Overview
The User Account and Authentication Service (UAA):
- is an OAuth2 server that can be used for centralized identity management.
- owns the user accounts and authentication sources (SAML, LDAP)
- supports standard protocols such as SAML, LDAP and OpenID Connect to provide single sign-on and delegated authorization to web applications
- can be invoked via JSON APIs
- provides a basic login/approval UI for web client apps
- supports APIs for user account management for an external web UI
- most of the APIs are defined by the specs for the OAuth2, OpenID Connect, and SCIM standards.
Authorization
Authorization Code Grant
Browser flow
$ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Flocalhost%2Fapp' -i \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Flocalhost%2Fapp HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost/app?code=kogo4xLLiU
Set-Cookie: X-Uaa-Csrf=pJICmsRVc4bwL6dQuN67E9;Max-Age=86400;HttpOnly
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | Space-delimited list of response types. Here, code for requesting an authorization code for an access token, as per OAuth spec |
client_id | String | Required | a unique string representing the registration information provided by the client |
scope | String | Optional | requested scopes, space-delimited |
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
API flow
$ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf&state=x9opoI' -i \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.e6HXa5x1jsx3lW-cx6jx95b8Rtc4m0xu-GSMfOmlqtM'
GET /oauth/authorize?response_type=code&client_id=login&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf&state=x9opoI HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.e6HXa5x1jsx3lW-cx6jx95b8Rtc4m0xu-GSMfOmlqtM
Host: localhost
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost/redirect/cf?code=uOJyyirc9T&state=x9opoI
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | Space-delimited list of response types. Here, code for requesting an authorization code for an access token, as per OAuth spec |
client_id | String | Required | a unique string representing the registration information provided by the client |
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
state | String | Required | an opaque, unguessable value chosen by the client and echoed back unchanged as a query parameter in the Location header; the client must check that it equals the value it sent, which binds the response to the original request and protects against CSRF |
Request Headers
Name | Description |
---|---|
Authorization | Bearer token carrying the uaa.user scope, i.e. a token that represents the authenticated user on whose behalf the code is issued |
Implicit Grant
$ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.zDE3nP28ZOuzCjkAI6ZTRn6GBnjGc0EeCXw9BZN328Q&expires_in=43199&jti=b88dd885c8754a5daaf494f0fc9df910
Set-Cookie: X-Uaa-Csrf=v3RBEExZp8oOovs5CN1J2I;Max-Age=86400;HttpOnly
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | Space-delimited list of response types. Here, token , i.e. an access token |
client_id | String | Required | a unique string representing the registration information provided by the client |
scope | String | Optional | requested scopes, space-delimited |
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
Response Headers
Name | Description |
---|---|
Location | Location as defined in the spec; includes access_token in the reply fragment if successful |
Implicit Grant with prompt
$ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#error=login_required
Set-Cookie: Current-User=;Max-Age=0
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | Space-delimited list of response types. Here, token , i.e. an access token |
client_id | String | Required | a unique string representing the registration information provided by the client |
scope | String | Optional | requested scopes, space-delimited |
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
prompt | String | Optional | specifies whether to prompt for user authentication. Only value none is supported. |
Response Headers
Name | Description |
---|---|
Location | The redirect_uri given in the request. With prompt=none and no logged-in user, the fragment carries error=login_required instead of a token, as in the example above. |
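Handling the fragment responses of the implicit grant (and the prompt=none failure above) on the client side, as an added example; this is not UAA code and not part of the UAA documentation. It takes the Location header of the 302 as a string and assumes the application's registered redirect_uri is http://localhost:8080/app/ as in the examples; the token values in the usage are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit


def parse_fragment_response(location: str, registered_redirect_uri: str) -> dict:
    """Interpret the 302 Location from /oauth/authorize for the fragment-based
    response types (token, id_token, token id_token, code id_token).

    Returns the fragment parameters as a dict on success.  Raises ValueError when
    the redirect target is not the registered redirect_uri, when the server
    reports an error instead of issuing a token, when a token appears in the
    query string (it would land in server logs and Referer headers) or when the
    token_type is not bearer.
    """
    url = urlsplit(location)
    registered = urlsplit(registered_redirect_uri)
    if (url.scheme, url.netloc, url.path) != (registered.scheme, registered.netloc, registered.path):
        raise ValueError(f"redirect to unexpected target: {location}")
    query = parse_qs(url.query)
    if "access_token" in query or "id_token" in query:
        raise ValueError("token delivered in the query string instead of the fragment")
    fragment = {k: v[0] for k, v in parse_qs(url.fragment).items()}
    if "error" in fragment:
        raise ValueError(f"authorization error: {fragment['error']}")
    if fragment.get("token_type", "").lower() != "bearer":
        raise ValueError("missing or unsupported token_type")
    if "access_token" not in fragment and "id_token" not in fragment:
        raise ValueError("no token in fragment")
    return fragment


def needs_interactive_login(location: str) -> bool:
    """True when a prompt=none request came back with error=login_required:
    the silent check found no logged-in user, so the application should start
    a normal, interactive /oauth/authorize request instead of treating the
    redirect as a token response."""
    fragment = parse_qs(urlsplit(location).fragment)
    return fragment.get("error", [None])[0] == "login_required"


if __name__ == "__main__":
    # Constructed Location values shaped like the ones in the examples above.
    ok = "http://localhost:8080/app/#token_type=bearer&access_token=constructed.access.token&expires_in=43199"
    print(parse_fragment_response(ok, "http://localhost:8080/app/"))
    print(needs_interactive_login("http://localhost:8080/app/#error=login_required"))
```

The two checks that matter most are the redirect-target comparison (a token must never be accepted from a redirect that did not land on the registered URI) and treating error=login_required as a signal to fall back to an interactive request rather than as a failure of the application.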
OpenID Connect flow
OpenID Provider Configuration Request
The OpenID Provider Configuration Document is retrieved with an HTTP GET to /.well-known/openid-configuration; it tells a relying party where the endpoints are and which algorithms, scopes and claims the provider supports.
$ curl 'http://localhost/.well-known/openid-configuration' -i \
-H 'Accept: application/json'
GET /.well-known/openid-configuration HTTP/1.1
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Content-Length: 1239
{
"issuer" : "http://localhost:8080/uaa/oauth/token",
"authorization_endpoint" : "http://localhost/oauth/authorize",
"token_endpoint" : "http://localhost/oauth/token",
"token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
"token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ],
"userinfo_endpoint" : "http://localhost/userinfo",
"jwks_uri" : "http://localhost/token_keys",
"scopes_supported" : [ "openid", "profile", "email", "phone", "roles", "user_attributes" ],
"response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ],
"subject_types_supported" : [ "public" ],
"id_token_signing_alg_values_supported" : [ "RS256", "HS256" ],
"id_token_encryption_alg_values_supported" : [ "none" ],
"claim_types_supported" : [ "normal" ],
"claims_supported" : [ "sub", "user_name", "origin", "iss", "auth_time", "amr", "acr", "client_id", "aud", "zid", "grant_type", "user_id", "azp", "scope", "exp", "iat", "jti", "rev_sig", "cid", "given_name", "family_name", "phone_number", "email" ],
"claims_parameter_supported" : false,
"service_documentation" : "http://docs.cloudfoundry.org/api/uaa/",
"ui_locales_supported" : [ "en-US" ]
}
Response Fields
Path | Type | Description |
---|---|---|
issuer | String | URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. (The localhost example above is served over plain http; a production deployment must use https, and relying parties should compare this value against the iss claim of every ID token.) |
authorization_endpoint | String | URL of the authorization endpoint. |
token_endpoint | String | URL of the token endpoint. |
userinfo_endpoint | String | URL of the OP's UserInfo endpoint. |
jwks_uri | String | URL of the OP's JSON Web Key Set document, i.e. the public keys used to verify RS256-signed tokens. |
scopes_supported | Array | JSON array containing a list of the OAuth 2.0 scope values that this server supports. |
subject_types_supported | Array | JSON array containing a list of the Subject Identifier types that this OP supports. |
token_endpoint_auth_methods_supported | Array | JSON array containing a list of client authentication methods supported by the token endpoint. |
token_endpoint_auth_signing_alg_values_supported | Array | JSON array containing a list of JWS signing algorithms supported for client authentication at the token endpoint. |
response_types_supported | Array | JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. |
id_token_signing_alg_values_supported | Array | JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token. |
id_token_encryption_alg_values_supported | Array | JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP; none means ID tokens are not encrypted. |
claim_types_supported | Array | JSON array containing a list of the Claim Types that the OpenID Provider supports. |
claims_supported | Array | JSON array containing a list of the Claim Names of the Claims that the OpenID Provider may be able to supply values for. |
claims_parameter_supported | Boolean | Boolean value specifying whether the OP supports use of the claims parameter. |
service_documentation | String | URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. |
ui_locales_supported | Array | Languages and scripts supported for the user interface. |
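A relying party should sanity-check the discovery document before trusting it. The following is an added example, not UAA code and not part of the UAA documentation: it embeds a copy of the document returned above (constructed inline so it runs offline) and reports the things a practitioner would want flagged, including endpoints not served over https, symmetric signing algorithms being offered, and an issuer that does not match the one the relying party expects. The finding texts and the function names are this example's own.

```python
from urllib.parse import urlsplit

# Copy of the discovery document returned by the request above, embedded so the
# check runs offline (constructed from the example, not fetched).
SAMPLE_DISCOVERY = {
    "issuer": "http://localhost:8080/uaa/oauth/token",
    "authorization_endpoint": "http://localhost/oauth/authorize",
    "token_endpoint": "http://localhost/oauth/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "token_endpoint_auth_signing_alg_values_supported": ["RS256", "HS256"],
    "userinfo_endpoint": "http://localhost/userinfo",
    "jwks_uri": "http://localhost/token_keys",
    "scopes_supported": ["openid", "profile", "email", "phone", "roles", "user_attributes"],
    "response_types_supported": ["code", "code id_token", "id_token", "token id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
    "id_token_encryption_alg_values_supported": ["none"],
    "claim_types_supported": ["normal"],
    "claims_parameter_supported": False,
    "service_documentation": "http://docs.cloudfoundry.org/api/uaa/",
    "ui_locales_supported": ["en-US"],
}

ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}


def check_discovery(doc: dict, expected_issuer: str = None) -> list:
    """Return a list of findings; an empty list means nothing to act on."""
    findings = []
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if not value:
            findings.append(f"{key}: missing")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            findings.append(f"{key}: not https ({value})")
        if key == "issuer" and (parts.query or parts.fragment):
            findings.append("issuer: must not contain a query or fragment")
    # The relying party pins the issuer it configured; a different value means a
    # different (or impersonated) provider, whatever the document says.
    if expected_issuer is not None and doc.get("issuer") != expected_issuer:
        findings.append(f"issuer: got {doc.get('issuer')!r}, expected {expected_issuer!r}")
    for key in ("id_token_signing_alg_values_supported",
                "token_endpoint_auth_signing_alg_values_supported"):
        algs = set(doc.get(key, []))
        if "none" in algs:
            findings.append(f"{key}: 'none' offered")
        if algs & SYMMETRIC_ALGS:
            # With HMAC the verification key is the signing key: whoever can verify can mint.
            findings.append(f"{key}: symmetric HMAC algorithms offered ({sorted(algs & SYMMETRIC_ALGS)})")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("id_token_signing_alg_values_supported: RS256 (mandatory for OIDC) not offered")
    for rt in doc.get("response_types_supported", []):
        if "token" in rt.split():
            findings.append(f"response_types_supported: implicit-style {rt!r} delivers access tokens in the URL fragment")
            break
    return findings


def select_id_token_alg(doc: dict):
    """Pick the algorithm a relying party should accept: asymmetric when the OP offers it."""
    algs = doc.get("id_token_signing_alg_values_supported", [])
    for alg in ("RS256", "ES256"):
        if alg in algs:
            return alg
    return None


if __name__ == "__main__":
    for finding in check_discovery(SAMPLE_DISCOVERY, expected_issuer="http://localhost:8080/uaa/oauth/token"):
        print("-", finding)
    print("accept:", select_id_token_alg(SAMPLE_DISCOVERY))
```

Run against the localhost document the checker flags every endpoint as plain http and the HS256 entries; against a production document with https URLs and RS256 only it returns nothing. The issuer pin matters because the discovery document is fetched from the network: a relying party configures the issuer it trusts and refuses a document that claims a different one.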
ID token
The authorization request may specify a response type of id_token, and an ID token as defined by OpenID Connect will be included in the fragment of the redirect URL.
$ curl 'http://localhost/oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.s8ah04AvxhwtOvbRp_lOl3FaO-9aoqXx4WG_mNG-rpU&expires_in=43199&jti=8c6d5803bd9c42cd904e1c6817bb6d7f
Set-Cookie: X-Uaa-Csrf=d55EAZmDx4KUeemYo9BXx2;Max-Age=86400;HttpOnly
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | Space-delimited list of response types. Here, id_token |
client_id | String | Required | a unique string representing the registration information provided by the client |
scope | String | Optional | requested scopes, space-delimited |
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
Response Headers
Name | Description |
---|---|
Location | Location as defined in the spec; includes id_token in the reply fragment if successful |
ID token and Access token
The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the access token.
$ curl 'http://localhost/oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.ofy7JBYUWvC28fX0WCHkCt88iyudEg3hjij8r3e2eRU&id_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiI2NmI0MmIzYS1mYjM2LTQ5YjctYTQ5MC1hNmE0MWUzMmQyZGEiLCJwcmV2aW91c19sb2dvbl90aW1lIjpudWxsLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImFwcCIsImF1ZCI6WyJhcHAiXSwiemlkIjoidWFhIiwidXNlcl9pZCI6IjY2YjQyYjNhLWZiMzYtNDliNy1hNDkwLWE2YTQxZTMyZDJkYSIsImF6cCI6ImFwcCIsInNjb3BlIjpbIm9wZW5pZCJdLCJleHAiOjE1MDUyMTAxOTQsImlhdCI6MTUwNTE2Njk5NCwianRpIjoiN2ExNzQ3YjIwZjkzNDM4NmE5ZGM1MTQ2MzA4ZTlmYTAiLCJlbWFpbCI6Im1hcmlzc2FAdGVzdC5vcmciLCJyZXZfc2lnIjoiNzgyYWI0Y2QiLCJjaWQiOiJhcHAifQ.dhYcFShfCttq6rbeZ0m2FElq2F77xKhvRvJTOFw1FMo&expires_in=43199&jti=7a1747b20f934386a9dc5146308e9fa0
Set-Cookie: X-Uaa-Csrf=NgVkNeQ73Pq7EoT32ABtof;Max-Age=86400;HttpOnly
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | Space-delimited list of response types. Here, token id_token , indicating both an access token and an ID token. |
client_id | String | Required | a unique string representing the registration information provided by the client |
scope | String | Optional | requested scopes, space-delimited |
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
Response Headers
Name | Description |
---|---|
Location | Location as defined in the spec; includes access_token and id_token in the reply fragment if successful |
Hybrid flow
The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the authorization code.
$ curl 'http://localhost/oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.g9gvkGhdkO1etRMi4wJyuxoYitMUNXGOD-yxTfmPRTQ&code=5SMXPzUcXa&expires_in=43199&jti=4d70308db3714c98884cddd4e0fdc3e2
Set-Cookie: X-Uaa-Csrf=atPuicXOCnKBF8ZE654EUp;Max-Age=86400;HttpOnly
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | Space-delimited list of response types. Here, id_token code , indicating a request for an ID token and an authorization code. |
client_id | String | Required | a unique string representing the registration information provided by the client |
scope | String | Optional | requested scopes, space-delimited |
redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
Response Headers
Name | Description |
---|---|
Location | Location as defined in the spec; includes code and id_token in the reply fragment if successful |
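The ID tokens returned in the id_token, token id_token and code id_token examples above are JWTs whose header decodes to alg HS256 with kid legacy-token-key. A relying party must verify the signature and the iss, aud and exp claims before using any of them. The following is an added example, not UAA code: it mints an HS256 token from a constructed shared secret (standing in for the key UAA labels legacy-token-key; not a real key) purely to have input, and then validates it the way a client should, refusing alg=none, unknown kids, wrong issuer, wrong audience and expired tokens. The claim values mirror the id_token in the token id_token example. With HS256 the verifier holds the same key that signs, so whoever can verify can also mint; in production a relying party should accept RS256 with keys fetched from the jwks_uri advertised in the discovery document.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared secret standing in for the key UAA
# labels "legacy-token-key" in the kid header of the tokens above.  Not a real key.
KEYS = {"legacy-token-key": b"example-shared-secret-not-a-real-uaa-key"}
ALLOWED_ALGS = {"HS256"}   # what this relying party accepts; never "none"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, kid: str = "legacy-token-key") -> str:
    """Mint an HS256 JWT; used here only to produce input for validate_id_token."""
    header = {"alg": "HS256", "kid": kid, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, issuer: str, client_id: str, now=None) -> dict:
    """Check alg, kid, signature, iss, aud and exp; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:       # blocks alg=none and algorithm confusion
        raise ValueError(f"algorithm {header.get('alg')!r} not accepted")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        raise ValueError("token was not issued to this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


# Claims mirroring the id_token of the token id_token example above (constructed copy).
SAMPLE_CLAIMS = {
    "sub": "66b42b3a-fb36-49b7-a490-a6a41e32d2da",
    "user_name": "marissa",
    "origin": "uaa",
    "iss": "http://localhost:8080/uaa/oauth/token",
    "client_id": "app",
    "aud": ["app"],
    "zid": "uaa",
    "azp": "app",
    "scope": ["openid"],
    "exp": 1505210194,
    "iat": 1505166994,
    "jti": "7a1747b20f934386a9dc5146308e9fa0",
    "email": "marissa@test.org",
    "cid": "app",
}


if __name__ == "__main__":
    token = make_id_token(SAMPLE_CLAIMS)
    print(validate_id_token(token, "http://localhost:8080/uaa/oauth/token", "app", now=1505200000))
```

Note the order of checks: the algorithm allow-list is applied before any key lookup, and the signature is verified before any claim is read, so unsigned or forged payloads never influence the decision. The issuer string compared here is the one the discovery document advertises, http://localhost:8080/uaa/oauth/token in these examples.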
Token
The /oauth/token
endpoint requires client authentication to be accessed. Client Authentication can be passed as
as part of the request authorization header, using basic authentication, or as part of the request parameters, using the client_id
and client_secret
parameter
names.
Authorization Code Grant
$ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=token&code=hfbg0ax079&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
Accept: application/json
Host: localhost
client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=token&code=hfbg0ax079&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 250
{
"access_token" : "070b35231966488ab07f11822c6ef162",
"token_type" : "bearer",
"refresh_token" : "cd98b3dea6044470b0a6dfccc0e370ee-r",
"expires_in" : 43199,
"scope" : "openid oauth.approvals",
"jti" : "070b35231966488ab07f11822c6ef162"
}
Request Headers
Name | Description |
---|---|
Authorization | Client ID and secret may be passed as a Basic authorization header, per RFC 6749, or as request parameters. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | The type of token that should be issued. |
client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
redirect_uri | String | Required if provided on authorization request | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied) |
code | String | Required | the authorization code, obtained from /oauth/authorize, issued for the user |
grant_type | String | Required | the type of authentication being used to obtain the token, in this case authorization_code |
client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
token_format | String | Optional | Since UAA 3.3.0. Can be set to opaque to retrieve an opaque, revocable token instead of a JWT. |
Response Fields
Path | Type | Description |
---|---|---|
access_token |
String |
the access token for the user to whom the authorization code was issued |
token_type |
String |
the type of the access token issued, i.e. bearer |
expires_in |
Number |
number of seconds until token expiry |
scope |
String |
space-delimited list of scopes authorized by the user for this client |
refresh_token |
String |
an OAuth refresh token for refresh grants |
jti |
String |
a globally unique identifier for this token |
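The client side of the authorization code flow, covering both the /oauth/authorize redirect from the Authorization Code Grant section above and the /oauth/token exchange in this section, as an added example; this is not UAA code and not part of the UAA documentation. It assumes the base URL http://localhost used by the examples on this page and only builds requests and parses responses (it does not send them), so it runs offline. The state value and its check are this example's addition to the browser flow; the client secret is sent only in the Basic authorization header rather than repeated in the form body as the curl example does.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

UAA = "http://localhost"  # base URL used by the examples on this page (assumption)


def new_state() -> str:
    """Fresh unguessable state value; the client keeps it in the user's session."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """The GET /oauth/authorize request of the browser flow, with state added."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{UAA}/oauth/authorize?{urlencode(params)}"


def parse_code_response(location: str, expected_redirect_uri: str, expected_state: str) -> str:
    """Extract the code from the 302 Location header, refusing anything suspicious.

    Rejects a redirect to a target other than the registered redirect_uri, a
    state that does not match what this client sent (login CSRF or a response
    mixed up between sessions), and an error response.
    """
    url = urlsplit(location)
    target = urlsplit(expected_redirect_uri)
    if (url.scheme, url.netloc, url.path) != (target.scheme, target.netloc, target.path):
        raise ValueError(f"redirect to unexpected target: {location}")
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    if query.get("state") != expected_state:
        raise ValueError("state mismatch; discard this response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    if not query.get("code"):
        raise ValueError("no authorization code in redirect")
    return query["code"]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client authentication for /oauth/token per RFC 6749 section 2.3.1."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, token_format: str = "opaque"):
    """Build the POST /oauth/token exchange; returns (url, headers, body)."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "response_type": "token",        # listed as required by the table above
        "code": code,
        "redirect_uri": redirect_uri,    # must equal the one sent to /oauth/authorize
        "token_format": token_format,
    })
    return f"{UAA}/oauth/token", headers, body


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("login", "http://localhost/redirect/cf", "openid oauth.approvals", state))
    # Location header shaped like the API-flow example above, with our state echoed back.
    code = parse_code_response(f"http://localhost/redirect/cf?code=uOJyyirc9T&state={state}",
                               "http://localhost/redirect/cf", state)
    print(build_token_request("login", "loginsecret", code, "http://localhost/redirect/cf"))
```

The Basic header produced for login:loginsecret is exactly the Authorization: Basic bG9naW46bG9naW5zZWNyZXQ= shown in the request above. Sending redirect_uri again at the token endpoint lets the server confirm it matches the one used in the authorization request, which is why the table marks it as required whenever it was supplied to /oauth/authorize.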
Client Credentials Grant
Without Authorization
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=login&client_secret=loginsecret&grant_type=client_credentials&token_format=opaque&response_type=token'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: localhost
client_id=login&client_secret=loginsecret&grant_type=client_credentials&token_format=opaque&response_type=token
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 306
{
"access_token" : "134ab46c781248a1a26a063ece5c8cc3",
"token_type" : "bearer",
"expires_in" : 43199,
"scope" : "clients.read emails.write scim.userids password.write idps.write notifications.write oauth.login scim.write critical_notifications.write",
"jti" : "134ab46c781248a1a26a063ece5c8cc3"
}
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
grant_type | String | Required | the type of authentication being used to obtain the token, in this case client_credentials |
client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
response_type | String | Optional | The type of token that should be issued. |
token_format | String | Optional | Since UAA 3.3.0. Can be set to opaque to retrieve an opaque, revocable token instead of a JWT. |
Response Fields
Path | Type | Description |
---|---|---|
access_token |
String |
the access token |
token_type |
String |
the type of the access token issued, i.e. bearer |
expires_in |
Number |
number of seconds until token expiry |
scope |
String |
space-delimited list of scopes granted to the client; no user is involved in this grant, so these are the client's own configured authorities |
jti |
String |
a globally unique identifier for this token |
With Authorization
$ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'grant_type=client_credentials&response_type=token&token_format=opaque'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
Host: localhost
grant_type=client_credentials&response_type=token&token_format=opaque
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 306
{
"access_token" : "a88d3c499bc3408289ab1c7a762034c3",
"token_type" : "bearer",
"expires_in" : 43199,
"scope" : "clients.read emails.write scim.userids password.write idps.write notifications.write oauth.login scim.write critical_notifications.write",
"jti" : "a88d3c499bc3408289ab1c7a762034c3"
}
Request Header
Name | Description |
---|---|
Authorization | HTTP Basic authentication: Basic followed by the base64 encoding of client_id:client_secret |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
grant_type | String | Required | the type of authentication being used to obtain the token, in this case client_credentials |
response_type | String | Optional | The type of token that should be issued. |
token_format | String | Optional | Since UAA 3.3.0. Can be set to opaque to retrieve an opaque, revocable token instead of a JWT. |
Response Fields
Path | Type | Description |
---|---|---|
access_token |
String |
the access token |
token_type |
String |
the type of the access token issued, i.e. bearer |
expires_in |
Number |
number of seconds until token expiry |
scope |
String |
space-delimited list of scopes granted to the client; no user is involved in this grant, so these are the client's own configured authorities |
jti |
String |
a globally unique identifier for this token |
Password Grant
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=app&client_secret=appclientsecret&grant_type=password&username=HbyjjR%40test.org&password=secr3T&token_format=opaque&response_type=token'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: localhost
client_id=app&client_secret=appclientsecret&grant_type=password&username=HbyjjR%40test.org&password=secr3T&token_format=opaque&response_type=token
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 307
{
"access_token" : "1cc25eb1ad744d71b3eec15158eda19e",
"token_type" : "bearer",
"refresh_token" : "1aec7d1494d045e5982d310a2783793d-r",
"expires_in" : 43199,
"scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
"jti" : "1cc25eb1ad744d71b3eec15158eda19e"
}
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | The type of token that should be issued. |
client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
grant_type | String | Required | the type of authentication being used to obtain the token, in this case password |
client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
username | String | Required | the username for the user trying to get a token |
password | String | Required | the password for the user trying to get a token |
token_format | String | Optional | Since UAA 3.3.0. Can be set to opaque to retrieve an opaque, revocable token instead of a JWT. |
Response Fields
Path | Type | Description |
---|---|---|
access_token |
String |
the access token |
token_type |
String |
the type of the access token issued, i.e. bearer |
expires_in |
Number |
number of seconds until token expiry |
scope |
String |
space-delimited list of scopes authorized by the user for this client |
refresh_token |
String |
an OAuth refresh token for refresh grants |
jti |
String |
a globally unique identifier for this token |
One-time Passcode
$ curl 'http://localhost/oauth/token' -i -u 'app:appclientsecret' -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'grant_type=password&passcode=eazJensqoZ&token_format=opaque&response_type=token'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
Host: localhost
grant_type=password&passcode=eazJensqoZ&token_format=opaque&response_type=token
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 307
{
"access_token" : "270a230796d5460fbc1fbd923985bc85",
"token_type" : "bearer",
"refresh_token" : "e4150b6ccc734447939648fcf04d5222-r",
"expires_in" : 43199,
"scope" : "cloud_controller.write scim.userids openid cloud_controller.read password.write",
"jti" : "270a230796d5460fbc1fbd923985bc85"
}
Request Header
Name | Description |
---|---|
Authorization | HTTP Basic authentication: Basic followed by the base64 encoding of client_id:client_secret |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | The type of token that should be issued. |
grant_type | String | Required | the type of authentication being used to obtain the token, in this case password |
passcode | String | Required | the one-time passcode for the user, obtained by the already authenticated user from the /passcode endpoint; it replaces username and password in this variant of the password grant |
token_format | String | Optional | Since UAA 3.3.0. Can be set to opaque to retrieve an opaque, revocable token instead of a JWT. |
Response Fields
Path | Type | Description |
---|---|---|
access_token |
String |
the access token |
token_type |
String |
the type of the access token issued, i.e. bearer |
expires_in |
Number |
number of seconds until token expiry |
scope |
String |
space-delimited list of scopes authorized by the user for this client |
refresh_token |
String |
an OAuth refresh token for refresh grants |
jti |
String |
a globally unique identifier for this token |
User Token Grant
A user_token grant is a flow that lets an authenticated user obtain a refresh_token on behalf of another client. The requesting client must have user_token among its authorized grant types, and the bearer token presented with the request must carry the uaa.user scope and represent an authenticated user. The idea is that a user can pre-approve a token grant for another client, rather than having to take part in the approval process when that client later needs an access token. The refresh_token that results from this grant is opaque and can only be exchanged by the client it was issued for.
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Bearer fa33c32f3e824f7dbd47c614b5e914be' \
-H 'Accept: application/json' \
-d 'client_id=app&grant_type=user_token&scope=openid&token_format=jwt&response_type=token'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer fa33c32f3e824f7dbd47c614b5e914be
Accept: application/json
Host: localhost
client_id=app&grant_type=user_token&scope=openid&token_format=jwt&response_type=token
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 206
{
"access_token" : null,
"token_type" : "bearer",
"refresh_token" : "d556eb563f5e41fea43f46c7542da529-r",
"expires_in" : 43199,
"scope" : "openid",
"jti" : "d556eb563f5e41fea43f46c7542da529-r"
}
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | Response type of the grant, should be set to token |
client_id | String | Optional | The client ID of the receiving client, this client must have refresh_token grant type |
grant_type | String | Required | The type of token grant requested, in this case user_token |
token_format | String | Optional | This parameter is ignored. The refresh_token will always be opaque |
scope | String | Optional | The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have. |
Response Fields
Path | Type | Description |
---|---|---|
access_token |
Null |
Always null |
token_type |
String |
The type of the access token issued, always bearer |
expires_in |
Number |
Number of seconds of lifetime for an access_token, when retrieved |
scope |
String |
Space-delimited list of scopes authorized by the user for this client |
refresh_token |
String |
An OAuth refresh token for refresh grants |
jti |
String |
A globally unique identifier for this refresh token |
SAML2 Bearer Grant
The SAML 2.0 bearer grant allows a client to request an OAuth 2.0 access token by presenting a SAML 2.0 bearer assertion. The flow is defined in RFC 7522. The requesting client must have urn:ietf:params:oauth:grant-type:saml2-bearer among its authorized grant types. In addition, the requesting client must either list the IDP in allowedproviders or omit that property, in which case any trusted IDP is accepted. Trust in the assertion issuer is the same trust configured for the SAML 2.0 WebSSO profile. This grant enables an app-to-app mechanism with SSO; a typical scenario is an application outside of CF that consumes a service inside CF. The bearer assertion is presented to /oauth/token, so the Recipient attribute in the assertion's subject confirmation must point to that URI, e.g. http://localhost:8080/uaa/oauth/token.
$ curl 'http://89t55s.localhost:8080/uaa/oauth/token/alias/89t55s.cloudfoundry-saml-login' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-H 'Host: 89t55s.localhost' \
-d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclientWXDpU1&client_secret=secret&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTI4MWVjNWRqNWRqNGVnYzI2YzJiYzMyaGRnYzFpOCIgSXNzdWVJbnN0YW50PSIyMDE3LTA5LTExVDIxOjU3OjI2LjU3N1oiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyPjg5dDU1cy5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjYTI4MWVjNWRqNWRqNGVnYzI2YzJiYzMyaGRnYzFpOCI-PGRzOlRyYW5zZm9ybXM-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI-PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM-PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8-PGRzOkRpZ2VzdFZhbHVlPjdKdjdIMXdyYS85ZVRvenlZVGJ6ZXM1UEFEVT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU-SE9UNlJVaDR0dUcvVXdUL0dneHZNcjZZbmlvSXNPNUpmQ1FyV1RTWUNBMWdJczJrZUVQWTRRTG9DMVkzZlZqQ3dQT1lmK2creS9LNjZaczR0Y3JnK0NZNDQ2Szl2TXZsd1VYaUE3VFI2Y0F2RC9DNURaK21yMlU5Tmhodnh4My8vNnQwMVAwYlBPcEUvVDNCQU11cjNRQzRocWVGbENhNUhMQ2F5NjU1cDE0PTwvZHM6U2lnbmF0dXJlVmFsdWU-PGRzOktleUluZm8-PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU-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-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c
2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE3LTA5LTExVDIyOjU3OjI2LjU5NFoiIFJlY2lwaWVudD0iaHR0cDovLzg5dDU1cy5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4vYWxpYXMvODl0NTVzLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIi8-PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTctMDktMTFUMjE6NTc6MjYuNTgwWiIgTm90T25PckFmdGVyPSIyMDE3LTA5LTExVDIyOjU3OjI2LjU5NFoiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT44OXQ1NXMuY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW48L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM-PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNy0wOS0xMVQyMTo1NzoyNi41NzhaIiBTZXNzaW9uSW5kZXg9ImE0ODVlNjhpNTVnZjBmYjgyM2YwZjdqZ2lmajA3MyI-PHNhbWwyOkF1dGhuQ29udGV4dD48c2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ-PHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImF1dGhvcml0aWVzIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-dWFhLnVzZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iZW1haWwiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhQHRlc3Rpbmcub3JnPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-NTQwNzQyNzAtYjM4YS00ZTcyLThjYTEtOTY1OGM3Y2UwZWI0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlid
XRlIE5hbWU9Im9yaWdpbiI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYTwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ6b25lSWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPg&scope=openid'
POST /uaa/oauth/token/alias/89t55s.cloudfoundry-saml-login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: 89t55s.localhost
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclientWXDpU1&client_secret=secret&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTI4MWVjNWRqNWRqNGVnYzI2YzJiYzMyaGRnYzFpOCIgSXNzdWVJbnN0YW50PSIyMDE3LTA5LTExVDIxOjU3OjI2LjU3N1oiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyPjg5dDU1cy5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjYTI4MWVjNWRqNWRqNGVnYzI2YzJiYzMyaGRnYzFpOCI-PGRzOlRyYW5zZm9ybXM-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI-PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM-PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8-PGRzOkRpZ2VzdFZhbHVlPjdKdjdIMXdyYS85ZVRvenlZVGJ6ZXM1UEFEVT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU-SE9UNlJVaDR0dUcvVXdUL0dneHZNcjZZbmlvSXNPNUpmQ1FyV1RTWUNBMWdJczJrZUVQWTRRTG9DMVkzZlZqQ3dQT1lmK2creS9LNjZaczR0Y3JnK0NZNDQ2Szl2TXZsd1VYaUE3VFI2Y0F2RC9DNURaK21yMlU5Tmhodnh4My8vNnQwMVAwYlBPcEUvVDNCQU11cjNRQzRocWVGbENhNUhMQ2F5NjU1cDE0PTwvZHM6U2lnbmF0dXJlVmFsdWU-PGRzOktleUluZm8-PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU-TUlJRFNUQ0NBcktnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVFRRkFEQjhNUXN3Q1FZRFZRUUdFd0poZHpFT01Bd0dBMVVFQ0JNRgpZWEoxWW1FeERqQU1CZ05WQkFvVEJXRnlkV0poTVE0d0RBWURWUVFIRXd
WaGNuVmlZVEVPTUF3R0ExVUVDeE1GWVhKMVltRXhEakFNCkJnTlZCQU1UQldGeWRXSmhNUjB3R3dZSktvWklodmNOQVFrQkZnNWhjblZpWVVCaGNuVmlZUzVoY2pBZUZ3MHhOVEV4TWpBeU1qSTIKTWpkYUZ3MHhOakV4TVRreU1qSTJNamRhTUh3eEN6QUpCZ05WQkFZVEFtRjNNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRQpDaE1GWVhKMVltRXhEakFNQmdOVkJBY1RCV0Z5ZFdKaE1RNHdEQVlEVlFRTEV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4CkhUQWJCZ2txaGtpRzl3MEJDUUVXRG1GeWRXSmhRR0Z5ZFdKaExtRnlNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0IKZ1FESHRDNWdVWHhCS3BFcVpUTGtOdkZ3TkduTklrZ2dOT3dPUVZOYnBPMFdWSElpdmlnNUwzOVdxUzl1MGhuQStPN01DQS9LbHJBUgo0YlhhZVZWaHdmVVBZQktJcGFhVFdGUVI1Y1RSMVVGWkpML09GOXZBZnBPd3pub0Q2NkREQ25RVnBiQ2p0RFlXWCt4NmlteG44SENZCnhoTW9sNlpuVGJTc0ZXNlZaakZNalFJREFRQUJvNEhhTUlIWE1CMEdBMVVkRGdRV0JCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3kKR0RDQnB3WURWUjBqQklHZk1JR2NnQlR4MGxEempIL2lPQm5PU1FhU0VXUUx4MXN5R0tHQmdLUitNSHd4Q3pBSkJnTlZCQVlUQW1GMwpNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRUNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMCkV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4SFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeWdnRUEKTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVFQlFBRGdZRUFZdkJKMEhPWmJiSENsWG1HVWpHcytHUyt4QzFGTy9hbQoyc3VDU1lxTkI5ZHlNWGZPV2lKMStUTEprK28vWVp0OHZ1eENLZGNaWWdsNGwvTDZQeEo5ODJTUmhjODNaVzJka0FaSTRNMC9VZDNvCmVQZTg0azhqbTNBN0V2SDV3aTVodkNrS1JwdVJCd24zRWkrakNSb3V4VGJ6S1BzdUNWQisxc055eE1UWHpmMD08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyPC9zYW1sMjpOYW1lSUQ-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE3LTA5LTExVDIyOjU3OjI2LjU5NFoiIFJlY2lwaWVudD0iaHR0cDovLzg5dDU1cy5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4vYWxpYXMvODl0NTVzLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIi8-PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamV
jdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTctMDktMTFUMjE6NTc6MjYuNTgwWiIgTm90T25PckFmdGVyPSIyMDE3LTA5LTExVDIyOjU3OjI2LjU5NFoiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT44OXQ1NXMuY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW48L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM-PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNy0wOS0xMVQyMTo1NzoyNi41NzhaIiBTZXNzaW9uSW5kZXg9ImE0ODVlNjhpNTVnZjBmYjgyM2YwZjdqZ2lmajA3MyI-PHNhbWwyOkF1dGhuQ29udGV4dD48c2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ-PHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImF1dGhvcml0aWVzIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-dWFhLnVzZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iZW1haWwiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhQHRlc3Rpbmcub3JnPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-NTQwNzQyNzAtYjM4YS00ZTcyLThjYTEtOTY1OGM3Y2UwZWI0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im9yaWdpbiI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYTwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ6b25lSWQiPjxzYW1sMjpBdHRyaWJ1dGV
WYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPg&scope=openid
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Disposition: inline;filename=f.txt
Content-Type: application/json;charset=UTF-8
Content-Length: 1796
{
"access_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIxMTdhODQ2ODc0OWM0NzFmYTJjNDIyY2ZkYjg0YmU4ZCIsInN1YiI6ImRmYWIxZjVkLTJhZjEtNDFiZS05MGVjLTA5MmQyOGU4YzEzYiIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJ0ZXN0Y2xpZW50V1hEcFUxIiwiY2lkIjoidGVzdGNsaWVudFdYRHBVMSIsImF6cCI6InRlc3RjbGllbnRXWERwVTEiLCJncmFudF90eXBlIjoidXJuOmlldGY6cGFyYW1zOm9hdXRoOmdyYW50LXR5cGU6c2FtbDItYmVhcmVyIiwidXNlcl9pZCI6ImRmYWIxZjVkLTJhZjEtNDFiZS05MGVjLTA5MmQyOGU4YzEzYiIsIm9yaWdpbiI6Ijg5dDU1cy5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIsInVzZXJfbmFtZSI6IlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyIiwiZW1haWwiOiJTYW1sMkJlYXJlckludGVncmF0aW9uVXNlckB1bmtub3duLm9yZyIsInJldl9zaWciOiJkYjIyNWJjOSIsImlhdCI6MTUwNTE2NzA0NywiZXhwIjoxNTA1MTY3NjQ3LCJpc3MiOiJodHRwOi8vODl0NTVzLmxvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6Ijg5dDU1cyIsImF1ZCI6W119.wi5LAs3CM7tWQwXrokjT-IxQXTClxzRDQk1IC4Og6UA",
"token_type" : "bearer",
"refresh_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJhMGIyZWNhN2M5NGY0YmE0YWExZGZjZTA3N2Q1Mzc1NS1yIiwic3ViIjoiZGZhYjFmNWQtMmFmMS00MWJlLTkwZWMtMDkyZDI4ZThjMTNiIiwic2NvcGUiOlsib3BlbmlkIl0sImlhdCI6MTUwNTE2NzA0NywiZXhwIjoxNTA3NzU5MDQ3LCJjaWQiOiJ0ZXN0Y2xpZW50V1hEcFUxIiwiY2xpZW50X2lkIjoidGVzdGNsaWVudFdYRHBVMSIsImlzcyI6Imh0dHA6Ly84OXQ1NXMubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoiODl0NTVzIiwiZ3JhbnRfdHlwZSI6InVybjppZXRmOnBhcmFtczpvYXV0aDpncmFudC10eXBlOnNhbWwyLWJlYXJlciIsInVzZXJfbmFtZSI6IlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyIiwib3JpZ2luIjoiODl0NTVzLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIiwidXNlcl9pZCI6ImRmYWIxZjVkLTJhZjEtNDFiZS05MGVjLTA5MmQyOGU4YzEzYiIsInJldl9zaWciOiJkYjIyNWJjOSIsImF1ZCI6W119.pc6aKJiJuRwM3KyCy-_yKW-8iuUfNQZw-iXXLdCdT08",
"expires_in" : 599,
"scope" : "openid",
"jti" : "117a8468749c471fa2c422cfdb84be8d"
}
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
client_id | String | Optional | The client ID of the receiving client, this client must have urn:ietf:params:oauth:grant-type:saml2-bearer grant type |
client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
grant_type | String | Required | The type of token grant requested, in this case urn:ietf:params:oauth:grant-type:saml2-bearer |
assertion | String | Required | An XML based SAML 2.0 bearer assertion, which is Base64URL encoded. |
scope | String | Optional | The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have. |
Response Fields
Path | Type | Description |
---|---|---|
access_token | String | Always null |
token_type | String | The type of the access token issued, always bearer |
expires_in | Number | Number of seconds of lifetime for an access_token, when retrieved |
scope | String | Space-delimited list of scopes authorized by the user for this client |
refresh_token | String | An OAuth refresh token for refresh grants |
jti | String | A globally unique identifier for this refresh token |
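As an added example (not part of the UAA documentation or code base), the Python below pre-flight checks a SAML 2.0 bearer assertion against the constraints described above (bearer confirmation method, Recipient equal to the token endpoint, validity window, audience) and builds the form body for POST /oauth/token. The sample assertion, its issuer demo-saml-idp, audience cloudfoundry-saml-login, subject and timestamps are constructed for the demo, and the assertion is unsigned: signature verification against the IDP's trusted certificate is UAA's job, not this script's.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2 = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def parse_saml_instant(value):
    """Parse a SAML UTC timestamp such as 2017-09-11T22:57:26.594Z (fraction optional)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("not a SAML instant: %r" % value)


def check_bearer_assertion(xml_text, token_endpoint, sp_entity_id, now):
    """Return the problems that would make UAA reject the assertion; [] means it passes.
    Checked: bearer confirmation method, Recipient == token endpoint, both NotOnOrAfter
    limits, NotBefore, and an AudienceRestriction naming the SP. No signature check."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML2["saml2"]:
        return ["root element is not a saml2:Assertion"]
    if root.find("saml2:Issuer", SAML2) is None:
        problems.append("missing saml2:Issuer, so no IDP can be selected")
    conf = root.find("saml2:Subject/saml2:SubjectConfirmation", SAML2)
    data = None if conf is None else conf.find("saml2:SubjectConfirmationData", SAML2)
    if conf is None or conf.get("Method") != BEARER_METHOD:
        problems.append("SubjectConfirmation is missing or not the bearer method")
    if data is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if data.get("Recipient") != token_endpoint:
            problems.append("Recipient %r is not the token endpoint %r"
                            % (data.get("Recipient"), token_endpoint))
        limit = data.get("NotOnOrAfter")
        if limit is None or now >= parse_saml_instant(limit):
            problems.append("SubjectConfirmationData NotOnOrAfter missing or passed")
    cond = root.find("saml2:Conditions", SAML2)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now < parse_saml_instant(cond.get("NotBefore")):
            problems.append("Conditions NotBefore is in the future")
        if cond.get("NotOnOrAfter") and now >= parse_saml_instant(cond.get("NotOnOrAfter")):
            problems.append("Conditions NotOnOrAfter has passed")
        audiences = [a.text for a in
                     cond.findall("saml2:AudienceRestriction/saml2:Audience", SAML2)]
        if sp_entity_id not in audiences:
            problems.append("AudienceRestriction does not name %r" % sp_entity_id)
    return problems


def encode_assertion(xml_text):
    """The 'assertion' form value: base64url of the XML with the '=' padding stripped."""
    return base64.urlsafe_b64encode(xml_text.encode("utf-8")).decode("ascii").rstrip("=")


def build_saml_bearer_form(xml_text, client_id, client_secret, scope=None):
    """Form body for POST /oauth/token, matching the curl example above."""
    form = {"grant_type": SAML2_BEARER_GRANT, "client_id": client_id,
            "client_secret": client_secret, "assertion": encode_assertion(xml_text)}
    if scope:
        form["scope"] = scope  # optional: narrows the scopes of the issued token
    return urllib.parse.urlencode(form)


# Constructed, unsigned sample assertion; issuer, IDs, subject and times are demo values.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo-assertion-1" Version="2.0" IssueInstant="2017-09-11T21:57:26.577Z">
  <saml2:Issuer>demo-saml-idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>marissa</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2017-09-11T22:57:26.594Z"
          Recipient="http://localhost:8080/uaa/oauth/token"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2017-09-11T21:57:26.580Z" NotOnOrAfter="2017-09-11T22:57:26.594Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>cloudfoundry-saml-login</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""
TOKEN_ENDPOINT = "http://localhost:8080/uaa/oauth/token"
DEMO_NOW = datetime(2017, 9, 11, 22, 0, tzinfo=timezone.utc)  # inside the validity window
```

Calling check_bearer_assertion(SAMPLE_ASSERTION, TOKEN_ENDPOINT, "cloudfoundry-saml-login", DEMO_NOW) returns an empty list, and build_saml_bearer_form(SAMPLE_ASSERTION, "app", "secret", "openid") yields the percent-encoded grant_type followed by the base64url assertion, as in the curl example.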
JWT Bearer Token Grant
The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants allows a client to request an OAuth 2.0 access token with a JWT id_token bearer assertion. The flow is defined in RFC 7523. The requesting client must have grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer.
In addition, the requesting client must either allow the IDP in allowedproviders or omit the property so that any trusted IDP is allowed.
To establish trust in the assertion, its issuer claim is used to select an OIDC provider (IDP) configured in the UAA database. If multiple providers exist with the same issuer, the grant will fail.
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id=errz2u87jzpj&client_secret=secret&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&token_format=opaque&response_type=token+id_token&scope=openid&assertion=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.25uUWW8VgT16nrYNk7v0uq_Y-qqChAq2TDS7TEY_JZU'
POST /oauth/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: localhost
client_id=errz2u87jzpj&client_secret=secret&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&token_format=opaque&response_type=token+id_token&scope=openid&assertion=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.25uUWW8VgT16nrYNk7v0uq_Y-qqChAq2TDS7TEY_JZU
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 1050
{
"access_token" : "b81f70654ce64d7e9b98538b70b28525",
"token_type" : "bearer",
"id_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.dLGpDgjnWHggxWMNwrsQBue-XuBWvByATJeWn_4lVj8",
"expires_in" : 43199,
"scope" : "openid",
"jti" : "b81f70654ce64d7e9b98538b70b28525"
}
Request Headers
Name | Description |
---|---|
Authorization | Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
assertion | String | Required | JWT identifying the user to be authenticated |
client_id | String | Required | Required, client with |
client_secret | String | Required | Required unless a basic authorization header is used |
grant_type | String | Required | Must be set to urn:ietf:params:oauth:grant-type:jwt-bearer |
scope | String | Optional | Optional parameter to limit the number of scopes in the scope claim of the access token |
response_type | String | Optional | May be set to token or token id_token or id_token |
token_format | String | Optional | May be set to opaque to retrieve revocable and non identifiable access token |
Response Fields
Path | Type | Description |
---|---|---|
access_token | String | Access token generated by this grant |
token_type | String | Will always be bearer |
id_token | String | If requested in response_type, the id_token for the shadow user |
scope | String | List of scopes present in the scope claim in the access token |
expires_in | Number | Number of seconds before this token expires from the time of issuance |
jti | String | The unique token ID |
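Added example, not UAA's own code: a Python model of the provider selection rule described above for the JWT bearer grant. The iss claim of the assertion must match exactly one configured OIDC provider, the client's allowedproviders (when set) must list it, and only then is the signature checked with that provider's key. The provider table, keys and HS256 demo tokens are constructed for the demo; a real OIDC provider signs with its own published keys.

```python
import base64
import hashlib
import hmac
import json

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


class GrantError(Exception):
    """Raised where UAA would answer the token request with an error."""


def _b64url(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(claims, key, kid="demo-key"):
    """HS256-signed compact JWS for the demo; a real IDP signs with its own key."""
    header = {"alg": "HS256", "kid": kid, "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode("utf-8")),
             _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))]
    signing_input = ".".join(parts).encode("ascii")
    parts.append(_b64url(hmac.new(key, signing_input, hashlib.sha256).digest()))
    return ".".join(parts)


def decode_unverified(token):
    """Return (header, claims) of a compact JWS without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise GrantError("assertion is not a compact JWS")
    return json.loads(_unb64url(parts[0])), json.loads(_unb64url(parts[1]))


def verify_hs256(token, key):
    head, body, sig = token.split(".")
    expected = hmac.new(key, (head + "." + body).encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _unb64url(sig))


def select_provider(claims, providers, allowed_providers=None):
    """The selection rule from the text: iss must match exactly one configured OIDC
    provider, and the client's allowedproviders, when set, must list that provider."""
    issuer = claims.get("iss")
    if not issuer:
        raise GrantError("assertion has no iss claim")
    matches = [p for p in providers if p["issuer"] == issuer]
    if not matches:
        raise GrantError("no OIDC provider is configured for issuer %s" % issuer)
    if len(matches) > 1:
        raise GrantError("issuer %s is configured on %d providers, grant fails"
                         % (issuer, len(matches)))
    provider = matches[0]
    if allowed_providers is not None and provider["origin"] not in allowed_providers:
        raise GrantError("client does not allow provider %s" % provider["origin"])
    return provider


def accept_jwt_bearer(token, providers, allowed_providers, now):
    """Decode, pick the provider by iss, verify the signature with that provider's
    key and reject expired assertions. Returns (provider origin, subject)."""
    header, claims = decode_unverified(token)
    provider = select_provider(claims, providers, allowed_providers)
    if header.get("alg") != "HS256" or not verify_hs256(token, provider["key"]):
        raise GrantError("signature does not verify under provider %s" % provider["origin"])
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise GrantError("assertion has expired or carries no exp claim")
    return provider["origin"], claims["sub"]


def rejection_reason(token, providers, allowed_providers, now):
    """None when the assertion is accepted, else the reason the grant fails."""
    try:
        accept_jwt_bearer(token, providers, allowed_providers, now)
        return None
    except GrantError as err:
        return str(err)


# Constructed provider table standing in for UAA's IDP configuration (demo keys only).
DEMO_PROVIDERS = [
    {"origin": "oidc-corp", "issuer": "https://idp.example.test/oidc", "key": b"corp-demo-key"},
    {"origin": "oidc-dup-a", "issuer": "https://dup.example.test", "key": b"dup-key-a"},
    {"origin": "oidc-dup-b", "issuer": "https://dup.example.test", "key": b"dup-key-b"},
]
DEMO_NOW = 1505167047  # demo clock, seconds since the epoch


def demo_claims(issuer):
    """id_token claims for the demo subject, valid for ten minutes from DEMO_NOW."""
    return {"iss": issuer, "sub": "marissa", "aud": "uaa",
            "iat": DEMO_NOW, "exp": DEMO_NOW + 600}
```

With the constructed table, an assertion issued by https://dup.example.test is rejected because two providers share that issuer, while one from https://idp.example.test/oidc is accepted only if it verifies under the oidc-corp key and the client either omits allowedproviders or lists oidc-corp.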
Refresh Token
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=app&client_secret=appclientsecret&grant_type=refresh_token&token_format=opaque&refresh_token=79c53f11d0c44fb79ef9596b917c3dbf-r'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: localhost
client_id=app&client_secret=appclientsecret&grant_type=refresh_token&token_format=opaque&refresh_token=79c53f11d0c44fb79ef9596b917c3dbf-r
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 307
{
"access_token" : "b42f0bc2f384444e8de09a423f5abb57",
"token_type" : "bearer",
"refresh_token" : "79c53f11d0c44fb79ef9596b917c3dbf-r",
"expires_in" : 43199,
"scope" : "scim.userids cloud_controller.read password.write cloud_controller.write openid",
"jti" : "b42f0bc2f384444e8de09a423f5abb57"
}
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
grant_type | String | Required | the type of authentication being used to obtain the token, in this case refresh_token |
client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
refresh_token | String | Required | the refresh_token that was returned along with the access token. |
token_format | String | Optional | UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token. |
Response Fields
Path | Type | Description |
---|---|---|
access_token | String | the access token |
refresh_token | String | the refresh token |
token_type | String | the type of the access token issued, i.e. bearer |
expires_in | Number | number of seconds until token expiry |
scope | String | space-delimited list of scopes authorized by the user for this client |
jti | String | a globally unique identifier for this token |
OpenID Connect
The token endpoint can provide an ID token as defined by OpenID Connect.
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=id_token&code=h3IEdQSwvS&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: localhost
client_id=login&client_secret=loginsecret&grant_type=authorization_code&response_type=id_token&code=h3IEdQSwvS&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 1056
{
"access_token" : "69b60b44359b4f8a9d8439d30cf64744",
"token_type" : "bearer",
"id_token" : "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.AoYIgmDTNSHHr-JAVYZxmZzUQ-s2YS2gR7wjCHoDO6U",
"refresh_token" : "05a60130301843648a7a7dfe5eae2174-r",
"expires_in" : 43199,
"scope" : "openid oauth.approvals",
"jti" : "69b60b44359b4f8a9d8439d30cf64744"
}
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
response_type | String | Required | the type of token that should be issued; possible values are 'id_token token' and 'id_token' |
client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
redirect_uri | String | Required if provided on authorization request | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied) |
code | String | Required | the authorization code, obtained from /oauth/authorize, issued for the user |
grant_type | String | Required | the type of authentication being used to obtain the token, in this case authorization_code |
client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
token_format | String | Optional | UAA 3.3.0 Can be set to 'opaque' to retrieve an opaque and revocable token. |
Response Fields
Path | Type | Description |
---|---|---|
access_token | String | the access token for the user to whom the authorization code was issued |
id_token | String | the OpenID Connect ID token for the user to whom the authorization code was issued |
token_type | String | the type of the access token issued, i.e. bearer |
expires_in | Number | number of seconds until token expiry |
scope | String | space-delimited list of scopes authorized by the user for this client |
refresh_token | String | an OAuth refresh token for refresh grants |
jti | String | a globally unique identifier for this token |
Revoke tokens
Revoke all tokens for a user
$ curl 'http://localhost/oauth/token/revoke/user/598c33c2-7380-410e-ab25-d8d990b9acef' -i \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.5vc0u6Uag6MSWP6pdSiG43Oo7KhZnf4xq77B07JFe5A'
GET /oauth/token/revoke/user/598c33c2-7380-410e-ab25-d8d990b9acef HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.5vc0u6Uag6MSWP6pdSiG43Oo7KhZnf4xq77B07JFe5A
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Path Parameters
/oauth/token/revoke/user/{userId}
Parameter | Description |
---|---|
userId | The identifier for the user to revoke all tokens for |
Request Header
Name | Description |
---|---|
Authorization | Bearer token with uaa.admin or tokens.revoke scope. Any token with the matching user_id may also be used for self revocation. |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain | If using a `zones. |
Revoke all tokens for a client
$ curl 'http://localhost/oauth/token/revoke/client/1pvLNR' -i \
-H 'Authorization: Bearer b157945c522043619af9b08aea435472'
GET /oauth/token/revoke/client/1pvLNR HTTP/1.1
Authorization: Bearer b157945c522043619af9b08aea435472
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Path Parameters
/oauth/token/revoke/client/{clientId}
Parameter | Description |
---|---|
clientId | The identifier for the client to revoke all tokens for |
Request Header
Name | Description |
---|---|
Authorization | Bearer token with uaa.admin or tokens.revoke scope. Any token with the matching client_id may also be used for self revocation. |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain | If using a `zones. |
Revoke a single token
$ curl 'http://localhost/oauth/token/revoke/29ef79f017d0429c8f0ccbbe0b4afaf2' -i -X DELETE \
-H 'Authorization: Bearer cc42c0a963354f9e8742e38b50cf97a2'
DELETE /oauth/token/revoke/29ef79f017d0429c8f0ccbbe0b4afaf2 HTTP/1.1
Authorization: Bearer cc42c0a963354f9e8742e38b50cf97a2
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Path Parameters
/oauth/token/revoke/{tokenId}
Parameter | Description |
---|---|
tokenId | The identifier for the token to be revoked. For JWT tokens use the jti claim in the token. |
Request Header
Name | Description |
---|---|
Authorization | Bearer token with uaa.admin or tokens.revoke scope. You can use any token with matching token ID to revoke itself. |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain | If using a `zones. |
List tokens
List all tokens for a user
The /oauth/token/list/user/{userId} endpoint returns all tokens that match the user_id in the path parameter.
This request requires the tokens.list scope.
$ curl 'http://localhost/oauth/token/list/user/a2aee7c8-c203-4ed8-9ea2-b7e8efa2f5e9' -i \
-H 'Authorization: Bearer 25bffbba007b484a9160da3399e36291' \
-H 'Accept: application/json'
GET /oauth/token/list/user/a2aee7c8-c203-4ed8-9ea2-b7e8efa2f5e9 HTTP/1.1
Authorization: Bearer 25bffbba007b484a9160da3399e36291
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 631
[ {
"tokenId" : "c987f21d9b31482e97c2e007a87ace9a",
"clientId" : "PdUWi0",
"userId" : "a2aee7c8-c203-4ed8-9ea2-b7e8efa2f5e9",
"format" : "OPAQUE",
"responseType" : "ACCESS_TOKEN",
"issuedAt" : 1505167050417,
"expiresAt" : 1505210250415,
"scope" : "[openid]",
"value" : null,
"zoneId" : "uaa"
}, {
"tokenId" : "3078b10bef494e14a930da09bdf23b8f-r",
"clientId" : "PdUWi0",
"userId" : "a2aee7c8-c203-4ed8-9ea2-b7e8efa2f5e9",
"format" : "OPAQUE",
"responseType" : "REFRESH_TOKEN",
"issuedAt" : 1505167050417,
"expiresAt" : 1507759050413,
"scope" : "[openid]",
"value" : null,
"zoneId" : "uaa"
} ]
Request Header
Name | Description |
---|---|
Authorization | Bearer token containing the tokens.list scope. |
Accept | Set to application/json |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain | If using a `zones. |
Path Parameters
/oauth/token/list/user/{userId}
Parameter | Description |
---|---|
userId | The user ID to retrieve tokens for |
Response Fields
Path | Type | Description |
---|---|---|
[].zoneId | String | The zone ID for the token |
[].tokenId | String | The unique ID for the token |
[].clientId | String | Client ID for this token, will always match the client_id claim in the access token used for this call |
[].userId | String | User ID for this token, will always match the user_id claim in the access token used for this call |
[].format | String | What format was requested, OPAQUE or JWT |
[].expiresAt | Number | Epoch time - token expiration date |
[].issuedAt | Number | Epoch time - token issue date |
[].scope | String | Comma separated list of scopes this token holds, up to 1000 characters |
[].responseType | String | response type requested during the token request, possible values ID_TOKEN, ACCESS_TOKEN, REFRESH_TOKEN |
[].value | String | Access token value will always be null |
List all tokens for a client
The /oauth/token/list/client/{clientId} endpoint returns all tokens that match the client_id in the path parameter.
This request requires the tokens.list scope.
$ curl 'http://localhost/oauth/token/list/client/2TIzUM' -i \
-H 'Authorization: Bearer 2e8ab6185521425c9d044f3822986559' \
-H 'Accept: application/json'
GET /oauth/token/list/client/2TIzUM HTTP/1.1
Authorization: Bearer 2e8ab6185521425c9d044f3822986559
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 286
[ {
"tokenId" : "2e8ab6185521425c9d044f3822986559",
"clientId" : "2TIzUM",
"userId" : null,
"format" : "OPAQUE",
"responseType" : "ACCESS_TOKEN",
"issuedAt" : 1505167049500,
"expiresAt" : 1505210249498,
"scope" : "[tokens.list]",
"value" : null,
"zoneId" : "uaa"
} ]
Request Header
Name | Description |
---|---|
Authorization | Bearer token containing the tokens.list scope. |
Accept | Set to application/json |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain | If using a `zones. |
Path Parameters
/oauth/token/list/client/{clientId}
Parameter | Description |
---|---|
clientId | The client ID to retrieve tokens for |
Response Fields
Path | Type | Description |
---|---|---|
[].zoneId | String | The zone ID for the token |
[].tokenId | String | The unique ID for the token |
[].clientId | String | Client ID for this token, will always match the client_id claim in the access token used for this call |
[].userId | String | User ID for this token, will always match the user_id claim in the access token used for this call |
[].format | String | What format was requested, OPAQUE or JWT |
[].expiresAt | Number | Epoch time - token expiration date |
[].issuedAt | Number | Epoch time - token issue date |
[].scope | String | Comma separated list of scopes this token holds, up to 1000 characters |
[].responseType | String | response type requested during the token request, possible values ID_TOKEN, ACCESS_TOKEN, REFRESH_TOKEN |
[].value | String | Access token value will always be null |
Check Token
$ curl 'http://localhost/check_token' -i -u 'app:appclientsecret' -X POST \
-d 'token=53dbe3e05dcf4ff38d350bc74a7fc97b&scopes=password.write%2Cscim.userids'
POST /check_token HTTP/1.1
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
Host: localhost
Content-Type: application/x-www-form-urlencoded
token=53dbe3e05dcf4ff38d350bc74a7fc97b&scopes=password.write%2Cscim.userids
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 687
{
"user_id" : "66b42b3a-fb36-49b7-a490-a6a41e32d2da",
"user_name" : "marissa",
"email" : "marissa@test.org",
"client_id" : "app",
"exp" : 1505210194,
"scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ],
"jti" : "53dbe3e05dcf4ff38d350bc74a7fc97b",
"aud" : [ "app", "scim", "cloud_controller", "password", "openid" ],
"sub" : "66b42b3a-fb36-49b7-a490-a6a41e32d2da",
"iss" : "http://localhost:8080/uaa/oauth/token",
"iat" : 1505166994,
"cid" : "app",
"grant_type" : "password",
"azp" : "app",
"auth_time" : 1505166994,
"zid" : "uaa",
"rev_sig" : "782ab4cd",
"origin" : "uaa",
"revocable" : true
}
Request Headers
Name | Description |
---|---|
Authorization | Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
token | String | Required | The token |
scopes | Array | Optional | String of comma-separated scopes, for checking presence of scopes on the token |
Response Fields
Path | Type | Description |
---|---|---|
user_id | String | Only applicable for user tokens |
user_name | String | Only applicable for user tokens |
email | String | Only applicable for user tokens |
client_id | String | A unique string representing the registration information provided by the client |
exp | Number | Expiration Time Claim |
authorities | Array | Only applicable for client tokens |
scope | Array | List of scopes authorized by the user for this client |
jti | String | JWT ID Claim |
aud | Array | Audience Claim |
sub | String | Subject Claim |
iss | String | Issuer Claim |
iat | Number | Issued At Claim |
cid | String | See client_id |
grant_type | String | The type of authentication being used to obtain the token, in this case password |
azp | String | Authorized party |
auth_time | Number | Only applicable for user tokens |
zid | String | Zone ID |
rev_sig | String | Revocation Signature - token revocation hash salted with at least client ID and client secret, and optionally various user values. |
origin | String | Only applicable for user tokens |
revocable | Boolean | Set to true if this token is revocable |
Token Key(s)
Token Key
An endpoint which returns the JSON Web Token (JWT) key used by the UAA to sign JWT access tokens, which authorized clients use to verify that a token came from the UAA. The key is returned in JSON Web Key format; for complete information about JSON Web Keys, see RFC 7517. When the token key is symmetric (the signer key and the verifier key are the same), this call is authenticated with client credentials using the HTTP Basic method.
JWT signing keys are specified via the identity zone configuration (see /identity-zones). An identity zone token policy can be configured with multiple keys for purposes of key rotation. When adding a new key, set its ID as the activeKeyId to use it to sign all new tokens. /check_token will continue to verify tokens signed with the previous signing key for as long as it is present in the keys of the identity zone's token policy. Remove it to invalidate all those tokens.
Asymmetric
$ curl 'http://localhost/token_key' -i -u 'app:appclientsecret' \
-H 'Accept: application/json' \
-H 'If-None-Match: 1501570800000'
GET /token_key HTTP/1.1
Accept: application/json
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
If-None-Match: 1501570800000
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
ETag: "1505167050510"
Content-Type: application/json;charset=UTF-8
Content-Length: 921
{
"kty" : "RSA",
"e" : "AQAB",
"use" : "sig",
"kid" : "testKey",
"alg" : "RS256",
"value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
"n" : "ANJufZdrvYg5zG61x36pDq59nVUN73wSanA7hVCtN3ftT2Rm1ZTQqp5KSCfLMhaaVvJY51sHj-_i4lqUaM9CO32G93fE44VfOmPfexZeAwa8YDOikyTrhP7sZ6A4WUNeC4DlNnJF4zsznU7JxjCkASwpdL6XFwbRSzGkm6b9aM4vIewyclWehJxUGVFhnYEzIQ65qnr38feVP9enOVgQzpKsCJ-xpa8vZ_UrscoG3_IOQM6VnLrGYAyyCGeyU1JXQW_KlNmtA5eJry2Tp-MD6I34_QsNkCArHOfj8H9tXz_oc3_tVkkR252L_Lmp0TtIGfHpBmoITP9h-oKiW6NpyCc"
}
Request Headers
Name | Description |
---|---|
Authorization | No authorization is required for requesting public keys. |
If-None-Match | See Ref: RFC 2616 |
Response Headers
Name | Description |
---|---|
ETag | The ETag version of the resource - used to decide if the client's version of the resource is already up to date. The UAA will set the ETag value to the epoch time in milliseconds of the last zone configuration change. |
Response Fields
Path | Type | Description |
---|---|---|
kid | String | Key ID of key to be used for verification of the token. |
alg | String | Encryption algorithm |
value | String | Verifier key |
kty | String | Key type (RSA) |
use | String | Public key use parameter - identifies intended use of the public key. (defaults to "sig") |
n | String | RSA key modulus |
e | String | RSA key public exponent |
Error Codes
Error Code | Description |
---|---|
401 | Unauthorized - Unregistered client or incorrect client secret |
Symmetric
$ curl 'http://localhost/token_key' -i -u 'app:appclientsecret' \
-H 'Accept: application/json' \
-H 'If-None-Match: 1501570800000'
GET /token_key HTTP/1.1
Accept: application/json
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
If-None-Match: 1501570800000
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
ETag: "1505167050485"
Content-Type: application/json;charset=UTF-8
Content-Length: 95
{
"kty" : "MAC",
"alg" : "HS256",
"value" : "key",
"use" : "sig",
"kid" : "testKey"
}
Request Headers
Name | Description |
---|---|
Authorization | Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority |
If-None-Match | See Ref: RFC 2616 |
Response Fields
Path | Type | Description |
---|---|---|
kid | String | Key ID of key to be used for verification of the token. |
alg | String | Encryption algorithm |
value | String | Verifier key |
kty | String | Key type (MAC) |
use | String | Public key use parameter - identifies intended use of the public key. (defaults to "sig") |
Error Codes
Error Code | Description |
---|---|
401 | Unauthorized - Unregistered client or incorrect client secret |
403 | Forbidden - Not a resource server (missing uaa.resource scope) |
Token Keys
An endpoint which returns the list of JWT keys. To support key rotation, this list specifies the IDs of all currently valid keys. JWT tokens issued by the UAA contain a kid field, indicating which key should be used for verification of the token.
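The rotation behaviour described in the Token Key and Token Keys sections (select the verifier by the token's kid; once a kid is removed from the key set, every token it signed stops verifying), as an added example that is not UAA's own code. It uses the symmetric MAC/HS256 case so that it runs with the Python standard library alone; TOKEN_KEYS is a constructed stand-in for a /token_keys response, and the kids and secret values in it are made up. sign_hs256 is a test helper for minting tokens to verify, and rotate_out models the "remove it to invalidate all those tokens" step.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for a /token_keys response (kids and secrets are made up).
TOKEN_KEYS = {
    "keys": [
        {"kty": "MAC", "alg": "HS256", "use": "sig", "kid": "key-2017-08", "value": "old-rotated-out-soon"},
        {"kty": "MAC", "alg": "HS256", "use": "sig", "kid": "key-2017-09", "value": "current-signing-key"},
    ]
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_index(token_keys: dict) -> dict:
    """Map kid -> JWK for the keys the zone currently trusts."""
    return {k["kid"]: k for k in token_keys["keys"]}


def sign_hs256(claims: dict, kid: str, secret: str) -> str:
    """Mint an HS256 JWT carrying a kid header (test helper, not UAA's signer)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token: str, token_keys: dict, now: float = None) -> dict:
    """Verify an HS256 JWT against the key set, selecting the key by kid.

    Raises ValueError on any failure so a caller can never end up holding the
    claims of a token that did not verify.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    jwk = key_index(token_keys).get(header.get("kid"))
    if jwk is None:
        # A kid that is no longer in the key set means the key was rotated out:
        # every token it signed is invalid from that point on.
        raise ValueError("unknown kid: %r" % header.get("kid"))
    # Take the algorithm from the trusted key entry, not from the token header,
    # so a token cannot ask to be verified under an algorithm the key was not
    # issued for. This example only handles MAC keys.
    if jwk["alg"] != "HS256" or header.get("alg") != jwk["alg"]:
        raise ValueError("unsupported or mismatched algorithm")
    message = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(jwk["value"].encode(), message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def rotate_out(token_keys: dict, kid: str) -> dict:
    """Return a key set without kid: the documented way to invalidate its tokens."""
    return {"keys": [k for k in token_keys["keys"] if k["kid"] != kid]}
```

The verifier decides the algorithm from the key it looked up by kid and only then compares it with the header, and it fails closed on an unknown kid instead of falling back to some default key; both are what makes "remove the key to invalidate its tokens" actually hold on the resource-server side. An RSA key from the asymmetric endpoint would be handled the same way, with the HMAC comparison replaced by an RS256 signature check.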
$ curl 'http://localhost/token_keys' -i -u 'app:appclientsecret' \
-H 'Accept: application/json' \
-H 'If-None-Match: 1501570800000'
GET /token_keys HTTP/1.1
Accept: application/json
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
If-None-Match: 1501570800000
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
ETag: "1505167050444"
Content-Type: application/json;charset=UTF-8
Content-Length: 956
{
"keys" : [ {
"kty" : "RSA",
"e" : "AQAB",
"use" : "sig",
"kid" : "testKey",
"alg" : "RS256",
"value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
"n" : "ANJufZdrvYg5zG61x36pDq59nVUN73wSanA7hVCtN3ftT2Rm1ZTQqp5KSCfLMhaaVvJY51sHj-_i4lqUaM9CO32G93fE44VfOmPfexZeAwa8YDOikyTrhP7sZ6A4WUNeC4DlNnJF4zsznU7JxjCkASwpdL6XFwbRSzGkm6b9aM4vIewyclWehJxUGVFhnYEzIQ65qnr38feVP9enOVgQzpKsCJ-xpa8vZ_UrscoG3_IOQM6VnLrGYAyyCGeyU1JXQW_KlNmtA5eJry2Tp-MD6I34_QsNkCArHOfj8H9tXz_oc3_tVkkR252L_Lmp0TtIGfHpBmoITP9h-oKiW6NpyCc"
} ]
}
Request Headers
Name | Description |
---|---|
Authorization | No authorization is required for requesting public keys. |
If-None-Match | See Ref: RFC 2616 |
Response Headers
Name | Description |
---|---|
ETag | The ETag version of the resource - used to decide if the client's version of the resource is already up to date. The UAA will set the ETag value to the epoch time in milliseconds of the last zone configuration change. |
Response Fields
Path | Type | Description |
---|---|---|
keys.[].kid | String | Key ID of key to be used for verification of the token. |
keys.[].alg | String | Encryption algorithm |
keys.[].value | String | Verifier key |
keys.[].kty | String | Key type (RSA or MAC) |
keys.[].use | String | Public key use parameter - identifies intended use of the public key. (defaults to "sig") |
keys.[].n | String | RSA key modulus |
keys.[].e | String | RSA key public exponent |
Error Codes
Error Code | Description |
---|---|
401 | Unauthorized - Unregistered client or incorrect client secret |
Identity Zones
The UAA supports multi-tenancy through identity zones. An identity zone is accessed through a unique subdomain. If the standard UAA responds to https://uaa.10.244.0.34.xip.io, a zone on this UAA would be accessed through https://testzone1.uaa.10.244.0.34.xip.io
A zone contains a unique identifier as well as a unique subdomain:
{
"id":"testzone1",
"subdomain":"testzone1",
"name":"The Twiglet Zone[testzone1]",
"version":0,
"description":"Like the Twilight Zone but tastier[testzone1].",
"created":1426258488910,
"last_modified":1426258488910
}
The UAA by default creates a default zone. This zone will always be present, the ID will always be uaa, and the subdomain is blank:
{
"id": "uaa",
"subdomain": "",
"name": "uaa",
"version": 0,
"description": "The system zone for backwards compatibility",
"created": 946710000000,
"last_modified": 946710000000
}
Creating an identity zone
An identity zone is created using a POST with an IdentityZone object. If the object contains an id, this id will be used as the identifier; otherwise an identifier will be generated. Once a zone has been created, the UAA will start accepting requests on the subdomain defined in the subdomain field of the identity zone.
When an Identity Zone is created, an internal Identity Provider is automatically created with the default password policy.
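A pre-flight check of an IdentityZone object against the constraints the Request Fields table of this section states (subdomain and name required, subdomain limited to legal subdomain characters, activeKeyId required once keys are set, the SAML key/passphrase/certificate triple only usable together, refreshTokenFormat limited to jwt or opaque), as an added example rather than UAA's own validation. validate_identity_zone is a hypothetical helper, and the SUBDOMAIN_RE pattern is an assumption (a plain DNS-label rule), since the page only says "legal characters for a subdomain name".

```python
import re

# Assumed reading of "legal characters for a subdomain name": a DNS label of
# lowercase letters, digits and hyphens, not starting or ending with a hyphen.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

CLIENT_SECRET_POLICY_FIELDS = (
    "minLength", "maxLength", "requireUpperCaseCharacter",
    "requireLowerCaseCharacter", "requireDigit", "requireSpecialCharacter",
)


def validate_identity_zone(zone: dict) -> list:
    """Return the list of constraint violations found; empty means the zone passed."""
    problems = []
    for field in ("subdomain", "name"):
        if not zone.get(field):
            problems.append("%s is required" % field)
    sub = zone.get("subdomain", "")
    if sub and not SUBDOMAIN_RE.match(sub):
        problems.append("subdomain %r contains characters that are not legal in a subdomain" % sub)
    config = zone.get("config") or {}

    # Every clientSecretPolicy field is required once the policy object is present.
    policy = config.get("clientSecretPolicy")
    if policy is not None:
        for f in CLIENT_SECRET_POLICY_FIELDS:
            if f not in policy:
                problems.append("clientSecretPolicy.%s is required when clientSecretPolicy is set" % f)

    # tokenPolicy: activeKeyId is required when keys are set, and must name one of them.
    token_policy = config.get("tokenPolicy") or {}
    keys = token_policy.get("keys") or {}
    active = token_policy.get("activeKeyId")
    if keys and not active:
        problems.append("tokenPolicy.activeKeyId is required when tokenPolicy.keys are set")
    elif keys and active not in keys:
        problems.append("tokenPolicy.activeKeyId %r is not one of the configured keys" % active)
    fmt = token_policy.get("refreshTokenFormat")
    if fmt is not None and fmt not in ("jwt", "opaque"):
        problems.append("tokenPolicy.refreshTokenFormat must be jwt or opaque, not %r" % fmt)

    # samlConfig: same activeKeyId rule, and key/passphrase/certificate go together.
    saml = config.get("samlConfig") or {}
    saml_keys = saml.get("keys") or {}
    saml_active = saml.get("activeKeyId")
    if saml_keys and not saml_active:
        problems.append("samlConfig.activeKeyId is required when samlConfig.keys is defined")
    elif saml_keys and saml_active not in saml_keys:
        problems.append("samlConfig.activeKeyId %r is not one of the configured keys" % saml_active)
    triple = {"key", "passphrase", "certificate"}
    for kid, entry in saml_keys.items():
        present = {f for f in triple if f in entry}
        if present and present != triple:
            problems.append("samlConfig.keys.%s needs key, passphrase and certificate together" % kid)
    return problems
```

Run against the request body in the transcript that follows, the check reports that tokenPolicy.keys is set while activeKeyId is null, which the table's constraint as written does not allow; the server in that transcript still answered 201 and its response carries no keys under tokenPolicy, so treat this as a lint step on what you are about to send, not as a description of what UAA enforces.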
$ curl 'http://localhost/identity-zones' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 2181e5ba445b4157889b908db56424ee' \
-d '{
"id" : "twiglet-create",
"subdomain" : "twiglet-create",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null,
"keys" : {
"exampleKeyId" : {
"signingKey" : "s1gNiNg.K3y/t3XT"
}
}
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"passphrase" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"privateKeyPassword" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but tastier.",
"created" : 1505167030179,
"last_modified" : 1505167030179
}'
POST /identity-zones HTTP/1.1
Content-Type: application/json
Authorization: Bearer 2181e5ba445b4157889b908db56424ee
Host: localhost
Content-Length: 6185
{
"id" : "twiglet-create",
"subdomain" : "twiglet-create",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null,
"keys" : {
"exampleKeyId" : {
"signingKey" : "s1gNiNg.K3y/t3XT"
}
}
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"passphrase" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"privateKeyPassword" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but tastier.",
"created" : 1505167030179,
"last_modified" : 1505167030179
}
HTTP/1.1 201 Created
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 4941
{
"id" : "twiglet-create",
"subdomain" : "twiglet-create",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but tastier.",
"created" : 1505167030190,
"last_modified" : 1505167030190
}
Request Headers
Name | Description |
---|---|
Authorization |
Bearer token containing zones.write or zones.<zone id>.admin |
Request Fields
Path | Type | Constraints | Description |
---|---|---|---|
id | String | Optional | Unique ID of the identity zone |
subdomain | String | Required | Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
name | String | Required | Human-readable zone name |
description | String | Optional | Description of the zone |
version | Number | Optional | Reserved for future use of E-Tag versioning |
config.clientSecretPolicy.minLength | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.maxLength | Number | Required when clientSecretPolicy in the config is not null |
Maximum number of characters required for secret to be considered valid (defaults to 255). |
config.clientSecretPolicy.requireUpperCaseCharacter | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of uppercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireLowerCaseCharacter | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of lowercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireDigit | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of digits required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireSpecialCharacter | Number | Required when clientSecretPolicy in the config is not null | Minimum number of special characters required for the secret to be considered valid (defaults to 0). |
config.tokenPolicy | Object | Optional | Various fields pertaining to the JWT access and refresh tokens. |
config.tokenPolicy.activeKeyId | String | Required if config.tokenPolicy.keys are set | The ID of the key that is being used to sign tokens. |
config.tokenPolicy.keys.*.signingKey | String | Optional | Map of key ID to the key material that will be used to sign tokens. |
config.tokenPolicy.accessTokenValidity | Number | Optional | Time in seconds between when an access token is issued and when it expires. Defaults to the global accessTokenValidity. |
config.tokenPolicy.refreshTokenValidity | Number | Optional | Time in seconds between when a refresh token is issued and when it expires. Defaults to the global refreshTokenValidity. |
config.tokenPolicy.jwtRevocable | Boolean | Optional | Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
config.tokenPolicy.refreshTokenUnique | Boolean | Optional | If true, UAA will only issue one refresh token per client_id/user_id combination. Defaults to false. |
config.tokenPolicy.refreshTokenFormat | String | Optional | The format for the refresh token. Allowed values are jwt and opaque. Defaults to jwt. |
config.samlConfig.disableInResponseToCheck | Boolean | Optional | If true, this zone will not validate the InResponseTo field of an incoming IdP assertion, so unsolicited assertions are accepted; leave it false unless an IdP-initiated flow requires it. See https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
config.samlConfig.assertionSigned | Boolean | Optional | If true, the SAML provider will sign all assertions. |
config.samlConfig.wantAssertionSigned | Boolean | Optional | Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
config.samlConfig.requestSigned | Boolean | Optional | Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
config.samlConfig.wantAuthnRequestSigned | Boolean | Optional | If true, the authentication request from the partner service provider must be signed. |
config.samlConfig.assertionTimeToLiveSeconds | Number | Optional | The lifetime of a SAML assertion in seconds. Defaults to 600. |
config.samlConfig.entityID | String | Optional | Unique ID of the SAML2 entity. |
config.samlConfig.certificate | String | Deprecated | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. Superseded by the keys map (keys.<key-id>.certificate). |
config.samlConfig.privateKey | String | Deprecated | The SAML provider's private key. Not returned by the API. Superseded by the keys map (keys.<key-id>.key). |
config.samlConfig.privateKeyPassword | String | Deprecated | The SAML provider's private key password. Not returned by the API. Reserved for future use. |
config.samlConfig.activeKeyId | String | Required if a list of keys is defined in the keys map | The ID of the key that should be used for signing metadata and assertions. |
config.samlConfig.keys.*.key | String | Optional. Can only be used in conjunction with keys.<key-id>.passphrase and keys.<key-id>.certificate | The SAML provider's private key. Not returned by the API. |
config.samlConfig.keys.*.passphrase | String | Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.certificate | The SAML provider's private key password. Not returned by the API. Reserved for future use. |
config.samlConfig.keys.*.certificate | String | Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.passphrase | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.links.logout.redirectUrl | String | Optional | Logout redirect URL. |
config.links.homeRedirect | String | Optional | Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
config.links.logout.redirectParameterName | String | Optional | Changes the name of the redirect parameter. |
config.links.logout.disableRedirectParameter | Boolean | Optional | Whether or not to allow the redirect parameter on logout. |
config.links.logout.whitelist | Array | Optional | List of allowed redirect targets for the logout redirect parameter. |
config.links.selfService.selfServiceLinksEnabled | Boolean | Optional | Whether or not users are allowed to sign up or reset their passwords via the UI. |
config.links.selfService.signup | String | Optional | Where users are directed upon clicking the account creation link (null when unset). |
config.links.selfService.passwd | String | Optional | Where users are directed upon clicking the password reset link (null when unset). |
config.prompts[] | Array | Optional | List of fields that users are prompted for at login. Defaults to username, password, and passcode. |
config.prompts[].name | String | Optional | Name of the field. |
config.prompts[].type | String | Optional | What kind of field this is (e.g. text or password). |
config.prompts[].text | String | Optional | Actual text displayed on the prompt for the field. |
config.idpDiscoveryEnabled | Boolean | Optional | IdP discovery should be set to true if you have configured more than one identity provider for UAA. Discovery relies on an email domain being set for each additional provider. |
config.accountChooserEnabled | Boolean | Optional | This flag is required to enable account-choosing functionality on the IdP discovery page. |
config.branding.companyName | String | Optional | This name is used on the UAA pages and in account-management related communication in UAA. |
config.branding.productLogo | String | Optional | A base64url-encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
config.branding.squareLogo | String | Optional | A base64-encoded PNG image which will be used as the favicon for the UAA pages. |
config.branding.footerLegalText | String | Optional | This text appears in the footer of all UAA pages. |
config.branding.footerLinks.* | Object | Optional | Map of link text to URL; these links appear in the footer of all UAA pages. |
config.branding.banner.text | String | Optional | Text displayed in a banner at the top of the UAA login page. |
config.branding.banner.logo | String | Optional | Base64-encoded PNG data displayed in a banner at the top of the UAA login page; overrides the banner text. |
config.branding.banner.link | String | Optional | The UAA login banner will be a link pointing to this URL. |
config.branding.banner.textColor | String | Optional | Hexadecimal color code for the banner text color; color names are not allowed. |
config.branding.banner.backgroundColor | String | Optional | Hexadecimal color code for the banner background color; color names are not allowed. |
config.corsPolicy.xhrConfiguration.allowedOrigins | Array | Optional | Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response. Entries are regular expressions matched against the Origin header; the default ".*" matches any origin. |
config.corsPolicy.xhrConfiguration.allowedOriginPatterns | Array | Optional | Indicates whether a resource can be shared by matching the Origin request header against these patterns. |
config.corsPolicy.xhrConfiguration.allowedUris | Array | Optional | The list of allowed URIs. |
config.corsPolicy.xhrConfiguration.allowedUriPatterns | Array | Optional | The list of allowed URI patterns. |
config.corsPolicy.xhrConfiguration.allowedHeaders | Array | Optional | Access-Control-Allow-Headers header. Indicates which header field names can be used in the actual request. |
config.corsPolicy.xhrConfiguration.allowedMethods | Array | Optional | Access-Control-Allow-Methods header. Indicates, in the response to a preflight request, which methods can be used in the actual request. |
config.corsPolicy.xhrConfiguration.allowedCredentials | Boolean | Optional | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials. Combined with a wildcard allowedOrigins entry this lets any site make credentialed cross-origin requests. |
config.corsPolicy.xhrConfiguration.maxAge | Number | Optional | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache. |
config.corsPolicy.defaultConfiguration.allowedOrigins | Array | Optional | Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response. Entries are regular expressions matched against the Origin header; the default ".*" matches any origin. |
config.corsPolicy.defaultConfiguration.allowedOriginPatterns | Array | Optional | Indicates whether a resource can be shared by matching the Origin request header against these patterns. |
config.corsPolicy.defaultConfiguration.allowedUris | Array | Optional | The list of allowed URIs. |
config.corsPolicy.defaultConfiguration.allowedUriPatterns | Array | Optional | The list of allowed URI patterns. |
config.corsPolicy.defaultConfiguration.allowedHeaders | Array | Optional | Access-Control-Allow-Headers header. Indicates which header field names can be used in the actual request. |
config.corsPolicy.defaultConfiguration.allowedMethods | Array | Optional | Access-Control-Allow-Methods header. Indicates, in the response to a preflight request, which methods can be used in the actual request. |
config.corsPolicy.defaultConfiguration.allowedCredentials | Boolean | Optional | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials. Combined with a wildcard allowedOrigins entry this lets any site make credentialed cross-origin requests. |
config.corsPolicy.defaultConfiguration.maxAge | Number | Optional | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache. |
config.userConfig.defaultGroups | Array | Optional | Default groups each user in the zone inherits. |
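Several of the zone config fields above are security controls (secret policy, token revocability, the SAML InResponseTo check, CORS origins and credentials, the logout redirect whitelist). The script below is an added example, not UAA project code: it lints a zone body before it is POSTed, flagging the weak combinations the table describes. The thresholds, the probe origins and the two sample configs are this example's own constructions; WEAK_ZONE mirrors the GET example further down except that InResponseTo checking is switched off and defaultConfiguration allows credentials, and HARDENED_ZONE is the corrected counterpart.

```python
"""Lint an identity-zone config body before POSTing it to /identity-zones."""
import re

# Thresholds and probes below are this example's own assumptions, not UAA defaults.
MIN_CLIENT_SECRET_LENGTH = 12
# Constructed probe origins: an arbitrary attacker site, a look-alike that embeds a
# legitimate hostname, and the literal "null" origin browsers send from sandboxed frames.
PROBE_ORIGINS = ("https://evil.example", "https://app.example.com.evil.example", "null")


def _cors_findings(name: str, cors: dict) -> list:
    out = []
    origins = cors.get("allowedOrigins") or []
    # UAA treats allowedOrigins entries as regular expressions (hence the ".*" default),
    # so an unanchored or wildcard pattern silently admits foreign origins.
    for pattern in origins:
        try:
            rx = re.compile(pattern)
        except re.error:
            out.append(f"CORS-BADREGEX {name}.allowedOrigins {pattern!r} does not compile")
            continue
        for probe in PROBE_ORIGINS:
            if rx.fullmatch(probe):
                out.append(f"CORS-OPEN {name}.allowedOrigins {pattern!r} admits {probe!r}")
                break
    if cors.get("allowedCredentials") and any(p in ("*", ".*") for p in origins):
        out.append(f"CORS-CREDS {name} sends Access-Control-Allow-Credentials to any origin")
    return out


def lint_zone_config(zone: dict) -> list:
    """Return a list of 'CODE detail' strings; an empty list means nothing was flagged."""
    cfg = zone.get("config") or {}
    findings = []

    # -1 (what the GET example reports) is treated here as "unset": any secret length passes
    csp = cfg.get("clientSecretPolicy") or {}
    if csp.get("minLength", -1) < MIN_CLIENT_SECRET_LENGTH:
        findings.append(f"SECRET-MINLEN clientSecretPolicy.minLength below {MIN_CLIENT_SECRET_LENGTH}")

    # Opaque tokens are always stored and revocable; JWTs only when jwtRevocable is true
    tp = cfg.get("tokenPolicy") or {}
    if tp.get("refreshTokenFormat", "jwt") == "jwt" and not tp.get("jwtRevocable", False):
        findings.append("TOKEN-NOREVOKE jwt refresh tokens are not individually revocable")

    saml = cfg.get("samlConfig") or {}
    if saml.get("disableInResponseToCheck", False):
        findings.append("SAML-INRESPONSETO InResponseTo validation disabled (unsolicited assertions accepted)")
    if not saml.get("wantAssertionSigned", True):
        findings.append("SAML-UNSIGNED unsigned IdP assertions accepted")

    cors_policy = cfg.get("corsPolicy") or {}
    for name in ("xhrConfiguration", "defaultConfiguration"):
        findings.extend(_cors_findings(name, cors_policy.get(name) or {}))

    # The logout redirect parameter is honoured unless disabled; without a whitelist
    # there is nothing restricting where a logout link can send the user.
    logout = (cfg.get("links") or {}).get("logout") or {}
    if not logout.get("disableRedirectParameter", False) and not logout.get("whitelist"):
        findings.append("LOGOUT-REDIRECT redirect parameter enabled without a whitelist")
    return findings


# Constructed sample configs (not from the page): weak settings beside the corrected ones.
WEAK_ZONE = {"id": "twiglet-get", "subdomain": "twiglet-get", "config": {
    "clientSecretPolicy": {"minLength": -1, "maxLength": -1},
    "tokenPolicy": {"refreshTokenFormat": "jwt", "jwtRevocable": False},
    "samlConfig": {"disableInResponseToCheck": True, "wantAssertionSigned": True},
    "corsPolicy": {
        "xhrConfiguration": {"allowedOrigins": [".*"], "allowedCredentials": False},
        "defaultConfiguration": {"allowedOrigins": [".*"], "allowedCredentials": True}},
    "links": {"logout": {"redirectUrl": "/login", "disableRedirectParameter": False,
                         "whitelist": None}}}}

HARDENED_ZONE = {"id": "twiglet-get", "subdomain": "twiglet-get", "config": {
    "clientSecretPolicy": {"minLength": 16, "maxLength": 255},
    "tokenPolicy": {"refreshTokenFormat": "opaque", "jwtRevocable": False},
    "samlConfig": {"disableInResponseToCheck": False, "wantAssertionSigned": True},
    "corsPolicy": {
        "xhrConfiguration": {"allowedOrigins": [r"https://app\.example\.com"], "allowedCredentials": False},
        "defaultConfiguration": {"allowedOrigins": [r"https://app\.example\.com"], "allowedCredentials": False}},
    "links": {"logout": {"redirectUrl": "/login", "disableRedirectParameter": False,
                         "whitelist": ["https://app.example.com/*"]}}}}

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, lint_zone_config(zone) or "OK")
```

The origin probe is the part worth keeping even if the rest is trimmed: because allowedOrigins entries are regular expressions, an entry such as https://app.example.com (unescaped dots, no anchoring beyond the full match) or the default .* is tested against origins that must never be accepted rather than only against the origin you expect.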
Response Fields
Private key material is never returned: samlConfig.privateKey, samlConfig.keys.*.key, samlConfig.keys.*.passphrase and the tokenPolicy signing keys are write-only, so only certificates and key IDs appear below.
Path | Type | Description |
---|---|---|
id | String | Unique ID of the identity zone |
subdomain | String | Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
name | String | Human-readable zone name |
description | String | Description of the zone |
version | Number | Reserved for future use of E-Tag versioning |
config.tokenPolicy.activeKeyId | String | The ID of the key that is being used to sign tokens |
config.tokenPolicy.accessTokenValidity | Number | Time in seconds between when an access token is issued and when it expires. Defaults to the global accessTokenValidity |
config.tokenPolicy.refreshTokenValidity | Number | Time in seconds between when a refresh token is issued and when it expires. Defaults to the global refreshTokenValidity |
config.tokenPolicy.jwtRevocable | Boolean | Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
config.tokenPolicy.refreshTokenUnique | Boolean | If true, UAA will only issue one refresh token per client_id/user_id combination. Defaults to false. |
config.tokenPolicy.refreshTokenFormat | String | The format for the refresh token. Allowed values are jwt and opaque. Defaults to jwt. |
config.clientSecretPolicy.minLength | Number | Minimum number of characters required for the secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.maxLength | Number | Maximum number of characters allowed for the secret to be considered valid (defaults to 255). |
config.clientSecretPolicy.requireUpperCaseCharacter | Number | Minimum number of uppercase characters required for the secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireLowerCaseCharacter | Number | Minimum number of lowercase characters required for the secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireDigit | Number | Minimum number of digits required for the secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireSpecialCharacter | Number | Minimum number of special characters required for the secret to be considered valid (defaults to 0). |
config.samlConfig.disableInResponseToCheck | Boolean | If true, this zone will not validate the InResponseTo field of an incoming IdP assertion. See https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
config.samlConfig.assertionSigned | Boolean | If true, the SAML provider will sign all assertions |
config.samlConfig.wantAssertionSigned | Boolean | Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
config.samlConfig.requestSigned | Boolean | Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
config.samlConfig.wantAuthnRequestSigned | Boolean | If true, the authentication request from the partner service provider must be signed. |
config.samlConfig.assertionTimeToLiveSeconds | Number | The lifetime of a SAML assertion in seconds. Defaults to 600. |
config.samlConfig.entityID | String | Unique ID of the SAML2 entity |
config.samlConfig.certificate | String | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.samlConfig.activeKeyId | String | The ID of the key that should be used for signing metadata and assertions. |
config.samlConfig.keys.*.certificate | String | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.links.logout.redirectUrl | String | Logout redirect URL |
config.links.homeRedirect | String | Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
config.links.logout.redirectParameterName | String | Changes the name of the redirect parameter |
config.links.logout.disableRedirectParameter | Boolean | Whether or not to allow the redirect parameter on logout |
config.links.logout.whitelist | Array | List of allowed redirect targets for the logout redirect parameter |
config.links.selfService.selfServiceLinksEnabled | Boolean | Whether or not users are allowed to sign up or reset their passwords via the UI |
config.links.selfService.signup | String | Where users are directed upon clicking the account creation link (null when unset) |
config.links.selfService.passwd | String | Where users are directed upon clicking the password reset link (null when unset) |
config.prompts[] | Array | List of fields that users are prompted for at login. Defaults to username, password, and passcode. |
config.prompts[].name | String | Name of the field |
config.prompts[].type | String | What kind of field this is (e.g. text or password) |
config.prompts[].text | String | Actual text displayed on the prompt for the field |
config.idpDiscoveryEnabled | Boolean | IdP discovery should be set to true if you have configured more than one identity provider for UAA. Discovery relies on an email domain being set for each additional provider |
config.accountChooserEnabled | Boolean | This flag is required to enable account-choosing functionality on the IdP discovery page. |
config.branding.companyName | String | This name is used on the UAA pages and in account-management related communication in UAA |
config.branding.productLogo | String | A base64url-encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
config.branding.squareLogo | String | A base64-encoded PNG image which will be used as the favicon for the UAA pages |
config.branding.footerLegalText | String | This text appears in the footer of all UAA pages |
config.branding.footerLinks.* | Object | Map of link text to URL; these links appear in the footer of all UAA pages |
config.branding.banner.text | String | Text displayed in a banner at the top of the UAA login page |
config.branding.banner.logo | String | Base64-encoded PNG data displayed in a banner at the top of the UAA login page; overrides the banner text |
config.branding.banner.link | String | The UAA login banner will be a link pointing to this URL |
config.branding.banner.textColor | String | Hexadecimal color code for the banner text color; color names are not allowed |
config.branding.banner.backgroundColor | String | Hexadecimal color code for the banner background color; color names are not allowed |
config.corsPolicy.defaultConfiguration.allowedOrigins | Array | Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response. Entries are regular expressions matched against the Origin header. |
config.corsPolicy.defaultConfiguration.allowedOriginPatterns | Array | Indicates whether a resource can be shared by matching the Origin request header against these patterns. |
config.corsPolicy.defaultConfiguration.allowedUris | Array | The list of allowed URIs. |
config.corsPolicy.defaultConfiguration.allowedUriPatterns | Array | The list of allowed URI patterns. |
config.corsPolicy.defaultConfiguration.allowedHeaders | Array | Access-Control-Allow-Headers header. Indicates which header field names can be used in the actual request |
config.corsPolicy.defaultConfiguration.allowedMethods | Array | Access-Control-Allow-Methods header. Indicates, in the response to a preflight request, which methods can be used in the actual request. |
config.corsPolicy.defaultConfiguration.allowedCredentials | Boolean | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials. |
config.corsPolicy.defaultConfiguration.maxAge | Number | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.corsPolicy.xhrConfiguration.allowedOrigins | Array | Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response. Entries are regular expressions matched against the Origin header. |
config.corsPolicy.xhrConfiguration.allowedOriginPatterns | Array | Indicates whether a resource can be shared by matching the Origin request header against these patterns. |
config.corsPolicy.xhrConfiguration.allowedUris | Array | The list of allowed URIs. |
config.corsPolicy.xhrConfiguration.allowedUriPatterns | Array | The list of allowed URI patterns. |
config.corsPolicy.xhrConfiguration.allowedHeaders | Array | Access-Control-Allow-Headers header. Indicates which header field names can be used in the actual request |
config.corsPolicy.xhrConfiguration.allowedMethods | Array | Access-Control-Allow-Methods header. Indicates, in the response to a preflight request, which methods can be used in the actual request. |
config.corsPolicy.xhrConfiguration.allowedCredentials | Boolean | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials. |
config.corsPolicy.xhrConfiguration.maxAge | Number | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.userConfig.defaultGroups | Array | Default groups each user in the zone inherits. |
Error Codes
Error Code | Description |
---|---|
400 | Bad Request |
401 | Unauthorized - Invalid token |
403 | Forbidden - Insufficient scope (Zones can only be created by being authenticated in the default zone.) |
422 | Unprocessable Entity - Invalid zone details |
Sequential example of creating a zone and creating an admin client in that zone. The default-zone admin client is first granted zones.write and zones.testzone1.admin, then a fresh token is obtained so that it carries those authorities; the client created inside the zone (via the X-Identity-Zone-Id header) receives only zone-local authorities, and the final steps obtain a token from the zone's own subdomain and decode it:
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.testzone1.admin,zones.write"
uaac token client get admin -s adminsecret
uaac -t curl -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones
uaac -t curl -H"X-Identity-Zone-Id:testzone1" -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients
uaac target http://testzone1.localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac token decode
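The same procedure as a script, added here as an example and not part of the UAA project: it builds the zone and zone-admin client bodies used above, switches zones with the X-Identity-Zone-Id header, fetches a client_credentials token from the zone subdomain, and then does what `uaac token decode` does, inspecting the unverified claims to confirm the token really belongs to the new zone (zid and iss) and that the zone-local client did not end up with more authorities than it was given. UAA_URL, ADMIN_SECRET and the HTTP helper functions are this example's own; nothing here verifies a JWT signature, and unsigned_jwt() exists only to build offline test fixtures.

```python
"""Create an identity zone and a zone-local admin client, then check the zone token."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Authorities given to the zone-local admin client in the uaac example above.
ZONE_ADMIN_AUTHORITIES = ["uaa.admin", "clients.read", "clients.write", "clients.secret",
                          "scim.read", "scim.write", "clients.admin"]


def zone_body(zone_id: str, name: str, description: str = "") -> dict:
    # subdomain == id keeps the zone's issuer host predictable: <zone_id>.<uaa host>
    return {"id": zone_id, "subdomain": zone_id, "name": name,
            "version": 0, "description": description}


def zone_admin_client_body(secret: str) -> dict:
    # client_credentials only: an automation identity, never a user-facing app
    return {"client_id": "admin", "client_secret": secret, "scope": ["uaa.none"],
            "resource_ids": ["none"], "authorities": ZONE_ADMIN_AUTHORITIES,
            "authorized_grant_types": ["client_credentials"]}


def _post_json(url: str, body: dict, headers: dict) -> dict:
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Accept": "application/json", **headers})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def create_zone(uaa_url: str, admin_token: str, body: dict) -> dict:
    return _post_json(f"{uaa_url}/identity-zones", body,
                      {"Authorization": f"Bearer {admin_token}"})


def create_client_in_zone(uaa_url: str, admin_token: str, zone_id: str, body: dict) -> dict:
    # X-Identity-Zone-Id switches the request into the new zone while still
    # authenticating with the default-zone token that holds zones.<zone_id>.admin
    return _post_json(f"{uaa_url}/oauth/clients", body,
                      {"Authorization": f"Bearer {admin_token}", "X-Identity-Zone-Id": zone_id})


def client_credentials_token(base_url: str, client_id: str, secret: str) -> str:
    creds = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    data = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(f"{base_url}/oauth/token", data=data, method="POST",
                                 headers={"Authorization": f"Basic {creds}",
                                          "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["access_token"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Unverified decode of the payload segment, as `uaac token decode` does."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_zone_token(token: str, zone_id: str, zone_url: str) -> list:
    """Return the problems found; an empty list means the token is scoped to the zone."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("zid") != zone_id:
        problems.append(f"zid is {claims.get('zid')!r}, expected {zone_id!r}")
    if not str(claims.get("iss", "")).startswith(zone_url + "/"):
        problems.append(f"iss {claims.get('iss')!r} is not under {zone_url}")
    extra = set(claims.get("authorities", [])) - set(ZONE_ADMIN_AUTHORITIES)
    if extra:
        problems.append(f"unexpected authorities: {sorted(extra)}")
    return problems


def unsigned_jwt(claims: dict) -> str:
    """Build an alg=none token for offline tests only; never accept such tokens in production."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    uaa_url = os.environ.get("UAA_URL")  # e.g. http://localhost:8080/uaa
    if not uaa_url:
        raise SystemExit("set UAA_URL and ADMIN_SECRET to run against a live UAA")
    admin_token = client_credentials_token(uaa_url, "admin", os.environ["ADMIN_SECRET"])
    create_zone(uaa_url, admin_token, zone_body("testzone1", "The Twiglet Zone[testzone1]"))
    create_client_in_zone(uaa_url, admin_token, "testzone1", zone_admin_client_body("adminsecret"))
    scheme, host = uaa_url.split("://", 1)
    zone_url = f"{scheme}://testzone1.{host}"  # the zone-local client only exists here
    zone_token = client_credentials_token(zone_url, "admin", "adminsecret")
    print(check_zone_token(zone_token, "testzone1", zone_url) or "zone token OK")
```

The zid/iss check is the point of the last two uaac steps: a token minted at http://localhost:8080/uaa with the default-zone admin would still let you talk to the zone via X-Identity-Zone-Id, but it is not the zone-local credential you just created, and its authorities (zones.write, zones.testzone1.admin) are wider than anything that should live inside the zone.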
Retrieving an identity zone
$ curl 'http://localhost/identity-zones/twiglet-get' -i \
-H 'Authorization: Bearer f053b6ed711a4132bfc483274098078f'
GET /identity-zones/twiglet-get HTTP/1.1
Authorization: Bearer f053b6ed711a4132bfc483274098078f
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 4878
{
"id" : "twiglet-get",
"subdomain" : "twiglet-get",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Twiglet Zone",
"version" : 0,
"created" : 1505167030055,
"last_modified" : 1505167030055
}
Path Parameters
/identity-zones/{id}
Parameter | Description |
---|---|
id | Unique ID of the identity zone to retrieve |
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.read or zones.write or zones.<zone id>.admin or zones.<zone id>.read |
Response Fields
Path | Type | Description |
---|---|---|
id | String | Unique ID of the identity zone |
subdomain | String | Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
name | String | Human-readable zone name |
description | String | Description of the zone |
version | Number | Reserved for future use of E-Tag versioning |
config.tokenPolicy.activeKeyId | String | The ID of the key that is being used to sign tokens |
config.tokenPolicy.accessTokenValidity | Number | Time in seconds between when an access token is issued and when it expires. Defaults to the global accessTokenValidity |
config.tokenPolicy.refreshTokenValidity | Number | Time in seconds between when a refresh token is issued and when it expires. Defaults to the global refreshTokenValidity |
config.tokenPolicy.jwtRevocable | Boolean | Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
config.tokenPolicy.refreshTokenUnique | Boolean | If true, UAA will only issue one refresh token per client_id/user_id combination. Defaults to false. |
config.tokenPolicy.refreshTokenFormat | String | The format for the refresh token. Allowed values are jwt and opaque. Defaults to jwt. |
config.clientSecretPolicy.minLength | Number | Minimum number of characters required for the secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.maxLength | Number | Maximum number of characters allowed for the secret to be considered valid (defaults to 255). |
config.clientSecretPolicy.requireUpperCaseCharacter | Number | Minimum number of uppercase characters required for the secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireLowerCaseCharacter | Number | Minimum number of lowercase characters required for the secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireDigit | Number | Minimum number of digits required for the secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireSpecialCharacter | Number | Minimum number of special characters required for the secret to be considered valid (defaults to 0). |
config.samlConfig.disableInResponseToCheck | Boolean | If true, this zone will not validate the InResponseTo field of an incoming IdP assertion. See https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
config.samlConfig.assertionSigned | Boolean | If true, the SAML provider will sign all assertions |
config.samlConfig.wantAssertionSigned | Boolean | Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
config.samlConfig.requestSigned | Boolean | Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
config.samlConfig.wantAuthnRequestSigned | Boolean | If true, the authentication request from the partner service provider must be signed. |
config.samlConfig.assertionTimeToLiveSeconds | Number | The lifetime of a SAML assertion in seconds. Defaults to 600. |
config.samlConfig.entityID | String | Unique ID of the SAML2 entity |
config.samlConfig.certificate | String | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.samlConfig.activeKeyId | String | The ID of the key that should be used for signing metadata and assertions. |
config.samlConfig.keys.*.certificate | String | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.links.logout.redirectUrl | String | Logout redirect URL |
config.links.homeRedirect | String | Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
config.links.logout.redirectParameterName | String | Changes the name of the redirect parameter |
config.links.logout.disableRedirectParameter | Boolean | Whether or not to allow the redirect parameter on logout |
config.links.logout.whitelist | Array | List of allowed redirect targets for the logout redirect parameter |
config.links.selfService.selfServiceLinksEnabled | Boolean | Whether or not users are allowed to sign up or reset their passwords via the UI |
config.links.selfService.signup | String | Where users are directed upon clicking the account creation link (null when unset) |
config.links.selfService.passwd | String | Where users are directed upon clicking the password reset link (null when unset) |
config.prompts[] | Array | List of fields that users are prompted for at login. Defaults to username, password, and passcode. |
config.prompts[].name | String | Name of the field |
config.prompts[].type | String | What kind of field this is (e.g. text or password) |
config.prompts[].text | String | Actual text displayed on the prompt for the field |
config.idpDiscoveryEnabled | Boolean | IdP discovery should be set to true if you have configured more than one identity provider for UAA. Discovery relies on an email domain being set for each additional provider |
config.accountChooserEnabled | Boolean | This flag is required to enable account-choosing functionality on the IdP discovery page. |
config.branding.companyName | String | This name is used on the UAA pages and in account-management related communication in UAA |
config.branding.productLogo | String | A base64url-encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
config.branding.squareLogo | String | A base64-encoded PNG image which will be used as the favicon for the UAA pages |
config.branding.footerLegalText | String | This text appears in the footer of all UAA pages |
config.branding.footerLinks.* | Object | Map of link text to URL; these links appear in the footer of all UAA pages |
config.branding.banner.text | String | Text displayed in a banner at the top of the UAA login page |
config.branding.banner.logo | String | Base64-encoded PNG data displayed in a banner at the top of the UAA login page; overrides the banner text |
config.branding.banner.link | String | The UAA login banner will be a link pointing to this URL |
config.branding.banner.textColor | String | Hexadecimal color code for the banner text color; color names are not allowed |
config.branding.banner.backgroundColor | String | Hexadecimal color code for the banner background color; color names are not allowed |
config.corsPolicy.defaultConfiguration.allowedOrigins | Array | Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response. Entries are regular expressions matched against the Origin header. |
config.corsPolicy.defaultConfiguration.allowedOriginPatterns | Array | Indicates whether a resource can be shared by matching the Origin request header against these patterns. |
config.corsPolicy.defaultConfiguration.allowedUris | Array | The list of allowed URIs. |
config.corsPolicy.defaultConfiguration.allowedUriPatterns | Array | The list of allowed URI patterns. |
config.corsPolicy.defaultConfiguration.allowedHeaders | Array | Access-Control-Allow-Headers header. Indicates which header field names can be used in the actual request |
config.corsPolicy.defaultConfiguration.allowedMethods | Array | Access-Control-Allow-Methods header. Indicates, in the response to a preflight request, which methods can be used in the actual request. |
config.corsPolicy.defaultConfiguration.allowedCredentials | Boolean | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials. |
config.corsPolicy.defaultConfiguration.maxAge | Number | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.corsPolicy.xhrConfiguration.allowedOrigins | Array | Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response. Entries are regular expressions matched against the Origin header. |
config.corsPolicy.xhrConfiguration.allowedOriginPatterns | Array | Indicates whether a resource can be shared by matching the Origin request header against these patterns. |
config.corsPolicy.xhrConfiguration.allowedUris | Array | The list of allowed URIs. |
config.corsPolicy.xhrConfiguration.allowedUriPatterns | Array | The list of allowed URI patterns. |
config.corsPolicy.xhrConfiguration.allowedHeaders | Array | Access-Control-Allow-Headers header. Indicates which header field names can be used in the actual request |
config.corsPolicy.xhrConfiguration.allowedMethods | Array | Access-Control-Allow-Methods header. Indicates, in the response to a preflight request, which methods can be used in the actual request. |
config.corsPolicy.xhrConfiguration.allowedCredentials | Boolean | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials. |
config.corsPolicy.xhrConfiguration.maxAge | Number | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.userConfig.defaultGroups | Array | Default groups each user in the zone inherits. |
Error Codes
Error Code | Description |
---|---|
400 | Bad Request |
401 | Unauthorized - Invalid token |
403 | Forbidden - Insufficient scope |
404 | Not Found - Zone does not exist |
Retrieving all identity zones
$ curl 'http://localhost/identity-zones' -i \
-H 'Authorization: Bearer c36061fceed84e70b595141ff26892bc'
GET /identity-zones HTTP/1.1
Authorization: Bearer c36061fceed84e70b595141ff26892bc
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 22879
[ {
"id" : "f4296xqx",
"subdomain" : "f4296xqx",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"keys" : { },
"disableInResponseToCheck" : false
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but tastier.",
"created" : 1505167025749,
"last_modified" : 1505167025749
}, {
"id" : "fa8ky4wx",
"subdomain" : "fa8ky4wx",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"keys" : { },
"disableInResponseToCheck" : false
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but tastier.",
"created" : 1505167023550,
"last_modified" : 1505167023550
}, {
"id" : "mwvq7whq",
"subdomain" : "mwvq7whq",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"keys" : { },
"disableInResponseToCheck" : false
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but tastier.",
"created" : 1505167026797,
"last_modified" : 1505167026797
}, {
"id" : "twiglet-get-1",
"subdomain" : "twiglet-get-1",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Twiglet Zone",
"version" : 0,
"created" : 1505167029371,
"last_modified" : 1505167029371
}, {
"id" : "twiglet-get-2",
"subdomain" : "twiglet-get-2",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Twiglet Zone",
"version" : 0,
"created" : 1505167029462,
"last_modified" : 1505167029462
}, {
"id" : "uaa",
"subdomain" : "",
"config" : {
"clientSecretPolicy" : {
"minLength" : 0,
"maxLength" : 255,
"requireUpperCaseCharacter" : 0,
"requireLowerCaseCharacter" : 0,
"requireDigit" : 0,
"requireSpecialCharacter" : 0
},
"tokenPolicy" : {
"accessTokenValidity" : 43200,
"refreshTokenValidity" : 2592000,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
}
},
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code ( Get one at http://localhost:8080/uaa/passcode )"
} ],
"idpDiscoveryEnabled" : false,
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "scim.me", "cloud_controller.read", "cloud_controller.write", "cloud_controller_service_permissions.read", "password.write", "scim.userids", "uaa.user", "approvals.me", "oauth.approvals", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "uaa",
"version" : 1,
"description" : "The system zone for backwards compatibility",
"created" : 946684800000,
"last_modified" : 1505166985550
} ]
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.read or zones.<zone id>.admin |
Response Fields
Path | Type | Description |
---|---|---|
[].id | String | Unique ID of the identity zone |
[].subdomain | String | Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
[].name | String | Human-readable zone name |
[].description | String | Description of the zone |
[].version | Number | Reserved for future use of E-Tag versioning |
[].config.tokenPolicy.activeKeyId | String | The ID of the key that is being used to sign tokens |
[].config.tokenPolicy.accessTokenValidity | Number | Time in seconds between when an access token is issued and when it expires. Defaults to the global accessTokenValidity. |
[].config.tokenPolicy.refreshTokenValidity | Number | Time in seconds between when a refresh token is issued and when it expires. Defaults to the global refreshTokenValidity. |
[].config.tokenPolicy.jwtRevocable | Boolean | Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
[].config.tokenPolicy.refreshTokenUnique | Boolean | If true, UAA will only issue one refresh token per client_id/user_id combination. Defaults to false. |
[].config.tokenPolicy.refreshTokenFormat | String | The format for the refresh token. Allowed values are jwt and opaque. Defaults to jwt. |
[].config.clientSecretPolicy.minLength | Number | Minimum number of characters required for a secret to be considered valid (defaults to 0). |
[].config.clientSecretPolicy.maxLength | Number | Maximum number of characters allowed for a secret to be considered valid (defaults to 255). |
[].config.clientSecretPolicy.requireUpperCaseCharacter | Number | Minimum number of uppercase characters required for a secret to be considered valid (defaults to 0). |
[].config.clientSecretPolicy.requireLowerCaseCharacter | Number | Minimum number of lowercase characters required for a secret to be considered valid (defaults to 0). |
[].config.clientSecretPolicy.requireDigit | Number | Minimum number of digits required for a secret to be considered valid (defaults to 0). |
[].config.clientSecretPolicy.requireSpecialCharacter | Number | Minimum number of special characters required for a secret to be considered valid (defaults to 0). |
[].config.samlConfig.disableInResponseToCheck | Boolean | If true, this zone will not validate the InResponseTo field of an incoming IDP assertion. See https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
[].config.samlConfig.assertionSigned | Boolean | If true, the SAML provider will sign all assertions |
[].config.samlConfig.wantAssertionSigned | Boolean | Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
[].config.samlConfig.requestSigned | Boolean | Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
[].config.samlConfig.wantAuthnRequestSigned | Boolean | If true, the authentication request from the partner service provider must be signed. |
[].config.samlConfig.assertionTimeToLiveSeconds | Number | The lifetime of a SAML assertion in seconds. Defaults to 600. |
[].config.samlConfig.entityID | String | Unique ID of the SAML2 entity |
[].config.samlConfig.certificate | String | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
[].config.samlConfig.activeKeyId | String | The ID of the key that should be used for signing metadata and assertions. |
[].config.samlConfig.keys.* | Object | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
[].config.samlConfig.keys.*.certificate | String | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
[].config.links.logout.redirectUrl | String | Logout redirect URL |
[].config.links.homeRedirect | String | Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
[].config.links.logout.redirectParameterName | String | Changes the name of the redirect parameter |
[].config.links.logout.disableRedirectParameter | Boolean | Whether or not to allow the redirect parameter on logout |
[].config.links.logout.whitelist | Array | List of allowed (whitelisted) redirect URLs |
[].config.links.selfService.selfServiceLinksEnabled | Boolean | Whether or not users are allowed to sign up or reset their passwords via the UI |
[].config.links.selfService.signup | Null | Where users are directed upon clicking the account creation link |
[].config.links.selfService.passwd | Null | Where users are directed upon clicking the password reset link |
[].config.branding.companyName | String | This name is used on the UAA pages and in account management related communication in UAA |
[].config.branding.productLogo | String | This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
[].config.branding.squareLogo | String | This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
[].config.branding.footerLegalText | String | This text appears on the footer of all UAA pages |
[].config.branding.footerLinks | Object | These links (Map |
[].config.prompts[] | Object | List of fields that users are prompted for to login. Defaults to username, password, and passcode. |
[].config.prompts[].name | String | List of fields that users are prompted for to login. Defaults to username, password, and passcode. |
[].config.prompts[].type | String | What kind of field this is (e.g. text or password) |
[].config.prompts[].text | String | Actual text displayed on the prompt for the field |
[].config.idpDiscoveryEnabled | Boolean | IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on an email domain being set for each additional provider. |
[].config.accountChooserEnabled | Boolean | This flag is required to enable account choosing functionality for the IDP discovery page. |
[].config.branding.footerLinks.* | String | These links (Map |
[].config.branding.banner.text | String | This is text displayed in a banner at the top of the UAA login page |
[].config.branding.banner.logo | String | This is base64 encoded PNG data displayed in a banner at the top of the UAA login page; overrides the banner text |
[].config.branding.banner.link | String | The UAA login banner will be a link pointing to this URL |
[].config.branding.banner.textColor | String | Hexadecimal color code for the banner text color; color names are not allowed |
[].config.branding.banner.backgroundColor | String | Hexadecimal color code for the banner background color; color names are not allowed |
[].config.corsPolicy.xhrConfiguration.allowedOrigins | Array | Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response. |
[].config.corsPolicy.xhrConfiguration.allowedOriginPatterns | Array | Indicates whether a resource can be shared, by returning the value of the Origin patterns. |
[].config.corsPolicy.xhrConfiguration.allowedUris | Array | The list of allowed URIs. |
[].config.corsPolicy.xhrConfiguration.allowedUriPatterns | Array | The list of allowed URI patterns. |
[].config.corsPolicy.xhrConfiguration.allowedHeaders | Array | Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response. |
[].config.corsPolicy.xhrConfiguration.allowedMethods | Array | Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
[].config.corsPolicy.xhrConfiguration.allowedCredentials | Boolean | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials. |
[].config.corsPolicy.xhrConfiguration.maxAge | Number | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache. |
[].config.corsPolicy.defaultConfiguration.allowedOrigins | Array | Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response. |
[].config.corsPolicy.defaultConfiguration.allowedOriginPatterns | Array | Indicates whether a resource can be shared, by returning the value of the Origin patterns. |
[].config.corsPolicy.defaultConfiguration.allowedUris | Array | The list of allowed URIs. |
[].config.corsPolicy.defaultConfiguration.allowedUriPatterns | Array | The list of allowed URI patterns. |
[].config.corsPolicy.defaultConfiguration.allowedHeaders | Array | Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response. |
[].config.corsPolicy.defaultConfiguration.allowedMethods | Array | Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
[].config.corsPolicy.defaultConfiguration.allowedCredentials | Boolean | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials. |
[].config.corsPolicy.defaultConfiguration.maxAge | Number | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache. |
[].config.userConfig.defaultGroups | Array | Default groups each user in the zone inherits. |
Error Codes
Error Code | Description |
---|---|
400 | Bad Request |
401 | Unauthorized - Invalid token |
403 | Forbidden - Insufficient scope |
Updating an Identity Zone
$ curl 'http://localhost/identity-zones/twiglet-update' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer bc859574dd0d4462a79f43a8d2f4d9b5' \
-d '{
"subdomain" : "twiglet-update",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null,
"keys" : {
"updatedKeyId" : {
"signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT"
}
}
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"passphrase" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"privateKeyPassword" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Updated Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but not tastier.",
"created" : 1505167029908,
"last_modified" : 1505167029908
}'
PUT /identity-zones/twiglet-update HTTP/1.1
Content-Type: application/json
Authorization: Bearer bc859574dd0d4462a79f43a8d2f4d9b5
Host: localhost
Content-Length: 6178
{
"subdomain" : "twiglet-update",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null,
"keys" : {
"updatedKeyId" : {
"signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT"
}
}
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"passphrase" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"privateKeyPassword" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Updated Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but not tastier.",
"created" : 1505167029908,
"last_modified" : 1505167029908
}
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 4953
{
"id" : "twiglet-update",
"subdomain" : "twiglet-update",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Updated Twiglet Zone",
"version" : 1,
"description" : "Like the Twilight Zone but not tastier.",
"created" : 1505167029850,
"last_modified" : 1505167029924
}
Path Parameters
/identity-zones/{id}
Parameter | Description |
---|---|
id | Unique ID of the identity zone to update |
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.write or zones.<zone id>.admin |
Request Fields
Path | Type | Constraints | Description |
---|---|---|---|
subdomain | String | Required | Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
name | String | Required | Human-readable zone name |
description | String | Optional | Description of the zone |
version | Number | Optional | Reserved for future use of E-Tag versioning |
config.tokenPolicy.activeKeyId | String | Required if config.tokenPolicy.keys are set | The ID of the key that is used to sign tokens |
config.tokenPolicy.keys.*.signingKey | String | Optional | Keys used to sign tokens, keyed by key ID. If null is specified for keys, the existing value is retained. |
config.tokenPolicy.accessTokenValidity | Number | Optional | Time in seconds between when an access token is issued and when it expires. Defaults to the global accessTokenValidity. |
config.tokenPolicy.refreshTokenValidity | Number | Optional | Time in seconds between when a refresh token is issued and when it expires. Defaults to the global refreshTokenValidity. |
config.tokenPolicy.jwtRevocable | Boolean | Optional | Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
config.tokenPolicy.refreshTokenUnique | Boolean | Optional | If true, UAA issues only one refresh token per client_id/user_id combination. Defaults to false. |
config.tokenPolicy.refreshTokenFormat | String | Optional | The format of the refresh token. Allowed values are jwt and opaque. Defaults to jwt. |
config.clientSecretPolicy.minLength | Number | Required when clientSecretPolicy in the config is not null | Minimum number of characters required for a secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.maxLength | Number | Required when clientSecretPolicy in the config is not null | Maximum number of characters allowed for a secret to be considered valid (defaults to 255). |
config.clientSecretPolicy.requireUpperCaseCharacter | Number | Required when clientSecretPolicy in the config is not null | Minimum number of uppercase characters required for a secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireLowerCaseCharacter | Number | Required when clientSecretPolicy in the config is not null | Minimum number of lowercase characters required for a secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireDigit | Number | Required when clientSecretPolicy in the config is not null | Minimum number of digits required for a secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireSpecialCharacter | Number | Required when clientSecretPolicy in the config is not null | Minimum number of special characters required for a secret to be considered valid (defaults to 0). |
config.samlConfig.disableInResponseToCheck | Boolean | Optional | If true, this zone will not validate the InResponseTo field of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
config.samlConfig.assertionSigned | Boolean | Optional | If true, the SAML provider will sign all assertions |
config.samlConfig.wantAssertionSigned | Boolean | Optional | Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
config.samlConfig.requestSigned | Boolean | Optional | Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
config.samlConfig.wantAuthnRequestSigned | Boolean | Optional | If true, the authentication request from the partner service provider must be signed. |
config.samlConfig.assertionTimeToLiveSeconds | Number | Optional | The lifetime of a SAML assertion in seconds. Defaults to 600. |
config.samlConfig.entityID | String | Optional | Unique ID of the SAML2 entity |
config.samlConfig.certificate | String | Deprecated | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.samlConfig.privateKey | String | Deprecated | Exposed SAML metadata property. The SAML provider's private key. |
config.samlConfig.privateKeyPassword | String | Deprecated | Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use. |
config.samlConfig.activeKeyId | String | Required if a list of keys is defined in the keys map | The ID of the key that should be used for signing metadata and assertions. |
config.samlConfig.keys.*.key | String | Optional. Can only be used in conjunction with keys.<key-id>.passphrase and keys.<key-id>.certificate | Exposed SAML metadata property. The SAML provider's private key. |
config.samlConfig.keys.*.passphrase | String | Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.certificate | Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use. |
config.samlConfig.keys.*.certificate | String | Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.passphrase | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.links.logout.redirectUrl | String | Optional | URL the user is redirected to after logout |
config.links.homeRedirect | String | Optional | Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
config.links.logout.redirectParameterName | String | Optional | Name of the query parameter that carries the post-logout redirect target (redirect in the example above) |
config.links.logout.disableRedirectParameter | Boolean | Optional | If true, the redirect parameter on logout is ignored and the user is always sent to redirectUrl |
config.links.logout.whitelist | Array | Optional | List of URLs the logout redirect parameter is allowed to point to |
config.links.selfService.selfServiceLinksEnabled | Boolean | Optional | Whether or not users are allowed to sign up or reset their passwords via the UI |
config.links.selfService.signup | String | Optional | Where users are directed upon clicking the account creation link (null in the example) |
config.links.selfService.passwd | String | Optional | Where users are directed upon clicking the password reset link (null in the example) |
config.prompts[] | Array | Optional | List of fields that users are prompted for at login. Defaults to username, password, and passcode. |
config.prompts[].name | String | Optional | Name of the field |
config.prompts[].type | String | Optional | What kind of field this is (e.g. text or password) |
config.prompts[].text | String | Optional | Actual text displayed in the prompt for the field |
config.idpDiscoveryEnabled | Boolean | Optional | IDP discovery should be set to true if you have configured more than one identity provider for UAA. Discovery relies on an email domain being set for each additional provider. |
config.accountChooserEnabled | Boolean | Optional | This flag is required to enable the account-choosing functionality on the IDP discovery page. |
config.branding.companyName | String | Optional | This name is used on the UAA pages and in account-management related communication from UAA |
config.branding.productLogo | String | Optional | This is a base64Url encoded PNG image which is used as the logo on all UAA pages such as Login and Sign Up |
config.branding.squareLogo | String | Optional | This is a base64 encoded PNG image which is used as the favicon for the UAA pages |
config.branding.footerLegalText | String | Optional | This text appears in the footer of all UAA pages |
config.branding.footerLinks.* | Object | Optional | Map of link name to URL; these links appear in the footer of all UAA pages |
config.branding.banner.text | String | Optional | This is the text displayed in a banner at the top of the UAA login page |
config.branding.banner.logo | String | Optional | This is base64 encoded PNG data displayed in a banner at the top of the UAA login page; overrides the banner text |
config.branding.banner.link | String | Optional | The UAA login banner will be a link pointing to this URL |
config.branding.banner.textColor | String | Optional | Hexadecimal color code for the banner text color; color names are not allowed |
config.branding.banner.backgroundColor | String | Optional | Hexadecimal color code for the banner background color; color names are not allowed |
config.corsPolicy.xhrConfiguration.allowedOrigins | Array | Optional | Access-Control-Allow-Origin header. Origins from which a resource can be shared; the matching Origin request header value, "*", or "null" is returned in the response. |
config.corsPolicy.xhrConfiguration.allowedOriginPatterns | Array | Optional | Origin patterns from which a resource can be shared. |
config.corsPolicy.xhrConfiguration.allowedUris | Array | Optional | The list of allowed URIs. |
config.corsPolicy.xhrConfiguration.allowedUriPatterns | Array | Optional | The list of allowed URI patterns. |
config.corsPolicy.xhrConfiguration.allowedHeaders | Array | Optional | Access-Control-Allow-Headers header. Indicates which header field names can be used in the actual request. |
config.corsPolicy.xhrConfiguration.allowedMethods | Array | Optional | Access-Control-Allow-Methods header. Indicates which methods can be used in the actual request; returned in the response to a preflight request. |
config.corsPolicy.xhrConfiguration.allowedCredentials | Boolean | Optional | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. In a response to a preflight request, indicates that the actual request can include user credentials. |
config.corsPolicy.xhrConfiguration.maxAge | Number | Optional | Access-Control-Max-Age header. Indicates how long, in seconds, the results of a preflight request can be cached in a preflight result cache. |
config.corsPolicy.defaultConfiguration.allowedOrigins | Array | Optional | Access-Control-Allow-Origin header. Origins from which a resource can be shared; the matching Origin request header value, "*", or "null" is returned in the response. |
config.corsPolicy.defaultConfiguration.allowedOriginPatterns | Array | Optional | Origin patterns from which a resource can be shared. |
config.corsPolicy.defaultConfiguration.allowedUris | Array | Optional | The list of allowed URIs. |
config.corsPolicy.defaultConfiguration.allowedUriPatterns | Array | Optional | The list of allowed URI patterns. |
config.corsPolicy.defaultConfiguration.allowedHeaders | Array | Optional | Access-Control-Allow-Headers header. Indicates which header field names can be used in the actual request. |
config.corsPolicy.defaultConfiguration.allowedMethods | Array | Optional | Access-Control-Allow-Methods header. Indicates which methods can be used in the actual request; returned in the response to a preflight request. |
config.corsPolicy.defaultConfiguration.allowedCredentials | Boolean | Optional | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit-credentials flag is unset. In a response to a preflight request, indicates that the actual request can include user credentials. |
config.corsPolicy.defaultConfiguration.maxAge | Number | Optional | Access-Control-Max-Age header. Indicates how long, in seconds, the results of a preflight request can be cached in a preflight result cache. |
config.userConfig.defaultGroups | Array | Optional | Default groups each user in the zone inherits. |
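The request fields above are the zone's whole policy surface, and the example body ships several of them at their loosest setting: CORS allowedOrigins of ".*" in both configurations, a clientSecretPolicy of all -1 (no secret rules), tokenPolicy.keys supplied with activeKeyId null, and a logout redirect parameter that is honoured with no whitelist. The following added example (not part of the UAA documentation or code base) audits a zone for those settings, produces a hardened copy, and builds the documented PUT /identity-zones/{id} request without sending it. The sample zone is constructed inline from the request body above; the origin pattern, logout URL and key ID passed in are placeholders, and whether a given origin pattern or whitelist entry is accepted by your UAA must be checked against that deployment.

```python
"""Audit and harden a UAA identity-zone config before PUT /identity-zones/{id}."""
import json
from urllib.request import Request

# Constructed sample: the CORS block the documented example uses for both
# xhrConfiguration and defaultConfiguration.
_OPEN_CORS = {
    "allowedOrigins": [".*"], "allowedOriginPatterns": [],
    "allowedUris": [".*"], "allowedUriPatterns": [],
    "allowedHeaders": ["Accept", "Authorization", "Content-Type"],
    "allowedMethods": ["GET"], "allowedCredentials": False, "maxAge": 1728000,
}

# Constructed sample zone: a trimmed copy of the documented PUT body, keeping
# only the settings this audit inspects.
SAMPLE_ZONE = {
    "id": "twiglet-update", "subdomain": "twiglet-update", "version": 0,
    "config": {
        "clientSecretPolicy": {
            "minLength": -1, "maxLength": -1, "requireUpperCaseCharacter": -1,
            "requireLowerCaseCharacter": -1, "requireDigit": -1, "requireSpecialCharacter": -1,
        },
        "tokenPolicy": {
            "accessTokenValidity": -1, "refreshTokenValidity": -1, "jwtRevocable": False,
            "refreshTokenUnique": False, "refreshTokenFormat": "jwt", "activeKeyId": None,
            "keys": {"updatedKeyId": {"signingKey": "upD4t3d.s1gNiNg.K3y/t3XT"}},
        },
        "corsPolicy": {
            "xhrConfiguration": json.loads(json.dumps(_OPEN_CORS)),
            "defaultConfiguration": json.loads(json.dumps(_OPEN_CORS)),
        },
        "links": {"logout": {"redirectUrl": "/login", "redirectParameterName": "redirect",
                             "disableRedirectParameter": False, "whitelist": None}},
    },
}


def audit_zone(zone):
    """Return (path, finding) pairs for settings a reviewer should question."""
    findings = []
    cfg = zone["config"]
    for section in ("xhrConfiguration", "defaultConfiguration"):
        cors = cfg.get("corsPolicy", {}).get(section, {})
        origins = cors.get("allowedOrigins", []) + cors.get("allowedOriginPatterns", [])
        if any(o in (".*", "*") for o in origins):
            # Accepting every Origin is bad; combined with credentials it is far worse.
            level = "critical" if cors.get("allowedCredentials") else "warning"
            findings.append((f"config.corsPolicy.{section}.allowedOrigins",
                             f"{level}: every Origin is accepted"))
    csp = cfg.get("clientSecretPolicy") or {}
    if csp.get("minLength", -1) < 1:
        findings.append(("config.clientSecretPolicy.minLength",
                         "warning: no minimum client secret length is enforced"))
    tp = cfg.get("tokenPolicy") or {}
    if tp.get("keys") and not tp.get("activeKeyId"):
        findings.append(("config.tokenPolicy.activeKeyId",
                         "error: keys supplied without activeKeyId"))
    logout = cfg.get("links", {}).get("logout", {})
    if not logout.get("disableRedirectParameter") and not logout.get("whitelist"):
        findings.append(("config.links.logout.whitelist",
                         "warning: logout redirect parameter honoured with no whitelist"))
    return findings


def harden_zone(zone, origin_patterns, logout_whitelist, active_key_id):
    """Return a deep copy of zone with explicit CORS origins, a client secret
    policy, a logout whitelist and an active signing key; the input is left
    untouched so it can be diffed against the result."""
    z = json.loads(json.dumps(zone))
    cfg = z["config"]
    keys = cfg.get("tokenPolicy", {}).get("keys") or {}
    if active_key_id not in keys:  # activeKeyId is required once keys are set
        raise ValueError(f"activeKeyId {active_key_id!r} is not one of {sorted(keys)}")
    cfg["tokenPolicy"]["activeKeyId"] = active_key_id
    for section in ("xhrConfiguration", "defaultConfiguration"):
        cors = cfg["corsPolicy"][section]
        # The documented default ".*" shows entries are matched as patterns,
        # so anchor each one to an exact scheme and host (assumption: see lead-in).
        cors["allowedOrigins"] = list(origin_patterns)
        cors["allowedOriginPatterns"] = []
    cfg["clientSecretPolicy"] = {
        "minLength": 16, "maxLength": 255, "requireUpperCaseCharacter": 1,
        "requireLowerCaseCharacter": 1, "requireDigit": 1, "requireSpecialCharacter": 0,
    }
    cfg["links"]["logout"]["whitelist"] = list(logout_whitelist)
    return z


def build_update_request(base_url, zone, token):
    """Build, but do not send, the documented PUT /identity-zones/{id} call.
    The bearer token needs zones.write or zones.<zone id>.admin."""
    return Request(f"{base_url}/identity-zones/{zone['id']}", method="PUT",
                   data=json.dumps(zone).encode("utf-8"),
                   headers={"Content-Type": "application/json",
                            "Authorization": f"Bearer {token}"})


if __name__ == "__main__":
    for path, note in audit_zone(SAMPLE_ZONE):
        print(f"{path}: {note}")
    fixed = harden_zone(SAMPLE_ZONE, [r"^https://app\.example\.com$"],
                        ["https://app.example.com/logged-out"], "updatedKeyId")
    req = build_update_request("http://localhost", fixed, "bc859574dd0d4462a79f43a8d2f4d9b5")
    print(req.get_method(), req.full_url, len(req.data), "bytes")
```

Run the audit against the JSON returned by GET /identity-zones/{id} before every PUT: since the update replaces the whole config, a PUT built from a stale or hand-edited copy silently reopens anything the audit would have flagged. Send the request with urllib.request.urlopen(req) only after reviewing the diff between the original and hardened zone.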
Response Fields
Path | Type | Description |
---|---|---|
id |
String |
Unique ID of the identity zone |
subdomain |
String |
Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
name |
String |
Human-readable zone name |
description |
String |
Description of the zone |
version |
Number |
Reserved for future use of E-Tag versioning |
config.tokenPolicy.activeKeyId |
String |
The ID for the key that is being used to sign tokens |
config.tokenPolicy.accessTokenValidity |
Number |
Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity |
config.tokenPolicy.refreshTokenValidity |
Number |
Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity |
config.tokenPolicy.jwtRevocable |
Boolean |
Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
config.tokenPolicy.refreshTokenUnique |
Boolean |
If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false . |
config.tokenPolicy.refreshTokenFormat |
String |
The format for the refresh token. Allowed values are jwt , opaque . Defaults to jwt . |
config.clientSecretPolicy.minLength |
Number |
Minimum number of characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.maxLength |
Number |
Maximum number of characters required for secret to be considered valid (defaults to 255). |
config.clientSecretPolicy.requireUpperCaseCharacter |
Number |
Minimum number of uppercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireLowerCaseCharacter |
Number |
Minimum number of lowercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireDigit |
Number |
Minimum number of digits required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireSpecialCharacter |
Number |
Minimum number of special characters required for secret to be considered valid (defaults to 0). |
config.samlConfig.disableInResponseToCheck |
Boolean |
If true , this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
config.samlConfig.assertionSigned | Boolean | If true, the SAML provider will sign all assertions |
config.samlConfig.wantAssertionSigned | Boolean | Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
config.samlConfig.requestSigned | Boolean | Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
config.samlConfig.wantAuthnRequestSigned | Boolean | If true, the authentication request from the partner service provider must be signed. |
config.samlConfig.assertionTimeToLiveSeconds | Number | The lifetime of a SAML assertion in seconds. Defaults to 600. |
config.samlConfig.entityID | String | Unique ID of the SAML2 entity |
config.samlConfig.certificate | String | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.samlConfig.activeKeyId | String | The ID of the key that should be used for signing metadata and assertions. |
config.samlConfig.keys.*.certificate | String | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.links.logout.redirectUrl | String | Logout redirect URL |
config.links.homeRedirect | String | Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
config.links.logout.redirectParameterName | String | Changes the name of the redirect parameter |
config.links.logout.disableRedirectParameter | Boolean | Whether to disable the redirect parameter on logout |
config.links.logout.whitelist | Array | List of allowed (whitelisted) logout redirect URLs |
config.links.selfService.selfServiceLinksEnabled | Boolean | Whether or not users are allowed to sign up or reset their passwords via the UI |
config.links.selfService.signup | Null | Where users are directed upon clicking the account creation link |
config.links.selfService.passwd | Null | Where users are directed upon clicking the password reset link |
config.prompts[] | Array | List of fields that users are prompted for at login. Defaults to username, password, and passcode. |
config.prompts[].name | String | Name of the field |
config.prompts[].type | String | What kind of field this is (e.g. text or password) |
config.prompts[].text | String | Actual text displayed on the prompt for the field |
config.idpDiscoveryEnabled | Boolean | IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on an email domain being set for each additional provider |
config.accountChooserEnabled | Boolean | This flag is required to enable account choosing functionality on the IDP discovery page. |
config.branding.companyName | String | This name is used on the UAA pages and in account management related communication in UAA |
config.branding.productLogo | String | This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
config.branding.squareLogo | String | This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
config.branding.footerLegalText | String | This text appears in the footer of all UAA pages |
config.branding.footerLinks.* | Array | These links (Map |
config.branding.banner.text | String | This is text displayed in a banner at the top of the UAA login page |
config.branding.banner.logo | String | This is base64 encoded PNG data displayed in a banner at the top of the UAA login page; overrides banner text |
config.branding.banner.link | String | The UAA login banner will be a link pointing to this URL |
config.branding.banner.textColor | String | Hexadecimal color code for banner text color; does not allow color names |
config.branding.banner.backgroundColor | String | Hexadecimal color code for banner background color; does not allow color names |
config.corsPolicy.defaultConfiguration.allowedOrigins | Array | Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.defaultConfiguration.allowedOriginPatterns | Array | Indicates whether a resource can be shared by matching the Origin request header against these patterns. |
config.corsPolicy.defaultConfiguration.allowedUris | Array | The list of allowed URIs. |
config.corsPolicy.defaultConfiguration.allowedUriPatterns | Array | The list of allowed URI patterns. |
config.corsPolicy.defaultConfiguration.allowedHeaders | Array | Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual request |
config.corsPolicy.defaultConfiguration.allowedMethods | Array | Access-Control-Allow-Methods header. Indicates, as part of the response to a preflight request, which methods can be used in the actual request. |
config.corsPolicy.defaultConfiguration.allowedCredentials | Boolean | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials. |
config.corsPolicy.defaultConfiguration.maxAge | Number | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.corsPolicy.xhrConfiguration.allowedOrigins | Array | Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.xhrConfiguration.allowedOriginPatterns | Array | Indicates whether a resource can be shared by matching the Origin request header against these patterns. |
config.corsPolicy.xhrConfiguration.allowedUris | Array | The list of allowed URIs. |
config.corsPolicy.xhrConfiguration.allowedUriPatterns | Array | The list of allowed URI patterns. |
config.corsPolicy.xhrConfiguration.allowedHeaders | Array | Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual request |
config.corsPolicy.xhrConfiguration.allowedMethods | Array | Access-Control-Allow-Methods header. Indicates, as part of the response to a preflight request, which methods can be used in the actual request. |
config.corsPolicy.xhrConfiguration.allowedCredentials | Boolean | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials. |
config.corsPolicy.xhrConfiguration.maxAge | Number | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.userConfig.defaultGroups | Array | Default groups each user in the zone inherits. |
Error Codes
Error Code | Description |
---|---|
400 | Bad Request |
401 | Unauthorized - Invalid token |
403 | Forbidden - Insufficient scope (zone admins can only update own zone) |
404 | Not Found - Update to nonexistent zone |
422 | Unprocessable Entity - Invalid zone details |
Deleting an Identity Zone
$ curl 'http://localhost/identity-zones/twiglet-delete' -i -X DELETE \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 5f49c70da4dc44b1987f3e328c9a8c28'
DELETE /identity-zones/twiglet-delete HTTP/1.1
Content-Type: application/json
Authorization: Bearer 5f49c70da4dc44b1987f3e328c9a8c28
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 4884
{
"id" : "twiglet-delete",
"subdomain" : "twiglet-delete",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "One Time Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
}
},
"name" : "The Twiglet Zone",
"version" : 0,
"created" : 1505167029669,
"last_modified" : 1505167029669
}
Path Parameters
/identity-zones/{id}
Parameter | Description |
---|---|
id | Unique ID of the identity zone to delete |
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.write |
Response Fields
Path | Type | Description |
---|---|---|
id | String | Unique ID of the identity zone |
subdomain | String | Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
name | String | Human-readable zone name |
description | String | Description of the zone |
version | Number | Reserved for future use of E-Tag versioning |
config.tokenPolicy.activeKeyId | String | The ID of the key that is being used to sign tokens |
config.tokenPolicy.accessTokenValidity | Number | Time in seconds between when an access token is issued and when it expires. Defaults to the global accessTokenValidity |
config.tokenPolicy.refreshTokenValidity | Number | Time in seconds between when a refresh token is issued and when it expires. Defaults to the global refreshTokenValidity |
config.tokenPolicy.jwtRevocable | Boolean | Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
config.tokenPolicy.refreshTokenUnique | Boolean | If true, UAA will only issue one refresh token per client_id/user_id combination. Defaults to false. |
config.tokenPolicy.refreshTokenFormat | String | The format for the refresh token. Allowed values are jwt and opaque. Defaults to jwt. |
config.clientSecretPolicy.minLength | Number | Minimum number of characters required for a secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.maxLength | Number | Maximum number of characters allowed for a secret to be considered valid (defaults to 255). |
config.clientSecretPolicy.requireUpperCaseCharacter | Number | Minimum number of uppercase characters required for a secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireLowerCaseCharacter | Number | Minimum number of lowercase characters required for a secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireDigit | Number | Minimum number of digits required for a secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireSpecialCharacter | Number | Minimum number of special characters required for a secret to be considered valid (defaults to 0). |
config.samlConfig.disableInResponseToCheck | Boolean | If true, this zone will not validate the InResponseTo field of an incoming IDP assertion. See https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
config.samlConfig.assertionSigned | Boolean | If true, the SAML provider will sign all assertions |
config.samlConfig.wantAssertionSigned | Boolean | Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
config.samlConfig.requestSigned | Boolean | Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
config.samlConfig.wantAuthnRequestSigned | Boolean | If true, the authentication request from the partner service provider must be signed. |
config.samlConfig.assertionTimeToLiveSeconds | Number | The lifetime of a SAML assertion in seconds. Defaults to 600. |
config.samlConfig.entityID | String | Unique ID of the SAML2 entity |
config.samlConfig.certificate | String | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.samlConfig.activeKeyId | String | The ID of the key that should be used for signing metadata and assertions. |
config.samlConfig.keys.*.certificate | String | Exposed SAML metadata property. The certificate used to verify the authenticity of all communications. |
config.links.logout.redirectUrl | String | Logout redirect URL |
config.links.homeRedirect | String | Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
config.links.logout.redirectParameterName | String | Changes the name of the redirect parameter |
config.links.logout.disableRedirectParameter | Boolean | Whether to disable the redirect parameter on logout |
config.links.logout.whitelist | Array | List of allowed (whitelisted) logout redirect URLs |
config.links.selfService.selfServiceLinksEnabled | Boolean | Whether or not users are allowed to sign up or reset their passwords via the UI |
config.links.selfService.signup | Null | Where users are directed upon clicking the account creation link |
config.links.selfService.passwd | Null | Where users are directed upon clicking the password reset link |
config.prompts[] | Array | List of fields that users are prompted for at login. Defaults to username, password, and passcode. |
config.prompts[].name | String | Name of the field |
config.prompts[].type | String | What kind of field this is (e.g. text or password) |
config.prompts[].text | String | Actual text displayed on the prompt for the field |
config.idpDiscoveryEnabled | Boolean | IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on an email domain being set for each additional provider |
config.accountChooserEnabled | Boolean | This flag is required to enable account choosing functionality on the IDP discovery page. |
config.branding.companyName | String | This name is used on the UAA pages and in account management related communication in UAA |
config.branding.productLogo | String | This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
config.branding.squareLogo | String | This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
config.branding.footerLegalText | String | This text appears in the footer of all UAA pages |
config.branding.footerLinks.* | Array | These links (Map |
config.branding.banner.text | String | This is text displayed in a banner at the top of the UAA login page |
config.branding.banner.logo | String | This is base64 encoded PNG data displayed in a banner at the top of the UAA login page; overrides banner text |
config.branding.banner.link | String | The UAA login banner will be a link pointing to this URL |
config.branding.banner.textColor | String | Hexadecimal color code for banner text color; does not allow color names |
config.branding.banner.backgroundColor | String | Hexadecimal color code for banner background color; does not allow color names |
config.corsPolicy.defaultConfiguration.allowedOrigins | Array | Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.defaultConfiguration.allowedOriginPatterns | Array | Indicates whether a resource can be shared by matching the Origin request header against these patterns. |
config.corsPolicy.defaultConfiguration.allowedUris | Array | The list of allowed URIs. |
config.corsPolicy.defaultConfiguration.allowedUriPatterns | Array | The list of allowed URI patterns. |
config.corsPolicy.defaultConfiguration.allowedHeaders | Array | Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual request |
config.corsPolicy.defaultConfiguration.allowedMethods | Array | Access-Control-Allow-Methods header. Indicates, as part of the response to a preflight request, which methods can be used in the actual request. |
config.corsPolicy.defaultConfiguration.allowedCredentials | Boolean | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials. |
config.corsPolicy.defaultConfiguration.maxAge | Number | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.corsPolicy.xhrConfiguration.allowedOrigins | Array | Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.xhrConfiguration.allowedOriginPatterns | Array | Indicates whether a resource can be shared by matching the Origin request header against these patterns. |
config.corsPolicy.xhrConfiguration.allowedUris | Array | The list of allowed URIs. |
config.corsPolicy.xhrConfiguration.allowedUriPatterns | Array | The list of allowed URI patterns. |
config.corsPolicy.xhrConfiguration.allowedHeaders | Array | Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual request |
config.corsPolicy.xhrConfiguration.allowedMethods | Array | Access-Control-Allow-Methods header. Indicates, as part of the response to a preflight request, which methods can be used in the actual request. |
config.corsPolicy.xhrConfiguration.allowedCredentials | Boolean | Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials. |
config.corsPolicy.xhrConfiguration.maxAge | Number | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.userConfig.defaultGroups | Array | Default groups each user in the zone inherits. |
Error Codes
Error Code | Description |
---|---|
400 | Bad Request |
401 | Unauthorized - Invalid token |
403 | Forbidden - Insufficient scope (zone admins can only delete their own zone) |
404 | Not Found - Zone does not exist |
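The corsPolicy block returned for a zone (above, and in the identical table for zone updates) is easiest to reason about by running a preflight through it. The following is an added example, not UAA's own code: it evaluates a zone's corsPolicy.xhrConfiguration against a sample preflight and lists what a reviewer would flag. How UAA combines the fields internally is an assumption here: allowedOrigins and allowedUris are treated as regular expressions matched against the whole value (the sample zone uses ".*"), the *Patterns lists as exact strings, and header and method comparison as case-insensitive.

```python
"""Evaluate a UAA identity-zone corsPolicy against a CORS preflight request.

Added example, not UAA's own code. Field names follow the zone response;
the matching semantics (regex for allowedOrigins/allowedUris, exact string for
allowedOriginPatterns/allowedUriPatterns) are an assumption of this example.
"""
import re

# Constructed sample: the corsPolicy.xhrConfiguration block of the zone above.
ZONE_XHR_CORS = {
    "allowedOrigins": [".*"],
    "allowedOriginPatterns": [],
    "allowedUris": [".*"],
    "allowedUriPatterns": [],
    "allowedHeaders": ["Accept", "Authorization", "Content-Type"],
    "allowedMethods": ["GET"],
    "allowedCredentials": False,
    "maxAge": 1728000,
}

WILDCARDS = (".*", "*")


def _allowed(value, regexes, literals):
    """True if value is listed literally or fully matched by one of the regexes."""
    if value in literals:
        return True
    return any(re.fullmatch(rx, value) for rx in regexes)


def preflight_response(policy, origin, uri, method, request_headers=()):
    """Headers a preflight (OPTIONS) gets under this policy, or None when denied.

    `request_headers` mirrors Access-Control-Request-Headers; the browser only
    sends the actual request if every one of them is allowed.
    """
    if not _allowed(origin, policy["allowedOrigins"], policy["allowedOriginPatterns"]):
        return None
    if not _allowed(uri, policy["allowedUris"], policy["allowedUriPatterns"]):
        return None
    if method.upper() not in {m.upper() for m in policy["allowedMethods"]}:
        return None
    allowed_headers = {h.lower() for h in policy["allowedHeaders"]}
    if any(h.lower() not in allowed_headers for h in request_headers):
        return None
    headers = {
        # Echo the origin rather than "*": a credentialed response may not use "*".
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(policy["allowedMethods"]),
        "Access-Control-Allow-Headers": ", ".join(policy["allowedHeaders"]),
        "Access-Control-Max-Age": str(policy["maxAge"]),
    }
    if policy["allowedCredentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_cors_policy(policy):
    """Return review findings for a zone's CORS block (empty list = nothing to flag)."""
    findings = []
    any_origin = any(rx in WILDCARDS for rx in policy["allowedOrigins"])
    if any_origin and policy["allowedCredentials"]:
        findings.append("every origin is allowed AND credentials are allowed: "
                        "any site can make credentialed requests to this zone")
    elif any_origin:
        findings.append("allowedOrigins matches every origin; restrict it to the "
                        "web clients that actually call the zone")
    if any(rx in WILDCARDS for rx in policy["allowedUris"]):
        findings.append("allowedUris matches every path; CORS is normally needed "
                        "only for the endpoints browser clients call")
    if policy["maxAge"] > 86400:
        findings.append("maxAge %d s exceeds a day; a tightened policy takes that long "
                        "to reach browsers that cached the old preflight" % policy["maxAge"])
    return findings


if __name__ == "__main__":
    print(preflight_response(ZONE_XHR_CORS, "https://app.example.test", "/userinfo",
                             "GET", ["Authorization"]))
    for finding in audit_cors_policy(ZONE_XHR_CORS):
        print("-", finding)
```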
Identity Providers
Create
SAML
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 486cc9e72e5d4921bfd6b4d48475e61b' \
-d '{
"type" : "saml",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"originKey" : "SAML",
"name" : "SAML name",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
Authorization: Bearer 486cc9e72e5d4921bfd6b4d48475e61b
Host: localhost
Content-Length: 2718
{
"type" : "saml",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"originKey" : "SAML",
"name" : "SAML name",
"active" : true
}
HTTP/1.1 201 Created
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 2967
{
"type" : "saml",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
"idpEntityAlias" : "SAML",
"zoneId" : "uaa",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"id" : "4b5a303a-8403-49df-aaf4-2cba263870d2",
"originKey" : "SAML",
"name" : "SAML name",
"version" : 0,
"created" : 1505167022958,
"last_modified" : 1505167022958,
"active" : true,
"identityZoneId" : "uaa"
}
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 486cc9e72e5d4921bfd6b4d48475e61b' \
-d '{
"type" : "saml",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "http://simplesamlphp.cfapps.io/saml2/idp/metadata.php",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"originKey" : "SAMLMetadataUrl",
"name" : "SAML name",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
Authorization: Bearer 486cc9e72e5d4921bfd6b4d48475e61b
Host: localhost
Content-Length: 791
{
"type" : "saml",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "http://simplesamlphp.cfapps.io/saml2/idp/metadata.php",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"originKey" : "SAMLMetadataUrl",
"name" : "SAML name",
"active" : true
}
HTTP/1.1 201 Created
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 1051
{
"type" : "saml",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "http://simplesamlphp.cfapps.io/saml2/idp/metadata.php",
"idpEntityAlias" : "SAMLMetadataUrl",
"zoneId" : "uaa",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"id" : "a0bb291a-bdb3-4abb-bcf4-e64e762bc7cd",
"originKey" : "SAMLMetadataUrl",
"name" : "SAML name",
"version" : 0,
"created" : 1505167023288,
"last_modified" : 1505167023288,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
rawConfig | Boolean | Optional (defaults to false) | (UAA 3.4.0) Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human-readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database; when false, shadow users must be created before login by an administrator. |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | saml |
originKey | String | Required | A unique alias for the SAML provider |
config.skipSslValidation | Boolean | Optional (defaults to false) | Set to true to skip SSL validation when fetching metadata. |
config.metaDataLocation | String | Required | SAML Metadata - either an XML string or a URL that will deliver XML content |
config.nameID | String | Optional | The name ID to use for the username, default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". |
config.assertionConsumerIndex | Number | Optional | SAML assertion consumer index, default is 0 |
config.metadataTrustCheck | Boolean | Optional | Should metadata be validated, defaults to false |
config.showSamlLink | Boolean | Optional | Should the SAML login link be displayed on the login page, defaults to false |
config.linkText | String | Required if showSamlLink is set to true | The link text for the SAML IDP on the login page |
config.groupMappingMode | String | Optional (defaults to "EXPLICITLY_MAPPED") | Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes. |
config.iconUrl | String | Optional | Reserved for future use |
config.socketFactoryClassName | Null | Optional | Either "org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory" or "org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory", depending on whether a metaDataLocation of type URL is HTTP or HTTPS, respectively |
config.authnContext | Array | Optional | List of AuthnContextClassRef to include in the SAMLRequest. If not specified no AuthnContext will be requested. |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.given_name | String | Optional | Map given_name to the attribute for given name in the provider assertion. |
config.attributeMappings.family_name | String | Optional | Map family_name to the attribute for family name in the provider assertion. |
config.attributeMappings.email | String | Optional | Map email to the attribute for email in the provider assertion. |
config.attributeMappings.phone_number | String | Optional | Map phone_number to the attribute for phone number in the provider assertion. |
Response Fields
Path | Type | Description |
---|---|---|
name | String | Human-readable name for this provider |
config.providerDescription | String | Human-readable name/description of this provider |
config.emailDomain | Array | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database; when false, shadow users must be created before login by an administrator. |
config.storeCustomAttributes | Boolean | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | saml |
originKey | String | A unique alias for the SAML provider |
config.skipSslValidation | Boolean | Set to true to skip SSL validation when fetching metadata. |
config.metaDataLocation | String | SAML Metadata - either an XML string or a URL that will deliver XML content |
config.nameID | String | The name ID to use for the username, default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". |
config.assertionConsumerIndex | Number | SAML assertion consumer index, default is 0 |
config.metadataTrustCheck | Boolean | Should metadata be validated, defaults to false |
config.showSamlLink | Boolean | Should the SAML login link be displayed on the login page, defaults to false |
config.linkText | String | The link text for the SAML IDP on the login page |
config.groupMappingMode | String | Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes. |
config.iconUrl | String | Reserved for future use |
config.socketFactoryClassName | Null | Either "org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory" or "org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory", depending on whether a metaDataLocation of type URL is HTTP or HTTPS, respectively |
config.authnContext | Array | List of AuthnContextClassRef to include in the SAMLRequest. If not specified no AuthnContext will be requested. |
config.attributeMappings | Object | Map external attribute to UAA recognized mappings. |
config.attributeMappings.given_name | String | Map given_name to the attribute for given name in the provider assertion. |
config.attributeMappings.family_name | String | Map family_name to the attribute for family name in the provider assertion. |
config.attributeMappings.email | String | Map email to the attribute for email in the provider assertion. |
config.attributeMappings.phone_number | String | Map phone_number to the attribute for phone number in the provider assertion. |
version | Number | Version of the identity provider data. Clients can use this to protect against conflicting updates |
id | String | Unique identifier for this provider - GUID generated by the UAA |
config.additionalConfiguration | Object | (Unused.) |
identityZoneId | String | Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
created | Number | UAA sets the creation date |
last_modified | Number | UAA sets the modification date |
config.idpEntityAlias | String | This will be set to originKey |
config.zoneId | String | This will be set to the ID of the zone where the provider is being created |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
409 | Conflict - Provider with same origin and zone id exists |
422 | Unprocessable Entity - Invalid configuration |
500 | Internal Server Error |
LDAP
LDAP supports several different configurations. The most common one is authentication using a search-and-bind strategy. The available authentication strategies are:
- Bind authentication - the UAA uses the user's credentials to construct a DN and attempt a BIND operation to the LDAP server
- Search and Bind authentication - We take the username and password, search for the user DN, and attempt a bind operation to the LDAP server
- Search and Compare authentication - We take the username and password, search for the user DN and the user password, and perform a comparison of the provided password with the LDAP password
Group integration also supports different strategies:
- No group integration - LDAP is only used for authentication
- Map a group to a UAA scope - using external group mappings
- LDAP groups contain scopes - an entry in the LDAP record contains UAA scope names
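The three authentication profiles and three group files above, as an added example that is not UAA code: a small Python helper that assembles the request body for POST /identity-providers?rawConfig=true for a chosen strategy and group mode, then lints it for the field combinations each strategy needs and for transport settings a reviewer would flag. The per-profile required-field sets are an assumption read off the three request bodies in this section (not a published UAA schema), and the host ldap.example.test is made up.

```python
import json
import re

# Profile and group files exactly as listed in the ldapProfileFile / ldapGroupFile rows.
PROFILES = {
    "simple-bind": "ldap/ldap-simple-bind.xml",
    "search-and-bind": "ldap/ldap-search-and-bind.xml",
    "search-and-compare": "ldap/ldap-search-and-compare.xml",
}
GROUP_FILES = {
    "none": "ldap/ldap-groups-null.xml",
    "map-to-scopes": "ldap/ldap-groups-map-to-scopes.xml",
    "as-scopes": "ldap/ldap-groups-as-scopes.xml",
}

# Assumption: the non-null fields each strategy needs, read off the three
# request bodies in this section (not a published UAA schema).
REQUIRED_BY_PROFILE = {
    "simple-bind": ("userDNPattern",),
    "search-and-bind": ("bindUserDn", "bindPassword", "userSearchBase", "userSearchFilter"),
    "search-and-compare": ("bindUserDn", "bindPassword", "userSearchBase",
                           "userSearchFilter", "passwordAttributeName", "passwordEncoder"),
}


def build_ldap_provider(profile, group_mode, base_url, **overrides):
    """Assemble the body for POST /identity-providers?rawConfig=true.

    Defaults mirror the documented defaults (mail attribute, StartTLS off,
    shadow users on); strategy-specific fields come in through overrides.
    """
    config = {
        "ldapProfileFile": PROFILES[profile],
        "ldapGroupFile": GROUP_FILES[group_mode],
        "baseUrl": base_url,
        "skipSSLVerification": False,
        "tlsConfiguration": "none",
        "mailAttributeName": "mail",
        "mailSubstituteOverridesLdap": False,
        "addShadowUserOnLogin": True,
        "storeCustomAttributes": True,
        "autoAddGroups": True,
        "groupSearchSubTree": True,
        "maxGroupSearchDepth": 10,
        "attributeMappings": {},
        "externalGroupsWhitelist": [],
    }
    config.update(overrides)
    # type and originKey must both be "ldap" for an LDAP provider.
    return {"type": "ldap", "originKey": "ldap", "name": "ldap",
            "active": True, "config": config}


def lint_ldap_provider(body):
    """Return the list of problems found; an empty list means the body passes."""
    problems = []
    cfg = body.get("config", {})
    if body.get("type") != "ldap" or body.get("originKey") != "ldap":
        problems.append("type and originKey must both be 'ldap'")

    profile = next((k for k, v in PROFILES.items() if v == cfg.get("ldapProfileFile")), None)
    if profile is None:
        problems.append("unknown ldapProfileFile")
    else:
        for field in REQUIRED_BY_PROFILE[profile]:
            if cfg.get(field) in (None, ""):
                problems.append(f"{profile} requires {field}")

    group_file = cfg.get("ldapGroupFile")
    if group_file not in GROUP_FILES.values():
        problems.append("unknown ldapGroupFile")
    elif group_file != GROUP_FILES["none"]:
        # Both group-mapping modes search the directory for the user's groups.
        for field in ("groupSearchBase", "groupSearchFilter"):
            if not cfg.get(field):
                problems.append(f"group integration requires {field}")
        if group_file == GROUP_FILES["as-scopes"] and not cfg.get("groupRoleAttribute"):
            problems.append("groups-as-scopes requires groupRoleAttribute")

    url = cfg.get("baseUrl") or ""
    tls = cfg.get("tlsConfiguration", "none")
    if not re.match(r"^ldaps?://", url):
        problems.append("baseUrl must start with ldap:// or ldaps://")
    elif url.startswith("ldap://") and tls == "none":
        problems.append("ldap:// without StartTLS: bind credentials and directory data cross the network unencrypted")
    if tls not in ("none", "simple", "external"):
        problems.append("tlsConfiguration must be none, simple or external")
    if cfg.get("skipSSLVerification"):
        problems.append("skipSSLVerification=true disables LDAP certificate validation")
    if cfg.get("mailSubstitute") and "{0}" not in cfg["mailSubstitute"]:
        problems.append("mailSubstitute must contain {0}")
    return problems


if __name__ == "__main__":
    body = build_ldap_provider(
        "search-and-bind", "map-to-scopes", "ldaps://ldap.example.test:636",
        bindUserDn="cn=admin,ou=Users,dc=test,dc=com", bindPassword="<bind password>",
        userSearchBase="dc=test,dc=com", userSearchFilter="cn={0}",
        groupSearchBase="ou=scopes,dc=test,dc=com", groupSearchFilter="member={0}")
    print(json.dumps(body, indent=2))
    print("problems:", lint_ldap_provider(body))
```

Note that the 201 response for search-and-bind below echoes the config without bindPassword, so a body rebuilt from a stored response would fail this lint until the secret is supplied again.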
LDAP Simple Bind
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'X-Identity-Zone-Subdomain: mwvq7whq' \
-H 'Authorization: Bearer 11639d61631b49e1b1b4026aac1ab75a' \
-d '{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-simple-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
"userDNPatternDelimiter" : ";",
"bindUserDn" : null,
"userSearchBase" : null,
"userSearchFilter" : null,
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-null.xml",
"groupSearchBase" : null,
"groupSearchFilter" : null,
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 10,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
X-Identity-Zone-Subdomain: mwvq7whq
Authorization: Bearer 11639d61631b49e1b1b4026aac1ab75a
Host: localhost
Content-Length: 1156
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-simple-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
"userDNPatternDelimiter" : ";",
"bindUserDn" : null,
"userSearchBase" : null,
"userSearchFilter" : null,
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-null.xml",
"groupSearchBase" : null,
"groupSearchFilter" : null,
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 10,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}
HTTP/1.1 201 Created
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 1357
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-simple-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
"userDNPatternDelimiter" : ";",
"bindUserDn" : null,
"userSearchBase" : null,
"userSearchFilter" : null,
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-null.xml",
"groupSearchBase" : null,
"groupSearchFilter" : null,
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 10,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"id" : "744d6255-746a-494f-a70a-31fd72170e56",
"originKey" : "ldap",
"name" : "ldap name",
"version" : 0,
"created" : 1505167027153,
"last_modified" : 1505167027153,
"active" : true,
"identityZoneId" : "mwvq7whq"
}
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
rawConfig | Boolean | Optional (defaults to false) | (UAA 3.4.0) Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | ldap |
originKey | String | Required | Origin key must be ldap for an LDAP provider |
config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
config.baseUrl | String | Required | The URL to the LDAP server, must start with ldap:// or ldaps:// |
config.mailAttributeName | String | Optional (defaults to "mail") | The name of the LDAP attribute that contains the user's email address |
config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) | Set to true if you wish to override an LDAP user email address with a generated one |
config.skipSSLVerification | Boolean | Optional (defaults to false) | Skips validation of the LDAP cert if set to true. |
config.tlsConfiguration | String | Optional (defaults to "none") | Sets the StartTLS options, valid values are none, simple or external |
config.referral | String | Optional (defaults to "follow") | Configures the UAA LDAP referral behavior. The following values are possible: |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.first_name | String | Optional (defaults to "givenname") | Map given_name to the attribute for given name in the provider assertion. |
config.attributeMappings.family_name | String | Optional (defaults to "sn") | Map family_name to the attribute for family name in the provider assertion. |
config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") | Map phone_number to the attribute for phone number in the provider assertion. |
Response Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | ldap |
originKey | String | Required | Origin key must be ldap for an LDAP provider |
config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
config.baseUrl | String | Required | The URL to the LDAP server, must start with ldap:// or ldaps:// |
config.mailAttributeName | String | Optional (defaults to "mail") | The name of the LDAP attribute that contains the user's email address |
config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) | Set to true if you wish to override an LDAP user email address with a generated one |
config.skipSSLVerification | Boolean | Optional (defaults to false) | Skips validation of the LDAP cert if set to true. |
config.tlsConfiguration | String | Optional (defaults to "none") | Sets the StartTLS options, valid values are none, simple or external |
config.referral | String | Optional (defaults to "follow") | Configures the UAA LDAP referral behavior. The following values are possible: |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.first_name | String | Optional (defaults to "givenname") | Map given_name to the attribute for given name in the provider assertion. |
config.attributeMappings.family_name | String | Optional (defaults to "sn") | Map family_name to the attribute for family name in the provider assertion. |
config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") | Map phone_number to the attribute for phone number in the provider assertion. |
Error Codes
Error Code | Description |
---|---|
401 | Unauthorized - Missing or invalid token |
403 | Forbidden - Insufficient scope |
409 | Conflict - Provider with same origin and zone id exists |
422 | Unprocessable Entity - Invalid configuration |
500 | Internal Server Error |
LDAP Search and Bind
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'X-Identity-Zone-Subdomain: fa8ky4wx' \
-H 'Authorization: Bearer 76fa0a920db54d9c83b8b0e89371d18f' \
-d '{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"bindPassword" : "adminsecret",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : "{0}@my.org",
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
X-Identity-Zone-Subdomain: fa8ky4wx
Authorization: Bearer 76fa0a920db54d9c83b8b0e89371d18f
Host: localhost
Content-Length: 1261
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"bindPassword" : "adminsecret",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : "{0}@my.org",
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}
HTTP/1.1 201 Created
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 1426
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : "{0}@my.org",
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"id" : "0490a99f-a490-4871-aa0f-1a9f991b216a",
"originKey" : "ldap",
"name" : "ldap name",
"version" : 0,
"created" : 1505167023979,
"last_modified" : 1505167023979,
"active" : true,
"identityZoneId" : "fa8ky4wx"
}
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
rawConfig | Boolean | Optional (defaults to false) | (UAA 3.4.0) Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | ldap |
originKey | String | Required | Origin key must be ldap for an LDAP provider |
config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
config.baseUrl | String | Required | The URL to the LDAP server, must start with ldap:// or ldaps:// |
config.bindPassword | String | Required | Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information. |
config.mailAttributeName | String | Optional (defaults to "mail") | The name of the LDAP attribute that contains the user's email address |
config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) | Set to true if you wish to override an LDAP user email address with a generated one |
config.skipSSLVerification | Boolean | Optional (defaults to false) | Skips validation of the LDAP cert if set to true. |
config.tlsConfiguration | String | Optional (defaults to "none") | Sets the StartTLS options, valid values are none, simple or external |
config.referral | String | Optional (defaults to "follow") | Configures the UAA LDAP referral behavior. The following values are possible: |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.first_name | String | Optional (defaults to "givenname") | Map given_name to the attribute for given name in the provider assertion. |
config.attributeMappings.family_name | String | Optional (defaults to "sn") | Map family_name to the attribute for family name in the provider assertion. |
config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") | Map phone_number to the attribute for phone number in the provider assertion. |
Response Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | ldap |
originKey | String | Required | Origin key must be ldap for an LDAP provider |
config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
config.baseUrl | String | Required | The URL to the LDAP server, must start with ldap:// or ldaps:// |
config.bindPassword | String | Required | Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information. |
config.mailAttributeName | String | Optional (defaults to "mail") | The name of the LDAP attribute that contains the user's email address |
config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) | Set to true if you wish to override an LDAP user email address with a generated one |
config.skipSSLVerification | Boolean | Optional (defaults to false) | Skips validation of the LDAP cert if set to true. |
config.tlsConfiguration | String | Optional (defaults to "none") | Sets the StartTLS options, valid values are none, simple or external |
config.referral | String | Optional (defaults to "follow") | Configures the UAA LDAP referral behavior. The following values are possible: |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.first_name | String | Optional (defaults to "givenname") | Map given_name to the attribute for given name in the provider assertion. |
config.attributeMappings.family_name | String | Optional (defaults to "sn") | Map family_name to the attribute for family name in the provider assertion. |
config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") | Map phone_number to the attribute for phone number in the provider assertion. |
Error Codes
Error Code | Description |
---|---|
401 | Unauthorized - Missing or invalid token |
403 | Forbidden - Insufficient scope |
409 | Conflict - Provider with same origin and zone id exists |
422 | Unprocessable Entity - Invalid configuration |
500 | Internal Server Error |
LDAP Search and Compare
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'X-Identity-Zone-Subdomain: f4296xqx' \
-H 'Authorization: Bearer ecc2a3a511094e938ed9dc8f9bcfbbda' \
-d '{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"bindPassword" : "adminsecret",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : "userPassword",
"passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
"localPasswordCompare" : true,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : "description",
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
X-Identity-Zone-Subdomain: f4296xqx
Authorization: Bearer ecc2a3a511094e938ed9dc8f9bcfbbda
Host: localhost
Content-Length: 1338
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"bindPassword" : "adminsecret",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : "userPassword",
"passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
"localPasswordCompare" : true,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : "description",
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}
HTTP/1.1 201 Created
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 1503
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : "userPassword",
"passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
"localPasswordCompare" : true,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : "description",
"tlsConfiguration" : "none"
},
"id" : "422ab151-fb60-4373-ac9e-c2fa94238124",
"originKey" : "ldap",
"name" : "ldap name",
"version" : 0,
"created" : 1505167026066,
"last_modified" : 1505167026066,
"active" : true,
"identityZoneId" : "f4296xqx"
}
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
rawConfig | Boolean | Optional (defaults to false) | UAA 3.4.0: Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | ldap |
originKey | String | Required | Origin key must be ldap for an LDAP provider |
config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
config.baseUrl | String | Required | The URL to the LDAP server, must start with ldap:// or ldaps:// |
config.bindPassword | String | Required | Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information. |
config.mailAttributeName | String | Optional (defaults to "mail") | The name of the LDAP attribute that contains the user's email address |
config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) | Set to true if you wish to override an LDAP user email address with a generated one |
config.skipSSLVerification | Boolean | Optional (defaults to false) | Skips validation of the LDAP cert if set to true. |
config.tlsConfiguration | String | Optional (defaults to "none") | Sets the StartTLS options, valid values are none, simple or external |
config.referral | String | Optional (defaults to "follow") | Configures the UAA LDAP referral behavior. The following values are possible: |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.first_name | String | Optional (defaults to "givenname") | Map given_name to the attribute for given name in the provider assertion. |
config.attributeMappings.family_name | String | Optional (defaults to "sn") | Map family_name to the attribute for family name in the provider assertion. |
config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") | Map phone_number to the attribute for phone number in the provider assertion. |
Response Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | ldap |
originKey | String | Required | Origin key must be ldap for an LDAP provider |
config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
config.baseUrl | String | Required | The URL to the LDAP server, must start with ldap:// or ldaps:// |
config.bindPassword | String | Required | Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information. |
config.mailAttributeName | String | Optional (defaults to "mail") | The name of the LDAP attribute that contains the user's email address |
config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) | Set to true if you wish to override an LDAP user email address with a generated one |
config.skipSSLVerification | Boolean | Optional (defaults to false) | Skips validation of the LDAP cert if set to true. |
config.tlsConfiguration | String | Optional (defaults to "none") | Sets the StartTLS options, valid values are none, simple or external |
config.referral | String | Optional (defaults to "follow") | Configures the UAA LDAP referral behavior. The following values are possible: |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.first_name | String | Optional (defaults to "givenname") | Map given_name to the attribute for given name in the provider assertion. |
config.attributeMappings.family_name | String | Optional (defaults to "sn") | Map family_name to the attribute for family name in the provider assertion. |
config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") | Map phone_number to the attribute for phone number in the provider assertion. |
Error Codes
Error Code | Description |
---|---|
401 | Unauthorized - Missing or invalid token |
403 | Forbidden - Insufficient scope |
409 | Conflict - Provider with same origin and zone id exists |
422 | Unprocessable Entity - Invalid configuration |
500 | Internal Server Error |
OAuth/OIDC
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 190d267783634124b0befbfac0690719' \
-d '{
"type" : "oauth2.0",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : "http://auth.url",
"tokenUrl" : "http://token.url",
"tokenKeyUrl" : null,
"tokenKey" : "token-key",
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : false,
"relyingPartyId" : "uaa",
"relyingPartySecret" : "secret",
"scopes" : null,
"issuer" : null,
"responseType" : "code"
},
"originKey" : "my-oauth2-provider",
"name" : "UAA Provider",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
Authorization: Bearer 190d267783634124b0befbfac0690719
Host: localhost
Content-Length: 672
{
"type" : "oauth2.0",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : "http://auth.url",
"tokenUrl" : "http://token.url",
"tokenKeyUrl" : null,
"tokenKey" : "token-key",
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : false,
"relyingPartyId" : "uaa",
"relyingPartySecret" : "secret",
"scopes" : null,
"issuer" : null,
"responseType" : "code"
},
"originKey" : "my-oauth2-provider",
"name" : "UAA Provider",
"active" : true
}
HTTP/1.1 201 Created
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 896
{
"type" : "oauth2.0",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : "http://auth.url",
"tokenUrl" : "http://token.url",
"tokenKeyUrl" : null,
"tokenKey" : "token-key",
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : false,
"relyingPartyId" : "uaa",
"scopes" : null,
"issuer" : null,
"responseType" : "code",
"checkTokenUrl" : null
},
"id" : "617096ca-3e2a-4431-b537-ea256af5fe56",
"originKey" : "my-oauth2-provider",
"name" : "UAA Provider",
"version" : 0,
"created" : 1505167025485,
"last_modified" : 1505167025485,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
rawConfig | Boolean | Optional (defaults to false) | UAA 3.4.0: Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | "oauth2.0" |
originKey | String | Required | A unique alias for an OAuth provider |
config.authUrl | String | Required | The OAuth 2.0 authorization endpoint URL |
config.tokenUrl | String | Required | The OAuth 2.0 token endpoint URL |
config.tokenKeyUrl | String | Optional | The URL of the token key endpoint which renders a verification key for validating token signatures |
config.tokenKey | String | Optional | A verification key for validating token signatures, set to null if a tokenKeyUrl is provided. |
config.showLinkText | Boolean | Optional (defaults to true) | A flag controlling whether a link to this provider's login will be shown on the UAA login page |
config.linkText | String | Optional | Text to use for the login link to the provider |
config.relyingPartyId | String | Required | The client ID which is registered with the external OAuth provider for use by the UAA |
config.skipSslValidation | Boolean | Optional | A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server |
config.scopes | Array | Optional | What scopes to request on a call to the external OAuth provider |
config.checkTokenUrl | Object | Optional | Reserved for future OAuth use. |
config.responseType | String | Optional (defaults to "code") | Response type for the authorize request, will be sent to the OAuth server, defaults to code |
config.clientAuthInBody | Boolean | Optional (defaults to false) | Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Determines whether or not shadow users must be created before login by an administrator. |
config.attributeMappings.external_groups | Object | Optional | Map external_groups to the attribute for groups in the provider assertion. |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.user_name | String | Optional (defaults to "preferred_username") | Map user_name to the attribute for username in the provider assertion. |
config.issuer | String | Optional | The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token. |
config.relyingPartySecret | String | Required | The client secret of the relying party at the external OAuth provider |
Response Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | "oauth2.0" |
originKey | String | Required | A unique alias for an OAuth provider |
config.authUrl | String | Required | The OAuth 2.0 authorization endpoint URL |
config.tokenUrl | String | Required | The OAuth 2.0 token endpoint URL |
config.tokenKeyUrl | String | Optional | The URL of the token key endpoint which renders a verification key for validating token signatures |
config.tokenKey | String | Optional | A verification key for validating token signatures, set to null if a tokenKeyUrl is provided. |
config.showLinkText | Boolean | Optional (defaults to true) | A flag controlling whether a link to this provider's login will be shown on the UAA login page |
config.linkText | String | Optional | Text to use for the login link to the provider |
config.relyingPartyId | String | Required | The client ID which is registered with the external OAuth provider for use by the UAA |
config.skipSslValidation | Boolean | Optional | A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server |
config.scopes | Array | Optional | What scopes to request on a call to the external OAuth provider |
config.checkTokenUrl | Object | Optional | Reserved for future OAuth use. |
config.responseType | String | Optional (defaults to "code") | Response type for the authorize request, will be sent to the OAuth server, defaults to code |
config.clientAuthInBody | Boolean | Optional (defaults to false) | Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Determines whether or not shadow users must be created before login by an administrator. |
config.attributeMappings.external_groups | Object | Optional | Map external_groups to the attribute for groups in the provider assertion. |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.user_name | String | Optional (defaults to "preferred_username") | Map user_name to the attribute for username in the provider assertion. |
config.issuer | String | Optional | The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token. |
config.relyingPartySecret | String | Required | The client secret of the relying party at the external OAuth provider |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
409 | Conflict - Provider with same origin and zone id exists |
422 | Unprocessable Entity - Invalid configuration |
500 | Internal Server Error |
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 2fce740ca8fc4711b8625d639c6d2989' \
-d '{
"type" : "oidc1.0",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : null,
"tokenUrl" : null,
"tokenKeyUrl" : null,
"tokenKey" : null,
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : true,
"relyingPartyId" : "uaa",
"relyingPartySecret" : "secret",
"scopes" : null,
"issuer" : null,
"responseType" : "code",
"userInfoUrl" : null,
"discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration"
},
"originKey" : "my-oidc-provider-xbnvae",
"name" : "UAA Provider",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
Authorization: Bearer 2fce740ca8fc4711b8625d639c6d2989
Host: localhost
Content-Length: 752
{
"type" : "oidc1.0",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : null,
"tokenUrl" : null,
"tokenKeyUrl" : null,
"tokenKey" : null,
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : true,
"relyingPartyId" : "uaa",
"relyingPartySecret" : "secret",
"scopes" : null,
"issuer" : null,
"responseType" : "code",
"userInfoUrl" : null,
"discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration"
},
"originKey" : "my-oidc-provider-xbnvae",
"name" : "UAA Provider",
"active" : true
}
HTTP/1.1 201 Created
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 948
{
"type" : "oidc1.0",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : null,
"tokenUrl" : null,
"tokenKeyUrl" : null,
"tokenKey" : null,
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : true,
"relyingPartyId" : "uaa",
"scopes" : null,
"issuer" : null,
"responseType" : "code",
"userInfoUrl" : null,
"discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration"
},
"id" : "9bf47951-8b29-44b7-80f7-a40851b370ab",
"originKey" : "my-oidc-provider-xbnvae",
"name" : "UAA Provider",
"version" : 0,
"created" : 1505167025584,
"last_modified" : 1505167025584,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
rawConfig | Boolean | Optional (defaults to false) | UAA 3.4.0: Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | "oidc1.0" |
originKey | String | Required | A unique alias for the OIDC 1.0 provider |
config.discoveryUrl | String | Optional | The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configuration |
config.authUrl | String | Required unless discoveryUrl is set. | The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
config.tokenUrl | String | Required unless discoveryUrl is set. | The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
config.tokenKeyUrl | String | Required unless discoveryUrl is set. | The URL of the token key endpoint which renders a verification key for validating token signatures. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
config.tokenKey | String | Required unless discoveryUrl is set. | A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
config.showLinkText | Boolean | Optional (defaults to true) | A flag controlling whether a link to this provider's login will be shown on the UAA login page |
config.linkText | String | Optional | Text to use for the login link to the provider |
config.relyingPartyId | String | Required | The client ID which is registered with the external OAuth provider for use by the UAA |
config.skipSslValidation | Boolean | Optional | A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server |
config.scopes | Array | Optional | What scopes to request on a call to the external OAuth/OpenID provider. For example, can provide openid, roles, or profile to request the ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively. |
config.checkTokenUrl | Object | Optional | Reserved for future OAuth/OIDC use. |
config.clientAuthInBody | Boolean | Optional (defaults to false) | Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. |
config.userInfoUrl | Object | Optional | Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
config.responseType | String | Optional (defaults to "code") | Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Determines whether or not shadow users must be created before login by an administrator. |
config.attributeMappings.external_groups | Object | Optional | Map external_groups to the attribute for groups in the provider assertion. |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.user_name | String | Optional (defaults to "preferred_username") | Map user_name to the attribute for username in the provider assertion. |
config.issuer | String | Optional | The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token. |
config.relyingPartySecret | String | Required | The client secret of the relying party at the external OAuth provider |
Response Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users should be allowed to authenticate from LDAP without having a user pre-populated in the users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes to be fetched from the /userinfo endpoint |
type | String | Required | "oidc1.0" |
originKey | String | Required | A unique alias for the OIDC 1.0 provider |
config.discoveryUrl | String | Optional | The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configuration |
config.authUrl | String | Required unless discoveryUrl is set. | The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
config.tokenUrl | String | Required unless discoveryUrl is set. | The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
config.tokenKeyUrl | String | Required unless discoveryUrl is set. | The URL of the token key endpoint which renders a verification key for validating token signatures. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
config.tokenKey | String | Required unless discoveryUrl is set. | A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
config.showLinkText | Boolean | Optional (defaults to true) | A flag controlling whether a link to this provider's login will be shown on the UAA login page |
config.linkText | String | Optional | Text to use for the login link to the provider |
config.relyingPartyId | String | Required | The client ID which is registered with the external OAuth provider for use by the UAA |
config.skipSslValidation | Boolean | Optional | A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server |
config.scopes | Array | Optional | What scopes to request on a call to the external OAuth/OpenID provider. For example, can provide openid, roles, or profile to request the ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively. |
config.checkTokenUrl | Object | Optional | Reserved for future OAuth/OIDC use. |
config.clientAuthInBody | Boolean | Optional (defaults to false) | Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. |
config.userInfoUrl | Object | Optional | Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
config.responseType | String | Optional (defaults to "code") | Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Determines whether or not shadow users must be created before login by an administrator. |
config.attributeMappings.external_groups | Object | Optional | Map external_groups to the attribute for groups in the provider assertion. |
config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
config.attributeMappings.user_name | String | Optional (defaults to "preferred_username") | Map user_name to the attribute for username in the provider assertion. |
config.issuer | String | Optional | The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token. |
config.relyingPartySecret | String | Required | The client secret of the relying party at the external OAuth provider |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
409 | Conflict - Provider with same origin and zone id exists |
422 | Unprocessable Entity - Invalid configuration |
500 | Internal Server Error |
Retrieve All
$ curl 'http://localhost/identity-providers?rawConfig=false' -i \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer ed8ab702660c40d5a5647f371c454235'
GET /identity-providers?rawConfig=false HTTP/1.1
Content-Type: application/json
Authorization: Bearer ed8ab702660c40d5a5647f371c454235
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 6643
[ {
"type" : "saml",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/SAML\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" 
Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"SAML\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:SAML\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
"id" : "4b5a303a-8403-49df-aaf4-2cba263870d2",
"originKey" : "SAML",
"name" : "SAML name",
"version" : 0,
"created" : 1505167022958,
"last_modified" : 1505167022958,
"active" : true,
"identityZoneId" : "uaa"
}, {
"type" : "saml",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"http://simplesamlphp.cfapps.io/saml2/idp/metadata.php\",\"idpEntityAlias\":\"SAMLMetadataUrl\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:transient\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:SAML\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
"id" : "a0bb291a-bdb3-4abb-bcf4-e64e762bc7cd",
"originKey" : "SAMLMetadataUrl",
"name" : "SAML name",
"version" : 0,
"created" : 1505167023288,
"last_modified" : 1505167023288,
"active" : true,
"identityZoneId" : "uaa"
}, {
"type" : "keystone",
"config" : "null",
"id" : "51540be0-3270-429a-9134-db60329d634a",
"originKey" : "keystone",
"name" : "keystone",
"version" : 1,
"created" : 946684800000,
"last_modified" : 1505166984322,
"active" : false,
"identityZoneId" : "uaa"
}, {
"type" : "ldap",
"config" : "null",
"id" : "fc717f18-0b79-455d-8262-8a43939bd88e",
"originKey" : "ldap",
"name" : "ldap",
"version" : 1,
"created" : 946684800000,
"last_modified" : 1505166985239,
"active" : false,
"identityZoneId" : "uaa"
}, {
"type" : "login-server",
"config" : "null",
"id" : "c83bd372-e36b-44f9-8fbf-1d21cf33b0c9",
"originKey" : "login-server",
"name" : "login-server",
"version" : 1,
"created" : 946684800000,
"last_modified" : 1505166985249,
"active" : false,
"identityZoneId" : "uaa"
}, {
"type" : "oauth2.0",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":\"http://auth.url\",\"tokenUrl\":\"http://token.url\",\"tokenKeyUrl\":null,\"tokenKey\":\"token-key\",\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":false,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"checkTokenUrl\":null}",
"id" : "617096ca-3e2a-4431-b537-ea256af5fe56",
"originKey" : "my-oauth2-provider",
"name" : "UAA Provider",
"version" : 0,
"created" : 1505167025485,
"last_modified" : 1505167025485,
"active" : true,
"identityZoneId" : "uaa"
}, {
"type" : "oidc1.0",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":null,\"tokenUrl\":null,\"tokenKeyUrl\":null,\"tokenKey\":null,\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":true,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"userInfoUrl\":null,\"discoveryUrl\":\"https://accounts.google.com/.well-known/openid-configuration\"}",
"id" : "9bf47951-8b29-44b7-80f7-a40851b370ab",
"originKey" : "my-oidc-provider-xbnvae",
"name" : "UAA Provider",
"version" : 0,
"created" : 1505167025584,
"last_modified" : 1505167025584,
"active" : true,
"identityZoneId" : "uaa"
}, {
"type" : "uaa",
"config" : "null",
"id" : "307698a3-e2bb-418b-aa0f-c66242d72bc7",
"originKey" : "uaa",
"name" : "uaa",
"version" : 3,
"created" : 946684800000,
"last_modified" : 1505167025683,
"active" : true,
"identityZoneId" : "uaa"
} ]
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
rawConfig | Boolean | Optional (defaults to false) | (UAA 3.4.0) Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Response Fields
Path | Type | Description |
---|---|---|
[].type | String | Type of the identity provider. |
[].originKey | String | Unique identifier for the identity provider. |
[].name | String | Human-readable name for this provider |
[].config | String | JSON config for the identity provider, encoded as a string unless rawConfig=true is requested |
[].version | Number | Version of the identity provider data. Clients can use this to protect against conflicting updates |
[].active | Boolean | Defaults to true. |
[].id | String | Unique identifier for this provider - GUID generated by the UAA |
[].identityZoneId | String | Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
[].created | Number | UAA sets the creation date |
[].last_modified | Number | UAA sets the modification date |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
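A review pass over the Retrieve All output, as an added example that is not UAA code and not part of this documentation. It parses the list (with rawConfig=false the config field is JSON encoded as a string, and the literal "null" for the built-in providers, so it has to be decoded a second time) and flags the settings from the tables above that weaken trust in an external provider: skipSslValidation, plaintext http endpoints, a static tokenKey with no key URL, and a SAML metadataTrustCheck of false. The sample body is constructed from the shapes on this page; the severity labels, the rule list and the reading of metadataTrustCheck as "metadata signature not verified" are this example's own choices.

```python
"""Audit GET /identity-providers output for risky settings.

Added example; this is not UAA code and not part of the UAA documentation.
It assumes the response shapes shown on this page. Severity labels and the
rule list are this example's own choices.
"""
import json

# Constructed sample, modelled on the Retrieve All response above. With
# rawConfig=false the "config" field is JSON encoded as a string (and the
# literal string "null" for providers without a config), so it has to be
# decoded a second time.
SAMPLE_BODY = json.dumps([
    {"type": "oauth2.0", "originKey": "my-oauth2-provider", "active": True,
     "config": json.dumps({
         "authUrl": "http://auth.url", "tokenUrl": "http://token.url",
         "tokenKeyUrl": None, "tokenKey": "token-key",
         "skipSslValidation": False, "addShadowUserOnLogin": True})},
    {"type": "oidc1.0", "originKey": "my-oidc-provider", "active": True,
     "config": json.dumps({
         "discoveryUrl": "https://accounts.google.com/.well-known/openid-configuration",
         "tokenKey": None, "skipSslValidation": True, "addShadowUserOnLogin": True})},
    {"type": "saml", "originKey": "SAMLMetadataUrl", "active": True,
     "config": json.dumps({
         "metaDataLocation": "http://simplesamlphp.cfapps.io/saml2/idp/metadata.php",
         "metadataTrustCheck": False, "skipSslValidation": False,
         "addShadowUserOnLogin": True})},
    {"type": "ldap", "originKey": "ldap", "active": False, "config": "null"},
])

URL_FIELDS = ("authUrl", "tokenUrl", "tokenKeyUrl", "userInfoUrl",
              "discoveryUrl", "metaDataLocation")
EXTERNAL_TYPES = ("saml", "oauth2.0", "oidc1.0")


def decode_providers(body):
    """Parse the list and decode the string-encoded config (rawConfig=false).
    Works unchanged on rawConfig=true output, where config is already an object."""
    providers = json.loads(body)
    for p in providers:
        cfg = p.get("config")
        if isinstance(cfg, str):
            cfg = json.loads(cfg)
        p["config"] = cfg or {}
    return providers


def audit(body):
    """Return (originKey, severity, message) tuples for active external providers."""
    findings = []
    for p in decode_providers(body):
        if not p.get("active", True) or p.get("type") not in EXTERNAL_TYPES:
            continue
        key, cfg = p["originKey"], p["config"]
        if cfg.get("skipSslValidation"):
            findings.append((key, "HIGH", "skipSslValidation=true: the external "
                             "provider's TLS certificate is not verified"))
        for field in URL_FIELDS:
            value = cfg.get(field)
            if isinstance(value, str) and value.lower().startswith("http://"):
                findings.append((key, "HIGH", f"{field} is plaintext http: {value}"))
        # The page recommends against a static tokenKey: it cannot follow the
        # provider's signing-key rotation.
        if cfg.get("tokenKey") and not (cfg.get("tokenKeyUrl") or cfg.get("discoveryUrl")):
            findings.append((key, "MEDIUM", "static tokenKey with no tokenKeyUrl or "
                             "discoveryUrl: key rotation at the provider will break logins"))
        # Assumption: metadataTrustCheck=false means the SAML metadata signature
        # is not validated against a trusted key.
        if p["type"] == "saml" and cfg.get("metadataTrustCheck") is False:
            findings.append((key, "MEDIUM", "metadataTrustCheck=false: IdP metadata "
                             "signature is not verified"))
        if cfg.get("addShadowUserOnLogin", True):
            findings.append((key, "INFO", "addShadowUserOnLogin=true: every user the "
                             "provider authenticates is auto-provisioned in the UAA"))
    return findings


if __name__ == "__main__":
    for origin, severity, message in audit(SAMPLE_BODY):
        print(f"{severity:6} {origin}: {message}")
```

Point it at a real listing by replacing SAMPLE_BODY with the response body of the curl call above; inactive providers are skipped because their configuration is not reachable from a login.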
Retrieve
$ curl 'http://localhost/identity-providers/2db99319-37d6-47dd-a55c-9a0cbd1a091c?rawConfig=false' -i \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer d39c9d6d94fd4bda914981e6a9e07ff2'
GET /identity-providers/2db99319-37d6-47dd-a55c-9a0cbd1a091c?rawConfig=false HTTP/1.1
Content-Type: application/json
Authorization: Bearer d39c9d6d94fd4bda914981e6a9e07ff2
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 2976
{
"type" : "saml",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/saml-for-get\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" 
Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"saml-for-get\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:saml-for-get\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
"id" : "2db99319-37d6-47dd-a55c-9a0cbd1a091c",
"originKey" : "saml-for-get",
"name" : "saml-for-get name",
"version" : 0,
"created" : 1505167025317,
"last_modified" : 1505167025317,
"active" : true,
"identityZoneId" : "uaa"
}
Path Parameters
/identity-providers/{id}
Parameter | Description |
---|---|
id | Unique identifier for this provider - GUID generated by the UAA |
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
rawConfig | Boolean | Optional (defaults to false) | (UAA 3.4.0) Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Response Fields
Path | Type | Description |
---|---|---|
name | String | Human-readable name for this provider |
config.providerDescription | String | Human readable name/description of this provider |
config.emailDomain | Array | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Whether users may authenticate through this provider without a user record pre-populated in the UAA users database |
config.storeCustomAttributes | Boolean | Set to true to store custom user attributes, to be fetched from the /userinfo endpoint |
type | String | Type of the identity provider. |
originKey | String | Unique identifier for the identity provider. |
config | String | Various configuration properties for the identity provider. |
config.additionalConfiguration | Object | (Unused.) |
version | Number | Version of the identity provider data. Clients can use this to protect against conflicting updates |
id | String | Unique identifier for this provider - GUID generated by the UAA |
identityZoneId | String | Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
created | Number | UAA sets the creation date |
last_modified | Number | UAA sets the modification date |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
Update
$ curl 'http://localhost/identity-providers/307698a3-e2bb-418b-aa0f-c66242d72bc7?rawConfig=true' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer d53f5bc01c5c477a95c8eaad14f7b8d5' \
-d '{"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true}'
PUT /identity-providers/307698a3-e2bb-418b-aa0f-c66242d72bc7?rawConfig=true HTTP/1.1
Content-Type: application/json
Authorization: Bearer d53f5bc01c5c477a95c8eaad14f7b8d5
Host: localhost
Content-Length: 280
{"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true}
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 559
{
"type" : "uaa",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"passwordPolicy" : null,
"lockoutPolicy" : {
"lockoutPeriodSeconds" : 8,
"lockoutAfterFailures" : 8,
"countFailuresWithin" : 8
},
"disableInternalUserManagement" : false
},
"id" : "307698a3-e2bb-418b-aa0f-c66242d72bc7",
"originKey" : "uaa",
"name" : "uaa",
"version" : 4,
"created" : 946684800000,
"last_modified" : 1505167026715,
"active" : true,
"identityZoneId" : "uaa"
}
Path Parameters
/identity-providers/{id}
Parameter | Description |
---|---|
id | Unique identifier for this provider - GUID generated by the UAA |
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
rawConfig | Boolean | Optional (defaults to false) | (UAA 3.4.0) Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request and Response Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human-readable name for this provider |
config.providerDescription | String | Optional | Human readable name/description of this provider |
config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Optional | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Optional (defaults to true) | Whether users may authenticate through this provider without a user record pre-populated in the UAA users database |
config.storeCustomAttributes | Boolean | Optional (defaults to true) | Set to true to store custom user attributes, to be fetched from the /userinfo endpoint |
type | String | Required | uaa |
originKey | String | Required | A unique identifier for the IDP. Cannot be updated. |
version | Number | Required | Version of the identity provider data. Clients can use this to protect against conflicting updates |
config.passwordPolicy.minLength | Number | Required when passwordPolicy in the config is not null | Minimum number of characters required for a password to be considered valid (defaults to 0). |
config.passwordPolicy.maxLength | Number | Required when passwordPolicy in the config is not null | Maximum number of characters allowed for a password to be considered valid (defaults to 255). |
config.passwordPolicy.requireUpperCaseCharacter | Number | Required when passwordPolicy in the config is not null | Minimum number of uppercase characters required for a password to be considered valid (defaults to 0). |
config.passwordPolicy.requireLowerCaseCharacter | Number | Required when passwordPolicy in the config is not null | Minimum number of lowercase characters required for a password to be considered valid (defaults to 0). |
config.passwordPolicy.requireDigit | Number | Required when passwordPolicy in the config is not null | Minimum number of digits required for a password to be considered valid (defaults to 0). |
config.passwordPolicy.requireSpecialCharacter | Number | Required when passwordPolicy in the config is not null | Minimum number of special characters required for a password to be considered valid (defaults to 0). |
config.passwordPolicy.expireInMonths | Number | Required when passwordPolicy in the config is not null | Number of months after which the current password expires (defaults to 0). |
config.passwordPolicy.passwordNewerThan | Number | Required when passwordPolicy in the config is not null | Timestamp used to force a password change for every user: if a user's passwordLastModified is older than this value, the password is expired (defaults to null). |
config.lockoutPolicy.lockoutPeriodSeconds | Number | Required when lockoutPolicy in the config is not null | Number of seconds an account stays locked once lockoutAfterFailures failures have occurred within countFailuresWithin seconds (defaults to 300). |
config.lockoutPolicy.lockoutAfterFailures | Number | Required when lockoutPolicy in the config is not null | Number of allowed failures before the account is locked (defaults to 5). |
config.lockoutPolicy.countFailuresWithin | Number | Required when lockoutPolicy in the config is not null | Number of seconds within which lockoutAfterFailures failures must occur for the account to be locked (defaults to 3600). |
config.disableInternalUserManagement | Boolean | Optional | When set to true, user management is disabled for this provider, defaults to false |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
422 | Unprocessable Entity - Invalid config |
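The lockout and password-expiry rules from the Request and Response Fields table, simulated in Python as an added example that is not UAA code. It encodes the documented meaning of lockoutPeriodSeconds, lockoutAfterFailures, countFailuresWithin and passwordNewerThan on constructed timestamps, and missing_policy_fields enforces the table's rule that every sub-field is required once a policy object is present. How UAA accounts for failures that arrive while an account is already locked is not described on this page; the simulation assumes the lock period runs from the most recent failure.

```python
"""Simulate UAA lockoutPolicy and passwordPolicy.passwordNewerThan semantics.

Added example, not UAA code. It encodes the field meanings documented in the
Update table on this page; the timestamps and policies below are constructed.
Assumption: the lock period is measured from the most recent failure.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

PASSWORD_POLICY_KEYS = ("minLength", "maxLength", "requireUpperCaseCharacter",
                        "requireLowerCaseCharacter", "requireDigit",
                        "requireSpecialCharacter", "expireInMonths", "passwordNewerThan")
LOCKOUT_POLICY_KEYS = ("lockoutPeriodSeconds", "lockoutAfterFailures", "countFailuresWithin")


@dataclass(frozen=True)
class LockoutPolicy:
    lockoutPeriodSeconds: int = 300    # how long the account stays locked
    lockoutAfterFailures: int = 5      # failures that trigger the lock
    countFailuresWithin: int = 3600    # window in which failures are counted


def is_locked(policy: LockoutPolicy, failure_times: Sequence[int], now: int) -> bool:
    """True if the login failures (epoch seconds) lock the account at `now`."""
    window_start = now - policy.countFailuresWithin
    recent = sorted(t for t in failure_times if window_start <= t <= now)
    if len(recent) < policy.lockoutAfterFailures:
        return False
    # Assumption: the lock period runs from the most recent failure, so a
    # failed attempt made during the lock extends it.
    return now < recent[-1] + policy.lockoutPeriodSeconds


def is_password_expired(password_last_modified_ms: int,
                        password_policy: Optional[dict]) -> bool:
    """The passwordNewerThan rule: a password last changed before that timestamp
    is expired. PATCH /identity-providers/{id}/status sets it to the current time."""
    if not password_policy or password_policy.get("passwordNewerThan") is None:
        return False
    return password_last_modified_ms < password_policy["passwordNewerThan"]


def missing_policy_fields(config: dict) -> list:
    """The table marks every sub-field as required once the policy object is
    present (null policies are allowed); return the dotted paths that are absent."""
    missing = []
    for name, keys in (("passwordPolicy", PASSWORD_POLICY_KEYS),
                       ("lockoutPolicy", LOCKOUT_POLICY_KEYS)):
        policy = config.get(name)
        if policy is not None:
            missing += [f"{name}.{k}" for k in keys if k not in policy]
    return missing


# Constructed: the uaa provider config sent in the Update example above.
PAGE_CONFIG = {
    "emailDomain": None, "providerDescription": None, "passwordPolicy": None,
    "lockoutPolicy": {"lockoutPeriodSeconds": 8, "lockoutAfterFailures": 8,
                      "countFailuresWithin": 8},
    "disableInternalUserManagement": False,
}

if __name__ == "__main__":
    print("missing:", missing_policy_fields(PAGE_CONFIG))
    print("locked at 1100:", is_locked(LockoutPolicy(), [1000, 1010, 1020, 1030, 1040], 1100))
    print("locked at 1400:", is_locked(LockoutPolicy(), [1000, 1010, 1020, 1030, 1040], 1400))
```

Run missing_policy_fields over a PUT body before sending it; a policy object with a field left out is what the 422 "Invalid config" response above reports.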
Delete
$ curl 'http://localhost/identity-providers/4f7c01cc-613d-445a-8966-e17b59a9254b' -i -X DELETE \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 6d6004b998084e5a8e69c8ba3a8a7d16'
DELETE /identity-providers/4f7c01cc-613d-445a-8966-e17b59a9254b HTTP/1.1
Content-Type: application/json
Authorization: Bearer 6d6004b998084e5a8e69c8ba3a8a7d16
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 2991
{
"type" : "saml",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/saml-for-delete\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" 
Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"saml-for-delete\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:saml-for-delete\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
"id" : "4f7c01cc-613d-445a-8966-e17b59a9254b",
"originKey" : "saml-for-delete",
"name" : "saml-for-delete name",
"version" : 0,
"created" : 1505167026640,
"last_modified" : 1505167026640,
"active" : true,
"identityZoneId" : "uaa"
}
Path Parameters
/identity-providers/{id}
Parameter | Description |
---|---|
id | Unique identifier for this provider - GUID generated by the UAA |
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
rawConfig | Boolean | Optional (defaults to false) | (UAA 3.4.0) Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Response Fields
Path | Type | Description |
---|---|---|
name | String | Human-readable name for this provider |
config.providerDescription | String | Human readable name/description of this provider |
config.emailDomain | Array | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active | Boolean | Defaults to true. |
config.addShadowUserOnLogin | Boolean | Whether users may authenticate through this provider without a user record pre-populated in the UAA users database |
config.storeCustomAttributes | Boolean | Set to true to store custom user attributes, to be fetched from the /userinfo endpoint |
type | String | Type of the identity provider. |
originKey | String | Unique identifier for the identity provider. |
config | String | Various configuration properties for the identity provider. |
config.additionalConfiguration | Object | (Unused.) |
version | Number | Version of the identity provider data. Clients can use this to protect against conflicting updates |
id | String | Unique identifier for this provider - GUID generated by the UAA |
identityZoneId | String | Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
created | Number | UAA sets the creation date |
last_modified | Number | UAA sets the modification date |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
422 | Unprocessable Entity |
Force password change for Users
$ curl 'http://localhost/identity-providers/307698a3-e2bb-418b-aa0f-c66242d72bc7/status' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer a07e3b0e4d664fa8ba6aa8b1612d81d1' \
-d '{"requirePasswordChange":true}'
PATCH /identity-providers/307698a3-e2bb-418b-aa0f-c66242d72bc7/status HTTP/1.1
Content-Type: application/json
Authorization: Bearer a07e3b0e4d664fa8ba6aa8b1612d81d1
Host: localhost
Content-Length: 30
{"requirePasswordChange":true}
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 36
{
"requirePasswordChange" : true
}
Path Parameters
/identity-providers/{id}/status
Parameter | Description |
---|---|
id | Unique identifier for this provider - GUID generated by the UAA |
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id | May include this header to administer another zone if using zones.<zone id>.admin or uaa.admin scope against the default UAA zone. |
Request and Response Fields
Path | Type | Constraints | Description |
---|---|---|---|
requirePasswordChange | Boolean | Required | Set to true in order to force password change for all users. The passwordNewerThan property in PasswordPolicy of the IdentityProvider will be updated with current system time. If the user's passwordLastModified is older than this value, the password is expired. |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
422 | Unprocessable Entity - Invalid config |
Service Providers
UAA is capable of acting as a SAML Identity Provider (IdP). When UAA receives a SAML authentication request from a recognized SAML Service Provider (SP), UAA authenticates the user and then sends a SAML authentication response back to the SP. If UAA successfully authenticated the user, the SAML authentication response contains a SAML assertion as per the specification.
Obtaining the UAA SAML IdP metadata:
In order to establish trust, a SAML IdP and SAML SP exchange SAML metadata, which contains the public certificates as well as the endpoints each side uses to communicate with the other. Your SAML SP will likely require the UAA SAML IdP metadata in order to make authentication requests to UAA. You can obtain this metadata by making a GET request to the /saml/idp/metadata endpoint.
GET http://localhost:8080/uaa/saml/idp/metadata
Initiate IDP Login Flow
When the UAA is an IdP, you can initiate the login flow to a Service Provider (SP) by using the initiate endpoint. This is a browser flow: the response is an HTML page whose form auto-submits the SAMLResponse to the SP.
$ curl 'http://jsgfpz64rt3ugwik2yvtexsz.localhost/saml/idp/initiate?sp=Az6GPLYqtC.cloudfoundry-saml-login' -i
GET /saml/idp/initiate?sp=Az6GPLYqtC.cloudfoundry-saml-login HTTP/1.1
Host: jsgfpz64rt3ugwik2yvtexsz.localhost
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
</head>
<body onload="document.forms[0].submit()">
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
</p>
</noscript>
<form action="http://Az6GPLYqtC.localhost:8080/uaa/saml/SSO/alias/Az6GPLYqtC.cloudfoundry-saml-login" method="post">
<div>
<input type="hidden" name="SAMLResponse" value="..."/>
</div>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
</body>
</html>
Request Parameters
Parameter | Type | Constraints | Description |
---|---|---|---|
sp | String | required | The entity ID of a configured and active service provider. |
Error Codes
Error Code | Description |
---|---|
400 | If IdP-initiated login is not enabled, the sp parameter is incorrect, or the SP is disabled. |
List
$ curl 'http://localhost/saml/service-providers' -i \
-H 'Authorization: Bearer 35739635e0184f7abd5ea42d33c31592'
GET /saml/service-providers HTTP/1.1
Authorization: Bearer 35739635e0184f7abd5ea42d33c31592
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 7162
[ {
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"P0oCQb3J8u.cloudfoundry-saml-login\\\" entityID=\\\"P0oCQb3J8u.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#P0oCQb3J8u.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMA
wGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://P0oCQb3J8u.localhost:8080/uaa/saml/SingleLogout/alias/P0oCQb3J8u.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://P0oCQb3J8u.localhost:8080/uaa/saml/SingleLogout/alias/P0oCQb3J8u.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://P0oCQb3J8u.localhost:8080/uaa/saml/SSO/alias/P0oCQb3J8u.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://P0oCQb3J8u.localhost:8080/uaa/saml/SSO/alias/P0oCQb3J8u.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\"},\"enableIdpInitiatedSso\":true}",
"id" : "fb740fc3-80a5-482f-800b-693699330742",
"entityId" : "P0oCQb3J8u.cloudfoundry-saml-login",
"name" : "P0oCQb3J8u",
"version" : 0,
"created" : 1505167051249,
"lastModified" : 1505167051249,
"active" : true,
"identityZoneId" : "uaa"
} ]
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing sps.read |
X-Identity-Zone-Id | If using a `zones. |
X-Identity-Zone-Subdomain | If using a `zones. |
Response Fields
Path | Type | Description |
---|---|---|
[].id | String | Unique identifier for this provider - GUID generated by the UAA. |
[].name | String | Human readable name for the SAML SP. |
[].entityId | String | The entity id of the SAML SP. |
[].active | Boolean | Defaults to true. |
[].created | Number | UAA sets this to the UTC creation date. |
[].identityZoneId | String | Set to the zone that this provider will be active in. Determined by either. |
[].lastModified | Number | UAA sets this to the UTC last date of modification. |
[].version | Number | Version of the identity provider data. Clients can use this. |
[].config | String | Contains metaDataLocation and metadataTrustCheck fields as json fields. |
[].config.metaDataLocation | String | The SAML SP Metadata - either an XML string or a URL that. |
[].config.metadataTrustCheck | Boolean | Determines whether UAA should validate the SAML SP metadata. |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
Get
$ curl 'http://localhost/saml/service-providers/cadf4a2c-ef80-47c3-9a40-eedad20da3f0' -i \
-H 'Authorization: Bearer 757c8934ed2e4fb79fb85c9489a00c2a'
GET /saml/service-providers/cadf4a2c-ef80-47c3-9a40-eedad20da3f0 HTTP/1.1
Authorization: Bearer 757c8934ed2e4fb79fb85c9489a00c2a
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 7158
{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"yAKNCosKAw.cloudfoundry-saml-login\\\" entityID=\\\"yAKNCosKAw.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#yAKNCosKAw.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMA
wGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://yAKNCosKAw.localhost:8080/uaa/saml/SingleLogout/alias/yAKNCosKAw.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://yAKNCosKAw.localhost:8080/uaa/saml/SingleLogout/alias/yAKNCosKAw.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://yAKNCosKAw.localhost:8080/uaa/saml/SSO/alias/yAKNCosKAw.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://yAKNCosKAw.localhost:8080/uaa/saml/SSO/alias/yAKNCosKAw.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\"},\"enableIdpInitiatedSso\":true}",
"id" : "cadf4a2c-ef80-47c3-9a40-eedad20da3f0",
"entityId" : "yAKNCosKAw.cloudfoundry-saml-login",
"name" : "yAKNCosKAw",
"version" : 0,
"created" : 1505167051316,
"lastModified" : 1505167051316,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing sps.read |
X-Identity-Zone-Id | If using a `zones. |
X-Identity-Zone-Subdomain | If using a `zones. |
Path Parameters
/saml/service-providers/{id}
Parameter | Description |
---|---|
id | Unique ID of the service provider |
Response Fields
Path | Type | Description |
---|---|---|
id | String | Unique identifier for this provider - GUID generated by the UAA. |
name | String | Human readable name for the SAML SP. |
entityId | String | The entity id of the SAML SP. |
active | Boolean | Defaults to true. |
created | Number | UAA sets this to the UTC creation date. |
identityZoneId | String | Set to the zone that this provider will be active in. Determined by either. |
lastModified | Number | UAA sets this to the UTC last date of modification. |
version | Number | Version of the identity provider data. Clients can use this. |
config | String | Contains metaDataLocation and metadataTrustCheck fields as json fields. |
config.metaDataLocation | String | The SAML SP Metadata - either an XML string or a URL that. |
config.metadataTrustCheck | Boolean | Determines whether UAA should validate the SAML SP metadata. |
config.attributeMappings.given_name | String | Map given_name value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.family_name | String | Map family_name value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.phone_number | String | Map phone_number value within UAA to a specified assertion in the SAML response. |
config.enableIdpInitiatedSso | Boolean | When set to true (default is false), the service provider supports IdP-initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
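The metadata exchange described above and the service-provider records returned by these endpoints share one awkward detail: `config` is a JSON string nested inside the JSON body, and `metaDataLocation` inside it is a whole SAML EntityDescriptor. The following is an added example, not code from the UAA project or its documentation, showing how an operator can parse such metadata (IdP or SP, since both roles carry the same kinds of endpoints and key descriptors), review it before trusting it, build a correctly double-encoded registration body for the Create endpoint, and unwrap a Get/List response. It uses only the Python standard library; the metadata XML, the "certificate" bytes and the response body are constructed samples, not values from the page.

```python
import base64
import hashlib
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate, for pinning/comparison."""
    return hashlib.sha256(der).hexdigest()


def parse_metadata(xml_text: str) -> dict:
    """Pull the review-relevant facts out of SAML EntityDescriptor metadata:
    entityID, each role (IdP or SP) with its signing flags, its endpoints and
    a SHA-256 fingerprint of every certificate usable for signing."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    info = {"entityID": root.get("entityID"), "roles": []}
    for role_tag in ("IDPSSODescriptor", "SPSSODescriptor"):
        for role in root.findall("md:" + role_tag, NS):
            entry = {"role": role_tag,
                     "AuthnRequestsSigned": role.get("AuthnRequestsSigned"),
                     "WantAssertionsSigned": role.get("WantAssertionsSigned"),
                     "WantAuthnRequestsSigned": role.get("WantAuthnRequestsSigned"),
                     "endpoints": [], "signing_cert_sha256": []}
            for child in role:
                # Endpoint elements (SingleSignOnService, AssertionConsumerService,
                # SingleLogoutService, ...) all carry Binding and Location.
                if child.get("Location"):
                    entry["endpoints"].append({"service": child.tag.rsplit("}", 1)[-1],
                                               "binding": child.get("Binding"),
                                               "location": child.get("Location")})
            for kd in role.findall("md:KeyDescriptor", NS):
                # A KeyDescriptor without 'use' is valid for signing and encryption.
                if kd.get("use", "signing") != "signing":
                    continue
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    # Metadata often wraps the base64 across lines; strip whitespace.
                    der = base64.b64decode("".join((cert.text or "").split()))
                    entry["signing_cert_sha256"].append(cert_fingerprint(der))
            info["roles"].append(entry)
    return info


def metadata_findings(info: dict) -> list:
    """Points an operator should look at before registering this metadata."""
    findings = []
    for role in info["roles"]:
        if role["role"] == "SPSSODescriptor":
            if role["WantAssertionsSigned"] != "true":
                findings.append("SP does not require signed assertions")
            if role["AuthnRequestsSigned"] != "true":
                findings.append("SP does not sign its AuthnRequests")
        if not role["signing_cert_sha256"]:
            findings.append("%s has no signing certificate" % role["role"])
        for ep in role["endpoints"]:
            if not ep["location"].startswith("https://"):
                findings.append("%s endpoint is not HTTPS: %s" % (ep["service"], ep["location"]))
    return findings


def build_sp_registration(name, entity_id, metadata_xml, attribute_mappings=None,
                          idp_initiated=False, trust_check=True):
    """Body for POST /saml/service-providers. 'config' is a JSON *string*
    inside the JSON body (as in the page's curl example), so it is serialised
    separately. Refuses metadata whose entityID disagrees with entityId."""
    info = parse_metadata(metadata_xml)
    if info["entityID"] != entity_id:
        raise ValueError("entityId %r does not match metadata entityID %r" % (entity_id, info["entityID"]))
    if not any(r["role"] == "SPSSODescriptor" for r in info["roles"]):
        raise ValueError("metadata has no SPSSODescriptor")
    config = {"metaDataLocation": metadata_xml, "metadataTrustCheck": trust_check,
              "enableIdpInitiatedSso": idp_initiated,
              "attributeMappings": attribute_mappings or {}}
    return {"name": name, "entityId": entity_id, "active": True, "config": json.dumps(config)}


def decode_sp_response(body: str) -> dict:
    """Parse a Get response and unwrap the nested config string into a dict."""
    sp = json.loads(body)
    sp["config"] = json.loads(sp["config"])
    return sp


# Constructed sample data: these bytes are not a real X.509 certificate.
SAMPLE_CERT_DER = b"constructed-cert-bytes-not-a-real-x509-certificate"
_b64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="example-sp.cloudfoundry-saml-login">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>%s
%s</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-sp.localhost/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (_b64[:20], _b64[20:])

SAMPLE_RESPONSE = json.dumps({  # shape of a Get response; id is a placeholder
    "config": json.dumps({"metaDataLocation": SAMPLE_SP_METADATA, "metadataTrustCheck": True,
                          "enableIdpInitiatedSso": True, "attributeMappings": {"given_name": "firstname"}}),
    "id": "00000000-0000-0000-0000-000000000000", "entityId": "example-sp.cloudfoundry-saml-login",
    "name": "example-sp", "version": 0, "active": True, "identityZoneId": "uaa"})

if __name__ == "__main__":
    info = parse_metadata(SAMPLE_SP_METADATA)
    print(json.dumps(info, indent=2))
    print("findings:", metadata_findings(info))
    body = build_sp_registration("example-sp", "example-sp.cloudfoundry-saml-login",
                                 SAMPLE_SP_METADATA, {"given_name": "firstname"}, idp_initiated=True)
    print(json.dumps(body)[:120], "...")
    print(decode_sp_response(SAMPLE_RESPONSE)["config"]["enableIdpInitiatedSso"])
```

`metadata_findings` is deliberately conservative: it flags an SP that does not require signed assertions, one that does not sign its own requests, a role without a signing certificate, and any non-HTTPS endpoint, which is exactly the kind of review worth doing before setting `metadataTrustCheck` and enabling IdP-initiated SSO for a provider.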
Create
$ curl 'http://localhost/saml/service-providers' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 1c8f5ad49d174a1581df6f0798012680' \
-d '{
"name" : "NepFPaws3k",
"entityId" : "NepFPaws3k.cloudfoundry-saml-login",
"active" : true,
"config" : "{\"enableIdpInitiatedSso\" : true,\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\" entityID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBA
YTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor
 use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true ,\"attributeMappings\" : { \"given_name\" : \"firstname\", \"family_name\" : \"lastname\", \"phone_number\" : \"phone\" }}"
}'
POST /saml/service-providers HTTP/1.1
Content-Type: application/json
Authorization: Bearer 1c8f5ad49d174a1581df6f0798012680
Host: localhost
Content-Length: 6961
{
"name" : "NepFPaws3k",
"entityId" : "NepFPaws3k.cloudfoundry-saml-login",
"active" : true,
"config" : "{\"enableIdpInitiatedSso\" : true,\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\" entityID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBA
YTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor
 use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true ,\"attributeMappings\" : { \"given_name\" : \"firstname\", \"family_name\" : \"lastname\", \"phone_number\" : \"phone\" }}"
}
HTTP/1.1 201 Created
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 7158
{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\" entityID=\\\"NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#NepFPaws3k.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMA
wGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SingleLogout/alias/NepFPaws3k.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://NepFPaws3k.localhost:8080/uaa/saml/SSO/alias/NepFPaws3k.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\"},\"enableIdpInitiatedSso\":true}",
"id" : "54b50bb9-8e49-48aa-8a9d-55d9cc72bca6",
"entityId" : "NepFPaws3k.cloudfoundry-saml-login",
"name" : "NepFPaws3k",
"version" : 0,
"created" : 1505167051443,
"lastModified" : 1505167051443,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing sps.write |
X-Identity-Zone-Id | If using a `zones. |
X-Identity-Zone-Subdomain | If using a `zones. |
Request Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human readable name for the SAML SP. |
entityId | String | Optional | If provided, it should match the entityId in the SP metadata. |
active | Boolean | Optional | Defaults to true |
config | String | Required | Contains metaDataLocation and metadataTrustCheck fields as json fields. |
config.metaDataLocation | String | Required | The SAML SP Metadata - either an XML string or a URL that |
config.attributeMappings.given_name | String | Optional | Map given_name value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.family_name | String | Optional | Map family_name value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.phone_number | String | Optional | Map phone_number value within UAA to a specified assertion in the SAML response. |
config.metadataTrustCheck | Boolean | Optional | Determines whether UAA should validate the SAML SP metadata. |
config.enableIdpInitiatedSso | Boolean | Optional | When set to true (the default is false), the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
Response Fields
Path | Type | Description |
---|---|---|
id | String | Unique identifier for this provider - GUID generated by the UAA. |
name | String | Human readable name for the SAML SP. |
entityId | String | The entity id of the SAML SP. |
active | Boolean | Defaults to true. |
created | Number | UAA sets this to the UTC creation date. |
identityZoneId | String | Set to the zone that this provider will be active in. Determined by either. |
lastModified | Number | UAA sets this to the UTC last date of modification. |
version | Number | Version of the identity provider data. Clients can use this. |
config | String | Contains metaDataLocation and metadataTrustCheck fields as json fields. |
config.metaDataLocation | String | The SAML SP Metadata - either an XML string or a URL that. |
config.metadataTrustCheck | Boolean | Determines whether UAA should validate the SAML SP metadata. |
config.attributeMappings.given_name | String | Map given_name value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.family_name | String | Map family_name value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.phone_number | String | Map phone_number value within UAA to a specified assertion in the SAML response. |
config.enableIdpInitiatedSso | Boolean | When set to true (the default is false), the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
422 | Unprocessable Entity |
409 | Conflict - A provider with the same entity id and zone id exists. |
Update
$ curl 'http://localhost/saml/service-providers/f4f69e65-959b-40dc-8c14-2254fc4acf68' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 06cc120355e748c1bebab5ecd92e894e' \
-d '{
"name" : "Xf1FlIUeJq",
"entityId" : "Xf1FlIUeJq.cloudfoundry-saml-login",
"active" : true,
"config" : "{\"enableIdpInitiatedSso\" : true,\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\" entityID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBA
YTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor
 use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true ,\"attributeMappings\" : { \"given_name\" : \"firstname\", \"family_name\" : \"lastname\", \"phone_number\" : \"phone\" }}"
}'
PUT /saml/service-providers/f4f69e65-959b-40dc-8c14-2254fc4acf68 HTTP/1.1
Content-Type: application/json
Authorization: Bearer 06cc120355e748c1bebab5ecd92e894e
Host: localhost
Content-Length: 6961
{
"name" : "Xf1FlIUeJq",
"entityId" : "Xf1FlIUeJq.cloudfoundry-saml-login",
"active" : true,
"config" : "{\"enableIdpInitiatedSso\" : true,\"metaDataLocation\" : \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\" entityID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBA
YTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor
 use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"metadataTrustCheck\" : true ,\"attributeMappings\" : { \"given_name\" : \"firstname\", \"family_name\" : \"lastname\", \"phone_number\" : \"phone\" }}"
}
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 7158
{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\" entityID=\\\"Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#Xf1FlIUeJq.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMA
wGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SingleLogout/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://Xf1FlIUeJq.localhost:8080/uaa/saml/SSO/alias/Xf1FlIUeJq.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\"},\"enableIdpInitiatedSso\":true}",
"id" : "f4f69e65-959b-40dc-8c14-2254fc4acf68",
"entityId" : "Xf1FlIUeJq.cloudfoundry-saml-login",
"name" : "Xf1FlIUeJq",
"version" : 1,
"created" : 1505167051495,
"lastModified" : 1505167051515,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing sps.write |
X-Identity-Zone-Id | If using a `zones. |
X-Identity-Zone-Subdomain | If using a `zones. |
Request Fields
Path | Type | Constraints | Description |
---|---|---|---|
name | String | Required | Human readable name for the SAML SP. |
entityId | String | Optional | If provided, it should match the entityID in the SP metadata. |
active | Boolean | Optional | Defaults to true |
config | String | Required | A JSON string (the config object serialised and embedded as a string, which is why the responses show escaped quotes inside it) containing the metaDataLocation and metadataTrustCheck fields. |
config.metaDataLocation | String | Required | The SAML SP Metadata - either an XML string or a URL that |
config.attributeMappings.given_name | String | Optional | Map the UAA given_name value to the named attribute in the SAML assertion. |
config.attributeMappings.family_name | String | Optional | Map the UAA family_name value to the named attribute in the SAML assertion. |
config.attributeMappings.phone_number | String | Optional | Map the UAA phone_number value to the named attribute in the SAML assertion. |
config.metadataTrustCheck | Boolean | Optional | Determines whether UAA verifies the signature on the SAML SP metadata. |
config.enableIdpInitiatedSso | Boolean | Optional | When true (default false), the service provider supports IdP-initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
Path Parameters
/saml/service-providers/{id}
Parameter | Description |
---|---|
id | Unique ID of the service provider |
Response Fields
Path | Type | Description |
---|---|---|
id | String | Unique identifier for this provider - GUID generated by the UAA. |
name | String | Human readable name for the SAML SP. |
entityId | String | The entity id of the SAML SP. |
active | Boolean | Defaults to true. |
created | Number | UAA sets this to the UTC creation time, as epoch milliseconds. |
identityZoneId | String | Set to the zone that this provider will be active in. Determined by either. |
lastModified | Number | UAA sets this to the UTC time of the last modification, as epoch milliseconds. |
version | Number | Version of the service provider data. Clients can use this. |
config | String | A JSON string (the config object serialised and embedded as a string) containing the metaDataLocation and metadataTrustCheck fields. |
config.metaDataLocation | String | The SAML SP Metadata - either an XML string or a URL that. |
config.metadataTrustCheck | Boolean | Determines whether UAA verifies the signature on the SAML SP metadata. |
config.attributeMappings.given_name | String | Map the UAA given_name value to the named attribute in the SAML assertion. |
config.attributeMappings.family_name | String | Map the UAA family_name value to the named attribute in the SAML assertion. |
config.attributeMappings.phone_number | String | Map the UAA phone_number value to the named attribute in the SAML assertion. |
config.enableIdpInitiatedSso | Boolean | When true (default false), the service provider supports IdP-initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
422 | Unprocessable Entity |
409 | Conflict - A provider with the same entity id and zone id exists. |
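The request body above nests the SP configuration as a JSON string inside the outer JSON object, with the SP metadata XML inlined in metaDataLocation, and the request fields say entityId should agree with the metadata's entityID. The following is an added example (not UAA's own code) that builds such a body and then audits it the way a reviewer would before registering the SP: entityId against the metadata, metadataTrustCheck on, skipSslValidation off, signed assertions requested, and every AssertionConsumerService reachable over TLS (the sample responses on this page use plain http://...:8080 ACS endpoints, which is fine for a test fixture but not for a production SP). The metadata XML, entity id and hostnames below are constructed for the example.

```python
"""Build and audit a UAA SAML service-provider definition.

Added example, not code from the UAA project. It reproduces the body shape
shown on this page: the top-level JSON carries a `config` field that is
itself a JSON string, whose `metaDataLocation` holds the SP metadata XML.
SAMPLE_METADATA is a constructed, unsigned SPSSODescriptor; the entity id
and hostnames are made up for the example.
"""
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata (not taken from the responses above).
# The second ACS deliberately uses http:// so the audit has something to flag.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="example-sp.cloudfoundry-saml-login">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-sp.example.org/saml/SSO/alias/example-sp"
        index="0" isDefault="true"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://example-sp.example.org/saml/SSO/alias/example-sp"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def build_sp_request(name, metadata_xml, attribute_mappings=None,
                     metadata_trust_check=True, enable_idp_initiated_sso=False):
    """Return the JSON body for the /saml/service-providers request.

    `config` is serialised to a string first and then embedded in the outer
    object, which is why the responses on this page show escaped quotes in
    it. entityId is read from the metadata so the two cannot disagree.
    """
    root = ET.fromstring(metadata_xml)
    config = {
        "metaDataLocation": metadata_xml,
        "metadataTrustCheck": metadata_trust_check,
        "skipSslValidation": False,
        "attributeMappings": attribute_mappings or {},
        "enableIdpInitiatedSso": enable_idp_initiated_sso,
    }
    body = {
        "name": name,
        "entityId": root.get("entityID"),
        "active": True,
        "config": json.dumps(config),
    }
    return json.dumps(body)


def audit_sp(body_json):
    """Decode a service-provider body (or API response) and list findings.

    Checks: record entityId matches the metadata entityID; metadata
    signature checking is on; TLS validation is not skipped; the SP asks
    for signed assertions; every ACS location is https, because the IdP
    will POST the signed assertion to it.
    """
    body = json.loads(body_json)
    config = json.loads(body["config"])          # second decode: nested JSON string
    root = ET.fromstring(config["metaDataLocation"])
    findings = []
    if body.get("entityId") != root.get("entityID"):
        findings.append("entityId does not match metadata entityID")
    if not config.get("metadataTrustCheck", False):
        findings.append("metadataTrustCheck is disabled")
    if config.get("skipSslValidation", False):
        findings.append("skipSslValidation is enabled")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        findings.append("no SPSSODescriptor in metadata")
        return findings
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("SP does not require signed assertions")
    for acs in sp.findall("md:AssertionConsumerService", NS):
        loc = acs.get("Location", "")
        if not loc.startswith("https://"):
            findings.append(f"non-TLS AssertionConsumerService: {loc}")
    return findings


if __name__ == "__main__":
    body = build_sp_request("example-sp", SAMPLE_METADATA,
                            {"given_name": "firstname", "family_name": "lastname"})
    for finding in audit_sp(body):
        print(finding)
```

The same audit_sp function can be pointed at the JSON returned by GET or PUT on /saml/service-providers/{id}, since the response carries config in the identical nested-string form.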
Delete
$ curl 'http://localhost/saml/service-providers/7cb18031-c31c-4f12-a136-c33637593f39' -i -X DELETE \
-H 'Authorization: Bearer f12828b1c3364d62a01d05c1f0af0e31' \
-H 'Accept: application/json'
DELETE /saml/service-providers/7cb18031-c31c-4f12-a136-c33637593f39 HTTP/1.1
Authorization: Bearer f12828b1c3364d62a01d05c1f0af0e31
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 7158
{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"0ZW2ol42OF.cloudfoundry-saml-login\\\" entityID=\\\"0ZW2ol42OF.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#0ZW2ol42OF.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMA
wGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor 
use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://0ZW2ol42OF.localhost:8080/uaa/saml/SingleLogout/alias/0ZW2ol42OF.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" 
Location=\\\"http://0ZW2ol42OF.localhost:8080/uaa/saml/SingleLogout/alias/0ZW2ol42OF.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://0ZW2ol42OF.localhost:8080/uaa/saml/SSO/alias/0ZW2ol42OF.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://0ZW2ol42OF.localhost:8080/uaa/saml/SSO/alias/0ZW2ol42OF.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\"},\"enableIdpInitiatedSso\":true}",
"id" : "7cb18031-c31c-4f12-a136-c33637593f39",
"entityId" : "0ZW2ol42OF.cloudfoundry-saml-login",
"name" : "0ZW2ol42OF",
"version" : 0,
"created" : 1505167051383,
"lastModified" : 1505167051383,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
Name | Description |
---|---|
Authorization | Bearer token containing sps.write |
X-Identity-Zone-Id | If using a `zones. |
X-Identity-Zone-Subdomain | If using a `zones. |
Path Parameters
/saml/service-providers/{id}
Parameter | Description |
---|---|
id | Unique ID of the service provider |
Response Fields
Path | Type | Description |
---|---|---|
id | String | Unique identifier for this provider - GUID generated by the UAA. |
name | String | Human readable name for the SAML SP. |
entityId | String | The entity id of the SAML SP. |
active | Boolean | Defaults to true. |
created | Number | UAA sets this to the UTC creation time, as epoch milliseconds. |
identityZoneId | String | Set to the zone that this provider will be active in. Determined by either. |
lastModified | Number | UAA sets this to the UTC time of the last modification, as epoch milliseconds. |
version | Number | Version of the service provider data. Clients can use this. |
config | String | A JSON string (the config object serialised and embedded as a string) containing the metaDataLocation and metadataTrustCheck fields. |
config.metaDataLocation | String | The SAML SP Metadata - either an XML string or a URL that. |
config.metadataTrustCheck | Boolean | Determines whether UAA verifies the signature on the SAML SP metadata. |
config.attributeMappings.given_name | String | Map the UAA given_name value to the named attribute in the SAML assertion. |
config.attributeMappings.family_name | String | Map the UAA family_name value to the named attribute in the SAML assertion. |
config.attributeMappings.phone_number | String | Map the UAA phone_number value to the named attribute in the SAML assertion. |
config.enableIdpInitiatedSso | Boolean | When true (default false), the service provider supports IdP-initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
Error Codes
Error Code | Description |
---|---|
403 | Forbidden - Insufficient scope |
Users
Users can be queried, created and updated via the /Users endpoint.
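The user record that GET /Users/{id} returns carries the user's group memberships (each with a display name and DIRECT/INDIRECT type), the OAuth approvals the user has granted with their expiry, the active/verified flags, and a meta.version that the response also exposes as the ETag. The following is an added example, not part of the UAA documentation, that audits one such record. SAMPLE_USER is constructed to follow the shape of the Get response in this section; the PRIVILEGED_GROUPS set is an assumption made for the example, not a list UAA defines; and sending meta.version back in If-Match on a later update is likewise assumed here, since only the Get request on this page shows that header.

```python
"""Audit a SCIM user record as returned by GET /Users/{id}.

Added example, not UAA code. SAMPLE_USER is constructed (ids, names and
timestamps are made up) to match the field layout of the Get response on
this page. PRIVILEGED_GROUPS is an assumption for this example.
"""
from datetime import datetime, timezone

# Assumption: group names this deployment treats as privileged.
PRIVILEGED_GROUPS = {"scim.write", "scim.userids", "password.write", "uaa.admin"}

# Constructed sample, modelled on the Get response above.
SAMPLE_USER = {
    "id": "11111111-2222-3333-4444-555555555555",
    "meta": {"version": 3,
             "created": "2017-09-11T21:57:21.570Z",
             "lastModified": "2017-09-12T08:00:00.000Z"},
    "userName": "alice@example.org",
    "groups": [
        {"value": "g1", "display": "openid", "type": "DIRECT"},
        {"value": "g2", "display": "password.write", "type": "DIRECT"},
        {"value": "g3", "display": "scim.userids", "type": "INDIRECT"},
    ],
    "approvals": [
        {"clientId": "identity", "scope": "uaa.user", "status": "APPROVED",
         "lastUpdatedAt": "2017-09-11T21:57:51.662Z",
         "expiresAt": "2017-09-11T21:57:51.662Z"},
        {"clientId": "app", "scope": "scim.read", "status": "APPROVED",
         "lastUpdatedAt": "2017-09-11T21:57:21.660Z",
         "expiresAt": "2018-09-11T21:57:21.660Z"},
    ],
    "active": True,
    "verified": False,
    "origin": "uaa",
}


def parse_scim_time(value):
    """Timestamps in the response look like 2017-09-11T21:57:21.570Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_user(user, now):
    """Return the points a reviewer would flag in one user record."""
    privileged = sorted(
        g["display"] for g in user.get("groups", [])
        if g.get("display") in PRIVILEGED_GROUPS
    )
    # Approvals whose expiresAt is not after `now` no longer authorise anything;
    # an approval created with expiresAt == lastUpdatedAt expired immediately.
    expired = [
        (a["clientId"], a["scope"])
        for a in user.get("approvals", [])
        if parse_scim_time(a["expiresAt"]) <= now
    ]
    return {
        "privileged_groups": privileged,
        "expired_approvals": expired,
        # An active account whose address was never verified is worth a look.
        "unverified_but_active": bool(user.get("active")) and not user.get("verified"),
        # Assumption: value to send in If-Match on a later update so a
        # concurrent change is rejected instead of silently overwritten.
        "if_match": str(user["meta"]["version"]),
    }


if __name__ == "__main__":
    report = audit_user(SAMPLE_USER, datetime.now(timezone.utc))
    for key, value in report.items():
        print(f"{key}: {value}")
```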
Get
$ curl 'http://localhost/Users/55bfad71-5975-49ab-bb19-50eeadae7bf5' -i \
-H 'Accept: application/json' \
-H 'Authorization: Bearer fc3421d795984787985758291c1aaa26' \
-H 'Content-Type: application/json' \
-H 'If-Match: 0'
GET /Users/55bfad71-5975-49ab-bb19-50eeadae7bf5 HTTP/1.1
Accept: application/json
Authorization: Bearer fc3421d795984787985758291c1aaa26
Content-Type: application/json
If-Match: 0
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
ETag: "0"
Content-Type: application/json;charset=UTF-8
Content-Length: 2880
{
"id" : "55bfad71-5975-49ab-bb19-50eeadae7bf5",
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2017-09-11T21:57:21.570Z",
"lastModified" : "2017-09-11T21:57:21.570Z"
},
"userName" : "kBQmO4@test.org",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "kBQmO4@test.org",
"primary" : false
} ],
"groups" : [ {
"value" : "98f8083b-03b3-4e5a-b0de-7ddf97b90211",
"display" : "scim.me",
"type" : "DIRECT"
}, {
"value" : "78a2c166-6543-4db1-b929-13fd96f16f2c",
"display" : "password.write",
"type" : "DIRECT"
}, {
"value" : "e06c2906-1766-4285-a7c9-02c4c7268901",
"display" : "profile",
"type" : "DIRECT"
}, {
"value" : "3cb91b1b-b577-4f2e-ba8f-b0a4bd96daa2",
"display" : "roles",
"type" : "DIRECT"
}, {
"value" : "1f2b309b-d9fe-406f-afed-4e60b2c99c43",
"display" : "scim.userids",
"type" : "DIRECT"
}, {
"value" : "861f33ec-6ca8-4228-96a5-0bc2873630b2",
"display" : "uaa.user",
"type" : "DIRECT"
}, {
"value" : "15867bbc-a84d-40de-898c-b7b8f68f78bc",
"display" : "user_attributes",
"type" : "DIRECT"
}, {
"value" : "280a2ce1-7f78-41bb-98e0-ac1405974968",
"display" : "uaa.offline_token",
"type" : "DIRECT"
}, {
"value" : "dd5e59ea-5f1a-47b6-88f8-7f93715931f0",
"display" : "cloud_controller_service_permissions.read",
"type" : "DIRECT"
}, {
"value" : "cdac3ced-7ac9-4369-95bd-39d28232bc9a",
"display" : "cloud_controller.read",
"type" : "DIRECT"
}, {
"value" : "109f0489-b31d-48be-b6c1-3722d639a34d",
"display" : "oauth.approvals",
"type" : "DIRECT"
}, {
"value" : "6fadb30a-100e-47b1-86e2-235c9f02863b",
"display" : "openid",
"type" : "DIRECT"
}, {
"value" : "1cf19cb5-183c-4647-b2d8-42749775611c",
"display" : "cloud_controller.write",
"type" : "DIRECT"
}, {
"value" : "e6f3b139-7072-4923-b575-51877732db87",
"display" : "approvals.me",
"type" : "DIRECT"
} ],
"approvals" : [ {
"userId" : "55bfad71-5975-49ab-bb19-50eeadae7bf5",
"clientId" : "identity",
"scope" : "uaa.user",
"status" : "APPROVED",
"lastUpdatedAt" : "2017-09-11T21:57:51.662Z",
"expiresAt" : "2017-09-11T21:57:51.662Z"
}, {
"userId" : "55bfad71-5975-49ab-bb19-50eeadae7bf5",
"clientId" : "client id",
"scope" : "scim.read",
"status" : "APPROVED",
"lastUpdatedAt" : "2017-09-11T21:57:21.660Z",
"expiresAt" : "2017-09-11T21:57:31.660Z"
} ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2017-09-11T21:57:21.000Z",
"previousLogonTime" : 1505167041663,
"lastLogonTime" : 1505167041664,
"schemas" :