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "id" : "4b5a303a-8403-49df-aaf4-2cba263870d2",
      "originKey" : "SAML",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1505167022958,
      "last_modified" : 1505167022958,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    
    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 486cc9e72e5d4921bfd6b4d48475e61b' \
        -d '{
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "http://simplesamlphp.cfapps.io/saml2/idp/metadata.php",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 486cc9e72e5d4921bfd6b4d48475e61b
    Host: localhost
    Content-Length: 791
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "http://simplesamlphp.cfapps.io/saml2/idp/metadata.php",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 1051
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "http://simplesamlphp.cfapps.io/saml2/idp/metadata.php",
        "idpEntityAlias" : "SAMLMetadataUrl",
        "zoneId" : "uaa",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "id" : "a0bb291a-bdb3-4abb-bcf4-e64e762bc7cd",
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1505167023288,
      "last_modified" : 1505167023288,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required saml
    originKey String Required A unique alias for the SAML provider
    config.skipSslValidation Boolean Optional (defaults to false) Set to true, to skip SSL validation when fetching metadata.
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    config.metaDataLocation String Required SAML Metadata - either an XML string or a URL that will deliver XML content
    config.nameID String Optional The name ID to use for the username, default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
    config.assertionConsumerIndex Number Optional SAML assertion consumer index, default is 0
    config.metadataTrustCheck Boolean Optional Should metadata be validated, defaults to false
    config.showSamlLink Boolean Optional Should the SAML login link be displayed on the login page, defaults to false
    config.linkText String Required if the showSamlLink is set to true The link text for the SAML IDP on the login page
    config.groupMappingMode String Optional (defaults to "EXPLICITLY_MAPPED") Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes.
    config.iconUrl String Optional Reserved for future use
    config.socketFactoryClassName Null Optional Either "org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory" or"org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory" depending on if the metaDataLocation of type URL is HTTP or HTTPS, respectively
    config.authnContext Array Optional List of AuthnContextClassRef to include in the SAMLRequest. If not specified no AuthnContext will be requested.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether or not shadow users must be created before login by an administrator.
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider
    config.providerDescription String Human readable name/description of this provider
    config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Defaults to true.
    config.addShadowUserOnLogin Boolean Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String saml
    originKey String A unique alias for the SAML provider
    config.skipSslValidation Boolean Set to true, to skip SSL validation when fetching metadata.
    config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    config.metaDataLocation String SAML Metadata - either an XML string or a URL that will deliver XML content
    config.nameID String The name ID to use for the username, default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
    config.assertionConsumerIndex Number SAML assertion consumer index, default is 0
    config.metadataTrustCheck Boolean Should metadata be validated, defaults to false
    config.showSamlLink Boolean Should the SAML login link be displayed on the login page, defaults to false
    config.linkText String The link text for the SAML IDP on the login page
    config.groupMappingMode String Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes.
    config.iconUrl String Reserved for future use
    config.socketFactoryClassName Null Either "org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory" or"org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory" depending on if the metaDataLocation of type URL is HTTP or HTTPS, respectively
    config.authnContext Array List of AuthnContextClassRef to include in the SAMLRequest. If not specified no AuthnContext will be requested.
    config.addShadowUserOnLogin Boolean Determines whether or not shadow users must be created before login by an administrator.
    config.attributeMappings Object Map external attribute to UAA recognized mappings.
    config.attributeMappings.given_name String Map given_name to the attribute for given name in the provider assertion.
    config.attributeMappings.family_name String Map family_name to the attribute for family name in the provider assertion.
    config.attributeMappings.email String Map email to the attribute for email in the provider assertion.
    config.attributeMappings.phone_number String Map phone_number to the attribute for phone number in the provider assertion.
    version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    id String Unique identifier for this provider - GUID generated by the UAA
    config.additionalConfiguration Object (Unused.)
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    created Number UAA sets the creation date
    last_modified Number UAA sets the modification date
    config.idpEntityAlias String This will be set to originKey
    config.zoneId String This will be set to the ID of the zone where the provider is being created

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    LDAP

    LDAP supports several different configurations. The most common one is that authentication is done using a search and bind strategy. The available strategies for authentication are

    Group integration also supports different strategies

    LDAP Simple Bind

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'X-Identity-Zone-Subdomain: mwvq7whq' \
        -H 'Authorization: Bearer 11639d61631b49e1b1b4026aac1ab75a' \
        -d '{
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
        "userDNPatternDelimiter" : ";",
        "bindUserDn" : null,
        "userSearchBase" : null,
        "userSearchFilter" : null,
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-null.xml",
        "groupSearchBase" : null,
        "groupSearchFilter" : null,
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 10,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    X-Identity-Zone-Subdomain: mwvq7whq
    Authorization: Bearer 11639d61631b49e1b1b4026aac1ab75a
    Host: localhost
    Content-Length: 1156
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
        "userDNPatternDelimiter" : ";",
        "bindUserDn" : null,
        "userSearchBase" : null,
        "userSearchFilter" : null,
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-null.xml",
        "groupSearchBase" : null,
        "groupSearchFilter" : null,
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 10,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 1357
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
        "userDNPatternDelimiter" : ";",
        "bindUserDn" : null,
        "userSearchBase" : null,
        "userSearchFilter" : null,
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-null.xml",
        "groupSearchBase" : null,
        "groupSearchFilter" : null,
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 10,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "id" : "744d6255-746a-494f-a70a-31fd72170e56",
      "originKey" : "ldap",
      "name" : "ldap name",
      "version" : 0,
      "created" : 1505167027153,
      "last_modified" : 1505167027153,
      "active" : true,
      "identityZoneId" : "mwvq7whq"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.

    Error Codes

    Error Code Description
    401 Unauthorized - Missing or invalid token
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    LDAP Search and Bind

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'X-Identity-Zone-Subdomain: fa8ky4wx' \
        -H 'Authorization: Bearer 76fa0a920db54d9c83b8b0e89371d18f' \
        -d '{
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : "{0}@my.org",
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    X-Identity-Zone-Subdomain: fa8ky4wx
    Authorization: Bearer 76fa0a920db54d9c83b8b0e89371d18f
    Host: localhost
    Content-Length: 1261
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : "{0}@my.org",
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 1426
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : "{0}@my.org",
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "id" : "0490a99f-a490-4871-aa0f-1a9f991b216a",
      "originKey" : "ldap",
      "name" : "ldap name",
      "version" : 0,
      "created" : 1505167023979,
      "last_modified" : 1505167023979,
      "active" : true,
      "identityZoneId" : "fa8ky4wx"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.

    Error Codes

    Error Code Description
    401 Unauthorized - Missing or invalid token
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    LDAP Search and Compare

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'X-Identity-Zone-Subdomain: f4296xqx' \
        -H 'Authorization: Bearer ecc2a3a511094e938ed9dc8f9bcfbbda' \
        -d '{
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : "userPassword",
        "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
        "localPasswordCompare" : true,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : "description",
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    X-Identity-Zone-Subdomain: f4296xqx
    Authorization: Bearer ecc2a3a511094e938ed9dc8f9bcfbbda
    Host: localhost
    Content-Length: 1338
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : "userPassword",
        "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
        "localPasswordCompare" : true,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : "description",
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 1503
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : "userPassword",
        "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
        "localPasswordCompare" : true,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : "description",
        "tlsConfiguration" : "none"
      },
      "id" : "422ab151-fb60-4373-ac9e-c2fa94238124",
      "originKey" : "ldap",
      "name" : "ldap name",
      "version" : 0,
      "created" : 1505167026066,
      "last_modified" : 1505167026066,
      "active" : true,
      "identityZoneId" : "f4296xqx"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion.

    Error Codes

    Error Code Description
    401 Unauthorized - Missing or invalid token
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    OAuth/OIDC

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 190d267783634124b0befbfac0690719' \
        -d '{
      "type" : "oauth2.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : "http://auth.url",
        "tokenUrl" : "http://token.url",
        "tokenKeyUrl" : null,
        "tokenKey" : "token-key",
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : false,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code"
      },
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 190d267783634124b0befbfac0690719
    Host: localhost
    Content-Length: 672
    
    {
      "type" : "oauth2.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : "http://auth.url",
        "tokenUrl" : "http://token.url",
        "tokenKeyUrl" : null,
        "tokenKey" : "token-key",
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : false,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code"
      },
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 896
    
    {
      "type" : "oauth2.0",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : "http://auth.url",
        "tokenUrl" : "http://token.url",
        "tokenKeyUrl" : null,
        "tokenKey" : "token-key",
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : false,
        "relyingPartyId" : "uaa",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "checkTokenUrl" : null
      },
      "id" : "617096ca-3e2a-4431-b537-ea256af5fe56",
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1505167025485,
      "last_modified" : 1505167025485,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oauth2.0"
    originKey String Required A unique alias for a OAuth provider
    config.authUrl String Required The OAuth 2.0 authorization endpoint URL
    config.tokenUrl String Required The OAuth 2.0 token endpoint URL
    config.tokenKeyUrl String Optional The URL of the token key endpoint which renders a verification key for validating token signatures
    config.tokenKey String Optional A verification key for validating token signatures, set to null if a tokenKeyUrl is provided.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth provider
    config.checkTokenUrl Object Optional Reserved for future OAuth use.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, will be sent to OAuth server, defaults to code
    config.clientAuthInBody Boolean Optional (defaults to false) Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether or not shadow users must be created before login by an administrator.
    config.attributeMappings.external_groups Object Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "preferred_username") Map user_name to the attribute for username in the provider assertion.
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.relyingPartySecret String Required The client secret of the relying party at the external OAuth provider

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oauth2.0"
    originKey String Required A unique alias for a OAuth provider
    config.authUrl String Required The OAuth 2.0 authorization endpoint URL
    config.tokenUrl String Required The OAuth 2.0 token endpoint URL
    config.tokenKeyUrl String Optional The URL of the token key endpoint which renders a verification key for validating token signatures
    config.tokenKey String Optional A verification key for validating token signatures, set to null if a tokenKeyUrl is provided.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth provider
    config.checkTokenUrl Object Optional Reserved for future OAuth use.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, will be sent to OAuth server, defaults to code
    config.clientAuthInBody Boolean Optional (defaults to false) Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether or not shadow users must be created before login by an administrator.
    config.attributeMappings.external_groups Object Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "preferred_username") Map user_name to the attribute for username in the provider assertion.
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.relyingPartySecret String Required The client secret of the relying party at the external OAuth provider

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error
    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 2fce740ca8fc4711b8625d639c6d2989' \
        -d '{
      "type" : "oidc1.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : null,
        "tokenUrl" : null,
        "tokenKeyUrl" : null,
        "tokenKey" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : true,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userInfoUrl" : null,
        "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration"
      },
      "originKey" : "my-oidc-provider-xbnvae",
      "name" : "UAA Provider",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 2fce740ca8fc4711b8625d639c6d2989
    Host: localhost
    Content-Length: 752
    
    {
      "type" : "oidc1.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : null,
        "tokenUrl" : null,
        "tokenKeyUrl" : null,
        "tokenKey" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : true,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userInfoUrl" : null,
        "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration"
      },
      "originKey" : "my-oidc-provider-xbnvae",
      "name" : "UAA Provider",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 948
    
    {
      "type" : "oidc1.0",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : null,
        "tokenUrl" : null,
        "tokenKeyUrl" : null,
        "tokenKey" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : true,
        "relyingPartyId" : "uaa",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userInfoUrl" : null,
        "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration"
      },
      "id" : "9bf47951-8b29-44b7-80f7-a40851b370ab",
      "originKey" : "my-oidc-provider-xbnvae",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1505167025584,
      "last_modified" : 1505167025584,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oidc1.0"
    originKey String Required A unique alias for the OIDC 1.0 provider
    config.discoveryUrl String Optional The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configurationmit
    config.authUrl String Required unless discoveryUrl is set. The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenUrl String Required unless discoveryUrl is set. The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenKeyUrl String Required unless discoveryUrl is set. The URL of the token key endpoint which renders a verification key for validating token signatures. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenKey String Required unless discoveryUrl is set. A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth/OpenID provider. For example, can provide openid, roles, or profile to request ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively.
    config.checkTokenUrl Object Optional Reserved for future OAuth/OIDC use.
    config.clientAuthInBody Boolean Optional (defaults to false) Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header.
    config.userInfoUrl Object Optional Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether or not shadow users must be created before login by an administrator.
    config.attributeMappings.external_groups Object Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "preferred_username") Map user_name to the attribute for username in the provider assertion.
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.relyingPartySecret String Required The client secret of the relying party at the external OAuth provider

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oidc1.0"
    originKey String Required A unique alias for the OIDC 1.0 provider
    config.discoveryUrl String Optional The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configurationmit
    config.authUrl String Required unless discoveryUrl is set. The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenUrl String Required unless discoveryUrl is set. The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenKeyUrl String Required unless discoveryUrl is set. The URL of the token key endpoint which renders a verification key for validating token signatures. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenKey String Required unless discoveryUrl is set. A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth/OpenID provider. For example, can provide openid, roles, or profile to request ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively.
    config.checkTokenUrl Object Optional Reserved for future OAuth/OIDC use.
    config.clientAuthInBody Boolean Optional (defaults to false) Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header.
    config.userInfoUrl Object Optional Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether or not shadow users must be created before login by an administrator.
    config.attributeMappings.external_groups Object Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "preferred_username") Map user_name to the attribute for username in the provider assertion.
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.relyingPartySecret String Required The client secret of the relying party at the external OAuth provider

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    Retrieve All

    $ curl 'http://localhost/identity-providers?rawConfig=false' -i \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer ed8ab702660c40d5a5647f371c454235'
    
    GET /identity-providers?rawConfig=false HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer ed8ab702660c40d5a5647f371c454235
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 6643
    
    [ {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/SAML\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"SAML\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:SAML\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "4b5a303a-8403-49df-aaf4-2cba263870d2",
      "originKey" : "SAML",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1505167022958,
      "last_modified" : 1505167022958,
      "active" : true,
      "identityZoneId" : "uaa"
    }, {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"http://simplesamlphp.cfapps.io/saml2/idp/metadata.php\",\"idpEntityAlias\":\"SAMLMetadataUrl\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:transient\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:SAML\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "a0bb291a-bdb3-4abb-bcf4-e64e762bc7cd",
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1505167023288,
      "last_modified" : 1505167023288,
      "active" : true,
      "identityZoneId" : "uaa"
    }, {
      "type" : "keystone",
      "config" : "null",
      "id" : "51540be0-3270-429a-9134-db60329d634a",
      "originKey" : "keystone",
      "name" : "keystone",
      "version" : 1,
      "created" : 946684800000,
      "last_modified" : 1505166984322,
      "active" : false,
      "identityZoneId" : "uaa"
    }, {
      "type" : "ldap",
      "config" : "null",
      "id" : "fc717f18-0b79-455d-8262-8a43939bd88e",
      "originKey" : "ldap",
      "name" : "ldap",
      "version" : 1,
      "created" : 946684800000,
      "last_modified" : 1505166985239,
      "active" : false,
      "identityZoneId" : "uaa"
    }, {
      "type" : "login-server",
      "config" : "null",
      "id" : "c83bd372-e36b-44f9-8fbf-1d21cf33b0c9",
      "originKey" : "login-server",
      "name" : "login-server",
      "version" : 1,
      "created" : 946684800000,
      "last_modified" : 1505166985249,
      "active" : false,
      "identityZoneId" : "uaa"
    }, {
      "type" : "oauth2.0",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":\"http://auth.url\",\"tokenUrl\":\"http://token.url\",\"tokenKeyUrl\":null,\"tokenKey\":\"token-key\",\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":false,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"checkTokenUrl\":null}",
      "id" : "617096ca-3e2a-4431-b537-ea256af5fe56",
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1505167025485,
      "last_modified" : 1505167025485,
      "active" : true,
      "identityZoneId" : "uaa"
    }, {
      "type" : "oidc1.0",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":null,\"tokenUrl\":null,\"tokenKeyUrl\":null,\"tokenKey\":null,\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":true,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"userInfoUrl\":null,\"discoveryUrl\":\"https://accounts.google.com/.well-known/openid-configuration\"}",
      "id" : "9bf47951-8b29-44b7-80f7-a40851b370ab",
      "originKey" : "my-oidc-provider-xbnvae",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1505167025584,
      "last_modified" : 1505167025584,
      "active" : true,
      "identityZoneId" : "uaa"
    }, {
      "type" : "uaa",
      "config" : "null",
      "id" : "307698a3-e2bb-418b-aa0f-c66242d72bc7",
      "originKey" : "uaa",
      "name" : "uaa",
      "version" : 3,
      "created" : 946684800000,
      "last_modified" : 1505167025683,
      "active" : true,
      "identityZoneId" : "uaa"
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Response Fields

    Path Type Description
    [].type String Type of the identity provider.
    [].originKey String Unique identifier for the identity provider.
    [].name String Human-readable name for this provider
    [].config String Json config for the Identity Provider
    [].version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    [].active Boolean Defaults to true.
    [].id String Unique identifier for this provider - GUID generated by the UAA
    [].identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    [].created Number UAA sets the creation date
    [].last_modified Number UAA sets the modification date

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Retrieve

    $ curl 'http://localhost/identity-providers/2db99319-37d6-47dd-a55c-9a0cbd1a091c?rawConfig=false' -i \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer d39c9d6d94fd4bda914981e6a9e07ff2'
    
    GET /identity-providers/2db99319-37d6-47dd-a55c-9a0cbd1a091c?rawConfig=false HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer d39c9d6d94fd4bda914981e6a9e07ff2
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 2976
    
    {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/saml-for-get\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"saml-for-get\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:saml-for-get\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "2db99319-37d6-47dd-a55c-9a0cbd1a091c",
      "originKey" : "saml-for-get",
      "name" : "saml-for-get name",
      "version" : 0,
      "created" : 1505167025317,
      "last_modified" : 1505167025317,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Path Parameters

    /identity-providers/{id}

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider
    config.providerDescription String Human readable name/description of this provider
    config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Defaults to true.
    config.addShadowUserOnLogin Boolean Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Type of the identity provider.
    originKey String Unique identifier for the identity provider.
    config String Various configuration properties for the identity provider.
    config.additionalConfiguration Object (Unused.)
    version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    id String Unique identifier for this provider - GUID generated by the UAA
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    created Number UAA sets the creation date
    last_modified Number UAA sets the modification date

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Update

    $ curl 'http://localhost/identity-providers/307698a3-e2bb-418b-aa0f-c66242d72bc7?rawConfig=true' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer d53f5bc01c5c477a95c8eaad14f7b8d5' \
        -d '{"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true}'
    
    PUT /identity-providers/307698a3-e2bb-418b-aa0f-c66242d72bc7?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer d53f5bc01c5c477a95c8eaad14f7b8d5
    Host: localhost
    Content-Length: 280
    
    {"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true}
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 559
    
    {
      "type" : "uaa",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "passwordPolicy" : null,
        "lockoutPolicy" : {
          "lockoutPeriodSeconds" : 8,
          "lockoutAfterFailures" : 8,
          "countFailuresWithin" : 8
        },
        "disableInternalUserManagement" : false
      },
      "id" : "307698a3-e2bb-418b-aa0f-c66242d72bc7",
      "originKey" : "uaa",
      "name" : "uaa",
      "version" : 4,
      "created" : 946684800000,
      "last_modified" : 1505167026715,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Path Parameters

    /identity-providers/{id}

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request and Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required uaa
    originKey String Required A unique identifier for the IDP. Cannot be updated.
    version Number Required Version of the identity provider data. Clients can use this to protect against conflicting updates
    config.passwordPolicy.minLength Number Required when passwordPolicy in the config is not null Minimum number of characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.maxLength Number Required when passwordPolicy in the config is not null Maximum number of characters required for password to be considered valid (defaults to 255).
    config.passwordPolicy.requireUpperCaseCharacter Number Required when passwordPolicy in the config is not null Minimum number of uppercase characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.requireLowerCaseCharacter Number Required when passwordPolicy in the config is not null Minimum number of lowercase characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.requireDigit Number Required when passwordPolicy in the config is not null Minimum number of digits required for password to be considered valid (defaults to 0).
    config.passwordPolicy.requireSpecialCharacter Number Required when passwordPolicy in the config is not null Minimum number of special characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.expireInMonths Number Required when passwordPolicy in the config is not null Number of months after which current password expires (defaults to 0).
    config.passwordPolicy.passwordNewerThan Number Required when passwordPolicy in the config is not null This timestamp value can be used to force change password for every user. If the user's passwordLastModified is older than this value, the password is expired (defaults to null).
    config.lockoutPolicy.lockoutPeriodSeconds Number Required when LockoutPolicy in the config is not null Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked (defaults to 3600).
    config.lockoutPolicy.lockoutAfterFailures Number Required when LockoutPolicy in the config is not null Number of allowed failures before account is locked (defaults to 5).
    config.lockoutPolicy.countFailuresWithin Number Required when LockoutPolicy in the config is not null Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded (defaults to 300).
    config.disableInternalUserManagement Boolean Optional When set to true, user management is disabled for this provider, defaults to false

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity - Invalid config

    Delete

    $ curl 'http://localhost/identity-providers/4f7c01cc-613d-445a-8966-e17b59a9254b' -i -X DELETE \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 6d6004b998084e5a8e69c8ba3a8a7d16'
    
    DELETE /identity-providers/4f7c01cc-613d-445a-8966-e17b59a9254b HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 6d6004b998084e5a8e69c8ba3a8a7d16
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 2991
    
    {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/saml-for-delete\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"saml-for-delete\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:saml-for-delete\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "4f7c01cc-613d-445a-8966-e17b59a9254b",
      "originKey" : "saml-for-delete",
      "name" : "saml-for-delete name",
      "version" : 0,
      "created" : 1505167026640,
      "last_modified" : 1505167026640,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Path Parameters

    /identity-providers/{id}

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider
    config.providerDescription String Human readable name/description of this provider
    config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Defaults to true.
    config.addShadowUserOnLogin Boolean Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database
    config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Type of the identity provider.
    originKey String Unique identifier for the identity provider.
    config String Various configuration properties for the identity provider.
    config.additionalConfiguration Object (Unused.)
    version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    id String Unique identifier for this provider - GUID generated by the UAA
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    created Number UAA sets the creation date
    last_modified Number UAA sets the modification date

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity

    Force password change for Users

    $ curl 'http://localhost/identity-providers/307698a3-e2bb-418b-aa0f-c66242d72bc7/status' -i -X PATCH \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer a07e3b0e4d664fa8ba6aa8b1612d81d1' \
        -d '{"requirePasswordChange":true}'
    
    PATCH /identity-providers/307698a3-e2bb-418b-aa0f-c66242d72bc7/status HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer a07e3b0e4d664fa8ba6aa8b1612d81d1
    Host: localhost
    Content-Length: 30
    
    {"requirePasswordChange":true}
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 36
    
    {
      "requirePasswordChange" : true
    }
    

    Path Parameters

    /identity-providers/{id}/status

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone.

    Request and Response Fields

    Path Type Constraints Description
    requirePasswordChange Boolean Required Set to true in order to force password change for all users. The passwordNewerThan property in PasswordPolicy of the IdentityProvider will be updated with current system time. If the user's passwordLastModified is older than this value, the password is expired.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity - Invalid config

    Service Providers

    UAA is capable of acting as a SAML Identity Provider (IdP). When UAA receives a SAML authentication request from a recognized SAML Service Provider (SP), UAA will authenticate the user then send a SAML authentication response back to the SAML SP. If UAA succesfully authenticated the user the SAML authentication response will contain a SAML assertion as per specification.

    Obtaining the UAA SAML IdP metadata:

    In order to establish trust, a SAML IdP and SAML SP exchange SAML metadata which contains pulbic certificates as well as the endpoints used to communicate amongst each other. Your SAML SP will likely require the UAA SAML IdP metadata in order to make authentication requests to UAA. You can obtain this metadata by making a GET request to the /saml/idp/metadata endpoint.

    GET http://localhost:8080/uaa/saml/idp/metadata

    Initiate IDP Login Flow

    When the UAA is an IdP, you can initiate the login flow to the Service Provider, SP, by using the initiate endpoint This is a browser flow.

    $ curl 'http://jsgfpz64rt3ugwik2yvtexsz.localhost/saml/idp/initiate?sp=Az6GPLYqtC.cloudfoundry-saml-login' -i
    
    GET /saml/idp/initiate?sp=Az6GPLYqtC.cloudfoundry-saml-login HTTP/1.1
    Host: jsgfpz64rt3ugwik2yvtexsz.localhost
    
    
    
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
        <head>
            </head>
        <body onload="document.forms[0].submit()">
            <noscript>
                <p>
                    <strong>Note:</strong> Since your browser does not support JavaScript,
                    you must press the Continue button once to proceed.
                </p>
            </noscript>
    
            <form action="http&#x3a;&#x2f;&#x2f;Az6GPLYqtC.localhost&#x3a;8080&#x2f;uaa&#x2f;saml&#x2f;SSO&#x2f;alias&#x2f;Az6GPLYqtC.cloudfoundry-saml-login" method="post">
                <div>
    
    
                    <input type="hidden" name="SAMLResponse" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cDovL0F6NkdQTFlxdEMubG9jYWxob3N0OjgwODAvdWFhL3NhbWwvU1NPL2FsaWFzL0F6NkdQTFlxdEMuY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW4iIElEPSJhZGIyMjc1ZmFhZTdoaTM0MTJnZzkwamQyajlpaWQiIElzc3VlSW5zdGFudD0iMjAxNy0wOS0xMVQyMTo1NzozMS4xMjZaIiBWZXJzaW9uPSIyLjAiPjxzYW1sMjpJc3N1ZXIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmpzZ2ZwejY0cnQzdWd3aWsyeXZ0ZXhzei5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxzYW1sMnA6U3RhdHVzPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpBc3NlcnRpb24geG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJhMTM2aTkxMmdkMmRjNGkzMWQ3MmliYmQ0aTRpOTVkIiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMTFUMjE6NTc6MzEuMTE0WiIgVmVyc2lvbj0iMi4wIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiPjxzYW1sMjpJc3N1ZXI+anNnZnB6NjRydDN1Z3dpazJ5dnRleHN6LmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luPC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNhMTM2aTkxMmdkMmRjNGkzMWQ3MmliYmQ0aTRpOTVkIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48ZWM6SW5jbHVzaXZlTmFtZXNwYWNlcyB4bWxuczplYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJ4cyIvPjwvZHM6VHJhbnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+UndGVUIxQktsTUxlWTRIaTA3cytGWDFQVDA0PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5tbVNSVkp5Q2Q1TWcxZEZlSHVwRHkzd3dXZzBRaE9zOHlWVDB1TmIyR1kvVmpxQ2owYnlMMFlNRFhZdnBUWENNTkhWQ01EeHFLa2F5dWtzaThlUlFvUU1tQkM3YzdIY3ZrMW9XaWhBUUt3ZXg5Z3JLVDBCZzRMMWEzUWRJenpmME9SWERaVUdaVGZ5QWN4Z0NFM0dNNEhPZGJzQzduMnpvWjlac01sOUZBckE9PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlEU1RDQ0FyS2dBd0lCQWdJQkFEQU5CZ2txaGtpRzl3MEJBUVFGQURCOE1Rc3dDUVlEVlFRR0V3SmhkekVPTUF3R0ExVUVDQk1GCllYSjFZbUV4RGpBTUJnTlZCQW9UQldGeWRXSmhNUTR3REFZRFZRUUhFd1ZoY25WaVlURU9NQXdHQTFVRUN4TUZZWEoxWW1FeERqQU0KQmdOVkJBTVRCV0Z5ZFdKaE1SMHdHd1lKS29aSWh2Y05BUWtCRmc1aGNuVmlZVUJoY25WaVlTNWhjakFlRncweE5URXhNakF5TWpJMgpNamRhRncweE5qRXhNVGt5TWpJMk1qZGFNSHd4Q3pBSkJnTlZCQVlUQW1GM01RNHdEQVlEVlFRSUV3VmhjblZpWVRFT01Bd0dBMVVFCkNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMRXdWaGNuVmlZVEVPTUF3R0ExVUVBeE1GWVhKMVltRXgKSFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeU1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQgpnUURIdEM1Z1VYeEJLcEVxWlRMa052RndOR25OSWtnZ05Pd09RVk5icE8wV1ZISWl2aWc1TDM5V3FTOXUwaG5BK083TUNBL0tsckFSCjRiWGFlVlZod2ZVUFlCS0lwYWFUV0ZRUjVjVFIxVUZaSkwvT0Y5dkFmcE93em5vRDY2RERDblFWcGJDanREWVdYK3g2aW14bjhIQ1kKeGhNb2w2Wm5UYlNzRlc2VlpqRk1qUUlEQVFBQm80SGFNSUhYTUIwR0ExVWREZ1FXQkJUeDBsRHpqSC9pT0JuT1NRYVNFV1FMeDFzeQpHRENCcHdZRFZSMGpCSUdmTUlHY2dCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3lHS0dCZ0tSK01Id3hDekFKQmdOVkJBWVRBbUYzCk1RNHdEQVlEVlFRSUV3VmhjblZpWVRFT01Bd0dBMVVFQ2hNRllYSjFZbUV4RGpBTUJnTlZCQWNUQldGeWRXSmhNUTR3REFZRFZRUUwKRXdWaGNuVmlZVEVPTUF3R0ExVUVBeE1GWVhKMVltRXhIVEFiQmdrcWhraUc5dzBCQ1FFV0RtRnlkV0poUUdGeWRXSmhMbUZ5Z2dFQQpNQXdHQTFVZEV3UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUVCUUFEZ1lFQVl2QkowSE9aYmJIQ2xYbUdVakdzK0dTK3hDMUZPL2FtCjJzdUNTWXFOQjlkeU1YZk9XaUoxK1RMSmsrby9ZWnQ4dnV4Q0tkY1pZZ2w0bC9MNlB4Sjk4MlNSaGM4M1pXMmRrQVpJNE0wL1VkM28KZVBlODRrOGptM0E3RXZINXdpNWh2Q2tLUnB1UkJ3bjNFaStqQ1JvdXhUYnpLUHN1Q1ZCKzFzTnl4TVRYemYwPTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sMjpTdWJqZWN0PjxzYW1sMjpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDp1bnNwZWNpZmllZCI+bWFyaXNzYTwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0xMVQyMTo1NzozMS4xMTRaIiBSZWNpcGllbnQ9Imh0dHA6Ly9BejZHUExZcXRDLmxvY2FsaG9zdDo4MDgwL3VhYS9zYW1sL1NTTy9hbGlhcy9BejZHUExZcXRDLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIi8+PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTctMDktMTFUMjE6NTc6MzEuMTE0WiIgTm90T25PckFmdGVyPSIyMDE3LTA5LTExVDIxOjU3OjMxLjExNFoiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT5BejZHUExZcXRDLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMTFUMjE6NTc6MzEuMTE0WiIgU2Vzc2lvbkluZGV4PSJhMjhpZmIzY2VpZmE3OWYzMWQxOWIzZGc0MDhmOGE1Ij48c2FtbDI6QXV0aG5Db250ZXh0PjxzYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sMjpBdXRobkNvbnRleHQ+PC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iYXV0aG9yaXRpZXMiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWEudXNlcjwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJlbWFpbCI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPm1hcmlzc2FAdGVzdC5vcmc8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iaWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj4xNjAyN2NjNi1jNWZmLTQ1OTItYjMzZS0zMzQxMDg4ZDM2ODI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ibmFtZSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPm1hcmlzc2E8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ib3JpZ2luIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+dWFhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9InpvbmVJZCI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmpzZ2ZwejY0cnQzdWd3aWsyeXZ0ZXhzejwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sMjpBc3NlcnRpb24+PC9zYW1sMnA6UmVzcG9uc2U+"/>                
                </div>
                <noscript>
                    <div>
                        <input type="submit" value="Continue"/>
                    </div>
                </noscript>
            </form>
                </body>
    </html>
    

    Request Parameters

    Parameter Type Constraints Description
    sp String required The entity ID of a configured and active the service provider.

    Error Codes

    Error Code Description
    400 If IDP initiated login is not enabled, the SP parameter is incorrect or SP is disabled.

    List

    $ curl 'http://localhost/saml/service-providers' -i \
        -H 'Authorization: Bearer 35739635e0184f7abd5ea42d33c31592'
    
    GET /saml/service-providers HTTP/1.1
    Authorization: Bearer 35739635e0184f7abd5ea42d33c31592
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 7162
    
    [ {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"P0oCQb3J8u.cloudfoundry-saml-login\\\" entityID=\\\"P0oCQb3J8u.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#P0oCQb3J8u.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://P0oCQb3J8u.localhost:8080/uaa/saml/SingleLogout/alias/P0oCQb3J8u.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://P0oCQb3J8u.localhost:8080/uaa/saml/SingleLogout/alias/P0oCQb3J8u.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://P0oCQb3J8u.localhost:8080/uaa/saml/SSO/alias/P0oCQb3J8u.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://P0oCQb3J8u.localhost:8080/uaa/saml/SSO/alias/P0oCQb3J8u.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\"},\"enableIdpInitiatedSso\":true}",
      "id" : "fb740fc3-80a5-482f-800b-693699330742",
      "entityId" : "P0oCQb3J8u.cloudfoundry-saml-login",
      "name" : "P0oCQb3J8u",
      "version" : 0,
      "created" : 1505167051249,
      "lastModified" : 1505167051249,
      "active" : true,
      "identityZoneId" : "uaa"
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing sps.read
    X-Identity-Zone-Id If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    [].id String Unique identifier for this provider - GUID generated by the UAA.
    [].name String Human readable name for the SAML SP.
    [].entityId String The entity id of the SAML SP.
    [].active Boolean Defaults to true.
    [].created Number UAA sets this to the UTC creation date.
    [].identityZoneId String Set to the zone that this provider will be active in. Determined by either.
    [].lastModified Number UAA sets this to the UTC last date of modification.
    [].version Number Version of the identity provider data. Clients can use this.
    [].config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
    [].config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
    [].config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Get

    $ curl 'http://localhost/saml/service-providers/cadf4a2c-ef80-47c3-9a40-eedad20da3f0' -i \
        -H 'Authorization: Bearer 757c8934ed2e4fb79fb85c9489a00c2a'
    
    GET /saml/service-providers/cadf4a2c-ef80-47c3-9a40-eedad20da3f0 HTTP/1.1
    Authorization: Bearer 757c8934ed2e4fb79fb85c9489a00c2a
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 7158
    
    {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"yAKNCosKAw.cloudfoundry-saml-login\\\" entityID=\\\"yAKNCosKAw.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#yAKNCosKAw.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://yAKNCosKAw.localhost:8080/uaa/saml/SingleLogout/alias/yAKNCosKAw.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://yAKNCosKAw.localhost:8080/uaa/saml/SingleLogout/alias/yAKNCosKAw.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://yAKNCosKAw.localhost:8080/uaa/saml/SSO/alias/yAKNCosKAw.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://yAKNCosKAw.localhost:8080/uaa/saml/SSO/alias/yAKNCosKAw.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\"},\"enableIdpInitiatedSso\":true}",
      "id" : "cadf4a2c-ef80-47c3-9a40-eedad20da3f0",
      "entityId" : "yAKNCosKAw.cloudfoundry-saml-login",
      "name" : "yAKNCosKAw",
      "version" : 0,
      "created" : 1505167051316,
      "lastModified" : 1505167051316,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing sps.read
    X-Identity-Zone-Id If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Path Parameters

    /saml/service-providers/{id}

    Parameter Description
    id Unique ID of the service provider

    Response Fields

    Path Type Description
    id String Unique identifier for this provider - GUID generated by the UAA.
    name String Human readable name for the SAML SP.
    entityId String The entity id of the SAML SP.
    active Boolean Defaults to true.
    created Number UAA sets this to the UTC creation date.
    identityZoneId String Set to the zone that this provider will be active in. Determined by either.
    lastModified Number UAA sets this to the UTC last date of modification.
    version Number Version of the identity provider data. Clients can use this.
    config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
    config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.
    config.attributeMappings.given_name String Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Map phone_number value within UAA to a specified assertion in the SAML response.
    config.enableIdpInitiatedSso Boolean When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Create

    $ curl 'http://localhost/saml/service-providers' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 1c8f5ad49d174a1581df6f0798012680' \
        -d '{
      "name" : "NepFPaws3k",
      "entityId" : "NepFPaws3k.cloudfoundry-saml-login",
      "active" : true,
      "config" : "{\"enableIdpInitiatedSso\" : true,\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\" entityID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true ,\"attributeMappings\" : { \"given_name\" : \"firstname\", \"family_name\" : \"lastname\", \"phone_number\" : \"phone\" }}"
    }'
    
    POST /saml/service-providers HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 1c8f5ad49d174a1581df6f0798012680
    Host: localhost
    Content-Length: 6961
    
    {
      "name" : "NepFPaws3k",
      "entityId" : "NepFPaws3k.cloudfoundry-saml-login",
      "active" : true,
      "config" : "{\"enableIdpInitiatedSso\" : true,\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\" entityID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true ,\"attributeMappings\" : { \"given_name\" : \"firstname\", \"family_name\" : \"lastname\", \"phone_number\" : \"phone\" }}"
    }
    
    HTTP/1.1 201 Created
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 7158
    
    {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\" entityID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\"},\"enableIdpInitiatedSso\":true}",
      "id" : "54b50bb9-8e49-48aa-8a9d-55d9cc72bca6",
      "entityId" : "NepFPaws3k.cloudfoundry-saml-login",
      "name" : "NepFPaws3k",
      "version" : 0,
      "created" : 1505167051443,
      "lastModified" : 1505167051443,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing sps.write
    X-Identity-Zone-Id If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    name String Required Human readable name for the SAML SP.
    entityId String Optional If provided, it should match the entityId in the SP metadata.
    active Boolean Optional Defaults to true
    config String Required Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String Required The SAML SP Metadata - either an XML string or a URL that
    config.attributeMappings.given_name String Optional Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Optional Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Optional Map phone_number value within UAA to a specified assertion in the SAML response.
    config.metadataTrustCheck Boolean Optional Determines whether UAA should validate the SAML SP metadata.
    config.enableIdpInitiatedSso Boolean Optional When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id

    Response Fields

    Path Type Description
    id String Unique identifier for this provider - GUID generated by the UAA.
    name String Human readable name for the SAML SP.
    entityId String The entity id of the SAML SP.
    active Boolean Defaults to true.
    created Number UAA sets this to the UTC creation date.
    identityZoneId String Set to the zone that this provider will be active in. Determined by either.
    lastModified Number UAA sets this to the UTC last date of modification.
    version Number Version of the identity provider data. Clients can use this.
    config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
    config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.
    config.attributeMappings.given_name String Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Map phone_number value within UAA to a specified assertion in the SAML response.
    config.enableIdpInitiatedSso Boolean When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity
    409 Conflict - A provider with the same entity id and zone id exists.

    Update

    $ curl 'http://localhost/saml/service-providers/f4f69e65-959b-40dc-8c14-2254fc4acf68' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 06cc120355e748c1bebab5ecd92e894e' \
        -d '{
      "name" : "Xf1FlIUeJq",
      "entityId" : "Xf1FlIUeJq.cloudfoundry-saml-login",
      "active" : true,
      "config" : "{\"enableIdpInitiatedSso\" : true,\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\" entityID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true ,\"attributeMappings\" : { \"given_name\" : \"firstname\", \"family_name\" : \"lastname\", \"phone_number\" : \"phone\" }}"
    }'
    
    PUT /saml/service-providers/f4f69e65-959b-40dc-8c14-2254fc4acf68 HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 06cc120355e748c1bebab5ecd92e894e
    Host: localhost
    Content-Length: 6961
    
    {
      "name" : "Xf1FlIUeJq",
      "entityId" : "Xf1FlIUeJq.cloudfoundry-saml-login",
      "active" : true,
      "config" : "{\"enableIdpInitiatedSso\" : true,\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\" entityID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true ,\"attributeMappings\" : { \"given_name\" : \"firstname\", \"family_name\" : \"lastname\", \"phone_number\" : \"phone\" }}"
    }
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 7158
    
    {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\" entityID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\"},\"enableIdpInitiatedSso\":true}",
      "id" : "f4f69e65-959b-40dc-8c14-2254fc4acf68",
      "entityId" : "Xf1FlIUeJq.cloudfoundry-saml-login",
      "name" : "Xf1FlIUeJq",
      "version" : 1,
      "created" : 1505167051495,
      "lastModified" : 1505167051515,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing sps.write
    X-Identity-Zone-Id If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    name String Required Human readable name for the SAML SP.
    entityId String Optional If provided, it should match the entityId in the SP metadata.
    active Boolean Optional Defaults to true
    config String Required Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String Required The SAML SP Metadata - either an XML string or a URL that
    config.attributeMappings.given_name String Optional Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Optional Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Optional Map phone_number value within UAA to a specified assertion in the SAML response.
    config.metadataTrustCheck Boolean Optional Determines whether UAA should validate the SAML SP metadata.
    config.enableIdpInitiatedSso Boolean Optional When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id

    Path Parameters

    /saml/service-providers/{id}

    Parameter Description
    id Unique ID of the service provider

    Response Fields

    Path Type Description
    id String Unique identifier for this provider - GUID generated by the UAA.
    name String Human readable name for the SAML SP.
    entityId String The entity id of the SAML SP.
    active Boolean Defaults to true.
    created Number UAA sets this to the UTC creation date.
    identityZoneId String Set to the zone that this provider will be active in. Determined by either.
    lastModified Number UAA sets this to the UTC last date of modification.
    version Number Version of the identity provider data. Clients can use this.
    config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
    config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.
    config.attributeMappings.given_name String Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Map phone_number value within UAA to a specified assertion in the SAML response.
    config.enableIdpInitiatedSso Boolean When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity
    409 Conflict - A provider with the same entity id and zone id exists.

    Delete

    $ curl 'http://localhost/saml/service-providers/7cb18031-c31c-4f12-a136-c33637593f39' -i -X DELETE \
        -H 'Authorization: Bearer f12828b1c3364d62a01d05c1f0af0e31' \
        -H 'Accept: application/json'
    
    DELETE /saml/service-providers/7cb18031-c31c-4f12-a136-c33637593f39 HTTP/1.1
    Authorization: Bearer f12828b1c3364d62a01d05c1f0af0e31
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Length: 7158
    
    {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"0ZW2ol42OF.cloudfoundry-saml-login\\\" entityID=\\\"0ZW2ol42OF.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#0ZW2ol42OF.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://0ZW2ol42OF.localhost:8080/uaa/saml/SingleLogout/alias/0ZW2ol42OF.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://0ZW2ol42OF.localhost:8080/uaa/saml/SingleLogout/alias/0ZW2ol42OF.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://0ZW2ol42OF.localhost:8080/uaa/saml/SSO/alias/0ZW2ol42OF.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://0ZW2ol42OF.localhost:8080/uaa/saml/SSO/alias/0ZW2ol42OF.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\"},\"enableIdpInitiatedSso\":true}",
      "id" : "7cb18031-c31c-4f12-a136-c33637593f39",
      "entityId" : "0ZW2ol42OF.cloudfoundry-saml-login",
      "name" : "0ZW2ol42OF",
      "version" : 0,
      "created" : 1505167051383,
      "lastModified" : 1505167051383,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing sps.write
    X-Identity-Zone-Id If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a `zones..admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Path Parameters

    /saml/service-providers/{id}

    Parameter Description
    id Unique ID of the service provider

    Response Fields

    Path Type Description
    id String Unique identifier for this provider - GUID generated by the UAA.
    name String Human readable name for the SAML SP.
    entityId String The entity id of the SAML SP.
    active Boolean Defaults to true.
    created Number UAA sets this to the UTC creation date.
    identityZoneId String Set to the zone that this provider will be active in. Determined by either.
    lastModified Number UAA sets this to the UTC last date of modification.
    version Number Version of the identity provider data. Clients can use this.
    config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
    config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.
    config.attributeMappings.given_name String Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Map phone_number value within UAA to a specified assertion in the SAML response.
    config.enableIdpInitiatedSso Boolean When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Users

    Users can be queried, created and updated via the /Users endpoint.

    Get

    $ curl 'http://localhost/Users/55bfad71-5975-49ab-bb19-50eeadae7bf5' -i \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer fc3421d795984787985758291c1aaa26' \
        -H 'Content-Type: application/json' \
        -H 'If-Match: 0'
    
    GET /Users/55bfad71-5975-49ab-bb19-50eeadae7bf5 HTTP/1.1
    Accept: application/json
    Authorization: Bearer fc3421d795984787985758291c1aaa26
    Content-Type: application/json
    If-Match: 0
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    ETag: "0"
    Content-Type: application/json;charset=UTF-8
    Content-Length: 2880
    
    {
      "id" : "55bfad71-5975-49ab-bb19-50eeadae7bf5",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2017-09-11T21:57:21.570Z",
        "lastModified" : "2017-09-11T21:57:21.570Z"
      },
      "userName" : "kBQmO4@test.org",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "kBQmO4@test.org",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "98f8083b-03b3-4e5a-b0de-7ddf97b90211",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "78a2c166-6543-4db1-b929-13fd96f16f2c",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "e06c2906-1766-4285-a7c9-02c4c7268901",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "3cb91b1b-b577-4f2e-ba8f-b0a4bd96daa2",
        "display" : "roles",
        "type" : "DIRECT"
      }, {
        "value" : "1f2b309b-d9fe-406f-afed-4e60b2c99c43",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "861f33ec-6ca8-4228-96a5-0bc2873630b2",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "15867bbc-a84d-40de-898c-b7b8f68f78bc",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "280a2ce1-7f78-41bb-98e0-ac1405974968",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "dd5e59ea-5f1a-47b6-88f8-7f93715931f0",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "cdac3ced-7ac9-4369-95bd-39d28232bc9a",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "109f0489-b31d-48be-b6c1-3722d639a34d",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "6fadb30a-100e-47b1-86e2-235c9f02863b",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "1cf19cb5-183c-4647-b2d8-42749775611c",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "e6f3b139-7072-4923-b575-51877732db87",
        "display" : "approvals.me",
        "type" : "DIRECT"
      } ],
      "approvals" : [ {
        "userId" : "55bfad71-5975-49ab-bb19-50eeadae7bf5",
        "clientId" : "identity",
        "scope" : "uaa.user",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2017-09-11T21:57:51.662Z",
        "expiresAt" : "2017-09-11T21:57:51.662Z"
      }, {
        "userId" : "55bfad71-5975-49ab-bb19-50eeadae7bf5",
        "clientId" : "client id",
        "scope" : "scim.read",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2017-09-11T21:57:21.660Z",
        "expiresAt" : "2017-09-11T21:57:31.660Z"
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2017-09-11T21:57:21.000Z",
      "previousLogonTime" : 1505167041663,
      "lastLogonTime" : 1505167041664,
      "schemas" :