Overview
The User Account and Authentication Service (UAA):
- is an OAuth2 server that can be used for centralized identity management.
- owns the user accounts and authentication sources (SAML, LDAP)
- supports standard protocols such as SAML, LDAP and OpenID Connect to provide single sign-on and delegated authorization to web applications
- can be invoked via JSON APIs
- provides a basic login/approval UI for web client apps
- supports APIs for user account management for an external web UI
- most of the APIs are defined by the specs for the OAuth2, OpenID Connect, and SCIM standards.
Authorization
Authorization Code Grant
Browser flow
$ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Flocalhost%2Fapp&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Flocalhost%2Fapp&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Set-Cookie: X-Uaa-Csrf=KFksRWghLMg0cHCjHWwUsD; Path=/; Max-Age=86400; Expires=Thu, 09 Jul 2020 01:23:18 GMT; HttpOnly
Cache-Control: no-store
Content-Language: en
Location: http://localhost/app?code=WtFw2WFluZ
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| response_type | String | Required | Space-delimited list of response types. Here, code for requesting an authorization code for an access token, as per OAuth spec |
| client_id | String | Required | a unique string representing the registration information provided by the client |
| scope | String | Optional | requested scopes, space-delimited |
| redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
| login_hint | String | Optional | UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider. |
Api flow
$ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf&state=XOiOKE' -i -X GET \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJhNDU3OWY2NmQzZTU0Mjc2YTE2MDY0ZTE2ZGI3M2Q0YiIsInN1YiI6ImNlYzAxOGZjLWIzMjQtNGMzZi05YzdhLTM4YmEwYzkzOGJkOCIsInNjb3BlIjpbInVhYS51c2VyIl0sImNsaWVudF9pZCI6ImNmIiwiY2lkIjoiY2YiLCJhenAiOiJjZiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiJjZWMwMThmYy1iMzI0LTRjM2YtOWM3YS0zOGJhMGM5MzhiZDgiLCJvcmlnaW4iOiJ1YWEiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwiZW1haWwiOiJtYXJpc3NhQHRlc3Qub3JnIiwiYXV0aF90aW1lIjoxNTk0MTcxMzk4LCJyZXZfc2lnIjoiNDA0YTMyN2MiLCJpYXQiOjE1OTQxNzEzOTgsImV4cCI6MTU5NDIxNDU5OCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6InVhYSIsImF1ZCI6WyJjZiIsInVhYSJdfQ.7ytn0udWe3MIZq4sMZol6Ml8EWk8ass6bJLvww7_Az8'
GET /oauth/authorize?response_type=code&client_id=login&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf&state=XOiOKE HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJhNDU3OWY2NmQzZTU0Mjc2YTE2MDY0ZTE2ZGI3M2Q0YiIsInN1YiI6ImNlYzAxOGZjLWIzMjQtNGMzZi05YzdhLTM4YmEwYzkzOGJkOCIsInNjb3BlIjpbInVhYS51c2VyIl0sImNsaWVudF9pZCI6ImNmIiwiY2lkIjoiY2YiLCJhenAiOiJjZiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiJjZWMwMThmYy1iMzI0LTRjM2YtOWM3YS0zOGJhMGM5MzhiZDgiLCJvcmlnaW4iOiJ1YWEiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwiZW1haWwiOiJtYXJpc3NhQHRlc3Qub3JnIiwiYXV0aF90aW1lIjoxNTk0MTcxMzk4LCJyZXZfc2lnIjoiNDA0YTMyN2MiLCJpYXQiOjE1OTQxNzEzOTgsImV4cCI6MTU5NDIxNDU5OCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6InVhYSIsImF1ZCI6WyJjZiIsInVhYSJdfQ.7ytn0udWe3MIZq4sMZol6Ml8EWk8ass6bJLvww7_Az8
Host: localhost
HTTP/1.1 302 Found
Cache-Control: no-store
Content-Language: en
Location: http://localhost/redirect/cf?code=8BsTHUGmlY&state=XOiOKE
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| response_type | String | Required | Space-delimited list of response types. Here, code for requesting an authorization code for an access token, as per OAuth spec |
| client_id | String | Required | a unique string representing the registration information provided by the client |
| redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
| state | String | Required | any random string to be returned in the Location header as a query parameter, used to achieve per-request customization |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing uaa.user scope - the authentication for this user |
Implicit Grant
$ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Set-Cookie: X-Uaa-Csrf=JXFDEwy6ABZIlDg0IunLJw; Path=/; Max-Age=86400; Expires=Thu, 09 Jul 2020 01:23:18 GMT; HttpOnly
Cache-Control: no-store
Content-Language: en
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiI4ZTYzZDBlZGVmZDg0MjViYWE4YWUwNThjMjUzYWIxZSIsInN1YiI6ImNlYzAxOGZjLWIzMjQtNGMzZi05YzdhLTM4YmEwYzkzOGJkOCIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJhenAiOiJhcHAiLCJncmFudF90eXBlIjoiaW1wbGljaXQiLCJ1c2VyX2lkIjoiY2VjMDE4ZmMtYjMyNC00YzNmLTljN2EtMzhiYTBjOTM4YmQ4Iiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoibWFyaXNzYSIsImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsImF1dGhfdGltZSI6MTU5NDE3MTM5OCwicmV2X3NpZyI6IjZkNjRlZmI2IiwiaWF0IjoxNTk0MTcxMzk4LCJleHAiOjE1OTQyMTQ1OTgsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsiYXBwIiwib3BlbmlkIl19.IhdsB8dKl98E_hOfFWOymx8cZw37iarA1-YA6nxhtcg&expires_in=43199&jti=8e63d0edefd8425baa8ae058c253ab1e
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| response_type | String | Required | Space-delimited list of response types. Here, token, i.e. an access token |
| client_id | String | Required | a unique string representing the registration information provided by the client |
| scope | String | Optional | requested scopes, space-delimited |
| redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
| login_hint | String | Optional | UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider. |
Response Headers
| Name | Description |
|---|---|
Location |
Location as defined in the spec includes access_token in the reply fragment if successful |
Implicit Grant with prompt
$ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i -X GET \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Set-Cookie: Current-User=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#error=login_required&session_state=4c4e7e8073151318d931c369baaf06485c73081ba09d2f37d6359a2afd1534d5.5433b122b6b6b91dfb221a42fb041fb08f913db728f9d4e4149b4f2d2c90c05d
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| response_type | String | Required | Space-delimited list of response types. Here, token, i.e. an access token |
| client_id | String | Required | a unique string representing the registration information provided by the client |
| scope | String | Optional | requested scopes, space-delimited |
| redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
| prompt | String | Optional | specifies whether to prompt for user authentication. Only value none is supported. |
Response Headers
| Name | Description |
|---|---|
Location |
Redirect url specified in the request parameters. |
OpenID Connect flow
OpenID Provider Configuration Request
An OpenID Provider Configuration Document MUST be queried using an HTTP GET request at the previously specified path.
$ curl 'http://localhost/.well-known/openid-configuration' -i -X GET \
-H 'Accept: application/json'
GET /.well-known/openid-configuration HTTP/1.1
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1239
{
"issuer" : "http://localhost:8080/uaa/oauth/token",
"authorization_endpoint" : "http://localhost/oauth/authorize",
"token_endpoint" : "http://localhost/oauth/token",
"token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
"token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ],
"userinfo_endpoint" : "http://localhost/userinfo",
"jwks_uri" : "http://localhost/token_keys",
"scopes_supported" : [ "openid", "profile", "email", "phone", "roles", "user_attributes" ],
"response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ],
"subject_types_supported" : [ "public" ],
"id_token_signing_alg_values_supported" : [ "RS256", "HS256" ],
"id_token_encryption_alg_values_supported" : [ "none" ],
"claim_types_supported" : [ "normal" ],
"claims_supported" : [ "sub", "user_name", "origin", "iss", "auth_time", "amr", "acr", "client_id", "aud", "zid", "grant_type", "user_id", "azp", "scope", "exp", "iat", "jti", "rev_sig", "cid", "given_name", "family_name", "phone_number", "email" ],
"claims_parameter_supported" : false,
"service_documentation" : "http://docs.cloudfoundry.org/api/uaa/",
"ui_locales_supported" : [ "en-US" ]
}
Response Fields
| Path | Type | Description |
|---|---|---|
issuer |
String |
URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. |
authorization_endpoint |
String |
URL of authorization endpoint. |
token_endpoint |
String |
URL of token endpoint. |
userinfo_endpoint |
String |
URL of the OP's UserInfo Endpoint. |
jwks_uri |
String |
URL of the OP's JSON Web Key Set document. |
scopes_supported |
Array |
JSON array containing a list of the OAuth 2.0 scope values that this server supports. |
subject_types_supported |
Array |
JSON array containing a list of the Subject Identifier types that this OP supports. |
token_endpoint_auth_methods_supported |
Array |
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. |
token_endpoint_auth_signing_alg_values_supported |
Array |
JSON array containing a list of the JWS signing algorithms. |
response_types_supported |
Array |
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. |
id_token_signing_alg_values_supported |
Array |
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. |
id_token_encryption_alg_values_supported |
Array |
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP. |
claim_types_supported |
Array |
JSON array containing a list of the Claim Types that the OpenID Provider supports. |
claims_supported |
Array |
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. |
claims_parameter_supported |
Boolean |
Boolean value specifying whether the OP supports use of the claims parameter. |
service_documentation |
String |
URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. |
ui_locales_supported |
Array |
Languages and scripts supported for the user interface. |
ID token
The authorization request may specify a response type of id_token, and an ID token as defined by OpenID Connect will be included in the fragment of the redirect URL.
$ curl 'http://localhost/oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Set-Cookie: X-Uaa-Csrf=3X2vLVsSwaKQDv5ERpCYwu; Path=/; Max-Age=86400; Expires=Thu, 09 Jul 2020 01:23:18 GMT; HttpOnly
Cache-Control: no-store
Content-Language: en
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJjZWMwMThmYy1iMzI0LTRjM2YtOWM3YS0zOGJhMGM5MzhiZDgiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE1OTQyMTQ1OTgsImlhdCI6MTU5NDE3MTM5OCwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6IjA2NDdlZjY5YjQwNzQ1ZTM5MjBmM2I3NzNlZDRhZjcyIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImFwcCIsImNpZCI6ImFwcCIsImdyYW50X3R5cGUiOiJpbXBsaWNpdCIsInVzZXJfbmFtZSI6Im1hcmlzc2EiLCJyZXZfc2lnIjoiNmQ2NGVmYjYiLCJ1c2VyX2lkIjoiY2VjMDE4ZmMtYjMyNC00YzNmLTljN2EtMzhiYTBjOTM4YmQ4IiwiYXV0aF90aW1lIjoxNTk0MTcxMzk4fQ.nq4sa0idQXlgLxS-leY6_zXgJY7shG1iT5PEwddtnEM&expires_in=43199&jti=0647ef69b40745e3920f3b773ed4af72
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| response_type | String | Required | Space-delimited list of response types. Here, id_token |
| client_id | String | Required | a unique string representing the registration information provided by the client |
| scope | String | Optional | requested scopes, space-delimited |
| redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
| login_hint | String | Optional | UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider. |
Response Headers
| Name | Description |
|---|---|
Location |
Location as defined in the spec includes id_token in the reply fragment if successful |
ID token and Access token
The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the access token.
$ curl 'http://localhost/oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Set-Cookie: X-Uaa-Csrf=P5cICFEyhDB75RnhFs1riI; Path=/; Max-Age=86400; Expires=Thu, 09 Jul 2020 01:23:18 GMT; HttpOnly
Cache-Control: no-store
Content-Language: en
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiI2YjY3NTBiMThiNzM0NDU5OTI1NTcxZjY3ZjczNGQyZiIsInN1YiI6ImNlYzAxOGZjLWIzMjQtNGMzZi05YzdhLTM4YmEwYzkzOGJkOCIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJhenAiOiJhcHAiLCJncmFudF90eXBlIjoiaW1wbGljaXQiLCJ1c2VyX2lkIjoiY2VjMDE4ZmMtYjMyNC00YzNmLTljN2EtMzhiYTBjOTM4YmQ4Iiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoibWFyaXNzYSIsImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsImF1dGhfdGltZSI6MTU5NDE3MTM5OCwicmV2X3NpZyI6IjZkNjRlZmI2IiwiaWF0IjoxNTk0MTcxMzk4LCJleHAiOjE1OTQyMTQ1OTgsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsiYXBwIiwib3BlbmlkIl19.nLYfRTwbFDP8AXIHacLQ1luLyy9ZJ1VdlZsv597d8UA&id_token=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJjZWMwMThmYy1iMzI0LTRjM2YtOWM3YS0zOGJhMGM5MzhiZDgiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE1OTQyMTQ1OTgsImlhdCI6MTU5NDE3MTM5OCwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6IjZiNjc1MGIxOGI3MzQ0NTk5MjU1NzFmNjdmNzM0ZDJmIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImFwcCIsImNpZCI6ImFwcCIsImdyYW50X3R5cGUiOiJpbXBsaWNpdCIsInVzZXJfbmFtZSI6Im1hcmlzc2EiLCJyZXZfc2lnIjoiNmQ2NGVmYjYiLCJ1c2VyX2lkIjoiY2VjMDE4ZmMtYjMyNC00YzNmLTljN2EtMzhiYTBjOTM4YmQ4IiwiYXV0aF90aW1lIjoxNTk0MTcxMzk4fQ.zG5orecDov-U_UlpB32OC7SsBpZJolI17czwV-lNcjU&expires_in=43199&jti=6b6750b18b734459925571f67f734d2f
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| response_type | String | Required | Space-delimited list of response types. Here, token id_token, indicating both an access token and an ID token. |
| client_id | String | Required | a unique string representing the registration information provided by the client |
| scope | String | Optional | requested scopes, space-delimited |
| redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
| login_hint | String | Optional | UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider. |
Response Headers
| Name | Description |
|---|---|
Location |
Location as defined in the spec includes access_token and id_token in the reply fragment if successful |
Hybrid flow
The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the authorization code.
$ curl 'http://localhost/oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
-H 'Accept: application/x-www-form-urlencoded'
GET /oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Set-Cookie: X-Uaa-Csrf=Pm0gFKEN28V2dG3OgEY6Vo; Path=/; Max-Age=86400; Expires=Thu, 09 Jul 2020 01:23:18 GMT; HttpOnly
Cache-Control: no-store
Content-Language: en
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJjZWMwMThmYy1iMzI0LTRjM2YtOWM3YS0zOGJhMGM5MzhiZDgiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE1OTQyMTQ1OTgsImlhdCI6MTU5NDE3MTM5OCwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6IjE1MzQwOTFhYmY5NzQwZTY4YTZmZTEyMTdjZWQyMmI5IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImFwcCIsImNpZCI6ImFwcCIsImdyYW50X3R5cGUiOiJhdXRob3JpemF0aW9uX2NvZGUiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwicmV2X3NpZyI6IjZkNjRlZmI2IiwidXNlcl9pZCI6ImNlYzAxOGZjLWIzMjQtNGMzZi05YzdhLTM4YmEwYzkzOGJkOCIsImF1dGhfdGltZSI6MTU5NDE3MTM5OH0.POMyseCvh1V4wIBJWthZE_xRjbnQ9xK0jpOJ5YEI--0&code=q1GIc56G4m&expires_in=43199&jti=1534091abf9740e68a6fe1217ced22b9
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| response_type | String | Required | Space-delimited list of response types. Here, id_token code, indicating a request for an ID token and an authorization code. |
| client_id | String | Required | a unique string representing the registration information provided by the client |
| scope | String | Optional | requested scopes, space-delimited |
| redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client |
| login_hint | String | Optional | UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider. |
Response Headers
| Name | Description |
|---|---|
Location |
Location as defined in the spec includes code and id_token in the reply fragment if successful |
Token
The /oauth/token endpoint requires client authentication to be accessed. Client Authentication can be passed as
as part of the request authorization header, using basic authentication, or as part of the request parameters, using the client_id and client_secret parameter
names.
Authorization Code Grant
$ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&code=3MsXRh8oQA&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
Accept: application/json
Host: localhost
client_id=login&client_secret=loginsecret&grant_type=authorization_code&code=3MsXRh8oQA&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1088
{
"access_token" : "682b871e913742b1bbd54961cbbb30f5",
"token_type" : "bearer",
"id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJkMWQ0MGNjMS0zNGMxLTQwMjEtOGYxMC1jMmMwYWYxMjI4NGYiLCJhdWQiOlsibG9naW4iXSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImV4cCI6MTU5NDIxNDU5NywiaWF0IjoxNTk0MTcxMzk3LCJhenAiOiJsb2dpbiIsInNjb3BlIjpbIm9wZW5pZCJdLCJlbWFpbCI6IlF4dzFuVkB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6IjY4MmI4NzFlOTEzNzQyYjFiYmQ1NDk2MWNiYmIzMGY1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImxvZ2luIiwiY2lkIjoibG9naW4iLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwidXNlcl9uYW1lIjoiUXh3MW5WQHRlc3Qub3JnIiwicmV2X3NpZyI6Ijg3NGZmMzU5IiwidXNlcl9pZCI6ImQxZDQwY2MxLTM0YzEtNDAyMS04ZjEwLWMyYzBhZjEyMjg0ZiIsImF1dGhfdGltZSI6MTU5NDE3MTM5N30.ZnEjkfrngfiMKiqmqGx3XAccx03P7Y4Q0oEKk059Fzk",
"refresh_token" : "ab94a6e22d1c48a7a7ff3fb99299aed0-r",
"expires_in" : 43199,
"scope" : "openid oauth.approvals",
"jti" : "682b871e913742b1bbd54961cbbb30f5"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Client ID and secret may be passed as a basic authorization header, per RFC 6749 or as request parameters. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
| redirect_uri | String | Required if provided on authorization request | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied) |
| code | String | Required | the authorization code, obtained from /oauth/authorize, issued for the user |
| grant_type | String | Required | the type of authentication being used to obtain the token, in this case authorization_code |
| client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
| token_format | String | Optional | Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used. |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
String |
An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers. |
id_token |
String |
An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope. |
token_type |
String |
The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer. |
expires_in |
Number |
The number of seconds until the access token expires. |
scope |
String |
A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client). |
refresh_token |
String |
An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types. |
jti |
String |
A globally unique identifier for this access token. This identifier is used when revoking tokens. |
Client Credentials Grant
Without Authorization
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=login&client_secret=loginsecret&scope=scim.write&grant_type=client_credentials&token_format=opaque'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: localhost
client_id=login&client_secret=loginsecret&scope=scim.write&grant_type=client_credentials&token_format=opaque
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 180
{
"access_token" : "b689fc39603a41e992cc39e6963e5c6f",
"token_type" : "bearer",
"expires_in" : 43199,
"scope" : "scim.write",
"jti" : "b689fc39603a41e992cc39e6963e5c6f"
}
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
| grant_type | String | Required | the type of authentication being used to obtain the token, in this case client_credentials |
| client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
| scope | String | Optional | The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have. |
| token_format | String | Optional | Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used. |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
String |
An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers. |
token_type |
String |
The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer. |
expires_in |
Number |
The number of seconds until the access token expires. |
scope |
String |
A space-delimited list of scopes authorized for this client. This list is derived from the authorities configured on the client. |
jti |
String |
A globally unique identifier for this access token. This identifier is used when revoking tokens. |
With Authorization
$ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'grant_type=client_credentials&scope=scim.write&token_format=opaque'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
Host: localhost
grant_type=client_credentials&scope=scim.write&token_format=opaque
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 180
{
"access_token" : "126ec512126b4f42a06f50bbe211ce02",
"token_type" : "bearer",
"expires_in" : 43199,
"scope" : "scim.write",
"jti" : "126ec512126b4f42a06f50bbe211ce02"
}
Request Header
| Name | Description |
|---|---|
Authorization |
Base64 encoded client details in the format: Basic client_id:client_secret |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| grant_type | String | Required | the type of authentication being used to obtain the token, in this case client_credentials |
| scope | String | Optional | The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have. |
| token_format | String | Optional | Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used. |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
String |
An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers. |
token_type |
String |
The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer. |
expires_in |
Number |
The number of seconds until the access token expires. |
scope |
String |
A space-delimited list of scopes authorized for this client. This list is derived from the authorities configured on the client. |
jti |
String |
A globally unique identifier for this access token. This identifier is used when revoking tokens. |
Password Grant
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=app&client_secret=appclientsecret&grant_type=password&username=naKwb9%40test.org&password=secr3T&token_format=opaque&login_hint=%7B%22origin%22%3A%22uaa%22%7D'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: localhost
client_id=app&client_secret=appclientsecret&grant_type=password&username=naKwb9%40test.org&password=secr3T&token_format=opaque&login_hint=%7B%22origin%22%3A%22uaa%22%7D
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1140
{
"access_token" : "d226c594197b4c5889d020c4843cf6e7",
"token_type" : "bearer",
"id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMzFmZjllYS0yNTMyLTQwZGQtYTk1YS1iMDQ3ZTBmZTlkYjEiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE1OTQyMTQ1OTAsImlhdCI6MTU5NDE3MTM5MCwiYW1yIjpbInB3ZCJdLCJhenAiOiJhcHAiLCJzY29wZSI6WyJvcGVuaWQiXSwiZW1haWwiOiJuYUt3YjlAdGVzdC5vcmciLCJ6aWQiOiJ1YWEiLCJvcmlnaW4iOiJ1YWEiLCJqdGkiOiJkMjI2YzU5NDE5N2I0YzU4ODlkMDIwYzQ4NDNjZjZlNyIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJuYUt3YjlAdGVzdC5vcmciLCJyZXZfc2lnIjoiYzZmMjFlOTkiLCJ1c2VyX2lkIjoiMTMxZmY5ZWEtMjUzMi00MGRkLWE5NWEtYjA0N2UwZmU5ZGIxIiwiYXV0aF90aW1lIjoxNTk0MTcxMzkwfQ.tVi6TsMwt0DpGs1EEKlVUyczxrhb6kU5Lam3_C7tzdQ",
"refresh_token" : "dedfa8c7ab8d449680b0f0e360e1176b-r",
"expires_in" : 43199,
"scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
"jti" : "d226c594197b4c5889d020c4843cf6e7"
}
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
| grant_type | String | Required | the type of authentication being used to obtain the token, in this case password |
| client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
| username | String | Required | the username for the user trying to get a token |
| password | String | Required | the password for the user trying to get a token |
| token_format | String | Optional | Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used. |
| login_hint | String | Optional | UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider. Note that this identity provider must support the grant type password. |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
String |
An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers. |
id_token |
String |
An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope. |
token_type |
String |
The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer. |
expires_in |
Number |
The number of seconds until the access token expires. |
scope |
String |
A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client). |
refresh_token |
String |
An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types. |
jti |
String |
A globally unique identifier for this access token. This identifier is used when revoking tokens. |
Password Grant with MFA
A password grant can be completed when multi-factor authentication is enabled.
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=app&client_secret=appclientsecret&grant_type=password&username=WR3bzM%40test.org&password=secr3T&mfaCode=568667&token_format=opaque&login_hint=%7B%22origin%22%3A%22uaa%22%7D'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: localhost
client_id=app&client_secret=appclientsecret&grant_type=password&username=WR3bzM%40test.org&password=secr3T&mfaCode=568667&token_format=opaque&login_hint=%7B%22origin%22%3A%22uaa%22%7D
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1156
{
"access_token" : "c891b0358d8c41a782747d72b2cd474f",
"token_type" : "bearer",
"id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJiZjRkNjU4NS1mYmI5LTQ5NzAtYTdhOS02YzlmOGRiMWU1N2MiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE1OTQyMTQ1OTYsImlhdCI6MTU5NDE3MTM5NiwiYW1yIjpbIm1mYSIsIm90cCIsInB3ZCJdLCJhenAiOiJhcHAiLCJzY29wZSI6WyJvcGVuaWQiXSwiZW1haWwiOiJXUjNiek1AdGVzdC5vcmciLCJ6aWQiOiJ1YWEiLCJvcmlnaW4iOiJ1YWEiLCJqdGkiOiJjODkxYjAzNThkOGM0MWE3ODI3NDdkNzJiMmNkNDc0ZiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJXUjNiek1AdGVzdC5vcmciLCJyZXZfc2lnIjoiYmM0MmI2NjMiLCJ1c2VyX2lkIjoiYmY0ZDY1ODUtZmJiOS00OTcwLWE3YTktNmM5ZjhkYjFlNTdjIiwiYXV0aF90aW1lIjoxNTk0MTcxMzk1fQ.KkIkLItV_t6oZjVpfszmT1tZviUK3Oxnrt7biJ_CK1Y",
"refresh_token" : "e1151a3f70984445b6d7bf2ac659b425-r",
"expires_in" : 43199,
"scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
"jti" : "c891b0358d8c41a782747d72b2cd474f"
}
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
| grant_type | String | Required | the type of authentication being used to obtain the token, in this case password |
| client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
| username | String | Required | the username for the user trying to get a token |
| password | String | Required | the password for the user trying to get a token |
| mfaCode | Number | Required | A one time passcode from a registered multi-factor generator |
| token_format | String | Optional | Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used. |
| login_hint | String | Optional | UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider. Note that this identity provider must support the grant type password. |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
String |
An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers. |
id_token |
String |
An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope. |
token_type |
String |
The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer. |
expires_in |
Number |
The number of seconds until the access token expires. |
scope |
String |
A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client). |
refresh_token |
String |
An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types. |
jti |
String |
A globally unique identifier for this access token. This identifier is used when revoking tokens. |
One-time Passcode
$ curl 'http://localhost/oauth/token' -i -u 'app:appclientsecret' -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'grant_type=password&passcode=2euejrvGvQ&token_format=opaque'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
Host: localhost
grant_type=password&passcode=2euejrvGvQ&token_format=opaque
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1081
{
"access_token" : "9e5f78f4671741ee934d904aab63fca3",
"token_type" : "bearer",
"id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiIwZWNjYzdkYi1lOWE5LTQ5YWUtOTA2Ny1iYjM5NTIyYjNkYTYiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE1OTQyMTQ1OTAsImlhdCI6MTU5NDE3MTM5MCwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6IjllNWY3OGY0NjcxNzQxZWU5MzRkOTA0YWFiNjNmY2EzIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImFwcCIsImNpZCI6ImFwcCIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfbmFtZSI6Im1hcmlzc2EiLCJyZXZfc2lnIjoiNmMxZWJkZDIiLCJ1c2VyX2lkIjoiMGVjY2M3ZGItZTlhOS00OWFlLTkwNjctYmIzOTUyMmIzZGE2In0.btNiP3rGae-TkoalY-IlMs3_6R2UwTHIFqUhdLyJS-s",
"refresh_token" : "e955c1929db24b329d9c5f35b27d00f7-r",
"expires_in" : 43199,
"scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
"jti" : "9e5f78f4671741ee934d904aab63fca3"
}
Request Header
| Name | Description |
|---|---|
Authorization |
Base64 encoded client details in the format: Basic client_id:client_secret |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| grant_type | String | Required | the type of authentication being used to obtain the token, in this case password |
| passcode | String | Required | the one-time passcode for the user which can be retrieved by going to /passcode |
| token_format | String | Optional | Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used. |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
String |
An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers. |
id_token |
String |
An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope. |
token_type |
String |
The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer. |
expires_in |
Number |
The number of seconds until the access token expires. |
scope |
String |
A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client). |
refresh_token |
String |
An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types. |
jti |
String |
A globally unique identifier for this access token. This identifier is used when revoking tokens. |
User Token Grant
A user_token grant, is a flow that allows the generation of a refresh_token for another client.
The requesting client, must have grant_type=user_token and the bearer token for this request must have uaa.user
and be a token that represents an authenticated user.
The idea with this grant flow, is that a user can preapprove a token grant for another client, rather than having to participate in the approval process when the client needs the access token.
The refresh_token that results from this grant, is opaque, and can only be exchanged by the client it was intended for.
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Bearer cb1af4eca259405196704827e72d7d39' \
-H 'Accept: application/json' \
-d 'client_id=app&grant_type=user_token&scope=openid&token_format=jwt'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer cb1af4eca259405196704827e72d7d39
Accept: application/json
Host: localhost
client_id=app&grant_type=user_token&scope=openid&token_format=jwt
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 206
{
"access_token" : null,
"token_type" : "bearer",
"refresh_token" : "3d369d3c38cd44cea2d7f039da95c901-r",
"expires_in" : 43199,
"scope" : "openid",
"jti" : "3d369d3c38cd44cea2d7f039da95c901-r"
}
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Optional | The client ID of the receiving client, this client must have refresh_token grant type |
| grant_type | String | Required | The type of token grant requested, in this case user_token |
| token_format | String | Optional | This parameter is ignored. The refresh_token will always be opaque |
| scope | String | Optional | The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have. |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
Null |
An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers. |
token_type |
String |
The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer. |
expires_in |
Number |
The number of seconds until the access token expires. |
scope |
String |
A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client). |
refresh_token |
String |
An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types. |
jti |
String |
A globally unique identifier for this access token. This identifier is used when revoking tokens. |
SAML2 Bearer Grant
The SAML 2.0 bearer grant allows to request an OAuth 2.0 access token with a SAML 2.0 bearer assertion. The flow is defined in
RFC 7522. The requesting client, must have grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer.
In addition the requesting client must either allow the IDP in allowedproviders or omit the property so that any trusted IDP is allowed.
The trust to the assertion issuer is reused from the SAML 2.0 WebSSO profiles.
This grant enables an App2App mechanism with SSO. Typical scenarios are applications outside of CF, which consume a service within the CF world.
The endpoint of the bearer assertion is /oauth/token/alias/<endityid> so the Recipient attribute in
the bearer assertion must point to the corresponding URI, e.g. http://localhost:8080/uaa/oauth/token/alias/cloudfoundry-saml-login.
$ curl 'http://c1fao1.localhost:8080/uaa/oauth/token/alias/c1fao1.cloudfoundry-saml-login' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-H 'Host: c1fao1.localhost' \
-d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclient0Odvbn&client_secret=secret&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTNnODg1OTRmZ2NqZWVmajMwZGE5N2YxNzBjOWFmYyIgSXNzdWVJbnN0YW50PSIyMDIwLTA3LTA4VDAxOjIzOjEzLjA1N1oiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyPmMxZmFvMS5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjYTNnODg1OTRmZ2NqZWVmajMwZGE5N2YxNzBjOWFmYyI-PGRzOlRyYW5zZm9ybXM-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI-PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM-PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8-PGRzOkRpZ2VzdFZhbHVlPjI5elZNdlBacCtJa2x6WVZZVVoxUUhidXFGZz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU-aDAwLysyNU5mU0U5cFdQYktOMitXeEg4Ym8zWFVEOEJvckllT1BtOS9GVlRJWGNsaUR5bnJFTGh3OUJTWXBWUHIzdnNjSWdCenFlcnJ5MWZDNnNEREh6RGZkeURXRGZXU2hpWDRlSkJnNWdQQWNpNC9rTko2Tk5hSFJDaVY1TmxXT1YvQlRoN0pOb1RMcHVzUENRRXNnQ25nZjdKVklGL0R0K1VOZVpEUjRrPTwvZHM6U2lnbmF0dXJlVmFsdWU-PGRzOktleUluZm8-PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU-TUlJRFNUQ0NBcktnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVFRRkFEQjhNUXN3Q1FZRFZRUUdFd0poZHpFT01Bd0dBMVVFQ0JNRgpZWEoxWW1FeERqQU1CZ05WQkFvVEJXRnlkV0poTVE0d0RBWURWUVFIRXdWaGNuVmlZVEVPTUF3R0ExVUVDeE1GWVhKMVltRXhEakFNCkJnTlZCQU1UQldGeWRXSmhNUjB3R3dZSktvWklodmNOQVFrQkZnNWhjblZpWVVCaGNuVmlZUzVoY2pBZUZ3MHhOVEV4TWpBeU1qSTIKTWpkYUZ3MHhOakV4TVRreU1qSTJNamRhTUh3eEN6QUpCZ05WQkFZVEFtRjNNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRQpDaE1GWVhKMVltRXhEakFNQmdOVkJBY1RCV0Z5ZFdKaE1RNHdEQVlEVlFRTEV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4CkhUQWJCZ2txaGtpRzl3MEJDUUVXRG1GeWRXSmhRR0Z5ZFdKaExtRnlNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0IKZ1FESHRDNWdVWHhCS3BFcVpUTGtOdkZ3TkduTklrZ2dOT3dPUVZOYnBPMFdWSElpdmlnNUwzOVdxUzl1MGhuQStPN01DQS9LbHJBUgo0YlhhZVZWaHdmVVBZQktJcGFhVFdGUVI1Y1RSMVVGWkpML09GOXZBZnBPd3pub0Q2NkREQ25RVnBiQ2p0RFlXWCt4NmlteG44SENZCnhoTW9sNlpuVGJTc0ZXNlZaakZNalFJREFRQUJvNEhhTUlIWE1CMEdBMVVkRGdRV0JCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3kKR0RDQnB3WURWUjBqQklHZk1JR2NnQlR4MGxEempIL2lPQm5PU1FhU0VXUUx4MXN5R0tHQmdLUitNSHd4Q3pBSkJnTlZCQVlUQW1GMwpNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRUNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMCkV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4SFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeWdnRUEKTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVFQlFBRGdZRUFZdkJKMEhPWmJiSENsWG1HVWpHcytHUyt4QzFGTy9hbQoyc3VDU1lxTkI5ZHlNWGZPV2lKMStUTEprK28vWVp0OHZ1eENLZGNaWWdsNGwvTDZQeEo5ODJTUmhjODNaVzJka0FaSTRNMC9VZDNvCmVQZTg0azhqbTNBN0V2SDV3aTVodkNrS1JwdVJCd24zRWkrakNSb3V4VGJ6S1BzdUNWQisxc055eE1UWHpmMD08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyPC9zYW1sMjpOYW1lSUQ-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDIwLTA3LTA4VDAyOjIzOjEzLjA3M1oiIFJlY2lwaWVudD0iaHR0cDovL2MxZmFvMS5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4vYWxpYXMvYzFmYW8xLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIi8-PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMjAtMDctMDhUMDE6MjM6MTMuMDU4WiIgTm90T25PckFmdGVyPSIyMDIwLTA3LTA4VDAyOjIzOjEzLjA3M1oiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT5jMWZhbzEuY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW48L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM-PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMC0wNy0wOFQwMToyMzoxMy4wNTdaIiBTZXNzaW9uSW5kZXg9ImFhMzNiNDJpYmRkNmk5OTQ1NWhhaTExMWJpZGk5YyI-PHNhbWwyOkF1dGhuQ29udGV4dD48c2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ-PHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImF1dGhvcml0aWVzIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-dWFhLnVzZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iZW1haWwiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhQHRlc3Rpbmcub3JnPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-YWJmNjEyNjAtMTdhNi00NjA5LTgxYTQtNTY5ODhmMjMyZjJmPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im9yaWdpbiI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYTwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ6b25lSWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPg&scope=openid'
POST /uaa/oauth/token/alias/c1fao1.cloudfoundry-saml-login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: c1fao1.localhost
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclient0Odvbn&client_secret=secret&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTNnODg1OTRmZ2NqZWVmajMwZGE5N2YxNzBjOWFmYyIgSXNzdWVJbnN0YW50PSIyMDIwLTA3LTA4VDAxOjIzOjEzLjA1N1oiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyPmMxZmFvMS5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjYTNnODg1OTRmZ2NqZWVmajMwZGE5N2YxNzBjOWFmYyI-PGRzOlRyYW5zZm9ybXM-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI-PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM-PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8-PGRzOkRpZ2VzdFZhbHVlPjI5elZNdlBacCtJa2x6WVZZVVoxUUhidXFGZz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU-aDAwLysyNU5mU0U5cFdQYktOMitXeEg4Ym8zWFVEOEJvckllT1BtOS9GVlRJWGNsaUR5bnJFTGh3OUJTWXBWUHIzdnNjSWdCenFlcnJ5MWZDNnNEREh6RGZkeURXRGZXU2hpWDRlSkJnNWdQQWNpNC9rTko2Tk5hSFJDaVY1TmxXT1YvQlRoN0pOb1RMcHVzUENRRXNnQ25nZjdKVklGL0R0K1VOZVpEUjRrPTwvZHM6U2lnbmF0dXJlVmFsdWU-PGRzOktleUluZm8-PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU-TUlJRFNUQ0NBcktnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVFRRkFEQjhNUXN3Q1FZRFZRUUdFd0poZHpFT01Bd0dBMVVFQ0JNRgpZWEoxWW1FeERqQU1CZ05WQkFvVEJXRnlkV0poTVE0d0RBWURWUVFIRXdWaGNuVmlZVEVPTUF3R0ExVUVDeE1GWVhKMVltRXhEakFNCkJnTlZCQU1UQldGeWRXSmhNUjB3R3dZSktvWklodmNOQVFrQkZnNWhjblZpWVVCaGNuVmlZUzVoY2pBZUZ3MHhOVEV4TWpBeU1qSTIKTWpkYUZ3MHhOakV4TVRreU1qSTJNamRhTUh3eEN6QUpCZ05WQkFZVEFtRjNNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRQpDaE1GWVhKMVltRXhEakFNQmdOVkJBY1RCV0Z5ZFdKaE1RNHdEQVlEVlFRTEV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4CkhUQWJCZ2txaGtpRzl3MEJDUUVXRG1GeWRXSmhRR0Z5ZFdKaExtRnlNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0IKZ1FESHRDNWdVWHhCS3BFcVpUTGtOdkZ3TkduTklrZ2dOT3dPUVZOYnBPMFdWSElpdmlnNUwzOVdxUzl1MGhuQStPN01DQS9LbHJBUgo0YlhhZVZWaHdmVVBZQktJcGFhVFdGUVI1Y1RSMVVGWkpML09GOXZBZnBPd3pub0Q2NkREQ25RVnBiQ2p0RFlXWCt4NmlteG44SENZCnhoTW9sNlpuVGJTc0ZXNlZaakZNalFJREFRQUJvNEhhTUlIWE1CMEdBMVVkRGdRV0JCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3kKR0RDQnB3WURWUjBqQklHZk1JR2NnQlR4MGxEempIL2lPQm5PU1FhU0VXUUx4MXN5R0tHQmdLUitNSHd4Q3pBSkJnTlZCQVlUQW1GMwpNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRUNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMCkV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4SFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeWdnRUEKTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVFQlFBRGdZRUFZdkJKMEhPWmJiSENsWG1HVWpHcytHUyt4QzFGTy9hbQoyc3VDU1lxTkI5ZHlNWGZPV2lKMStUTEprK28vWVp0OHZ1eENLZGNaWWdsNGwvTDZQeEo5ODJTUmhjODNaVzJka0FaSTRNMC9VZDNvCmVQZTg0azhqbTNBN0V2SDV3aTVodkNrS1JwdVJCd24zRWkrakNSb3V4VGJ6S1BzdUNWQisxc055eE1UWHpmMD08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyPC9zYW1sMjpOYW1lSUQ-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDIwLTA3LTA4VDAyOjIzOjEzLjA3M1oiIFJlY2lwaWVudD0iaHR0cDovL2MxZmFvMS5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4vYWxpYXMvYzFmYW8xLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIi8-PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMjAtMDctMDhUMDE6MjM6MTMuMDU4WiIgTm90T25PckFmdGVyPSIyMDIwLTA3LTA4VDAyOjIzOjEzLjA3M1oiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT5jMWZhbzEuY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW48L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM-PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMC0wNy0wOFQwMToyMzoxMy4wNTdaIiBTZXNzaW9uSW5kZXg9ImFhMzNiNDJpYmRkNmk5OTQ1NWhhaTExMWJpZGk5YyI-PHNhbWwyOkF1dGhuQ29udGV4dD48c2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ-PHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImF1dGhvcml0aWVzIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-dWFhLnVzZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iZW1haWwiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhQHRlc3Rpbmcub3JnPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-YWJmNjEyNjAtMTdhNi00NjA5LTgxYTQtNTY5ODhmMjMyZjJmPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im9yaWdpbiI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYTwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ6b25lSWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPg&scope=openid
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Content-Disposition: inline;filename=f.txt
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2040
{
"access_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiI2MjliZDFiNzAwY2M0ODE4OGU4MTM2YjY5M2Q0YjJjZCIsInN1YiI6ImZiZTdlZjY2LTI5OGYtNDhmZC05NzQyLTA3MjhjYTJhZjU4NiIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJ0ZXN0Y2xpZW50ME9kdmJuIiwiY2lkIjoidGVzdGNsaWVudDBPZHZibiIsImF6cCI6InRlc3RjbGllbnQwT2R2Ym4iLCJncmFudF90eXBlIjoidXJuOmlldGY6cGFyYW1zOm9hdXRoOmdyYW50LXR5cGU6c2FtbDItYmVhcmVyIiwidXNlcl9pZCI6ImZiZTdlZjY2LTI5OGYtNDhmZC05NzQyLTA3MjhjYTJhZjU4NiIsIm9yaWdpbiI6ImMxZmFvMS5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIsInVzZXJfbmFtZSI6IlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyIiwiZW1haWwiOiJTYW1sMkJlYXJlckludGVncmF0aW9uVXNlckB0aGlzLWRlZmF1bHQtd2FzLW5vdC1jb25maWd1cmVkLmludmFsaWQiLCJyZXZfc2lnIjoiZDdhNTFmOTEiLCJpYXQiOjE1OTQxNzEzOTMsImV4cCI6MTU5NDE3MTk5MywiaXNzIjoiaHR0cDovL2MxZmFvMS5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJjMWZhbzEiLCJhdWQiOlsidGVzdGNsaWVudDBPZHZibiIsIm9wZW5pZCJdfQ.-mJz2Q9jICzXQ68yIvZANVU-lQHXLSStQeIow22yV28",
"token_type" : "bearer",
"refresh_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJjNTI2YmMzNmQ2M2E0NjMxYjZkYzQ0M2FiZGU4NWIwZi1yIiwic3ViIjoiZmJlN2VmNjYtMjk4Zi00OGZkLTk3NDItMDcyOGNhMmFmNTg2IiwiaWF0IjoxNTk0MTcxMzkzLCJleHAiOjE1OTY3NjMzOTMsImNpZCI6InRlc3RjbGllbnQwT2R2Ym4iLCJjbGllbnRfaWQiOiJ0ZXN0Y2xpZW50ME9kdmJuIiwiaXNzIjoiaHR0cDovL2MxZmFvMS5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJjMWZhbzEiLCJhdWQiOlsidGVzdGNsaWVudDBPZHZibiIsIm9wZW5pZCJdLCJncmFudGVkX3Njb3BlcyI6WyJvcGVuaWQiXSwiZ3JhbnRfdHlwZSI6InVybjppZXRmOnBhcmFtczpvYXV0aDpncmFudC10eXBlOnNhbWwyLWJlYXJlciIsInVzZXJfbmFtZSI6IlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyIiwib3JpZ2luIjoiYzFmYW8xLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIiwidXNlcl9pZCI6ImZiZTdlZjY2LTI5OGYtNDhmZC05NzQyLTA3MjhjYTJhZjU4NiIsInJldl9zaWciOiJkN2E1MWY5MSJ9.DVo6NoDOshJQG_3CQgO2k379xQ7Qy7SMpPJA6NcT5mU",
"expires_in" : 599,
"scope" : "openid",
"jti" : "629bd1b700cc48188e8136b693d4b2cd"
}
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Optional | The client ID of the receiving client, this client must have urn:ietf:params:oauth:grant-type:saml2-bearer grant type |
| client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
| grant_type | String | Required | The type of token grant requested, in this case urn:ietf:params:oauth:grant-type:saml2-bearer |
| assertion | String | Required | An XML based SAML 2.0 bearer assertion, which is Base64URl encoded. |
| scope | String | Optional | The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have. |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
String |
An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers. |
token_type |
String |
The type of the access token issued, always bearer |
expires_in |
Number |
Number of seconds of lifetime for an access_token, when retrieved |
scope |
String |
A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client). |
refresh_token |
String |
An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types. |
jti |
String |
A globally unique identifier for this access token. This identifier is used when revoking tokens. |
JWT Bearer Token Grant
The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
allows to request an OAuth 2.0 access token with a JWT id_token bearer assertion. The flow is defined in
RFC 7523. The requesting client, must have grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer.
In addition the requesting client must either allow the IDP in allowedproviders or omit the property so that any trusted IDP is allowed.
The trust to the assertion, the issuer claim is used to select an OIDC provider (IDP) configured in the
UAA database. If multiple providers exists that have the same issuer, the grant will fail.
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id=wb6w1nmnh0rs&client_secret=secret&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&token_format=opaque&response_type=token+id_token&scope=openid&assertion=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiI2MDgyMmE0ZC02NzkwLTQ0NmEtOGI5Yy1mZTI2ZWQxZDk0ZmUiLCJhdWQiOlsidENJZkpUTmFZTmdjIl0sImlzcyI6Imh0dHA6Ly9nYm9lcmk5dnM0eTQubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiZXhwIjoxNTk0MjE0NTc3LCJpYXQiOjE1OTQxNzEzNzcsImFtciI6WyJwd2QiXSwiYXpwIjoidENJZkpUTmFZTmdjIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoibnhreWw0bmF6bzN5QHRlc3Qub3JnIiwiemlkIjoiZ2JvZXJpOXZzNHk0Iiwib3JpZ2luIjoidWFhIiwianRpIjoiMWJmZjQyM2UxNzk0NDU0MmI2ZWZhZDk2YTdhNzVlZWUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiY2xpZW50X2lkIjoidENJZkpUTmFZTmdjIiwiY2lkIjoidENJZkpUTmFZTmdjIiwiZ3JhbnRfdHlwZSI6InBhc3N3b3JkIiwidXNlcl9uYW1lIjoibnhreWw0bmF6bzN5IiwicmV2X3NpZyI6ImQyYmM5Y2E5IiwidXNlcl9pZCI6IjYwODIyYTRkLTY3OTAtNDQ2YS04YjljLWZlMjZlZDFkOTRmZSIsImF1dGhfdGltZSI6MTU5NDE3MTM3N30.8aOR9WG0M7azR_NwDBqzCEZ3ujPW9BU2JjSaQtB_Deg'
POST /oauth/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: localhost
client_id=wb6w1nmnh0rs&client_secret=secret&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&token_format=opaque&response_type=token+id_token&scope=openid&assertion=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiI2MDgyMmE0ZC02NzkwLTQ0NmEtOGI5Yy1mZTI2ZWQxZDk0ZmUiLCJhdWQiOlsidENJZkpUTmFZTmdjIl0sImlzcyI6Imh0dHA6Ly9nYm9lcmk5dnM0eTQubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiZXhwIjoxNTk0MjE0NTc3LCJpYXQiOjE1OTQxNzEzNzcsImFtciI6WyJwd2QiXSwiYXpwIjoidENJZkpUTmFZTmdjIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoibnhreWw0bmF6bzN5QHRlc3Qub3JnIiwiemlkIjoiZ2JvZXJpOXZzNHk0Iiwib3JpZ2luIjoidWFhIiwianRpIjoiMWJmZjQyM2UxNzk0NDU0MmI2ZWZhZDk2YTdhNzVlZWUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiY2xpZW50X2lkIjoidENJZkpUTmFZTmdjIiwiY2lkIjoidENJZkpUTmFZTmdjIiwiZ3JhbnRfdHlwZSI6InBhc3N3b3JkIiwidXNlcl9uYW1lIjoibnhreWw0bmF6bzN5IiwicmV2X3NpZyI6ImQyYmM5Y2E5IiwidXNlcl9pZCI6IjYwODIyYTRkLTY3OTAtNDQ2YS04YjljLWZlMjZlZDFkOTRmZSIsImF1dGhfdGltZSI6MTU5NDE3MTM3N30.8aOR9WG0M7azR_NwDBqzCEZ3ujPW9BU2JjSaQtB_Deg
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 176
{
"access_token" : "5ad0f692374446ddb770aa7f0b1ed3e9",
"token_type" : "bearer",
"expires_in" : 43199,
"scope" : "openid",
"jti" : "5ad0f692374446ddb770aa7f0b1ed3e9"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| assertion | String | Required | JWT token identifying representing the user to be authenticated |
| client_id | String | Required | Required, client with |
| client_secret | String | Required | Required unless a basic authorization header is used |
| grant_type | String | Required | Must be set to urn:ietf:params:oauth:grant-type:jwt-bearer |
| scope | String | Optional | Optional parameter to limit the number of scopes in the scope claim of the access token |
| response_type | String | Optional | May be set to token or token id_token or id_token |
| token_format | String | Optional | May be set to opaque to retrieve revocable and non identifiable access token |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
String |
Access token generated by this grant |
token_type |
String |
Will always be bearer |
scope |
String |
List of scopes present in the scope claim in the access token |
expires_in |
Number |
Number of seconds before this token expires from the time of issuance |
jti |
String |
The unique token ID |
Refresh Token
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=app&client_secret=appclientsecret&grant_type=refresh_token&token_format=opaque&refresh_token=4a89b21951064472bba48387e97d8699-r'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: localhost
client_id=app&client_secret=appclientsecret&grant_type=refresh_token&token_format=opaque&refresh_token=4a89b21951064472bba48387e97d8699-r
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1138
{
"access_token" : "434136d22d68427f9612ba9405155a6a",
"token_type" : "bearer",
"id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiI5MTkzMjY2OC0xZjEyLTRiOWEtYjFjNi0zOTZmMGYyMDI3NjYiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE1OTQyMTQ1OTYsImlhdCI6MTU5NDE3MTM5NiwiYW1yIjpbInB3ZCJdLCJhenAiOiJhcHAiLCJzY29wZSI6WyJvcGVuaWQiXSwiZW1haWwiOiJpdDRLWHdAdGVzdC5vcmciLCJ6aWQiOiJ1YWEiLCJvcmlnaW4iOiJ1YWEiLCJqdGkiOiJkN2FiZjg1MGNjMzA0YzhjYjQ0MDg3ZTdkMTdhZDhlMyIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJpdDRLWHdAdGVzdC5vcmciLCJyZXZfc2lnIjoiZjBjOTQ4YiIsInVzZXJfaWQiOiI5MTkzMjY2OC0xZjEyLTRiOWEtYjFjNi0zOTZmMGYyMDI3NjYiLCJhdXRoX3RpbWUiOjE1OTQxNzEzOTZ9.XpVJiEzQkaVbKsrYhHFo3XOKmWZAZYFqJAEQVN_aMPs",
"refresh_token" : "4a89b21951064472bba48387e97d8699-r",
"expires_in" : 43199,
"scope" : "scim.userids cloud_controller.read password.write cloud_controller.write openid",
"jti" : "434136d22d68427f9612ba9405155a6a"
}
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| grant_type | String | Required | the type of authentication being used to obtain the token, in this case refresh_token |
| client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
| client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
| refresh_token | String | Required | the refresh_token that was returned along with the access token. |
| token_format | String | Optional | Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used. |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
String |
An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers. |
id_token |
String |
An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope. |
refresh_token |
String |
An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types. |
token_type |
String |
The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer. |
expires_in |
Number |
The number of seconds until the access token expires. |
scope |
String |
A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client). |
jti |
String |
A globally unique identifier for this access token. This identifier is used when revoking tokens. |
OpenID Connect
The token endpoint can provide an ID token as defined by OpenID Connect.
$ curl 'http://localhost/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&code=UyE6wy9igT&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf'
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Host: localhost
client_id=login&client_secret=loginsecret&grant_type=authorization_code&code=UyE6wy9igT&token_format=opaque&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1088
{
"access_token" : "e3f98d4c3997464197159926e042c367",
"token_type" : "bearer",
"id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJhNDNmODE0Zi1lMGQ1LTQ5NzAtOTBmMC1kZTRlYzVhNmE3MTEiLCJhdWQiOlsibG9naW4iXSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImV4cCI6MTU5NDIxNDU5MSwiaWF0IjoxNTk0MTcxMzkxLCJhenAiOiJsb2dpbiIsInNjb3BlIjpbIm9wZW5pZCJdLCJlbWFpbCI6IjI5SThNeUB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6ImUzZjk4ZDRjMzk5NzQ2NDE5NzE1OTkyNmUwNDJjMzY3IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImxvZ2luIiwiY2lkIjoibG9naW4iLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwidXNlcl9uYW1lIjoiMjlJOE15QHRlc3Qub3JnIiwicmV2X3NpZyI6IjU0YzEwNWJkIiwidXNlcl9pZCI6ImE0M2Y4MTRmLWUwZDUtNDk3MC05MGYwLWRlNGVjNWE2YTcxMSIsImF1dGhfdGltZSI6MTU5NDE3MTM5MX0.nJtpyj5utPO_kZxEiSmayZYOf0llrvY19yRvw0JSpLo",
"refresh_token" : "78eb1244632647079acc583710e1228a-r",
"expires_in" : 43199,
"scope" : "openid oauth.approvals",
"jti" : "e3f98d4c3997464197159926e042c367"
}
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Optional | A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header. |
| redirect_uri | String | Required if provided on authorization request | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied) |
| code | String | Required | the authorization code, obtained from /oauth/authorize, issued for the user |
| grant_type | String | Required | the type of authentication being used to obtain the token, in this case authorization_code |
| client_secret | String | Optional | The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header. |
| token_format | String | Optional | Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used. |
Response Fields
| Path | Type | Description |
|---|---|---|
access_token |
String |
An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers. |
id_token |
String |
An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope. |
token_type |
String |
The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer. |
expires_in |
Number |
The number of seconds until the access token expires. |
scope |
String |
A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client). |
refresh_token |
String |
An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types. |
jti |
String |
A globally unique identifier for this access token. This identifier is used when revoking tokens. |
Revoke tokens
Revoke all tokens for a user
$ curl 'http://localhost/oauth/token/revoke/user/ddd0b7a1-ceb4-4501-ba3a-2713b45f8adb' -i -X GET \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiI2Mzg2YjczOWIyNzE0NzVhODYwYTVhZTA5NTZjZmRlZCIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwic2NvcGUiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJjaWQiOiJhZG1pbiIsImF6cCI6ImFkbWluIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI2NTFhN2JmMSIsImlhdCI6MTU5NDE3MTM5NywiZXhwIjoxNTk0MjE0NTk3LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbGllbnRzIiwidWFhIiwiYWRtaW4iXX0.h7jvAWvJTGKyWWHvoW4V7djg-ATKhG15OECELwaq3zQ'
GET /oauth/token/revoke/user/ddd0b7a1-ceb4-4501-ba3a-2713b45f8adb HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiI2Mzg2YjczOWIyNzE0NzVhODYwYTVhZTA5NTZjZmRlZCIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwic2NvcGUiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJjaWQiOiJhZG1pbiIsImF6cCI6ImFkbWluIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI2NTFhN2JmMSIsImlhdCI6MTU5NDE3MTM5NywiZXhwIjoxNTk0MjE0NTk3LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbGllbnRzIiwidWFhIiwiYWRtaW4iXX0.h7jvAWvJTGKyWWHvoW4V7djg-ATKhG15OECELwaq3zQ
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Path Parameters
/oauth/token/revoke/user/{userId}
| Parameter | Description |
|---|---|
| userId | The id of the user |
Request Header
| Name | Description |
|---|---|
Authorization |
Bearer token with one of: uaa.admin scope OR tokens.revoke scope OR matching user_id |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Revoke all tokens for a client
$ curl 'http://localhost/oauth/token/revoke/client/piE6Ii' -i -X GET \
-H 'Authorization: Bearer dc1733fd02d9462bbc502fa01c26ba2a'
GET /oauth/token/revoke/client/piE6Ii HTTP/1.1
Authorization: Bearer dc1733fd02d9462bbc502fa01c26ba2a
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Path Parameters
/oauth/token/revoke/client/{clientId}
| Parameter | Description |
|---|---|
| clientId | The id of the client |
Request Header
| Name | Description |
|---|---|
Authorization |
Bearer token with uaa.admin or tokens.revoke scope. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Revoke all tokens for a user and client combination
$ curl 'http://localhost/oauth/token/revoke/user/934a4cd7-1537-429d-aff8-26c09b6e5a40/client/cXkNJa' -i -X GET \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiIyZDZmODU2NDVkYjY0MjZmYjQxNDNmZTZkYzEzOTMzZiIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwic2NvcGUiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJjaWQiOiJhZG1pbiIsImF6cCI6ImFkbWluIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI2NTFhN2JmMSIsImlhdCI6MTU5NDE3MTM5MCwiZXhwIjoxNTk0MjE0NTkwLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbGllbnRzIiwidWFhIiwiYWRtaW4iXX0.HSdz65qjhI-7IhBjvTefIxGlAkfSdrbsX2iUd0FJVWU'
GET /oauth/token/revoke/user/934a4cd7-1537-429d-aff8-26c09b6e5a40/client/cXkNJa HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiIyZDZmODU2NDVkYjY0MjZmYjQxNDNmZTZkYzEzOTMzZiIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwic2NvcGUiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJjaWQiOiJhZG1pbiIsImF6cCI6ImFkbWluIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI2NTFhN2JmMSIsImlhdCI6MTU5NDE3MTM5MCwiZXhwIjoxNTk0MjE0NTkwLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbGllbnRzIiwidWFhIiwiYWRtaW4iXX0.HSdz65qjhI-7IhBjvTefIxGlAkfSdrbsX2iUd0FJVWU
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Path Parameters
/oauth/token/revoke/user/{userId}/client/{clientId}
| Parameter | Description |
|---|---|
| userId | The id of the user |
| clientId | The id of the client |
Request Header
| Name | Description |
|---|---|
Authorization |
Bearer token with one of: uaa.admin scope OR tokens.revoke scope OR (matching user_id AND client_id) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Revoke a single token
$ curl 'http://localhost/oauth/token/revoke/5e6c1a9b969a487cadbfb117050d8f86' -i -X DELETE \
-H 'Authorization: Bearer 5e6c1a9b969a487cadbfb117050d8f86'
DELETE /oauth/token/revoke/5e6c1a9b969a487cadbfb117050d8f86 HTTP/1.1
Authorization: Bearer 5e6c1a9b969a487cadbfb117050d8f86
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Path Parameters
/oauth/token/revoke/{tokenId}
| Parameter | Description |
|---|---|
| tokenId | The identifier for the token to be revoked. For opaque tokens, use the token itself. For JWT tokens use the jti claim in the token. |
Request Header
| Name | Description |
|---|---|
Authorization |
Bearer token with one of: uaa.admin scope OR tokens.revoke scope OR the token ID to be revoked |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
List tokens
List all tokens for a user
The /oauth/token/list/user/{userId} will return all the tokens that match the user_id in the path parameter.
This token requires the tokens.list scope.
$ curl 'http://localhost/oauth/token/list/user/472166cf-1227-4900-b9e3-018b3b60341a' -i -X GET \
-H 'Authorization: Bearer aed06ca8acbd4ce19711dc3ae85ee926' \
-H 'Accept: application/json'
GET /oauth/token/list/user/472166cf-1227-4900-b9e3-018b3b60341a HTTP/1.1
Authorization: Bearer aed06ca8acbd4ce19711dc3ae85ee926
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 631
[ {
"tokenId" : "6b5ad715151544f8a16f813f77b18632",
"clientId" : "LdmxS8",
"userId" : "472166cf-1227-4900-b9e3-018b3b60341a",
"format" : "opaque",
"responseType" : "ACCESS_TOKEN",
"issuedAt" : 1594171397709,
"expiresAt" : 1594214597706,
"scope" : "[openid]",
"value" : null,
"zoneId" : "uaa"
}, {
"tokenId" : "2bfdd78f8111435592eadee7b05e3198-r",
"clientId" : "LdmxS8",
"userId" : "472166cf-1227-4900-b9e3-018b3b60341a",
"format" : "opaque",
"responseType" : "REFRESH_TOKEN",
"issuedAt" : 1594171397709,
"expiresAt" : 1596763397704,
"scope" : "[openid]",
"value" : null,
"zoneId" : "uaa"
} ]
Request Header
| Name | Description |
|---|---|
Authorization |
Bearer token containing the tokens.list scope. |
Accept |
Set to application/json |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Path Parameters
/oauth/token/list/user/{userId}
| Parameter | Description |
|---|---|
| userId | The user ID to retrieve tokens for |
Response Fields
| Path | Type | Description |
|---|---|---|
[].zoneId |
String |
The zone ID for the token |
[].tokenId |
String |
The unique ID for the token |
[].clientId |
String |
Client ID for this token, will always match the client_id claim in the access token used for this call |
[].userId |
String |
User ID for this token, will always match the user_id claim in the access token used for this call |
[].format |
String |
What format was requested, possible values OPAQUE or JWT |
[].expiresAt |
Number |
Token expiration date, as a epoch timestamp, in milliseconds between the expires time and midnight, January 1, 1970 UTC. |
[].issuedAt |
Number |
Token issue date as, a epoch timestamp, in milliseconds between the issued time and midnight, January 1, 1970 UTC. |
[].scope |
String |
Comma separated list of scopes this token holds, up to 1000 characters |
[].responseType |
String |
Response type requested during the token request, possible values ACCESS_TOKEN or REFRESH_TOKEN |
[].value |
String |
Access token value will always be null |
List all tokens for a client
The /oauth/token/list/client/{clientId} will return all the tokens that match the client_id in the path parameter.
This token requires the tokens.list scope.
$ curl 'http://localhost/oauth/token/list/client/wiUsMO' -i -X GET \
-H 'Authorization: Bearer 2724175d0841456e831deef69ea4a270' \
-H 'Accept: application/json'
GET /oauth/token/list/client/wiUsMO HTTP/1.1
Authorization: Bearer 2724175d0841456e831deef69ea4a270
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 286
[ {
"tokenId" : "2724175d0841456e831deef69ea4a270",
"clientId" : "wiUsMO",
"userId" : null,
"format" : "opaque",
"responseType" : "ACCESS_TOKEN",
"issuedAt" : 1594171397326,
"expiresAt" : 1594214597323,
"scope" : "[tokens.list]",
"value" : null,
"zoneId" : "uaa"
} ]
Request Header
| Name | Description |
|---|---|
Authorization |
Bearer token containing the tokens.list scope. |
Accept |
Set to application/json |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Path Parameters
/oauth/token/list/client/{clientId}
| Parameter | Description |
|---|---|
| clientId | The client ID to retrieve tokens for |
Response Fields
| Path | Type | Description |
|---|---|---|
[].zoneId |
String |
The zone ID for the token |
[].tokenId |
String |
The unique ID for the token |
[].clientId |
String |
Client ID for this token, will always match the client_id claim in the access token used for this call |
[].userId |
String |
User ID for this token, will always match the user_id claim in the access token used for this call |
[].format |
String |
What format was requested, possible values OPAQUE or JWT |
[].expiresAt |
Number |
Token expiration date, as a epoch timestamp, in milliseconds between the expires time and midnight, January 1, 1970 UTC. |
[].issuedAt |
Number |
Token issue date as, a epoch timestamp, in milliseconds between the issued time and midnight, January 1, 1970 UTC. |
[].scope |
String |
Comma separated list of scopes this token holds, up to 1000 characters |
[].responseType |
String |
Response type requested during the token request, possible values ACCESS_TOKEN or REFRESH_TOKEN |
[].value |
String |
Access token value will always be null |
Introspect Token
Introspect token endpoint is RFC-7662 compliant. Active flag is responsible for showing the validity of the token and not the HTTP status code. Status code will be 200 OK for both valid and invalid tokens.
$ curl 'http://localhost/introspect' -i -X POST \
-H 'Authorization: bearer ba58894f1f3d4012b3893c586684ea93' \
-d 'token=de21ab6a87ea487781bd61e85098be08'
POST /introspect HTTP/1.1
Authorization: bearer ba58894f1f3d4012b3893c586684ea93
Host: localhost
Content-Type: application/x-www-form-urlencoded
token=de21ab6a87ea487781bd61e85098be08
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 706
{
"user_id" : "b1bc64ae-c4d3-4eb5-afab-85acfb3cb60d",
"user_name" : "marissa",
"email" : "[email protected]",
"client_id" : "app",
"exp" : 1594214573,
"scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ],
"jti" : "de21ab6a87ea487781bd61e85098be08",
"aud" : [ "app", "scim", "cloud_controller", "password", "openid" ],
"sub" : "b1bc64ae-c4d3-4eb5-afab-85acfb3cb60d",
"iss" : "http://localhost:8080/uaa/oauth/token",
"iat" : 1594171373,
"cid" : "app",
"grant_type" : "password",
"azp" : "app",
"auth_time" : 1594171373,
"zid" : "uaa",
"rev_sig" : "594c8ccf",
"origin" : "uaa",
"revocable" : true,
"active" : true
}
Request Headers
| Name | Description |
|---|---|
Authorization |
One of the following authentication/authorization mechanisms:
|
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| token | String | Required | The token |
Response Fields
| Path | Type | Description |
|---|---|---|
active |
Boolean |
Indicates whether or not the presented token is currently valid (given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity) |
user_id |
String |
Only applicable for user tokens |
user_name |
String |
Only applicable for user tokens |
email |
String |
Only applicable for user tokens |
client_id |
String |
A unique string representing the registration information provided by the client |
exp |
Number |
Expiration Time Claim |
authorities |
Array |
Only applicable for client tokens |
scope |
Array |
List of scopes authorized by the user for this client |
jti |
String |
JWT ID Claim |
aud |
Array |
Audience Claim |
sub |
String |
Subject Claim |
iss |
String |
Issuer Claim |
iat |
Number |
Issued At Claim |
cid |
String |
See client_id |
grant_type |
String |
The type of authentication being used to obtain the token, in this case password |
azp |
String |
Authorized party |
auth_time |
Number |
Only applicable for user tokens |
zid |
String |
Zone ID |
rev_sig |
String |
Revocation Signature - token revocation hash salted with at least client ID and client secret, and optionally various user values. |
origin |
String |
Only applicable for user tokens |
revocable |
Boolean |
Set to true if this token is revocable |
Check Token
$ curl 'http://localhost/check_token' -i -u 'app:appclientsecret' -X POST \
-d 'token=99f5d848345b4d738f05775d5b20dc22&scopes=password.write%2Cscim.userids'
POST /check_token HTTP/1.1
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
Host: localhost
Content-Type: application/x-www-form-urlencoded
token=99f5d848345b4d738f05775d5b20dc22&scopes=password.write%2Cscim.userids
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 687
{
"user_id" : "67cd1d7f-314b-4427-a10d-70c15c8e8c6b",
"user_name" : "marissa",
"email" : "[email protected]",
"client_id" : "app",
"exp" : 1594214578,
"scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ],
"jti" : "99f5d848345b4d738f05775d5b20dc22",
"aud" : [ "app", "scim", "cloud_controller", "password", "openid" ],
"sub" : "67cd1d7f-314b-4427-a10d-70c15c8e8c6b",
"iss" : "http://localhost:8080/uaa/oauth/token",
"iat" : 1594171378,
"cid" : "app",
"grant_type" : "password",
"azp" : "app",
"auth_time" : 1594171378,
"zid" : "uaa",
"rev_sig" : "bb3489fd",
"origin" : "uaa",
"revocable" : true
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| token | String | Required | The token |
| scopes | Array | Optional | String of comma-separated scopes, for checking presence of scopes on the token |
Response Fields
| Path | Type | Description |
|---|---|---|
user_id |
String |
Only applicable for user tokens |
user_name |
String |
Only applicable for user tokens |
email |
String |
Only applicable for user tokens |
client_id |
String |
A unique string representing the registration information provided by the client |
exp |
Number |
Expiration Time Claim |
authorities |
Array |
Only applicable for client tokens |
scope |
Array |
List of scopes authorized by the user for this client |
jti |
String |
JWT ID Claim |
aud |
Array |
Audience Claim |
sub |
String |
Subject Claim |
iss |
String |
Issuer Claim |
iat |
Number |
Issued At Claim |
cid |
String |
See client_id |
grant_type |
String |
The type of authentication being used to obtain the token, in this case password |
azp |
String |
Authorized party |
auth_time |
Number |
Only applicable for user tokens |
zid |
String |
Zone ID |
rev_sig |
String |
Revocation Signature - token revocation hash salted with at least client ID and client secret, and optionally various user values. |
origin |
String |
Only applicable for user tokens |
revocable |
Boolean |
Set to true if this token is revocable |
Token Key(s)
Token Key
An endpoint which returns the JSON Web Token (JWT) key, used by the UAA to sign JWT access tokens, and to be used by authorized clients to verify that a token came from the UAA. The key is in JSON Web Key format. For complete information about JSON Web Keys, see RFC 7517. In the case when the token key is symmetric, signer key and verifier key are the same, then this call is authenticated with client credentials using the HTTP Basic method.
JWT signing keys are specified via the identity zone configuration (see /identity-zones). An identity zone token policy can be configured with multiple keys for purposes of key rotation. When adding a new key, set its ID as the activeKeyId to use it to sign all new tokens. /introspect will continue to verify tokens signed with the previous signing key for as long as it is present in the keys of the identity zone's token policy. Remove it to invalidate all those tokens.
Asymmetric
$ curl 'http://localhost/token_key' -i -X GET \
-H 'Accept: application/json' \
-H 'If-None-Match: 1501570800000'
GET /token_key HTTP/1.1
Accept: application/json
If-None-Match: 1501570800000
Host: localhost
HTTP/1.1 200 OK
ETag: "1594171379737"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 921
{
"kty" : "RSA",
"e" : "AQAB",
"use" : "sig",
"kid" : "testKey",
"alg" : "RS256",
"value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
"n" : "ANJufZdrvYg5zG61x36pDq59nVUN73wSanA7hVCtN3ftT2Rm1ZTQqp5KSCfLMhaaVvJY51sHj-_i4lqUaM9CO32G93fE44VfOmPfexZeAwa8YDOikyTrhP7sZ6A4WUNeC4DlNnJF4zsznU7JxjCkASwpdL6XFwbRSzGkm6b9aM4vIewyclWehJxUGVFhnYEzIQ65qnr38feVP9enOVgQzpKsCJ-xpa8vZ_UrscoG3_IOQM6VnLrGYAyyCGeyU1JXQW_KlNmtA5eJry2Tp-MD6I34_QsNkCArHOfj8H9tXz_oc3_tVkkR252L_Lmp0TtIGfHpBmoITP9h-oKiW6NpyCc"
}
Request Headers
| Name | Description |
|---|---|
If-None-Match |
Optional. See Ref: RFC 2616 |
Response Headers
| Name | Description |
|---|---|
ETag |
The ETag version of the resource - used to decide if the client's version of the resource is already up to date. The UAA will set the ETag value to the epoch time in milliseconds of the last zone configuration change. |
Response Fields
| Path | Type | Description |
|---|---|---|
kid |
String |
Key ID of key to be used for verification of the token. |
alg |
String |
Encryption algorithm |
value |
String |
Verifier key |
kty |
String |
Key type (RSA) |
use |
String |
Public key use parameter - identifies intended use of the public key. (defaults to "sig") |
n |
String |
RSA key modulus |
e |
String |
RSA key public exponent |
Error Codes
| Error Code | Description |
|---|---|
| 401 | Unauthorized - Unregistered client or incorrect client secret |
Symmetric
$ curl 'http://localhost/token_key' -i -u 'app:appclientsecret' -X GET \
-H 'Accept: application/json' \
-H 'If-None-Match: 1501570800000'
GET /token_key HTTP/1.1
Accept: application/json
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
If-None-Match: 1501570800000
Host: localhost
HTTP/1.1 200 OK
ETag: "1594171379575"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 95
{
"kty" : "MAC",
"alg" : "HS256",
"value" : "key",
"use" : "sig",
"kid" : "testKey"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority |
If-None-Match |
Optional. See Ref: RFC 2616 |
Response Fields
| Path | Type | Description |
|---|---|---|
kid |
String |
Key ID of key to be used for verification of the token. |
alg |
String |
Encryption algorithm |
value |
String |
Verifier key |
kty |
String |
Key type (MAC) |
use |
String |
Public key use parameter - identifies intended use of the public key. (defaults to "sig") |
Error Codes
| Error Code | Description |
|---|---|
| 401 | Unauthorized - Unregistered client or incorrect client secret |
| 403 | Forbidden - Not a resource server (missing uaa.resource scope) |
Token Keys
An endpoint which returns the list of JWT keys. To support key rotation, this list specifies the IDs of all currently valid keys. JWT tokens issued by the UAA contain a kid field, indicating which key should be used for verification of the token.
$ curl 'http://localhost/token_keys' -i -u 'app:appclientsecret' -X GET \
-H 'Accept: application/json' \
-H 'If-None-Match: 1501570800000'
GET /token_keys HTTP/1.1
Accept: application/json
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
If-None-Match: 1501570800000
Host: localhost
HTTP/1.1 200 OK
ETag: "1594171379367"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 956
{
"keys" : [ {
"kty" : "RSA",
"e" : "AQAB",
"use" : "sig",
"kid" : "testKey",
"alg" : "RS256",
"value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
"n" : "ANJufZdrvYg5zG61x36pDq59nVUN73wSanA7hVCtN3ftT2Rm1ZTQqp5KSCfLMhaaVvJY51sHj-_i4lqUaM9CO32G93fE44VfOmPfexZeAwa8YDOikyTrhP7sZ6A4WUNeC4DlNnJF4zsznU7JxjCkASwpdL6XFwbRSzGkm6b9aM4vIewyclWehJxUGVFhnYEzIQ65qnr38feVP9enOVgQzpKsCJ-xpa8vZ_UrscoG3_IOQM6VnLrGYAyyCGeyU1JXQW_KlNmtA5eJry2Tp-MD6I34_QsNkCArHOfj8H9tXz_oc3_tVkkR252L_Lmp0TtIGfHpBmoITP9h-oKiW6NpyCc"
} ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
No authorization is required for requesting public keys. |
If-None-Match |
Optional. See Ref: RFC 2616 |
Response Headers
| Name | Description |
|---|---|
ETag |
The ETag version of the resource - used to decide if the client's version of the resource is already up to date. The UAA will set the ETag value to the epoch time in milliseconds of the last zone configuration change. |
Response Fields
| Path | Type | Description |
|---|---|---|
keys.[].kid |
String |
Key ID of key to be used for verification of the token. |
keys.[].alg |
String |
Encryption algorithm |
keys.[].value |
String |
Verifier key |
keys.[].kty |
String |
Key type (RSA or MAC) |
keys.[].use |
String |
Public key use parameter - identifies intended use of the public key. (defaults to "sig") |
keys.[].n |
String |
RSA key modulus |
keys.[].e |
String |
RSA key public exponent |
Error Codes
| Error Code | Description |
|---|---|
| 401 | Unauthorized - Unregistered client or incorrect client secret |
Session Management
Logout.do
The logout endpoint is meant to be used by applications to log the user out of the UAA session. UAA will only log a user out of the UAA session if they also hit this endpoint, and may also perform Single Logout with SAML providers if configured to do so. The recommendation for application authors is to:
- provide a local logout feature specific to the client application and use that to clear state in the client
- as part of the logout redirect to the logout endpoint using their client ID
- provide a redirect param in the link to the logout success page of their application so that the user come back to a familiar place when logged out
- add the logout success page to the client's redirect_uri configuration to whitelist the URL
If the chosen redirect URI is not whitelisted, users will land on the UAA login page. This is a security feature intended to prevent open redirects as per RFC 6749.
$ curl 'http://localhost/logout.do?redirect=http%3A%2F%2Fredirect.localhost&client_id=some_client_that_contains_redirect_uri_matching_request_param' -i -X GET
GET /logout.do?redirect=http%3A%2F%2Fredirect.localhost&client_id=some_client_that_contains_redirect_uri_matching_request_param HTTP/1.1
Host: localhost
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Set-Cookie: X-Uaa-Csrf=cpT1pOjCpDJh70OjQyT4Ae; Path=/; Max-Age=86400; Expires=Thu, 09 Jul 2020 01:23:08 GMT; HttpOnly
Set-Cookie: Current-User=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: X-Uaa-Csrf=fYai6IGj85SmZeFGBBYW22; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly
Set-Cookie: JSESSIONID=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: http://redirect.localhost
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| redirect | String | Optional (defaults to Identity Zone redirect uri) |
On a successful logout redirect the user to here, provided the URL is whitelisted |
| client_id | String | Optional | On a successful logout the client's redirect_uri configuration is used as the redirect uri whitelist. If this value is not provided, the identity zone whitelist will be used instead. |
Response Headers
| Name | Description |
|---|---|
Location |
Redirect URI |
Identity Zones
The UAA supports multi tenancy. This is referred to as identity zones. An identity zone is accessed through a unique subdomain. If the standard UAA responds to https://uaa.10.244.0.34.xip.io a zone on this UAA would be accessed through https://testzone1.uaa.10.244.0.34.xip.io
A zone contains a unique identifier as well as a unique subdomain:
{
"id":"testzone1",
"subdomain":"testzone1",
"name":"The Twiglet Zone[testzone1]",
"version":0,
"description":"Like the Twilight Zone but tastier[testzone1].",
"created":1426258488910,
"last_modified":1426258488910
}
The UAA by default creates a default zone. This zone will always be present, the ID will always be
uaa, and the subdomain is blank:
{
"id": "uaa",
"subdomain": "",
"name": "uaa",
"version": 0,
"description": "The system zone for backwards compatibility",
"created": 946710000000,
"last_modified": 946710000000
}
Creating an identity zone
An identity zone is created using a POST with an IdentityZone object. If the object contains an id, this id will be used as the identifier, otherwise an identifier will be generated. Once a zone has been created, the UAA will start accepting requests on the subdomain defined in the subdomain field of the identity zone.
When an Identity Zone is created, an internal Identity Provider is automatically created with the default password policy.
$ curl 'http://localhost/identity-zones' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 6d884356281943d78329ab4a013db03b' \
-d '{
"id" : "twiglet-create",
"subdomain" : "twiglet-create",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : 3600,
"refreshTokenValidity" : 7200,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : "active-key-1",
"keys" : {
"active-key-1" : {
"signingKey" : "key"
}
}
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"passphrase" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
"privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"privateKeyPassword" : "password"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
},
"consent" : {
"text" : "Some Policy",
"link" : "http://policy.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
},
"issuer" : "http://localhost:8080/uaa",
"defaultIdentityProvider" : "uaa"
},
"name" : "The Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but tastier.",
"created" : 1594171382884,
"active" : true,
"last_modified" : 1594171382884
}'
POST /identity-zones HTTP/1.1
Content-Type: application/json
Authorization: Bearer 6d884356281943d78329ab4a013db03b
Content-Length: 6508
Host: localhost
{
"id" : "twiglet-create",
"subdomain" : "twiglet-create",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : 3600,
"refreshTokenValidity" : 7200,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : "active-key-1",
"keys" : {
"active-key-1" : {
"signingKey" : "key"
}
}
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"passphrase" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
"privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"privateKeyPassword" : "password"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
},
"consent" : {
"text" : "Some Policy",
"link" : "http://policy.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
},
"issuer" : "http://localhost:8080/uaa",
"defaultIdentityProvider" : "uaa"
},
"name" : "The Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but tastier.",
"created" : 1594171382884,
"active" : true,
"last_modified" : 1594171382884
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 5277
{
"id" : "twiglet-create",
"subdomain" : "twiglet-create",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : 3600,
"refreshTokenValidity" : 7200,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : "active-key-1"
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
},
"consent" : {
"text" : "Some Policy",
"link" : "http://policy.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
},
"issuer" : "http://localhost:8080/uaa",
"defaultIdentityProvider" : "uaa"
},
"name" : "The Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but tastier.",
"created" : 1594171382897,
"active" : true,
"last_modified" : 1594171382897
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.write or uaa.admin |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| id | String | Optional | Unique ID of the identity zone |
| subdomain | String | Required | Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
| name | String | Required | Human-readable zone name |
| description | String | Optional | Description of the zone |
| version | Number | Optional | Reserved for future use of E-Tag versioning |
| active | Boolean | Optional | Indicates whether the identity zone is active. Defaults to true. |
| config.clientSecretPolicy.minLength | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of characters required for secret to be considered valid (defaults to 0). |
| config.clientSecretPolicy.maxLength | Number | Required when clientSecretPolicy in the config is not null |
Maximum number of characters required for secret to be considered valid (defaults to 255). |
| config.clientSecretPolicy.requireUpperCaseCharacter | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of uppercase characters required for secret to be considered valid (defaults to 0). |
| config.clientSecretPolicy.requireLowerCaseCharacter | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of lowercase characters required for secret to be considered valid (defaults to 0). |
| config.clientSecretPolicy.requireDigit | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of digits required for secret to be considered valid (defaults to 0). |
| config.clientSecretPolicy.requireSpecialCharacter | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of special characters required for secret to be considered valid (defaults to 0). |
| config.tokenPolicy | Object | Optional | Various fields pertaining to the JWT access and refresh tokens. |
| config.tokenPolicy.activeKeyId | String | Required if config.tokenPolicy.keys are set |
The ID for the key that is being used to sign tokens |
| config.tokenPolicy.keys.. | String | Optional | Keys which will be used to sign the token |
| config.tokenPolicy.accessTokenValidity | Number | Optional | Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity |
| config.tokenPolicy.refreshTokenValidity | Number | Optional | Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity |
| config.tokenPolicy.jwtRevocable | Boolean | Optional | Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
| config.tokenPolicy.refreshTokenUnique | Boolean | Optional | If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false. |
| config.tokenPolicy.refreshTokenFormat | String | Optional | The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt. |
| config.samlConfig.disableInResponseToCheck | Boolean | Optional | If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
| config.samlConfig.assertionSigned | Boolean | Optional | If true, the SAML provider will sign all assertions |
| config.samlConfig.wantAssertionSigned | Boolean | Optional | Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
| config.samlConfig.requestSigned | Boolean | Optional | Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
| config.samlConfig.wantAuthnRequestSigned | Boolean | Optional | If true, the authentication request from the partner service provider must be signed. |
| config.samlConfig.assertionTimeToLiveSeconds | Number | Optional | The lifetime of a SAML assertion in seconds. Defaults to 600. |
| config.samlConfig.entityID | String | Optional | Unique ID of the SAML2 entity |
| config.samlConfig.certificate | String | Deprecated | Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
| config.samlConfig.privateKey | String | Deprecated | Exposed SAML metadata property. The SAML provider's private key. |
| config.samlConfig.privateKeyPassword | String | Deprecated | Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use. |
| config.samlConfig.activeKeyId | String | Required if a list of keys defined in keys map |
The ID of the key that should be used for signing metadata and assertions. |
| config.samlConfig.keys.*.key | String | Optional. Can only be used in conjunction with keys.<key-id>.passphrase and keys.<key-id>.certificate |
Exposed SAML metadata property. The SAML provider's private key. |
| config.samlConfig.keys.*.passphrase | String | Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.certificate |
Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use. |
| config.samlConfig.keys.*.certificate | String | Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.passphrase |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
| config.samlConfig.entityID | String | Optional | Unique ID of the SAML2 entity |
| config.links.logout.redirectUrl | String | Optional | Logout redirect url |
| config.links.homeRedirect | String | Optional | Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
| config.links.logout.redirectParameterName | String | Optional | Changes the name of the redirect parameter |
| config.links.logout.disableRedirectParameter | Boolean | Optional | Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout |
| config.links.logout.whitelist | Array | Optional | List of allowed whitelist redirects |
| config.links.selfService.selfServiceLinksEnabled | Boolean | Optional | Whether or not users are allowed to sign up or reset their passwords via the UI |
| config.links.selfService.signup | Null | Optional | Where users are directed upon clicking the account creation link |
| config.links.selfService.passwd | Null | Optional | Where users are directed upon clicking the password reset link |
| config.prompts[] | Array | Optional | List of fields that users are prompted for to login. Defaults to username, password, and passcode. |
| config.prompts[].name | String | Optional | Name of field |
| config.prompts[].type | String | Optional | What kind of field this is (e.g. text or password) |
| config.prompts[].text | String | Optional | Actual text displayed on prompt for field |
| config.idpDiscoveryEnabled | Boolean | Optional | IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider |
| config.accountChooserEnabled | Boolean | Optional | This flag is required to enable account choosing functionality for IDP discovery page. |
| config.issuer | String | Optional | Issuer of this zone. Must be a valid URL. |
| config.defaultIdentityProvider | String | Optional | This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint. |
| config.branding.companyName | String | Optional | This name is used on the UAA Pages and in account management related communication in UAA |
| config.branding.productLogo | String | Optional | This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
| config.branding.squareLogo | String | Optional | This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
| config.branding.footerLegalText | String | Optional | This text appears on the footer of all UAA pages |
| config.branding.footerLinks.* | String | Optional | These links (Map |
| config.branding.banner.text | String | Optional | This is text displayed in a banner at the top of the UAA login page |
| config.branding.banner.logo | String | Optional | This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text |
| config.branding.banner.link | String | Optional | The UAA login banner will be a link pointing to this url |
| config.branding.banner.textColor | String | Optional | Hexadecimal color code for banner text color, does not allow color names |
| config.branding.banner.backgroundColor | String | Optional | Hexadecimal color code for banner background color, does not allow color names |
| config.branding.consent.text | String | Optional. Must be set if configuring consent. | If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue. |
| config.branding.consent.link | String | Optional. Can be null if configuring consent. | If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location. |
| config.corsPolicy.xhrConfiguration.allowedOrigins | Array | Optional | Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
| config.corsPolicy.xhrConfiguration.allowedOriginPatterns | Array | Optional | Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
| config.corsPolicy.xhrConfiguration.allowedUris | Array | Optional | The list of allowed URIs. |
| config.corsPolicy.xhrConfiguration.allowedUriPatterns | Array | Optional | The list of allowed URI patterns. |
| config.corsPolicy.xhrConfiguration.allowedHeaders | Array | Optional | Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
| config.corsPolicy.xhrConfiguration.allowedMethods | Array | Optional | Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
| config.corsPolicy.xhrConfiguration.allowedCredentials | Boolean | Optional | Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
| config.corsPolicy.xhrConfiguration.maxAge | Number | Optional | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
| config.corsPolicy.defaultConfiguration.allowedOrigins | Array | Optional | Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
| config.corsPolicy.defaultConfiguration.allowedOriginPatterns | Array | Optional | Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
| config.corsPolicy.defaultConfiguration.allowedUris | Array | Optional | The list of allowed URIs. |
| config.corsPolicy.defaultConfiguration.allowedUriPatterns | Array | Optional | The list of allowed URI patterns. |
| config.corsPolicy.defaultConfiguration.allowedHeaders | Array | Optional | Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
| config.corsPolicy.defaultConfiguration.allowedMethods | Array | Optional | Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
| config.corsPolicy.defaultConfiguration.allowedCredentials | Boolean | Optional | Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
| config.corsPolicy.defaultConfiguration.maxAge | Number | Optional | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
| config.userConfig.defaultGroups | Array | Optional | Default groups each user in the zone inherits. |
| config.mfaConfig.enabled | Boolean | Optional | Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false |
| config.mfaConfig.providerName | String | Required when config.mfaConfig.enabled is true |
The unique name of the MFA provider to use for this zone. |
| config.mfaConfig.identityProviders | Array | Optional | Only trigger MFA when user is using an identity provider whose origin key matches one of these values |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
Unique ID of the identity zone |
subdomain |
String |
Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
name |
String |
Human-readable zone name |
description |
String |
Description of the zone |
version |
Number |
Reserved for future use of E-Tag versioning |
active |
Boolean |
Indicates whether the identity zone is active. Defaults to true. |
config.tokenPolicy.activeKeyId |
String |
The ID for the key that is being used to sign tokens |
config.tokenPolicy.accessTokenValidity |
Number |
Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity |
config.tokenPolicy.refreshTokenValidity |
Number |
Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity |
config.tokenPolicy.jwtRevocable |
Boolean |
Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
config.tokenPolicy.refreshTokenUnique |
Boolean |
If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false. |
config.tokenPolicy.refreshTokenFormat |
String |
The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt. |
config.clientSecretPolicy.minLength |
Number |
Minimum number of characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.maxLength |
Number |
Maximum number of characters required for secret to be considered valid (defaults to 255). |
config.clientSecretPolicy.requireUpperCaseCharacter |
Number |
Minimum number of uppercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireLowerCaseCharacter |
Number |
Minimum number of lowercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireDigit |
Number |
Minimum number of digits required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireSpecialCharacter |
Number |
Minimum number of special characters required for secret to be considered valid (defaults to 0). |
config.samlConfig.disableInResponseToCheck |
Boolean |
If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
config.samlConfig.assertionSigned |
Boolean |
If true, the SAML provider will sign all assertions |
config.samlConfig.wantAssertionSigned |
Boolean |
Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
config.samlConfig.requestSigned |
Boolean |
Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
config.samlConfig.wantAuthnRequestSigned |
Boolean |
If true, the authentication request from the partner service provider must be signed. |
config.samlConfig.assertionTimeToLiveSeconds |
Number |
The lifetime of a SAML assertion in seconds. Defaults to 600. |
config.samlConfig.entityID |
String |
Unique ID of the SAML2 entity |
config.samlConfig.certificate |
String |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
config.samlConfig.activeKeyId |
String |
The ID of the key that should be used for signing metadata and assertions. |
config.samlConfig.keys.*.certificate |
String |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
config.links.logout.redirectUrl |
String |
Logout redirect url |
config.links.homeRedirect |
String |
Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
config.links.logout.redirectParameterName |
String |
Changes the name of the redirect parameter |
config.links.logout.disableRedirectParameter |
Boolean |
Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout |
config.links.logout.whitelist |
Array |
List of allowed whitelist redirects |
config.links.selfService.selfServiceLinksEnabled |
Boolean |
Whether or not users are allowed to sign up or reset their passwords via the UI |
config.links.selfService.signup |
Null |
Where users are directed upon clicking the account creation link |
config.links.selfService.passwd |
Null |
Where users are directed upon clicking the password reset link |
config.prompts[] |
Array |
List of fields that users are prompted for to login. Defaults to username, password, and passcode. |
config.prompts[].name |
String |
Name of field |
config.prompts[].type |
String |
What kind of field this is (e.g. text or password) |
config.prompts[].text |
String |
Actual text displayed on prompt for field |
config.defaultIdentityProvider |
String |
This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint. |
config.idpDiscoveryEnabled |
Boolean |
IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider |
config.accountChooserEnabled |
Boolean |
This flag is required to enable account choosing functionality for IDP discovery page. |
config.issuer |
String |
Issuer of this zone. Must be a valid URL. |
config.branding.companyName |
String |
This name is used on the UAA Pages and in account management related communication in UAA |
config.branding.productLogo |
String |
This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
config.branding.squareLogo |
String |
This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
config.branding.footerLegalText |
String |
This text appears on the footer of all UAA pages |
config.branding.footerLinks.* |
String |
These links (Map |
config.branding.banner.text |
String |
This is text displayed in a banner at the top of the UAA login page |
config.branding.banner.logo |
String |
This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text |
config.branding.banner.link |
String |
The UAA login banner will be a link pointing to this url |
config.branding.banner.textColor |
String |
Hexadecimal color code for banner text color, does not allow color names |
config.branding.banner.backgroundColor |
String |
Hexadecimal color code for banner background color, does not allow color names |
config.branding.consent.text |
String |
If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue. |
config.branding.consent.link |
String |
If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location. |
config.corsPolicy.defaultConfiguration.allowedOrigins |
Array |
Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.defaultConfiguration.allowedOriginPatterns |
Array |
Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
config.corsPolicy.defaultConfiguration.allowedUris |
Array |
The list of allowed URIs. |
config.corsPolicy.defaultConfiguration.allowedUriPatterns |
Array |
The list of allowed URI patterns. |
config.corsPolicy.defaultConfiguration.allowedHeaders |
Array |
Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
config.corsPolicy.defaultConfiguration.allowedMethods |
Array |
Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
config.corsPolicy.defaultConfiguration.allowedCredentials |
Boolean |
Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
config.corsPolicy.defaultConfiguration.maxAge |
Number |
Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.corsPolicy.xhrConfiguration.allowedOrigins |
Array |
Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.xhrConfiguration.allowedOriginPatterns |
Array |
Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
config.corsPolicy.xhrConfiguration.allowedUris |
Array |
The list of allowed URIs. |
config.corsPolicy.xhrConfiguration.allowedUriPatterns |
Array |
The list of allowed URI patterns. |
config.corsPolicy.xhrConfiguration.allowedHeaders |
Array |
Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
config.corsPolicy.xhrConfiguration.allowedMethods |
Array |
Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
config.corsPolicy.xhrConfiguration.allowedCredentials |
Boolean |
Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
config.corsPolicy.xhrConfiguration.maxAge |
Number |
Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.userConfig.defaultGroups |
Array |
Default groups each user in the zone inherits. |
config.mfaConfig.enabled |
Boolean |
Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false |
config.mfaConfig.providerName |
String |
The unique name of the MFA provider to use for this zone. |
config.mfaConfig.identityProviders |
Array |
Only trigger MFA when user is using an identity provider whose origin key matches one of these values |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (Zones can only be created by being authenticated in the default zone.) |
| 422 | Unprocessable Entity - Invalid zone details |
Sequential example of creating a zone and creating an admin client in that zone:
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.testzone1.admin,zones.write"
uaac token client get admin -s adminsecret
uaac -t curl -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones
uaac -t curl -H"X-Identity-Zone-Id:testzone1" -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients
uaac target http://testzone1.localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac token decode
Retrieving an identity zone
$ curl 'http://localhost/identity-zones/twiglet-get' -i -X GET \
-H 'Authorization: Bearer 601c7e3f1e234937a8ca93f1fda18d3d'
GET /identity-zones/twiglet-get HTTP/1.1
Authorization: Bearer 601c7e3f1e234937a8ca93f1fda18d3d
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 5175
{
"id" : "twiglet-get",
"subdomain" : "twiglet-get",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : 3600,
"refreshTokenValidity" : 7200,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : "active-key-1"
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
},
"consent" : {
"text" : "Some Policy",
"link" : "http://policy.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
},
"issuer" : "http://localhost:8080/uaa"
},
"name" : "The Twiglet Zone",
"version" : 0,
"created" : 1594171382727,
"active" : true,
"last_modified" : 1594171382727
}
Path Parameters
/identity-zones/{id}
| Parameter | Description |
|---|---|
| id | Unique ID of the identity zone to retrieve |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.read or zones.write or uaa.admin. If you use the zone-switching header, bear token containing zones.<zone id>.admin or zones.<zone id>.read can be used. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
Unique ID of the identity zone |
subdomain |
String |
Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
name |
String |
Human-readable zone name |
description |
String |
Description of the zone |
version |
Number |
Reserved for future use of E-Tag versioning |
active |
Boolean |
Indicates whether the identity zone is active. Defaults to true. |
config.tokenPolicy.activeKeyId |
String |
The ID for the key that is being used to sign tokens |
config.tokenPolicy.accessTokenValidity |
Number |
Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity |
config.tokenPolicy.refreshTokenValidity |
Number |
Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity |
config.tokenPolicy.jwtRevocable |
Boolean |
Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
config.tokenPolicy.refreshTokenUnique |
Boolean |
If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false. |
config.tokenPolicy.refreshTokenFormat |
String |
The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt. |
config.clientSecretPolicy.minLength |
Number |
Minimum number of characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.maxLength |
Number |
Maximum number of characters required for secret to be considered valid (defaults to 255). |
config.clientSecretPolicy.requireUpperCaseCharacter |
Number |
Minimum number of uppercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireLowerCaseCharacter |
Number |
Minimum number of lowercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireDigit |
Number |
Minimum number of digits required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireSpecialCharacter |
Number |
Minimum number of special characters required for secret to be considered valid (defaults to 0). |
config.samlConfig.disableInResponseToCheck |
Boolean |
If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
config.samlConfig.assertionSigned |
Boolean |
If true, the SAML provider will sign all assertions |
config.samlConfig.wantAssertionSigned |
Boolean |
Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
config.samlConfig.requestSigned |
Boolean |
Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
config.samlConfig.wantAuthnRequestSigned |
Boolean |
If true, the authentication request from the partner service provider must be signed. |
config.samlConfig.assertionTimeToLiveSeconds |
Number |
The lifetime of a SAML assertion in seconds. Defaults to 600. |
config.samlConfig.entityID |
String |
Unique ID of the SAML2 entity |
config.samlConfig.certificate |
String |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
config.samlConfig.activeKeyId |
String |
The ID of the key that should be used for signing metadata and assertions. |
config.samlConfig.keys.*.certificate |
String |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
config.links.logout.redirectUrl |
String |
Logout redirect url |
config.links.homeRedirect |
String |
Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
config.links.logout.redirectParameterName |
String |
Changes the name of the redirect parameter |
config.links.logout.disableRedirectParameter |
Boolean |
Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout |
config.links.logout.whitelist |
Array |
List of allowed whitelist redirects |
config.links.selfService.selfServiceLinksEnabled |
Boolean |
Whether or not users are allowed to sign up or reset their passwords via the UI |
config.links.selfService.signup |
Null |
Where users are directed upon clicking the account creation link |
config.links.selfService.passwd |
Null |
Where users are directed upon clicking the password reset link |
config.prompts[] |
Array |
List of fields that users are prompted for to login. Defaults to username, password, and passcode. |
config.prompts[].name |
String |
Name of field |
config.prompts[].type |
String |
What kind of field this is (e.g. text or password) |
config.prompts[].text |
String |
Actual text displayed on prompt for field |
config.defaultIdentityProvider |
String |
This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint. |
config.idpDiscoveryEnabled |
Boolean |
IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider |
config.accountChooserEnabled |
Boolean |
This flag is required to enable account choosing functionality for IDP discovery page. |
config.issuer |
String |
Issuer of this zone. Must be a valid URL. |
config.branding.companyName |
String |
This name is used on the UAA Pages and in account management related communication in UAA |
config.branding.productLogo |
String |
This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
config.branding.squareLogo |
String |
This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
config.branding.footerLegalText |
String |
This text appears on the footer of all UAA pages |
config.branding.footerLinks.* |
String |
These links (Map |
config.branding.banner.text |
String |
This is text displayed in a banner at the top of the UAA login page |
config.branding.banner.logo |
String |
This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text |
config.branding.banner.link |
String |
The UAA login banner will be a link pointing to this url |
config.branding.banner.textColor |
String |
Hexadecimal color code for banner text color, does not allow color names |
config.branding.banner.backgroundColor |
String |
Hexadecimal color code for banner background color, does not allow color names |
config.branding.consent.text |
String |
If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue. |
config.branding.consent.link |
String |
If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location. |
config.corsPolicy.defaultConfiguration.allowedOrigins |
Array |
Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.defaultConfiguration.allowedOriginPatterns |
Array |
Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
config.corsPolicy.defaultConfiguration.allowedUris |
Array |
The list of allowed URIs. |
config.corsPolicy.defaultConfiguration.allowedUriPatterns |
Array |
The list of allowed URI patterns. |
config.corsPolicy.defaultConfiguration.allowedHeaders |
Array |
Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
config.corsPolicy.defaultConfiguration.allowedMethods |
Array |
Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
config.corsPolicy.defaultConfiguration.allowedCredentials |
Boolean |
Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
config.corsPolicy.defaultConfiguration.maxAge |
Number |
Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.corsPolicy.xhrConfiguration.allowedOrigins |
Array |
Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.xhrConfiguration.allowedOriginPatterns |
Array |
Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
config.corsPolicy.xhrConfiguration.allowedUris |
Array |
The list of allowed URIs. |
config.corsPolicy.xhrConfiguration.allowedUriPatterns |
Array |
The list of allowed URI patterns. |
config.corsPolicy.xhrConfiguration.allowedHeaders |
Array |
Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
config.corsPolicy.xhrConfiguration.allowedMethods |
Array |
Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
config.corsPolicy.xhrConfiguration.allowedCredentials |
Boolean |
Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
config.corsPolicy.xhrConfiguration.maxAge |
Number |
Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.userConfig.defaultGroups |
Array |
Default groups each user in the zone inherits. |
config.mfaConfig.enabled |
Boolean |
Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false |
config.mfaConfig.providerName |
String |
The unique name of the MFA provider to use for this zone. |
config.mfaConfig.identityProviders |
Array |
Only trigger MFA when user is using an identity provider whose origin key matches one of these values |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope |
| 404 | Not Found - Zone does not exist |
Retrieving all identity zones
$ curl 'http://localhost/identity-zones' -i -X GET \
-H 'Authorization: Bearer 0e4de8415383412ca171f38492e4a499'
GET /identity-zones HTTP/1.1
Authorization: Bearer 0e4de8415383412ca171f38492e4a499
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 15827
[ {
"id" : "twiglet-get-1",
"subdomain" : "twiglet-get-1",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : 3600,
"refreshTokenValidity" : 7200,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : "active-key-1"
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
},
"consent" : {
"text" : "Some Policy",
"link" : "http://policy.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
},
"issuer" : "http://localhost:8080/uaa"
},
"name" : "The Twiglet Zone",
"version" : 0,
"created" : 1594171381825,
"active" : true,
"last_modified" : 1594171381825
}, {
"id" : "twiglet-get-2",
"subdomain" : "twiglet-get-2",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : 3600,
"refreshTokenValidity" : 7200,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : "active-key-1"
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
},
"consent" : {
"text" : "Some Policy",
"link" : "http://policy.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
},
"issuer" : "http://localhost:8080/uaa"
},
"name" : "The Twiglet Zone",
"version" : 0,
"created" : 1594171381966,
"active" : true,
"last_modified" : 1594171381966
}, {
"id" : "uaa",
"subdomain" : "",
"config" : {
"clientSecretPolicy" : {
"minLength" : 0,
"maxLength" : 255,
"requireUpperCaseCharacter" : 0,
"requireLowerCaseCharacter" : 0,
"requireDigit" : 0,
"requireSpecialCharacter" : 0
},
"tokenPolicy" : {
"accessTokenValidity" : 43200,
"refreshTokenValidity" : 2592000,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : null
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
}
},
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code ( Get one at http://localhost:8080/uaa/passcode )"
} ],
"idpDiscoveryEnabled" : false,
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "scim.me", "cloud_controller.read", "cloud_controller.write", "cloud_controller_service_permissions.read", "password.write", "scim.userids", "uaa.user", "approvals.me", "oauth.approvals", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
}
},
"name" : "uaa",
"version" : 1,
"description" : "The system zone for backwards compatibility",
"created" : 946684800000,
"active" : true,
"last_modified" : 1594171381418
} ]
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.read or zones.write or uaa.admin. If you use the zone-switching header, bear token containing zones.<zone id>.admin can be used. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
[].id |
String |
Unique ID of the identity zone |
[].subdomain |
String |
Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
[].name |
String |
Human-readable zone name |
[].description |
String |
Description of the zone |
[].version |
Number |
Reserved for future use of E-Tag versioning |
[].active |
Boolean |
Indicates whether the identity zone is active. Defaults to true. |
[].config.tokenPolicy.activeKeyId |
Varies |
The ID for the key that is being used to sign tokens |
[].config.tokenPolicy.accessTokenValidity |
Number |
Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity |
[].config.tokenPolicy.refreshTokenValidity |
Number |
Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity |
[].config.tokenPolicy.jwtRevocable |
Boolean |
Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
[].config.tokenPolicy.refreshTokenUnique |
Boolean |
If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false. |
[].config.tokenPolicy.refreshTokenFormat |
String |
The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt. |
[].config.clientSecretPolicy.minLength |
Number |
Minimum number of characters required for secret to be considered valid (defaults to 0). |
[].config.clientSecretPolicy.maxLength |
Number |
Maximum number of characters required for secret to be considered valid (defaults to 255). |
[].config.clientSecretPolicy.requireUpperCaseCharacter |
Number |
Minimum number of uppercase characters required for secret to be considered valid (defaults to 0). |
[].config.clientSecretPolicy.requireLowerCaseCharacter |
Number |
Minimum number of lowercase characters required for secret to be considered valid (defaults to 0). |
[].config.clientSecretPolicy.requireDigit |
Number |
Minimum number of digits required for secret to be considered valid (defaults to 0). |
[].config.clientSecretPolicy.requireSpecialCharacter |
Number |
Minimum number of special characters required for secret to be considered valid (defaults to 0). |
[].config.samlConfig.disableInResponseToCheck |
Boolean |
If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
[].config.samlConfig.assertionSigned |
Boolean |
If true, the SAML provider will sign all assertions |
[].config.samlConfig.wantAssertionSigned |
Boolean |
Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
[].config.samlConfig.requestSigned |
Boolean |
Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
[].config.samlConfig.wantAuthnRequestSigned |
Boolean |
If true, the authentication request from the partner service provider must be signed. |
[].config.samlConfig.assertionTimeToLiveSeconds |
Number |
The lifetime of a SAML assertion in seconds. Defaults to 600. |
[].config.samlConfig.entityID |
String |
Unique ID of the SAML2 entity |
[].config.samlConfig.certificate |
String |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
[].config.samlConfig.activeKeyId |
String |
The ID of the key that should be used for signing metadata and assertions. |
[].config.samlConfig.keys.* |
Object |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
[].config.samlConfig.keys.*.certificate |
String |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
[].config.links.logout.redirectUrl |
String |
Logout redirect url |
[].config.links.homeRedirect |
String |
Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
[].config.links.logout.redirectParameterName |
String |
Changes the name of the redirect parameter |
[].config.links.logout.disableRedirectParameter |
Boolean |
Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout |
[].config.links.logout.whitelist |
Array |
List of allowed whitelist redirects |
[].config.links.selfService.selfServiceLinksEnabled |
Boolean |
Whether or not users are allowed to sign up or reset their passwords via the UI |
[].config.links.selfService.signup |
Null |
Where users are directed upon clicking the account creation link |
[].config.links.selfService.passwd |
Null |
Where users are directed upon clicking the password reset link |
[].config.branding.companyName |
Varies |
This name is used on the UAA Pages and in account management related communication in UAA |
[].config.branding.productLogo |
Varies |
This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
[].config.branding.squareLogo |
Varies |
This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
[].config.branding.footerLegalText |
Varies |
This text appears on the footer of all UAA pages |
[].config.branding.footerLinks |
Object |
These links (Map |
[].config.branding.consent.text |
String |
If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue. |
[].config.branding.consent.link |
String |
If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location. |
[].config.prompts[] |
Array |
List of fields that users are prompted for to login. Defaults to username, password, and passcode. |
[].config.prompts[].name |
String |
List of fields that users are prompted for to login. Defaults to username, password, and passcode. |
[].config.prompts[].type |
String |
What kind of field this is (e.g. text or password) |
[].config.prompts[].text |
String |
Actual text displayed on prompt for field |
[].config.idpDiscoveryEnabled |
Boolean |
IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider |
[].config.accountChooserEnabled |
Boolean |
This flag is required to enable account choosing functionality for IDP discovery page. |
[].config.issuer |
String |
Issuer of this zone. Must be a valid URL. |
[].config.branding.companyName |
String |
This name is used on the UAA Pages and in account management related communication in UAA |
[].config.branding.productLogo |
String |
This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
[].config.branding.squareLogo |
String |
This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
[].config.branding.footerLegalText |
String |
This text appears on the footer of all UAA pages |
[].config.branding.footerLinks.* |
String |
These links (Map |
[].config.branding.banner.text |
String |
This is text displayed in a banner at the top of the UAA login page |
[].config.branding.banner.logo |
String |
This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text |
[].config.branding.banner.link |
String |
The UAA login banner will be a link pointing to this url |
[].config.branding.banner.textColor |
String |
Hexadecimal color code for banner text color, does not allow color names |
[].config.branding.banner.backgroundColor |
String |
Hexadecimal color code for banner background color, does not allow color names |
[].config.corsPolicy.xhrConfiguration.allowedOrigins |
Array |
Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
[].config.corsPolicy.xhrConfiguration.allowedOriginPatterns |
Array |
Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
[].config.corsPolicy.xhrConfiguration.allowedUris |
Array |
The list of allowed URIs. |
[].config.corsPolicy.xhrConfiguration.allowedUriPatterns |
Array |
The list of allowed URI patterns. |
[].config.corsPolicy.xhrConfiguration.allowedHeaders |
Array |
Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
[].config.corsPolicy.xhrConfiguration.allowedMethods |
Array |
Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
[].config.corsPolicy.xhrConfiguration.allowedCredentials |
Boolean |
Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
[].config.corsPolicy.xhrConfiguration.maxAge |
Number |
Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
[].config.corsPolicy.defaultConfiguration.allowedOrigins |
Array |
Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
[].config.corsPolicy.defaultConfiguration.allowedOriginPatterns |
Array |
Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
[].config.corsPolicy.defaultConfiguration.allowedUris |
Array |
The list of allowed URIs. |
[].config.corsPolicy.defaultConfiguration.allowedUriPatterns |
Array |
The list of allowed URI patterns. |
[].config.corsPolicy.defaultConfiguration.allowedHeaders |
Array |
Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
[].config.corsPolicy.defaultConfiguration.allowedMethods |
Array |
Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
[].config.corsPolicy.defaultConfiguration.allowedCredentials |
Boolean |
Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
[].config.corsPolicy.defaultConfiguration.maxAge |
Number |
Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
[].config.userConfig.defaultGroups |
Array |
Default groups each user in the zone inherits. |
[].config.mfaConfig.enabled |
Boolean |
Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false |
[].config.mfaConfig.providerName |
String |
The unique name of the MFA provider to use for this zone. |
[].config.mfaConfig.identityProviders |
Array |
Only trigger MFA when user is using an identity provider whose origin key matches one of these values |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope |
Updating an Identity Zone
$ curl 'http://localhost/identity-zones/twiglet-update' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 9bf8ca8dc327409984a65fc3f593ca08' \
-d '{
"subdomain" : "twiglet-update",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : "updatedKeyId",
"keys" : {
"updatedKeyId" : {
"signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT"
}
}
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"passphrase" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
"privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"privateKeyPassword" : "password"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
},
"consent" : {
"text" : "Some Policy",
"link" : "http://policy.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
},
"issuer" : "http://localhost:8080/uaa"
},
"name" : "The Updated Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but not tastier.",
"created" : 1594171382544,
"active" : true,
"last_modified" : 1594171382544
}'
PUT /identity-zones/twiglet-update HTTP/1.1
Content-Type: application/json
Authorization: Bearer 9bf8ca8dc327409984a65fc3f593ca08
Content-Length: 6471
Host: localhost
{
"subdomain" : "twiglet-update",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : "updatedKeyId",
"keys" : {
"updatedKeyId" : {
"signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT"
}
}
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"passphrase" : "password",
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
"privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
"privateKeyPassword" : "password"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
},
"consent" : {
"text" : "Some Policy",
"link" : "http://policy.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
},
"issuer" : "http://localhost:8080/uaa"
},
"name" : "The Updated Twiglet Zone",
"version" : 0,
"description" : "Like the Twilight Zone but not tastier.",
"created" : 1594171382544,
"active" : true,
"last_modified" : 1594171382544
}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 5246
{
"id" : "twiglet-update",
"subdomain" : "twiglet-update",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : -1,
"refreshTokenValidity" : -1,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : "updatedKeyId"
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
},
"consent" : {
"text" : "Some Policy",
"link" : "http://policy.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
},
"issuer" : "http://localhost:8080/uaa"
},
"name" : "The Updated Twiglet Zone",
"version" : 1,
"description" : "Like the Twilight Zone but not tastier.",
"created" : 1594171382531,
"active" : true,
"last_modified" : 1594171382561
}
Path Parameters
/identity-zones/{id}
| Parameter | Description |
|---|---|
| id | Unique ID of the identity zone to update |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.write or uaa.admin. If you use the zone-switching header, bear token containing zones.<zone id>.admin can be used. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| subdomain | String | Required | Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
| name | String | Required | Human-readable zone name |
| description | String | Optional | Description of the zone |
| version | Number | Optional | Reserved for future use of E-Tag versioning |
| active | Boolean | Optional | Indicates whether the identity zone is active. Defaults to true. |
| config.tokenPolicy.activeKeyId | String | Required if config.tokenPolicy.keys are set |
The ID for the key that is being used to sign tokens |
| config.tokenPolicy.keys.. | String | Optional | Keys which will be used to sign the token. If null value is specified for keys, then existing value will be retained. |
| config.tokenPolicy.accessTokenValidity | Number | Optional | Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity |
| config.tokenPolicy.refreshTokenValidity | Number | Optional | Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity |
| config.tokenPolicy.jwtRevocable | Boolean | Optional | Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
| config.tokenPolicy.refreshTokenUnique | Boolean | Optional | If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false. |
| config.tokenPolicy.refreshTokenFormat | String | Optional | The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt. |
| config.clientSecretPolicy.minLength | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of characters required for secret to be considered valid (defaults to 0). |
| config.clientSecretPolicy.maxLength | Number | Required when clientSecretPolicy in the config is not null |
Maximum number of characters required for secret to be considered valid (defaults to 255). |
| config.clientSecretPolicy.requireUpperCaseCharacter | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of uppercase characters required for secret to be considered valid (defaults to 0). |
| config.clientSecretPolicy.requireLowerCaseCharacter | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of lowercase characters required for secret to be considered valid (defaults to 0). |
| config.clientSecretPolicy.requireDigit | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of digits required for secret to be considered valid (defaults to 0). |
| config.clientSecretPolicy.requireSpecialCharacter | Number | Required when clientSecretPolicy in the config is not null |
Minimum number of special characters required for secret to be considered valid (defaults to 0). |
| config.samlConfig.disableInResponseToCheck | Boolean | Optional | If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
| config.samlConfig.assertionSigned | Boolean | Optional | If true, the SAML provider will sign all assertions |
| config.samlConfig.wantAssertionSigned | Boolean | Optional | Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
| config.samlConfig.requestSigned | Boolean | Optional | Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
| config.samlConfig.wantAuthnRequestSigned | Boolean | Optional | If true, the authentication request from the partner service provider must be signed. |
| config.samlConfig.assertionTimeToLiveSeconds | Number | Optional | The lifetime of a SAML assertion in seconds. Defaults to 600. |
| config.samlConfig.entityID | String | Optional | Unique ID of the SAML2 entity |
| config.samlConfig.certificate | String | Deprecated | Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
| config.samlConfig.privateKey | String | Deprecated | Exposed SAML metadata property. The SAML provider's private key. |
| config.samlConfig.privateKeyPassword | String | Deprecated | Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use. |
| config.samlConfig.activeKeyId | String | Required if a list of keys defined in keys map |
The ID of the key that should be used for signing metadata and assertions. |
| config.samlConfig.keys.*.key | String | Optional. Can only be used in conjunction with keys.<key-id>.passphrase and keys.<key-id>.certificate |
Exposed SAML metadata property. The SAML provider's private key. |
| config.samlConfig.keys.*.passphrase | String | Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.certificate |
Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use. |
| config.samlConfig.keys.*.certificate | String | Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.passphrase |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
| config.links.logout.redirectUrl | String | Optional | Logout redirect url |
| config.links.homeRedirect | String | Optional | Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
| config.links.logout.redirectParameterName | String | Optional | Changes the name of the redirect parameter |
| config.links.logout.disableRedirectParameter | Boolean | Optional | Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout |
| config.links.logout.whitelist | Array | Optional | List of allowed whitelist redirects |
| config.links.selfService.selfServiceLinksEnabled | Boolean | Optional | Whether or not users are allowed to sign up or reset their passwords via the UI |
| config.links.selfService.signup | Null | Optional | Where users are directed upon clicking the account creation link |
| config.links.selfService.passwd | Null | Optional | Where users are directed upon clicking the password reset link |
| config.prompts[] | Array | Optional | List of fields that users are prompted for to login. Defaults to username, password, and passcode. |
| config.prompts[].name | String | Optional | Name of field |
| config.prompts[].type | String | Optional | What kind of field this is (e.g. text or password) |
| config.prompts[].text | String | Optional | Actual text displayed on prompt for field |
| config.idpDiscoveryEnabled | Boolean | Optional | IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider |
| config.accountChooserEnabled | Boolean | Optional | This flag is required to enable account choosing functionality for IDP discovery page. |
| config.issuer | String | Optional | Issuer of this zone. Must be a valid URL. |
| config.branding.companyName | String | Optional | This name is used on the UAA Pages and in account management related communication in UAA |
| config.branding.productLogo | String | Optional | This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
| config.branding.squareLogo | String | Optional | This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
| config.branding.footerLegalText | String | Optional | This text appears on the footer of all UAA pages |
| config.branding.footerLinks.* | String | Optional | These links (Map |
| config.branding.banner.text | String | Optional | This is text displayed in a banner at the top of the UAA login page |
| config.branding.banner.logo | String | Optional | This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text |
| config.branding.banner.link | String | Optional | The UAA login banner will be a link pointing to this url |
| config.branding.banner.textColor | String | Optional | Hexadecimal color code for banner text color, does not allow color names |
| config.branding.banner.backgroundColor | String | Optional | Hexadecimal color code for banner background color, does not allow color names |
| config.branding.consent.text | String | Optional. Must be set if configuring consent. | If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue. |
| config.branding.consent.link | String | Optional. Can be null if configuring consent. | If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location. |
| config.corsPolicy.xhrConfiguration.allowedOrigins | Array | Optional | Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
| config.corsPolicy.xhrConfiguration.allowedOriginPatterns | Array | Optional | Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
| config.corsPolicy.xhrConfiguration.allowedUris | Array | Optional | The list of allowed URIs. |
| config.corsPolicy.xhrConfiguration.allowedUriPatterns | Array | Optional | The list of allowed URI patterns. |
| config.corsPolicy.xhrConfiguration.allowedHeaders | Array | Optional | Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
| config.corsPolicy.xhrConfiguration.allowedMethods | Array | Optional | Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
| config.corsPolicy.xhrConfiguration.allowedCredentials | Boolean | Optional | Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
| config.corsPolicy.xhrConfiguration.maxAge | Number | Optional | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
| config.corsPolicy.defaultConfiguration.allowedOrigins | Array | Optional | Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
| config.corsPolicy.defaultConfiguration.allowedOriginPatterns | Array | Optional | Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
| config.corsPolicy.defaultConfiguration.allowedUris | Array | Optional | The list of allowed URIs. |
| config.corsPolicy.defaultConfiguration.allowedUriPatterns | Array | Optional | The list of allowed URI patterns. |
| config.corsPolicy.defaultConfiguration.allowedHeaders | Array | Optional | Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
| config.corsPolicy.defaultConfiguration.allowedMethods | Array | Optional | Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
| config.corsPolicy.defaultConfiguration.allowedCredentials | Boolean | Optional | Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
| config.corsPolicy.defaultConfiguration.maxAge | Number | Optional | Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
| config.userConfig.defaultGroups | Array | Optional | Default groups each user in the zone inherits. |
| config.mfaConfig.enabled | Boolean | Optional | Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false |
| config.mfaConfig.providerName | String | Required when config.mfaConfig.enabled is true |
The unique name of the MFA provider to use for this zone. |
| config.mfaConfig.identityProviders | Array | Optional | Only trigger MFA when user is using an identity provider whose origin key matches one of these values |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
Unique ID of the identity zone |
subdomain |
String |
Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
name |
String |
Human-readable zone name |
description |
String |
Description of the zone |
version |
Number |
Reserved for future use of E-Tag versioning |
active |
Boolean |
Indicates whether the identity zone is active. Defaults to true. |
config.tokenPolicy.activeKeyId |
String |
The ID for the key that is being used to sign tokens |
config.tokenPolicy.accessTokenValidity |
Number |
Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity |
config.tokenPolicy.refreshTokenValidity |
Number |
Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity |
config.tokenPolicy.jwtRevocable |
Boolean |
Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
config.tokenPolicy.refreshTokenUnique |
Boolean |
If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false. |
config.tokenPolicy.refreshTokenFormat |
String |
The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt. |
config.clientSecretPolicy.minLength |
Number |
Minimum number of characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.maxLength |
Number |
Maximum number of characters required for secret to be considered valid (defaults to 255). |
config.clientSecretPolicy.requireUpperCaseCharacter |
Number |
Minimum number of uppercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireLowerCaseCharacter |
Number |
Minimum number of lowercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireDigit |
Number |
Minimum number of digits required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireSpecialCharacter |
Number |
Minimum number of special characters required for secret to be considered valid (defaults to 0). |
config.samlConfig.disableInResponseToCheck |
Boolean |
If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
config.samlConfig.assertionSigned |
Boolean |
If true, the SAML provider will sign all assertions |
config.samlConfig.wantAssertionSigned |
Boolean |
Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
config.samlConfig.requestSigned |
Boolean |
Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
config.samlConfig.wantAuthnRequestSigned |
Boolean |
If true, the authentication request from the partner service provider must be signed. |
config.samlConfig.assertionTimeToLiveSeconds |
Number |
The lifetime of a SAML assertion in seconds. Defaults to 600. |
config.samlConfig.entityID |
String |
Unique ID of the SAML2 entity |
config.samlConfig.certificate |
String |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
config.samlConfig.activeKeyId |
String |
The ID of the key that should be used for signing metadata and assertions. |
config.samlConfig.keys.*.certificate |
String |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
config.links.logout.redirectUrl |
String |
Logout redirect url |
config.links.homeRedirect |
String |
Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
config.links.logout.redirectParameterName |
String |
Changes the name of the redirect parameter |
config.links.logout.disableRedirectParameter |
Boolean |
Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout |
config.links.logout.whitelist |
Array |
List of allowed whitelist redirects |
config.links.selfService.selfServiceLinksEnabled |
Boolean |
Whether or not users are allowed to sign up or reset their passwords via the UI |
config.links.selfService.signup |
Null |
Where users are directed upon clicking the account creation link |
config.links.selfService.passwd |
Null |
Where users are directed upon clicking the password reset link |
config.prompts[] |
Array |
List of fields that users are prompted for to login. Defaults to username, password, and passcode. |
config.prompts[].name |
String |
Name of field |
config.prompts[].type |
String |
What kind of field this is (e.g. text or password) |
config.prompts[].text |
String |
Actual text displayed on prompt for field |
config.defaultIdentityProvider |
String |
This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint. |
config.idpDiscoveryEnabled |
Boolean |
IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider |
config.accountChooserEnabled |
Boolean |
This flag is required to enable account choosing functionality for IDP discovery page. |
config.issuer |
String |
Issuer of this zone. Must be a valid URL. |
config.branding.companyName |
String |
This name is used on the UAA Pages and in account management related communication in UAA |
config.branding.productLogo |
String |
This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
config.branding.squareLogo |
String |
This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
config.branding.footerLegalText |
String |
This text appears on the footer of all UAA pages |
config.branding.footerLinks.* |
String |
These links (Map |
config.branding.banner.text |
String |
This is text displayed in a banner at the top of the UAA login page |
config.branding.banner.logo |
String |
This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text |
config.branding.banner.link |
String |
The UAA login banner will be a link pointing to this url |
config.branding.banner.textColor |
String |
Hexadecimal color code for banner text color, does not allow color names |
config.branding.banner.backgroundColor |
String |
Hexadecimal color code for banner background color, does not allow color names |
config.branding.consent.text |
String |
If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue. |
config.branding.consent.link |
String |
If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location. |
config.corsPolicy.defaultConfiguration.allowedOrigins |
Array |
Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.defaultConfiguration.allowedOriginPatterns |
Array |
Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
config.corsPolicy.defaultConfiguration.allowedUris |
Array |
The list of allowed URIs. |
config.corsPolicy.defaultConfiguration.allowedUriPatterns |
Array |
The list of allowed URI patterns. |
config.corsPolicy.defaultConfiguration.allowedHeaders |
Array |
Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
config.corsPolicy.defaultConfiguration.allowedMethods |
Array |
Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
config.corsPolicy.defaultConfiguration.allowedCredentials |
Boolean |
Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
config.corsPolicy.defaultConfiguration.maxAge |
Number |
Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.corsPolicy.xhrConfiguration.allowedOrigins |
Array |
Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.xhrConfiguration.allowedOriginPatterns |
Array |
Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
config.corsPolicy.xhrConfiguration.allowedUris |
Array |
The list of allowed URIs. |
config.corsPolicy.xhrConfiguration.allowedUriPatterns |
Array |
The list of allowed URI patterns. |
config.corsPolicy.xhrConfiguration.allowedHeaders |
Array |
Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
config.corsPolicy.xhrConfiguration.allowedMethods |
Array |
Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
config.corsPolicy.xhrConfiguration.allowedCredentials |
Boolean |
Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
config.corsPolicy.xhrConfiguration.maxAge |
Number |
Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.userConfig.defaultGroups |
Array |
Default groups each user in the zone inherits. |
config.mfaConfig.enabled |
Boolean |
Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false |
config.mfaConfig.providerName |
String |
The unique name of the MFA provider to use for this zone. |
config.mfaConfig.identityProviders |
Array |
Only trigger MFA when user is using an identity provider whose origin key matches one of these values |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (zone admins can only update own zone) |
| 404 | Not Found - Update to nonexistent zone |
| 422 | Unprocessable Entity - Invalid zone details |
Deleting an Identity Zone
$ curl 'http://localhost/identity-zones/twiglet-delete' -i -X DELETE \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer ca6408e29faa45129190b6008c9d3106'
DELETE /identity-zones/twiglet-delete HTTP/1.1
Content-Type: application/json
Authorization: Bearer ca6408e29faa45129190b6008c9d3106
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 5181
{
"id" : "twiglet-delete",
"subdomain" : "twiglet-delete",
"config" : {
"clientSecretPolicy" : {
"minLength" : -1,
"maxLength" : -1,
"requireUpperCaseCharacter" : -1,
"requireLowerCaseCharacter" : -1,
"requireDigit" : -1,
"requireSpecialCharacter" : -1
},
"tokenPolicy" : {
"accessTokenValidity" : 3600,
"refreshTokenValidity" : 7200,
"jwtRevocable" : false,
"refreshTokenUnique" : false,
"refreshTokenFormat" : "jwt",
"activeKeyId" : "active-key-1"
},
"samlConfig" : {
"assertionSigned" : true,
"requestSigned" : true,
"wantAssertionSigned" : true,
"wantAuthnRequestSigned" : false,
"assertionTimeToLiveSeconds" : 600,
"activeKeyId" : "legacy-saml-key",
"keys" : {
"legacy-saml-key" : {
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
}
},
"entityID" : "cloudfoundry-saml-login",
"disableInResponseToCheck" : false,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
},
"corsPolicy" : {
"xhrConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
},
"defaultConfiguration" : {
"allowedOrigins" : [ ".*" ],
"allowedOriginPatterns" : [ ],
"allowedUris" : [ ".*" ],
"allowedUriPatterns" : [ ],
"allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
"allowedMethods" : [ "GET" ],
"allowedCredentials" : false,
"maxAge" : 1728000
}
},
"links" : {
"logout" : {
"redirectUrl" : "/login",
"redirectParameterName" : "redirect",
"disableRedirectParameter" : false,
"whitelist" : null
},
"homeRedirect" : "http://my.hosted.homepage.com/",
"selfService" : {
"selfServiceLinksEnabled" : true,
"signup" : null,
"passwd" : null
}
},
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ],
"idpDiscoveryEnabled" : false,
"branding" : {
"companyName" : "Test Company",
"productLogo" : "VGVzdFByb2R1Y3RMb2dv",
"squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
"footerLegalText" : "Test footer legal text",
"footerLinks" : {
"Support" : "http://support.example.com"
},
"banner" : {
"logo" : "VGVzdFByb2R1Y3RMb2dv",
"text" : "Announcement",
"textColor" : "#000000",
"backgroundColor" : "#89cff0",
"link" : "http://announce.example.com"
},
"consent" : {
"text" : "Some Policy",
"link" : "http://policy.example.com"
}
},
"accountChooserEnabled" : false,
"userConfig" : {
"defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
},
"mfaConfig" : {
"enabled" : false,
"identityProviders" : [ "uaa", "ldap" ]
},
"issuer" : "http://localhost:8080/uaa"
},
"name" : "The Twiglet Zone",
"version" : 0,
"created" : 1594171382318,
"active" : true,
"last_modified" : 1594171382318
}
Path Parameters
/identity-zones/{id}
| Parameter | Description |
|---|---|
| id | Unique ID of the identity zone to delete |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.write or uaa.admin. If you use the zone-switching header, bear token containing zones.<zone id>.admin can be used. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
Unique ID of the identity zone |
subdomain |
String |
Unique subdomain for the running instance. May only contain legal characters for a subdomain name. |
name |
String |
Human-readable zone name |
description |
String |
Description of the zone |
version |
Number |
Reserved for future use of E-Tag versioning |
active |
Boolean |
Indicates whether the identity zone is active. Defaults to true. |
config.tokenPolicy.activeKeyId |
String |
The ID for the key that is being used to sign tokens |
config.tokenPolicy.accessTokenValidity |
Number |
Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity |
config.tokenPolicy.refreshTokenValidity |
Number |
Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity |
config.tokenPolicy.jwtRevocable |
Boolean |
Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable. |
config.tokenPolicy.refreshTokenUnique |
Boolean |
If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false. |
config.tokenPolicy.refreshTokenFormat |
String |
The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt. |
config.clientSecretPolicy.minLength |
Number |
Minimum number of characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.maxLength |
Number |
Maximum number of characters required for secret to be considered valid (defaults to 255). |
config.clientSecretPolicy.requireUpperCaseCharacter |
Number |
Minimum number of uppercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireLowerCaseCharacter |
Number |
Minimum number of lowercase characters required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireDigit |
Number |
Minimum number of digits required for secret to be considered valid (defaults to 0). |
config.clientSecretPolicy.requireSpecialCharacter |
Number |
Minimum number of special characters required for secret to be considered valid (defaults to 0). |
config.samlConfig.disableInResponseToCheck |
Boolean |
If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html |
config.samlConfig.assertionSigned |
Boolean |
If true, the SAML provider will sign all assertions |
config.samlConfig.wantAssertionSigned |
Boolean |
Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true. |
config.samlConfig.requestSigned |
Boolean |
Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true. |
config.samlConfig.wantAuthnRequestSigned |
Boolean |
If true, the authentication request from the partner service provider must be signed. |
config.samlConfig.assertionTimeToLiveSeconds |
Number |
The lifetime of a SAML assertion in seconds. Defaults to 600. |
config.samlConfig.entityID |
String |
Unique ID of the SAML2 entity |
config.samlConfig.certificate |
String |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
config.samlConfig.activeKeyId |
String |
The ID of the key that should be used for signing metadata and assertions. |
config.samlConfig.keys.*.certificate |
String |
Exposed SAML metadata property. The certificate used to verify the authenticity all communications. |
config.links.logout.redirectUrl |
String |
Logout redirect url |
config.links.homeRedirect |
String |
Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home. |
config.links.logout.redirectParameterName |
String |
Changes the name of the redirect parameter |
config.links.logout.disableRedirectParameter |
Boolean |
Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout |
config.links.logout.whitelist |
Array |
List of allowed whitelist redirects |
config.links.selfService.selfServiceLinksEnabled |
Boolean |
Whether or not users are allowed to sign up or reset their passwords via the UI |
config.links.selfService.signup |
Null |
Where users are directed upon clicking the account creation link |
config.links.selfService.passwd |
Null |
Where users are directed upon clicking the password reset link |
config.prompts[] |
Array |
List of fields that users are prompted for to login. Defaults to username, password, and passcode. |
config.prompts[].name |
String |
Name of field |
config.prompts[].type |
String |
What kind of field this is (e.g. text or password) |
config.prompts[].text |
String |
Actual text displayed on prompt for field |
config.defaultIdentityProvider |
String |
This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint. |
config.idpDiscoveryEnabled |
Boolean |
IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider |
config.accountChooserEnabled |
Boolean |
This flag is required to enable account choosing functionality for IDP discovery page. |
config.issuer |
String |
Issuer of this zone. Must be a valid URL. |
config.branding.companyName |
String |
This name is used on the UAA Pages and in account management related communication in UAA |
config.branding.productLogo |
String |
This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc. |
config.branding.squareLogo |
String |
This is a base64 encoded PNG image which will be used as the favicon for the UAA pages |
config.branding.footerLegalText |
String |
This text appears on the footer of all UAA pages |
config.branding.footerLinks.* |
String |
These links (Map |
config.branding.banner.text |
String |
This is text displayed in a banner at the top of the UAA login page |
config.branding.banner.logo |
String |
This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text |
config.branding.banner.link |
String |
The UAA login banner will be a link pointing to this url |
config.branding.banner.textColor |
String |
Hexadecimal color code for banner text color, does not allow color names |
config.branding.banner.backgroundColor |
String |
Hexadecimal color code for banner background color, does not allow color names |
config.branding.consent.text |
String |
If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue. |
config.branding.consent.link |
String |
If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location. |
config.corsPolicy.defaultConfiguration.allowedOrigins |
Array |
Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.defaultConfiguration.allowedOriginPatterns |
Array |
Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
config.corsPolicy.defaultConfiguration.allowedUris |
Array |
The list of allowed URIs. |
config.corsPolicy.defaultConfiguration.allowedUriPatterns |
Array |
The list of allowed URI patterns. |
config.corsPolicy.defaultConfiguration.allowedHeaders |
Array |
Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
config.corsPolicy.defaultConfiguration.allowedMethods |
Array |
Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
config.corsPolicy.defaultConfiguration.allowedCredentials |
Boolean |
Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
config.corsPolicy.defaultConfiguration.maxAge |
Number |
Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.corsPolicy.xhrConfiguration.allowedOrigins |
Array |
Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. |
config.corsPolicy.xhrConfiguration.allowedOriginPatterns |
Array |
Indicates whether a resource can be shared based by returning the value of the Origin patterns. |
config.corsPolicy.xhrConfiguration.allowedUris |
Array |
The list of allowed URIs. |
config.corsPolicy.xhrConfiguration.allowedUriPatterns |
Array |
The list of allowed URI patterns. |
config.corsPolicy.xhrConfiguration.allowedHeaders |
Array |
Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response |
config.corsPolicy.xhrConfiguration.allowedMethods |
Array |
Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request. |
config.corsPolicy.xhrConfiguration.allowedCredentials |
Boolean |
Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.. |
config.corsPolicy.xhrConfiguration.maxAge |
Number |
Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache |
config.userConfig.defaultGroups |
Array |
Default groups each user in the zone inherits. |
config.mfaConfig.enabled |
Boolean |
Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false |
config.mfaConfig.providerName |
String |
The unique name of the MFA provider to use for this zone. |
config.mfaConfig.identityProviders |
Array |
Only trigger MFA when user is using an identity provider whose origin key matches one of these values |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (zone admins can only delete their own zone) |
| 404 | Not Found - Zone does not exist |
Identity Providers
Create
SAML
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 94124b3e66924d6bba6126d49284f622' \
-d '{
"type" : "saml",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified",
"external_groups" : [ "roles" ],
"user.attribute.department" : "department",
"phone_number" : "telephone",
"given_name" : "first_name",
"family_name" : "last_name",
"email" : "emailAddress"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"originKey" : "SAML",
"name" : "SAML name",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
Authorization: Bearer 94124b3e66924d6bba6126d49284f622
Content-Length: 2990
Host: localhost
{
"type" : "saml",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified",
"external_groups" : [ "roles" ],
"user.attribute.department" : "department",
"phone_number" : "telephone",
"given_name" : "first_name",
"family_name" : "last_name",
"email" : "emailAddress"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"originKey" : "SAML",
"name" : "SAML name",
"active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 3239
{
"type" : "saml",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified",
"external_groups" : [ "roles" ],
"user.attribute.department" : "department",
"phone_number" : "telephone",
"given_name" : "first_name",
"family_name" : "last_name",
"email" : "emailAddress"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
"idpEntityAlias" : "SAML",
"zoneId" : "uaa",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"id" : "7ac3e849-389d-431a-8bf5-fad08d3d960f",
"originKey" : "SAML",
"name" : "SAML name",
"version" : 0,
"created" : 1594171384160,
"last_modified" : 1594171384160,
"active" : true,
"identityZoneId" : "uaa"
}
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 94124b3e66924d6bba6126d49284f622' \
-d '{
"type" : "saml",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"http://example.com/saml2/idp/metadata.php\" ID=\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Signature>\n <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n <ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n <ds:Reference URI=\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\n <md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n <md:KeyDescriptor use=\"signing\">\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:X509Data>\n <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n </md:KeyDescriptor>\n <md:KeyDescriptor use=\"encryption\">\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:X509Data>\n <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n </md:KeyDescriptor>\n <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SingleLogoutService.php\"/>\n <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SSOService.php\"/>\n </md:IDPSSODescriptor>\n <md:ContactPerson contactType=\"technical\">\n <md:GivenName>Filip</md:GivenName>\n <md:SurName>Hanik</md:SurName>\n <md:EmailAddress>[email protected]</md:EmailAddress>\n </md:ContactPerson>\n</md:EntityDescriptor>\n",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"originKey" : "SAMLMetadataUrl",
"name" : "SAML name",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
Authorization: Bearer 94124b3e66924d6bba6126d49284f622
Content-Length: 7617
Host: localhost
{
"type" : "saml",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"http://example.com/saml2/idp/metadata.php\" ID=\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Signature>\n <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n <ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n <ds:Reference URI=\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\n <md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n <md:KeyDescriptor use=\"signing\">\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:X509Data>\n <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n </md:KeyDescriptor>\n <md:KeyDescriptor use=\"encryption\">\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:X509Data>\n <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n </md:KeyDescriptor>\n <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SingleLogoutService.php\"/>\n <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SSOService.php\"/>\n </md:IDPSSODescriptor>\n <md:ContactPerson contactType=\"technical\">\n <md:GivenName>Filip</md:GivenName>\n <md:SurName>Hanik</md:SurName>\n <md:EmailAddress>[email protected]</md:EmailAddress>\n </md:ContactPerson>\n</md:EntityDescriptor>\n",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"originKey" : "SAMLMetadataUrl",
"name" : "SAML name",
"active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7877
{
"type" : "saml",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : { },
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"metaDataLocation" : "<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"http://example.com/saml2/idp/metadata.php\" ID=\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Signature>\n <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n <ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n <ds:Reference URI=\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\n <md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n <md:KeyDescriptor use=\"signing\">\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:X509Data>\n <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n </md:KeyDescriptor>\n <md:KeyDescriptor use=\"encryption\">\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:X509Data>\n <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n </md:KeyDescriptor>\n <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SingleLogoutService.php\"/>\n <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SSOService.php\"/>\n </md:IDPSSODescriptor>\n <md:ContactPerson contactType=\"technical\">\n <md:GivenName>Filip</md:GivenName>\n <md:SurName>Hanik</md:SurName>\n <md:EmailAddress>[email protected]</md:EmailAddress>\n </md:ContactPerson>\n</md:EntityDescriptor>\n",
"idpEntityAlias" : "SAMLMetadataUrl",
"zoneId" : "uaa",
"nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
"assertionConsumerIndex" : 0,
"metadataTrustCheck" : false,
"showSamlLink" : false,
"linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
"iconUrl" : null,
"groupMappingMode" : "EXPLICITLY_MAPPED",
"skipSslValidation" : false,
"authnContext" : null,
"socketFactoryClassName" : null
},
"id" : "a0597c17-bd40-4d87-902d-bce6baffac36",
"originKey" : "SAMLMetadataUrl",
"name" : "SAML name",
"version" : 0,
"created" : 1594171384270,
"last_modified" : 1594171384270,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| rawConfig | Boolean | Optional (defaults to false) |
UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | saml |
| originKey | String | Required | A unique alias for the SAML provider |
| config.skipSslValidation | Boolean | Optional (defaults to false) |
Set to true, to skip SSL validation when fetching metadata. |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| config.metaDataLocation | String | Required | SAML Metadata - either an XML string or a URL that will deliver XML content |
| config.nameID | String | Optional | The name ID to use for the username, default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". |
| config.assertionConsumerIndex | Number | Optional | SAML assertion consumer index, default is 0 |
| config.metadataTrustCheck | Boolean | Optional | Should metadata be validated, defaults to false |
| config.showSamlLink | Boolean | Optional | Should the SAML login link be displayed on the login page, defaults to false |
| config.linkText | String | Required if the showSamlLink is set to true |
The link text for the SAML IDP on the login page |
| config.groupMappingMode | String | Optional (defaults to "EXPLICITLY_MAPPED") |
Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes. |
| config.iconUrl | String | Optional | Reserved for future use |
| config.socketFactoryClassName | Null | Optional | Property is deprecated and value is ignored. |
| config.authnContext | Array | Optional | List of AuthnContextClassRef to include in the SAMLRequest. If not specified no AuthnContext will be requested. |
| config.attributeMappings.user_name | String | Optional (defaults to "NameID") |
Map user_name to the attribute for user name in the provider assertion or token. The default for SAML is NameID. |
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.email | String | Optional | Map email to the attribute for email in the provider assertion or token. |
| config.attributeMappings.given_name | String | Optional | Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional | Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional | Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
| config.attributeMappings.external_groups | Array | Optional | Map external_groups to the attribute for groups in the provider assertion. |
| config.attributeMappings['user.attribute.department'] | String | Optional | Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute. |
Response Fields
| Path | Type | Description |
|---|---|---|
name |
String |
Human-readable name for this provider |
config.providerDescription |
String |
Human readable name/description of this provider |
config.emailDomain |
Array |
List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active |
Boolean |
Defaults to true. |
config.addShadowUserOnLogin |
Boolean |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
config.storeCustomAttributes |
Boolean |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
type |
String |
saml |
originKey |
String |
A unique alias for the SAML provider |
config.skipSslValidation |
Boolean |
Set to true, to skip SSL validation when fetching metadata. |
config.storeCustomAttributes |
Boolean |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
config.metaDataLocation |
String |
SAML Metadata - either an XML string or a URL that will deliver XML content |
config.nameID |
String |
The name ID to use for the username, default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". |
config.assertionConsumerIndex |
Number |
SAML assertion consumer index, default is 0 |
config.metadataTrustCheck |
Boolean |
Should metadata be validated, defaults to false |
config.showSamlLink |
Boolean |
Should the SAML login link be displayed on the login page, defaults to false |
config.linkText |
String |
The link text for the SAML IDP on the login page |
config.groupMappingMode |
String |
Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes. |
config.iconUrl |
String |
Reserved for future use |
config.socketFactoryClassName |
Null |
Property is deprecated and value is ignored. |
config.authnContext |
Array |
List of AuthnContextClassRef to include in the SAMLRequest. If not specified no AuthnContext will be requested. |
config.attributeMappings.user_name |
String |
Map user_name to the attribute for user name in the provider assertion or token. The default for SAML is NameID. |
config.attributeMappings |
Object |
Map external attribute to UAA recognized mappings. |
config.attributeMappings.email |
String |
Map email to the attribute for email in the provider assertion or token. |
config.attributeMappings.given_name |
String |
Map given_name to the attribute for given name in the provider assertion or token. |
config.attributeMappings.family_name |
String |
Map family_name to the attribute for family name in the provider assertion or token. |
config.attributeMappings.phone_number |
String |
Map phone_number to the attribute for phone number in the provider assertion or token. |
config.attributeMappings.email_verified |
String |
Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
config.attributeMappings.external_groups |
Array |
Map external_groups to the attribute for groups in the provider assertion. |
config.attributeMappings['user.attribute.department'] |
String |
Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute. |
version |
Number |
Version of the identity provider data. Clients can use this to protect against conflicting updates |
id |
String |
Unique identifier for this provider - GUID generated by the UAA |
config.additionalConfiguration |
Object |
(Unused.) |
identityZoneId |
String |
Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
created |
Number |
UAA sets the creation date |
last_modified |
Number |
UAA sets the modification date |
config.idpEntityAlias |
String |
This will be set to originKey |
config.zoneId |
String |
This will be set to the ID of the zone where the provider is being created |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
| 409 | Conflict - Provider with same origin and zone id exists |
| 422 | Unprocessable Entity - Invalid configuration |
| 500 | Internal Server Error |
LDAP
LDAP supports several different configurations. The most common one is that authentication is done using a search and bind strategy. The available strategies for authentication are
- Bind authentication - the UAA uses the user's credentials to construct a DN and attempt a BIND operation to the LDAP server
- Search and Bind authentication - We take the username and password, search for the user DN, and attempt a bind operation to the LDAP server
- Search and Compare authentication - We take the username and password, search for the user DN and the user password, and perform a comparison of the provided password with the LDAP password
Group integration also supports different strategies
- No group integration - LDAP is only used for authentication
- Map a group to a UAA scope - using external group mappings
- LDAP groups contain scopes - an entry in the LDAP record contains UAA scope names
LDAP Simple Bind
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'X-Identity-Zone-Subdomain: ard7ytxm' \
-H 'Authorization: Bearer 624e309549534b118dcd66f1ee9fb58d' \
-d '{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-simple-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
"userDNPatternDelimiter" : ";",
"bindUserDn" : null,
"userSearchBase" : null,
"userSearchFilter" : null,
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-null.xml",
"groupSearchBase" : null,
"groupSearchFilter" : null,
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 10,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
X-Identity-Zone-Subdomain: ard7ytxm
Authorization: Bearer 624e309549534b118dcd66f1ee9fb58d
Content-Length: 1201
Host: localhost
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-simple-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
"userDNPatternDelimiter" : ";",
"bindUserDn" : null,
"userSearchBase" : null,
"userSearchFilter" : null,
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-null.xml",
"groupSearchBase" : null,
"groupSearchFilter" : null,
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 10,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1402
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-simple-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
"userDNPatternDelimiter" : ";",
"bindUserDn" : null,
"userSearchBase" : null,
"userSearchFilter" : null,
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-null.xml",
"groupSearchBase" : null,
"groupSearchFilter" : null,
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 10,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"id" : "f92beabe-e641-4cf5-a718-5529232ae285",
"originKey" : "ldap",
"name" : "ldap name",
"version" : 0,
"created" : 1594171386038,
"last_modified" : 1594171386038,
"active" : true,
"identityZoneId" : "ard7ytxm"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| rawConfig | Boolean | Optional (defaults to false) |
UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | ldap |
| originKey | String | Required | Origin key must be ldap for an LDAP provider |
| config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
| config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
| config.baseUrl | String | Required | The URL to the ldap server, must start with ldap:// or ldaps:// |
| config.mailAttributeName | String | Optional (defaults to "mail") |
The name of the LDAP attribute that contains the user's email address |
| config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
| config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) |
Set to true if you wish to override an LDAP user email address with a generated one |
| config.skipSSLVerification | Boolean | Optional (defaults to false) |
Skips validation of the LDAP cert if set to true. |
| config.tlsConfiguration | String | Optional (defaults to "none") |
Sets the StartTLS options, valid values are none, simple or external |
| config.referral | String | Optional (defaults to "follow") |
Configures the UAA LDAP referral behavior. The following values are possible:
|
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.user_name | String | Optional (defaults to "user_name") |
Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter |
| config.attributeMappings.first_name | String | Optional (defaults to "givenname") |
Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional (defaults to "sn") |
Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") |
Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
Response Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | ldap |
| originKey | String | Required | Origin key must be ldap for an LDAP provider |
| config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
| config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
| config.baseUrl | String | Required | The URL to the ldap server, must start with ldap:// or ldaps:// |
| config.mailAttributeName | String | Optional (defaults to "mail") |
The name of the LDAP attribute that contains the user's email address |
| config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
| config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) |
Set to true if you wish to override an LDAP user email address with a generated one |
| config.skipSSLVerification | Boolean | Optional (defaults to false) |
Skips validation of the LDAP cert if set to true. |
| config.tlsConfiguration | String | Optional (defaults to "none") |
Sets the StartTLS options, valid values are none, simple or external |
| config.referral | String | Optional (defaults to "follow") |
Configures the UAA LDAP referral behavior. The following values are possible:
|
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.user_name | String | Optional (defaults to "user_name") |
Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter |
| config.attributeMappings.first_name | String | Optional (defaults to "givenname") |
Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional (defaults to "sn") |
Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") |
Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
Error Codes
| Error Code | Description |
|---|---|
| 401 | Unauthorized - Missing or invalid token |
| 403 | Forbidden - Insufficient scope |
| 409 | Conflict - Provider with same origin and zone id exists |
| 422 | Unprocessable Entity - Invalid configuration |
| 500 | Internal Server Error |
LDAP Search and Bind
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'X-Identity-Zone-Subdomain: l7j8cbrz' \
-H 'Authorization: Bearer a4a6ab1b62d543ada6512556c86af93f' \
-d '{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"bindPassword" : "adminsecret",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : "{0}@my.org",
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
X-Identity-Zone-Subdomain: l7j8cbrz
Authorization: Bearer a4a6ab1b62d543ada6512556c86af93f
Content-Length: 1306
Host: localhost
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"bindPassword" : "adminsecret",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : "{0}@my.org",
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1471
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : null,
"passwordEncoder" : null,
"localPasswordCompare" : null,
"mailAttributeName" : "mail",
"mailSubstitute" : "{0}@my.org",
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : null,
"tlsConfiguration" : "none"
},
"id" : "c3416dff-9ab8-46c9-a934-1fa4c62d9c85",
"originKey" : "ldap",
"name" : "ldap name",
"version" : 0,
"created" : 1594171384501,
"last_modified" : 1594171384501,
"active" : true,
"identityZoneId" : "l7j8cbrz"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| rawConfig | Boolean | Optional (defaults to false) |
UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | ldap |
| originKey | String | Required | Origin key must be ldap for an LDAP provider |
| config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
| config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
| config.baseUrl | String | Required | The URL to the ldap server, must start with ldap:// or ldaps:// |
| config.bindPassword | String | Required | Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information. |
| config.mailAttributeName | String | Optional (defaults to "mail") |
The name of the LDAP attribute that contains the user's email address |
| config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
| config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) |
Set to true if you wish to override an LDAP user email address with a generated one |
| config.skipSSLVerification | Boolean | Optional (defaults to false) |
Skips validation of the LDAP cert if set to true. |
| config.tlsConfiguration | String | Optional (defaults to "none") |
Sets the StartTLS options, valid values are none, simple or external |
| config.referral | String | Optional (defaults to "follow") |
Configures the UAA LDAP referral behavior. The following values are possible:
|
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.user_name | String | Optional (defaults to "user_name") |
Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter |
| config.attributeMappings.first_name | String | Optional (defaults to "givenname") |
Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional (defaults to "sn") |
Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") |
Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
| config.bindPassword | String | Required | Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information. |
Response Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | ldap |
| originKey | String | Required | Origin key must be ldap for an LDAP provider |
| config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
| config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
| config.baseUrl | String | Required | The URL to the ldap server, must start with ldap:// or ldaps:// |
| config.bindPassword | String | Required | Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information. |
| config.mailAttributeName | String | Optional (defaults to "mail") |
The name of the LDAP attribute that contains the user's email address |
| config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
| config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) |
Set to true if you wish to override an LDAP user email address with a generated one |
| config.skipSSLVerification | Boolean | Optional (defaults to false) |
Skips validation of the LDAP cert if set to true. |
| config.tlsConfiguration | String | Optional (defaults to "none") |
Sets the StartTLS options, valid values are none, simple or external |
| config.referral | String | Optional (defaults to "follow") |
Configures the UAA LDAP referral behavior. The following values are possible:
|
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.user_name | String | Optional (defaults to "user_name") |
Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter |
| config.attributeMappings.first_name | String | Optional (defaults to "givenname") |
Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional (defaults to "sn") |
Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") |
Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
| config.bindPassword | String | Required | Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information. |
Error Codes
| Error Code | Description |
|---|---|
| 401 | Unauthorized - Missing or invalid token |
| 403 | Forbidden - Insufficient scope |
| 409 | Conflict - Provider with same origin and zone id exists |
| 422 | Unprocessable Entity - Invalid configuration |
| 500 | Internal Server Error |
LDAP Search and Compare
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'X-Identity-Zone-Subdomain: estabrwk' \
-H 'Authorization: Bearer b91481241f12463390938d504d59a251' \
-d '{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"bindPassword" : "adminsecret",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : "userPassword",
"passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
"localPasswordCompare" : true,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : "description",
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
X-Identity-Zone-Subdomain: estabrwk
Authorization: Bearer b91481241f12463390938d504d59a251
Content-Length: 1383
Host: localhost
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"bindPassword" : "adminsecret",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : "userPassword",
"passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
"localPasswordCompare" : true,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : "description",
"tlsConfiguration" : "none"
},
"originKey" : "ldap",
"name" : "ldap name",
"active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1548
{
"type" : "ldap",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
"baseUrl" : "ldap://localhost:23389",
"referral" : null,
"skipSSLVerification" : false,
"userDNPattern" : null,
"userDNPatternDelimiter" : null,
"bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
"userSearchBase" : "dc=test,dc=com",
"userSearchFilter" : "cn={0}",
"passwordAttributeName" : "userPassword",
"passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
"localPasswordCompare" : true,
"mailAttributeName" : "mail",
"mailSubstitute" : null,
"mailSubstituteOverridesLdap" : false,
"ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
"groupSearchBase" : "ou=scopes,dc=test,dc=com",
"groupSearchFilter" : "member={0}",
"groupsIgnorePartialResults" : null,
"autoAddGroups" : true,
"groupSearchSubTree" : true,
"maxGroupSearchDepth" : 3,
"groupRoleAttribute" : "description",
"tlsConfiguration" : "none"
},
"id" : "35cc8b0e-a664-4659-bf95-0c3d5d1cc278",
"originKey" : "ldap",
"name" : "ldap name",
"version" : 0,
"created" : 1594171385417,
"last_modified" : 1594171385417,
"active" : true,
"identityZoneId" : "estabrwk"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| rawConfig | Boolean | Optional (defaults to false) |
UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | ldap |
| originKey | String | Required | Origin key must be ldap for an LDAP provider |
| config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
| config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
| config.baseUrl | String | Required | The URL to the ldap server, must start with ldap:// or ldaps:// |
| config.bindPassword | String | Required | Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information. |
| config.mailAttributeName | String | Optional (defaults to "mail") |
The name of the LDAP attribute that contains the user's email address |
| config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
| config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) |
Set to true if you wish to override an LDAP user email address with a generated one |
| config.skipSSLVerification | Boolean | Optional (defaults to false) |
Skips validation of the LDAP cert if set to true. |
| config.tlsConfiguration | String | Optional (defaults to "none") |
Sets the StartTLS options, valid values are none, simple or external |
| config.referral | String | Optional (defaults to "follow") |
Configures the UAA LDAP referral behavior. The following values are possible:
|
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.user_name | String | Optional (defaults to "user_name") |
Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter |
| config.attributeMappings.first_name | String | Optional (defaults to "givenname") |
Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional (defaults to "sn") |
Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") |
Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
Response Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | ldap |
| originKey | String | Required | Origin key must be ldap for an LDAP provider |
| config.ldapProfileFile | String | Required | The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml |
| config.ldapGroupFile | String | Required | The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml |
| config.baseUrl | String | Required | The URL to the ldap server, must start with ldap:// or ldaps:// |
| config.bindPassword | String | Required | Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information. |
| config.mailAttributeName | String | Optional (defaults to "mail") |
The name of the LDAP attribute that contains the user's email address |
| config.mailSubstitute | String | Optional | Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication |
| config.mailSubstituteOverridesLdap | Boolean | Optional (defaults to false) |
Set to true if you wish to override an LDAP user email address with a generated one |
| config.skipSSLVerification | Boolean | Optional (defaults to false) |
Skips validation of the LDAP cert if set to true. |
| config.tlsConfiguration | String | Optional (defaults to "none") |
Sets the StartTLS options, valid values are none, simple or external |
| config.referral | String | Optional (defaults to "follow") |
Configures the UAA LDAP referral behavior. The following values are possible:
|
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.user_name | String | Optional (defaults to "user_name") |
Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter |
| config.attributeMappings.first_name | String | Optional (defaults to "givenname") |
Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional (defaults to "sn") |
Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional (defaults to "telephonenumber") |
Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
Error Codes
| Error Code | Description |
|---|---|
| 401 | Unauthorized - Missing or invalid token |
| 403 | Forbidden - Insufficient scope |
| 409 | Conflict - Provider with same origin and zone id exists |
| 422 | Unprocessable Entity - Invalid configuration |
| 500 | Internal Server Error |
OAuth/OIDC
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer d1438befcc8840bf89e173ef7ab1b4d9' \
-d '{
"type" : "oauth2.0",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"attributeMappings" : {
"email_verified" : "emailVerified",
"external_groups" : [ "roles" ],
"user.attribute.department" : "department",
"phone_number" : "telephone",
"given_name" : "first_name",
"family_name" : "last_name",
"email" : "emailAddress"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : "http://auth.url",
"tokenUrl" : "http://token.url",
"tokenKeyUrl" : null,
"tokenKey" : "token-key",
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : false,
"relyingPartyId" : "uaa",
"relyingPartySecret" : "secret",
"scopes" : null,
"issuer" : null,
"responseType" : "code",
"userPropagationParameter" : "username"
},
"originKey" : "my-oauth2-provider",
"name" : "UAA Provider",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
Authorization: Bearer d1438befcc8840bf89e173ef7ab1b4d9
Content-Length: 989
Host: localhost
{
"type" : "oauth2.0",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"attributeMappings" : {
"email_verified" : "emailVerified",
"external_groups" : [ "roles" ],
"user.attribute.department" : "department",
"phone_number" : "telephone",
"given_name" : "first_name",
"family_name" : "last_name",
"email" : "emailAddress"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : "http://auth.url",
"tokenUrl" : "http://token.url",
"tokenKeyUrl" : null,
"tokenKey" : "token-key",
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : false,
"relyingPartyId" : "uaa",
"relyingPartySecret" : "secret",
"scopes" : null,
"issuer" : null,
"responseType" : "code",
"userPropagationParameter" : "username"
},
"originKey" : "my-oauth2-provider",
"name" : "UAA Provider",
"active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1213
{
"type" : "oauth2.0",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ ],
"attributeMappings" : {
"email_verified" : "emailVerified",
"external_groups" : [ "roles" ],
"user.attribute.department" : "department",
"phone_number" : "telephone",
"given_name" : "first_name",
"family_name" : "last_name",
"email" : "emailAddress"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : "http://auth.url",
"tokenUrl" : "http://token.url",
"tokenKeyUrl" : null,
"tokenKey" : "token-key",
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : false,
"relyingPartyId" : "uaa",
"scopes" : null,
"issuer" : null,
"responseType" : "code",
"userPropagationParameter" : "username",
"checkTokenUrl" : null
},
"id" : "29084018-7706-4efc-8fd1-200beda98bac",
"originKey" : "my-oauth2-provider",
"name" : "UAA Provider",
"version" : 0,
"created" : 1594171385116,
"last_modified" : 1594171385116,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| rawConfig | Boolean | Optional (defaults to false) |
UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | "oauth2.0" |
| originKey | String | Required | A unique alias for a OAuth provider |
| config.authUrl | String | Required | The OAuth 2.0 authorization endpoint URL |
| config.tokenUrl | String | Required | The OAuth 2.0 token endpoint URL |
| config.tokenKeyUrl | String | Optional | The URL of the token key endpoint which renders a verification key for validating token signatures |
| config.tokenKey | String | Optional | A verification key for validating token signatures, set to null if a tokenKeyUrl is provided. |
| config.showLinkText | Boolean | Optional (defaults to true) |
A flag controlling whether a link to this provider's login will be shown on the UAA login page |
| config.linkText | String | Optional | Text to use for the login link to the provider |
| config.relyingPartyId | String | Required | The client ID which is registered with the external OAuth provider for use by the UAA |
| config.skipSslValidation | Boolean | Optional | A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server |
| config.scopes | Array | Optional | What scopes to request on a call to the external OAuth provider |
| config.checkTokenUrl | Object | Optional | Reserved for future OAuth use. |
| config.responseType | String | Optional (defaults to "code") |
Response type for the authorize request, will be sent to OAuth server, defaults to code |
| config.clientAuthInBody | Boolean | Optional (defaults to false) |
Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. |
| config.issuer | String | Optional | The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token. |
| config.userPropagationParameter | String | Optional (defaults to "username") |
Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser |
| config.attributeMappings.user_name | String | Optional (defaults to "sub") |
Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub |
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.email | String | Optional | Map email to the attribute for email in the provider assertion or token. |
| config.attributeMappings.given_name | String | Optional | Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional | Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional | Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
| config.attributeMappings.external_groups | Array | Optional | Map external_groups to the attribute for groups in the provider assertion. |
| config.attributeMappings['user.attribute.department'] | String | Optional | Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute. |
| config.relyingPartySecret | String | Required | The client secret of the relying party at the external OAuth provider |
Response Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | "oauth2.0" |
| originKey | String | Required | A unique alias for a OAuth provider |
| config.authUrl | String | Required | The OAuth 2.0 authorization endpoint URL |
| config.tokenUrl | String | Required | The OAuth 2.0 token endpoint URL |
| config.tokenKeyUrl | String | Optional | The URL of the token key endpoint which renders a verification key for validating token signatures |
| config.tokenKey | String | Optional | A verification key for validating token signatures, set to null if a tokenKeyUrl is provided. |
| config.showLinkText | Boolean | Optional (defaults to true) |
A flag controlling whether a link to this provider's login will be shown on the UAA login page |
| config.linkText | String | Optional | Text to use for the login link to the provider |
| config.relyingPartyId | String | Required | The client ID which is registered with the external OAuth provider for use by the UAA |
| config.skipSslValidation | Boolean | Optional | A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server |
| config.scopes | Array | Optional | What scopes to request on a call to the external OAuth provider |
| config.checkTokenUrl | Object | Optional | Reserved for future OAuth use. |
| config.responseType | String | Optional (defaults to "code") |
Response type for the authorize request, will be sent to OAuth server, defaults to code |
| config.clientAuthInBody | Boolean | Optional (defaults to false) |
Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. |
| config.issuer | String | Optional | The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token. |
| config.userPropagationParameter | String | Optional (defaults to "username") |
Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser |
| config.attributeMappings.user_name | String | Optional (defaults to "sub") |
Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub |
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.email | String | Optional | Map email to the attribute for email in the provider assertion or token. |
| config.attributeMappings.given_name | String | Optional | Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional | Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional | Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
| config.attributeMappings.external_groups | Array | Optional | Map external_groups to the attribute for groups in the provider assertion. |
| config.attributeMappings['user.attribute.department'] | String | Optional | Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute. |
| config.relyingPartySecret | String | Required | The client secret of the relying party at the external OAuth provider |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
| 409 | Conflict - Provider with same origin and zone id exists |
| 422 | Unprocessable Entity - Invalid configuration |
| 500 | Internal Server Error |
$ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 72d51f940fdc46c190e7e1d3d25323ee' \
-d '{
"type" : "oidc1.0",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ "uaa.user" ],
"attributeMappings" : {
"email_verified" : "emailVerified",
"external_groups" : [ "roles" ],
"user.attribute.department" : "department",
"phone_number" : "telephone",
"given_name" : "first_name",
"family_name" : "last_name",
"email" : "emailAddress"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : null,
"tokenUrl" : null,
"tokenKeyUrl" : null,
"tokenKey" : null,
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : true,
"relyingPartyId" : "uaa",
"relyingPartySecret" : "secret",
"scopes" : null,
"issuer" : null,
"responseType" : "code",
"userPropagationParameter" : "username",
"userInfoUrl" : null,
"discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration",
"passwordGrantEnabled" : false,
"setForwardHeader" : false,
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ]
},
"originKey" : "my-oidc-provider-unjxwx",
"name" : "UAA Provider",
"active" : true
}'
POST /identity-providers?rawConfig=true HTTP/1.1
Content-Type: application/json
Authorization: Bearer 72d51f940fdc46c190e7e1d3d25323ee
Content-Length: 1508
Host: localhost
{
"type" : "oidc1.0",
"config" : {
"emailDomain" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ "uaa.user" ],
"attributeMappings" : {
"email_verified" : "emailVerified",
"external_groups" : [ "roles" ],
"user.attribute.department" : "department",
"phone_number" : "telephone",
"given_name" : "first_name",
"family_name" : "last_name",
"email" : "emailAddress"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : null,
"tokenUrl" : null,
"tokenKeyUrl" : null,
"tokenKey" : null,
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : true,
"relyingPartyId" : "uaa",
"relyingPartySecret" : "secret",
"scopes" : null,
"issuer" : null,
"responseType" : "code",
"userPropagationParameter" : "username",
"userInfoUrl" : null,
"discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration",
"passwordGrantEnabled" : false,
"setForwardHeader" : false,
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ]
},
"originKey" : "my-oidc-provider-unjxwx",
"name" : "UAA Provider",
"active" : true
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1667
{
"type" : "oidc1.0",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"externalGroupsWhitelist" : [ "uaa.user" ],
"attributeMappings" : {
"email_verified" : "emailVerified",
"external_groups" : [ "roles" ],
"user.attribute.department" : "department",
"phone_number" : "telephone",
"given_name" : "first_name",
"family_name" : "last_name",
"email" : "emailAddress"
},
"addShadowUserOnLogin" : true,
"storeCustomAttributes" : true,
"authUrl" : null,
"tokenUrl" : null,
"tokenKeyUrl" : null,
"tokenKey" : null,
"linkText" : null,
"showLinkText" : false,
"clientAuthInBody" : false,
"skipSslValidation" : true,
"relyingPartyId" : "uaa",
"scopes" : null,
"issuer" : null,
"responseType" : "code",
"userPropagationParameter" : "username",
"userInfoUrl" : null,
"discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration",
"passwordGrantEnabled" : false,
"setForwardHeader" : false,
"prompts" : [ {
"name" : "username",
"type" : "text",
"text" : "Email"
}, {
"name" : "password",
"type" : "password",
"text" : "Password"
}, {
"name" : "passcode",
"type" : "password",
"text" : "Temporary Authentication Code (Get on at /passcode)"
} ]
},
"id" : "c9b88126-a6c0-4487-a715-34e9ffbaa601",
"originKey" : "my-oidc-provider-unjxwx",
"name" : "UAA Provider",
"version" : 0,
"created" : 1594171385176,
"last_modified" : 1594171385176,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| rawConfig | Boolean | Optional (defaults to false) |
UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | "oidc1.0" |
| originKey | String | Required | A unique alias for the OIDC 1.0 provider |
| config.discoveryUrl | String | Optional | The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configurationmit |
| config.authUrl | String | Required unless discoveryUrl is set. |
The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
| config.tokenUrl | String | Required unless discoveryUrl is set. |
The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
| config.tokenKeyUrl | String | Required unless discoveryUrl is set. |
The URL of the token key endpoint which renders a verification key for validating token signatures. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
| config.tokenKey | String | Required unless discoveryUrl is set. |
A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
| config.showLinkText | Boolean | Optional (defaults to true) |
A flag controlling whether a link to this provider's login will be shown on the UAA login page |
| config.linkText | String | Optional | Text to use for the login link to the provider |
| config.relyingPartyId | String | Required | The client ID which is registered with the external OAuth provider for use by the UAA |
| config.skipSslValidation | Boolean | Optional | A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server |
| config.scopes | Array | Optional | What scopes to request on a call to the external OAuth/OpenID provider. For example, can provide openid, roles, or profile to request ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively. |
| config.checkTokenUrl | Object | Optional | Reserved for future OAuth/OIDC use. |
| config.clientAuthInBody | Boolean | Optional (defaults to false) |
Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. |
| config.userInfoUrl | Object | Optional | Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
| config.responseType | String | Optional (defaults to "code") |
Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect. |
| config.issuer | String | Optional | The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token. |
| config.userPropagationParameter | String | Optional (defaults to "username") |
Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser |
| config.externalGroupsWhitelist | Array | Optional | JSON Array containing the groups names which need to be populated in the user's id_token or response from /userinfo endpoint. If you don't specify the whitelist no groups will be populated in the id_token or /userinfo response.Please note that regex is allowed. Acceptable patterns are
|
| config.passwordGrantEnabled | Boolean | Optional (defaults to false) |
Enable Resource Owner Password Grant flow for this identity provider. |
| config.setForwardHeader | Boolean | Optional (defaults to false) |
Only effective, if Password Grant enabled. Set X-Forward-For header in Password Grant request to this identity provider. |
| config.attributeMappings.user_name | String | Optional (defaults to "sub") |
Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub. |
| config.prompts[] | Array | Optional | List of fields that users are prompted on to the OIDC provider through the password grant flow. Defaults to username, password, and passcode. Any additional prompts beyond username, password, and passcode will be forwarded on to the OIDC provider. |
| config.prompts[].name | String | Optional | Name of field |
| config.prompts[].type | String | Optional | What kind of field this is (e.g. text or password) |
| config.prompts[].text | String | Optional | Actual text displayed on prompt for field |
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.email | String | Optional | Map email to the attribute for email in the provider assertion or token. |
| config.attributeMappings.given_name | String | Optional | Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional | Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional | Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
| config.attributeMappings.external_groups | Array | Optional | Map external_groups to the attribute for groups in the provider assertion. |
| config.attributeMappings['user.attribute.department'] | String | Optional | Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute. |
| config.relyingPartySecret | String | Required | The client secret of the relying party at the external OAuth provider |
Response Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | "oidc1.0" |
| originKey | String | Required | A unique alias for the OIDC 1.0 provider |
| config.discoveryUrl | String | Optional | The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configurationmit |
| config.authUrl | String | Required unless discoveryUrl is set. |
The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
| config.tokenUrl | String | Required unless discoveryUrl is set. |
The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
| config.tokenKeyUrl | String | Required unless discoveryUrl is set. |
The URL of the token key endpoint which renders a verification key for validating token signatures. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
| config.tokenKey | String | Required unless discoveryUrl is set. |
A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
| config.showLinkText | Boolean | Optional (defaults to true) |
A flag controlling whether a link to this provider's login will be shown on the UAA login page |
| config.linkText | String | Optional | Text to use for the login link to the provider |
| config.relyingPartyId | String | Required | The client ID which is registered with the external OAuth provider for use by the UAA |
| config.skipSslValidation | Boolean | Optional | A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server |
| config.scopes | Array | Optional | What scopes to request on a call to the external OAuth/OpenID provider. For example, can provide openid, roles, or profile to request ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively. |
| config.checkTokenUrl | Object | Optional | Reserved for future OAuth/OIDC use. |
| config.clientAuthInBody | Boolean | Optional (defaults to false) |
Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. |
| config.userInfoUrl | Object | Optional | Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL. |
| config.responseType | String | Optional (defaults to "code") |
Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect. |
| config.issuer | String | Optional | The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token. |
| config.userPropagationParameter | String | Optional (defaults to "username") |
Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser |
| config.externalGroupsWhitelist | Array | Optional | JSON Array containing the groups names which need to be populated in the user's id_token or response from /userinfo endpoint. If you don't specify the whitelist no groups will be populated in the id_token or /userinfo response.Please note that regex is allowed. Acceptable patterns are
|
| config.passwordGrantEnabled | Boolean | Optional (defaults to false) |
Enable Resource Owner Password Grant flow for this identity provider. |
| config.setForwardHeader | Boolean | Optional (defaults to false) |
Only effective, if Password Grant enabled. Set X-Forward-For header in Password Grant request to this identity provider. |
| config.attributeMappings.user_name | String | Optional (defaults to "sub") |
Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub. |
| config.prompts[] | Array | Optional | List of fields that users are prompted on to the OIDC provider through the password grant flow. Defaults to username, password, and passcode. Any additional prompts beyond username, password, and passcode will be forwarded on to the OIDC provider. |
| config.prompts[].name | String | Optional | Name of field |
| config.prompts[].type | String | Optional | What kind of field this is (e.g. text or password) |
| config.prompts[].text | String | Optional | Actual text displayed on prompt for field |
| config.attributeMappings | Object | Optional | Map external attribute to UAA recognized mappings. |
| config.attributeMappings.email | String | Optional | Map email to the attribute for email in the provider assertion or token. |
| config.attributeMappings.given_name | String | Optional | Map given_name to the attribute for given name in the provider assertion or token. |
| config.attributeMappings.family_name | String | Optional | Map family_name to the attribute for family name in the provider assertion or token. |
| config.attributeMappings.phone_number | String | Optional | Map phone_number to the attribute for phone number in the provider assertion or token. |
| config.attributeMappings.email_verified | String | Optional | Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications. |
| config.attributeMappings.external_groups | Array | Optional | Map external_groups to the attribute for groups in the provider assertion. |
| config.attributeMappings['user.attribute.department'] | String | Optional | Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute. |
| config.relyingPartySecret | String | Required | The client secret of the relying party at the external OAuth provider |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
| 409 | Conflict - Provider with same origin and zone id exists |
| 422 | Unprocessable Entity - Invalid configuration |
| 500 | Internal Server Error |
Retrieve All
$ curl 'http://localhost/identity-providers?rawConfig=false' -i -X GET \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 58fa1ee857e440fdbc3c18fc23f4417d'
GET /identity-providers?rawConfig=false HTTP/1.1
Content-Type: application/json
Authorization: Bearer 58fa1ee857e440fdbc3c18fc23f4417d
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 15625
[ {
"type" : "saml",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/SAML\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"SAML\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:SAML\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
"id" : "7ac3e849-389d-431a-8bf5-fad08d3d960f",
"originKey" : "SAML",
"name" : "SAML name",
"version" : 0,
"created" : 1594171384160,
"last_modified" : 1594171384160,
"active" : true,
"identityZoneId" : "uaa"
}, {
"type" : "saml",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\"?>\\n<md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\" entityID=\\\"http://example.com/saml2/idp/metadata.php\\\" ID=\\\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\\\"><ds:Signature>\\n <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/>\\n <ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\\\"/>\\n <ds:Reference URI=\\\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2001/04/xmlenc#sha256\\\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\\n <md:IDPSSODescriptor protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\">\\n <md:KeyDescriptor use=\\\"signing\\\">\\n <ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\">\\n <ds:X509Data>\\n <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\\n </ds:X509Data>\\n </ds:KeyInfo>\\n </md:KeyDescriptor>\\n <md:KeyDescriptor use=\\\"encryption\\\">\\n <ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\">\\n <ds:X509Data>\\n <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\\n </ds:X509Data>\\n </ds:KeyInfo>\\n </md:KeyDescriptor>\\n <md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://example.com/saml2/idp/SingleLogoutService.php\\\"/>\\n <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\\n <md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://example.com/saml2/idp/SSOService.php\\\"/>\\n </md:IDPSSODescriptor>\\n <md:ContactPerson contactType=\\\"technical\\\">\\n <md:GivenName>Filip</md:GivenName>\\n <md:SurName>Hanik</md:SurName>\\n <md:EmailAddress>[email protected]</md:EmailAddress>\\n </md:ContactPerson>\\n</md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"SAMLMetadataUrl\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:transient\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:SAML\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
"id" : "a0597c17-bd40-4d87-902d-bce6baffac36",
"originKey" : "SAMLMetadataUrl",
"name" : "SAML name",
"version" : 0,
"created" : 1594171384270,
"last_modified" : 1594171384270,
"active" : true,
"identityZoneId" : "uaa"
}, {
"type" : "keystone",
"config" : "null",
"id" : "0aa2929b-a50d-4cb5-9331-a78e4b2af501",
"originKey" : "keystone",
"name" : "keystone",
"version" : 0,
"created" : 946684800000,
"last_modified" : 946684800000,
"active" : true,
"identityZoneId" : "uaa"
}, {
"type" : "ldap",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"ldapProfileFile\":\"ldap/ldap-search-and-bind.xml\",\"baseUrl\":\"ldap://localhost:389/\",\"referral\":null,\"skipSSLVerification\":false,\"userDNPattern\":null,\"userDNPatternDelimiter\":null,\"bindUserDn\":\"cn=admin,dc=test,dc=com\",\"userSearchBase\":\"dc=test,dc=com\",\"userSearchFilter\":\"cn={0}\",\"passwordAttributeName\":null,\"passwordEncoder\":null,\"localPasswordCompare\":null,\"mailAttributeName\":\"mail\",\"mailSubstitute\":null,\"mailSubstituteOverridesLdap\":false,\"ldapGroupFile\":null,\"groupSearchBase\":null,\"groupSearchFilter\":null,\"groupsIgnorePartialResults\":null,\"autoAddGroups\":true,\"groupSearchSubTree\":true,\"maxGroupSearchDepth\":10,\"groupRoleAttribute\":null,\"tlsConfiguration\":\"none\"}",
"id" : "24979205-5128-431a-be85-66d6a890d71d",
"originKey" : "ldap",
"name" : "UAA LDAP Provider",
"version" : 1,
"created" : 946684800000,
"last_modified" : 1594171383708,
"active" : false,
"identityZoneId" : "uaa"
}, {
"type" : "login-server",
"config" : "null",
"id" : "9d1f7314-33f6-4dd0-8b3a-3e1cb3900d24",
"originKey" : "login-server",
"name" : "login-server",
"version" : 0,
"created" : 946684800000,
"last_modified" : 946684800000,
"active" : true,
"identityZoneId" : "uaa"
}, {
"type" : "oauth2.0",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":\"http://auth.url\",\"tokenUrl\":\"http://token.url\",\"tokenKeyUrl\":null,\"tokenKey\":\"token-key\",\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":false,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"userPropagationParameter\":\"username\",\"checkTokenUrl\":null}",
"id" : "29084018-7706-4efc-8fd1-200beda98bac",
"originKey" : "my-oauth2-provider",
"name" : "UAA Provider",
"version" : 0,
"created" : 1594171385116,
"last_modified" : 1594171385116,
"active" : true,
"identityZoneId" : "uaa"
}, {
"type" : "oidc1.0",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[\"uaa.user\"],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":null,\"tokenUrl\":null,\"tokenKeyUrl\":null,\"tokenKey\":null,\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":true,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"userPropagationParameter\":\"username\",\"userInfoUrl\":null,\"discoveryUrl\":\"https://accounts.google.com/.well-known/openid-configuration\",\"passwordGrantEnabled\":false,\"setForwardHeader\":false,\"prompts\":[{\"name\":\"username\",\"type\":\"text\",\"text\":\"Email\"},{\"name\":\"password\",\"type\":\"password\",\"text\":\"Password\"},{\"name\":\"passcode\",\"type\":\"password\",\"text\":\"Temporary Authentication Code (Get on at /passcode)\"}]}",
"id" : "c9b88126-a6c0-4487-a715-34e9ffbaa601",
"originKey" : "my-oidc-provider-unjxwx",
"name" : "UAA Provider",
"version" : 0,
"created" : 1594171385176,
"last_modified" : 1594171385176,
"active" : true,
"identityZoneId" : "uaa"
}, {
"type" : "uaa",
"config" : "null",
"id" : "eb9f1724-dbb3-4bcc-964f-ef601bd07d09",
"originKey" : "uaa",
"name" : "uaa",
"version" : 3,
"created" : 946684800000,
"last_modified" : 1594171385239,
"active" : true,
"identityZoneId" : "uaa"
} ]
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| rawConfig | Boolean | Optional (defaults to false) |
UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Response Fields
| Path | Type | Description |
|---|---|---|
[].type |
String |
Type of the identity provider. |
[].originKey |
String |
Unique identifier for the identity provider. |
[].name |
String |
Human-readable name for this provider |
[].config |
String |
Json config for the Identity Provider |
[].version |
Number |
Version of the identity provider data. Clients can use this to protect against conflicting updates |
[].active |
Boolean |
Defaults to true. |
[].id |
String |
Unique identifier for this provider - GUID generated by the UAA |
[].identityZoneId |
String |
Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
[].created |
Number |
UAA sets the creation date |
[].last_modified |
Number |
UAA sets the modification date |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
Retrieve
$ curl 'http://localhost/identity-providers/41c6ddb9-cb1a-474c-9d86-457527d15fad?rawConfig=false' -i -X GET \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer dbfcfc1e24454b929fa118a83953a7a3'
GET /identity-providers/41c6ddb9-cb1a-474c-9d86-457527d15fad?rawConfig=false HTTP/1.1
Content-Type: application/json
Authorization: Bearer dbfcfc1e24454b929fa118a83953a7a3
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 3207
{
"type" : "saml",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/saml-for-get\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"saml-for-get\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:saml-for-get\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
"id" : "41c6ddb9-cb1a-474c-9d86-457527d15fad",
"originKey" : "saml-for-get",
"name" : "saml-for-get name",
"version" : 0,
"created" : 1594171385048,
"last_modified" : 1594171385048,
"active" : true,
"identityZoneId" : "uaa"
}
Path Parameters
/identity-providers/{id}
| Parameter | Description |
|---|---|
| id | Unique identifier for this provider - GUID generated by the UAA |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| rawConfig | Boolean | Optional (defaults to false) |
UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Response Fields
| Path | Type | Description |
|---|---|---|
name |
String |
Human-readable name for this provider |
config.providerDescription |
String |
Human readable name/description of this provider |
config.emailDomain |
Array |
List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active |
Boolean |
Defaults to true. |
config.addShadowUserOnLogin |
Boolean |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
config.storeCustomAttributes |
Boolean |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
type |
String |
Type of the identity provider. |
originKey |
String |
Unique identifier for the identity provider. |
config |
String |
Various configuration properties for the identity provider. |
config.additionalConfiguration |
Object |
(Unused.) |
version |
Number |
Version of the identity provider data. Clients can use this to protect against conflicting updates |
id |
String |
Unique identifier for this provider - GUID generated by the UAA |
identityZoneId |
String |
Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
created |
Number |
UAA sets the creation date |
last_modified |
Number |
UAA sets the modification date |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
Update
$ curl 'http://localhost/identity-providers/eb9f1724-dbb3-4bcc-964f-ef601bd07d09?rawConfig=true' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer bcbff4cfba984db0b7b74ca66442e7de' \
-d '{"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true}'
PUT /identity-providers/eb9f1724-dbb3-4bcc-964f-ef601bd07d09?rawConfig=true HTTP/1.1
Content-Type: application/json
Authorization: Bearer bcbff4cfba984db0b7b74ca66442e7de
Content-Length: 280
Host: localhost
{"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 559
{
"type" : "uaa",
"config" : {
"emailDomain" : null,
"additionalConfiguration" : null,
"providerDescription" : null,
"passwordPolicy" : null,
"lockoutPolicy" : {
"lockoutPeriodSeconds" : 8,
"lockoutAfterFailures" : 8,
"countFailuresWithin" : 8
},
"disableInternalUserManagement" : false
},
"id" : "eb9f1724-dbb3-4bcc-964f-ef601bd07d09",
"originKey" : "uaa",
"name" : "uaa",
"version" : 4,
"created" : 946684800000,
"last_modified" : 1594171385864,
"active" : true,
"identityZoneId" : "uaa"
}
Path Parameters
/identity-providers/{id}
| Parameter | Description |
|---|---|
| id | Unique identifier for this provider - GUID generated by the UAA |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| rawConfig | Boolean | Optional (defaults to false) |
UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Request and Response Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider |
| config.providerDescription | String | Optional | Human readable name/description of this provider |
| config.emailDomain | Array | Optional | List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
| active | Boolean | Optional | Defaults to true. |
| config.addShadowUserOnLogin | Boolean | Optional (defaults to true) |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
| config.storeCustomAttributes | Boolean | Optional (defaults to true) |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
| type | String | Required | uaa |
| originKey | String | Required | A unique identifier for the IDP. Cannot be updated. |
| version | Number | Required | Version of the identity provider data. Clients can use this to protect against conflicting updates |
| config.passwordPolicy.minLength | Number | Required when passwordPolicy in the config is not null |
Minimum number of characters required for password to be considered valid (defaults to 0). |
| config.passwordPolicy.maxLength | Number | Required when passwordPolicy in the config is not null |
Maximum number of characters required for password to be considered valid (defaults to 255). |
| config.passwordPolicy.requireUpperCaseCharacter | Number | Required when passwordPolicy in the config is not null |
Minimum number of uppercase characters required for password to be considered valid (defaults to 0). |
| config.passwordPolicy.requireLowerCaseCharacter | Number | Required when passwordPolicy in the config is not null |
Minimum number of lowercase characters required for password to be considered valid (defaults to 0). |
| config.passwordPolicy.requireDigit | Number | Required when passwordPolicy in the config is not null |
Minimum number of digits required for password to be considered valid (defaults to 0). |
| config.passwordPolicy.requireSpecialCharacter | Number | Required when passwordPolicy in the config is not null |
Minimum number of special characters required for password to be considered valid (defaults to 0). |
| config.passwordPolicy.expirePasswordInMonths | Number | Required when passwordPolicy in the config is not null |
Number of months after which current password expires (defaults to 0). |
| config.passwordPolicy.passwordNewerThan | Number | Required when passwordPolicy in the config is not null |
This timestamp value can be used to force change password for every user. If the user's passwordLastModified is older than this value, the password is expired (defaults to null). |
| config.lockoutPolicy.lockoutPeriodSeconds | Number | Required when LockoutPolicy in the config is not null |
Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked (defaults to 3600). |
| config.lockoutPolicy.lockoutAfterFailures | Number | Required when LockoutPolicy in the config is not null |
Number of allowed failures before account is locked (defaults to 5). |
| config.lockoutPolicy.countFailuresWithin | Number | Required when LockoutPolicy in the config is not null |
Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded (defaults to 300). |
| config.disableInternalUserManagement | Boolean | Optional | When set to true, user management is disabled for this provider, defaults to false |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
| 422 | Unprocessable Entity - Invalid config |
Delete
$ curl 'http://localhost/identity-providers/13223802-e41a-4cf1-966b-5610956e7fc8' -i -X DELETE \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer e3d4b285d6174cf0be5e22e61052d5aa'
DELETE /identity-providers/13223802-e41a-4cf1-966b-5610956e7fc8 HTTP/1.1
Content-Type: application/json
Authorization: Bearer e3d4b285d6174cf0be5e22e61052d5aa
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 3222
{
"type" : "saml",
"config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/saml-for-delete\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"saml-for-delete\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:saml-for-delete\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
"id" : "13223802-e41a-4cf1-966b-5610956e7fc8",
"originKey" : "saml-for-delete",
"name" : "saml-for-delete name",
"version" : 0,
"created" : 1594171385792,
"last_modified" : 1594171385792,
"active" : true,
"identityZoneId" : "uaa"
}
Path Parameters
/identity-providers/{id}
| Parameter | Description |
|---|---|
| id | Unique identifier for this provider - GUID generated by the UAA |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| rawConfig | Boolean | Optional (defaults to false) |
UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string. |
Response Fields
| Path | Type | Description |
|---|---|---|
name |
String |
Human-readable name for this provider |
config.providerDescription |
String |
Human readable name/description of this provider |
config.emailDomain |
Array |
List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported. |
active |
Boolean |
Defaults to true. |
config.addShadowUserOnLogin |
Boolean |
Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false). |
config.storeCustomAttributes |
Boolean |
Set to true, to store custom user attributes to be fetched from the /userinfo endpoint |
type |
String |
Type of the identity provider. |
originKey |
String |
Unique identifier for the identity provider. |
config |
String |
Various configuration properties for the identity provider. |
config.additionalConfiguration |
Object |
(Unused.) |
version |
Number |
Version of the identity provider data. Clients can use this to protect against conflicting updates |
id |
String |
Unique identifier for this provider - GUID generated by the UAA |
identityZoneId |
String |
Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
created |
Number |
UAA sets the creation date |
last_modified |
Number |
UAA sets the modification date |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
| 422 | Unprocessable Entity |
Force password change for Users
$ curl 'http://localhost/identity-providers/eb9f1724-dbb3-4bcc-964f-ef601bd07d09/status' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer cd0102f4da0f4243ad1b87137bd2ca21' \
-d '{"requirePasswordChange":true}'
PATCH /identity-providers/eb9f1724-dbb3-4bcc-964f-ef601bd07d09/status HTTP/1.1
Content-Type: application/json
Authorization: Bearer cd0102f4da0f4243ad1b87137bd2ca21
Content-Length: 30
Host: localhost
{"requirePasswordChange":true}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 36
{
"requirePasswordChange" : true
}
Path Parameters
/identity-providers/{id}/status
| Parameter | Description |
|---|---|
| id | Unique identifier for this provider - GUID generated by the UAA |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of) |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request and Response Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| requirePasswordChange | Boolean | Required | Set to true in order to force password change for all users. The passwordNewerThan property in PasswordPolicy of the IdentityProvider will be updated with current system time. If the user's passwordLastModified is older than this value, the password is expired. |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
| 422 | Unprocessable Entity - Invalid config |
Service Providers
UAA is capable of acting as a SAML Identity Provider (IdP). When UAA receives a SAML authentication request from a recognized SAML Service Provider (SP), UAA will authenticate the user then send a SAML authentication response back to the SAML SP. If UAA succesfully authenticated the user the SAML authentication response will contain a SAML assertion as per specification.
Obtaining the UAA SAML IdP metadata:
In order to establish trust, a SAML IdP and SAML SP exchange SAML metadata which contains pulbic certificates as well as the endpoints used to communicate amongst each other. Your SAML SP will likely require the UAA SAML IdP metadata in order to make authentication requests to UAA. You can obtain this metadata by making a GET request to the /saml/idp/metadata endpoint.
GET http://localhost:8080/uaa/saml/idp/metadata
Initiate IDP Login Flow
When the UAA is an IdP, you can initiate the login flow to the Service Provider, SP, by using the initiate endpoint
This is a browser flow.
$ curl 'http://o7ukl5kluew6nfaqffjodycj.localhost/saml/idp/initiate?sp=XlDhYhy163.cloudfoundry-saml-login' -i -X GET
GET /saml/idp/initiate?sp=XlDhYhy163.cloudfoundry-saml-login HTTP/1.1
Host: o7ukl5kluew6nfaqffjodycj.localhost
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
</head>
<body onload="document.forms[0].submit()">
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
</p>
</noscript>
<form action="http://XlDhYhy163.localhost:8080/uaa/saml/SSO/alias/XlDhYhy163.cloudfoundry-saml-login" method="post">
<div>
<input type="hidden" name="SAMLResponse" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cDovL1hsRGhZaHkxNjMubG9jYWxob3N0OjgwODAvdWFhL3NhbWwvU1NPL2FsaWFzL1hsRGhZaHkxNjMuY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW4iIElEPSJhM2g4MWdmYzJnMDJiNWNiMTI1YjJkNTRmN2o4ZWRhIiBJc3N1ZUluc3RhbnQ9IjIwMjAtMDctMDhUMDE6MjM6MDkuNTEyWiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5vN3VrbDVrbHVldzZuZmFxZmZqb2R5Y2ouY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW48L3NhbWwyOklzc3Vlcj48c2FtbDJwOlN0YXR1cz48c2FtbDJwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbDJwOlN0YXR1cz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTUzYmFnOTUxM2doajI1NDFjaWg3YTYzY2RmMzBiYSIgSXNzdWVJbnN0YW50PSIyMDIwLTA3LTA4VDAxOjIzOjA5LjQzMloiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyPm83dWtsNWtsdWV3Nm5mYXFmZmpvZHljai5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjYTUzYmFnOTUxM2doajI1NDFjaWg3YTYzY2RmMzBiYSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI+PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPjNkT3YzbHgzYVhaemZCekhLZTZBb0NPYjUwaz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+YmIzendLZ3BZay83SDFDdkxBN3VQVEVWMnVYV2s5czEyWjIxeEFTZ2xKRk5mWXViUk1PeUtyQUJoTTZXQW9UeXRSV2JxekhMUEllbDBBaDFVVEpKbjgwMXNoaktZYVJVUWRvR0FwdG1sdFh1UnlhYVRWNnk4eUlMVnNJNDRpampRY0RuQUVBRWNLSjVqazJNSEFJV3dZNXJFWUs2NFdkQnBMN0NiL041Yy80PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRFNUQ0NBcktnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVFRRkFEQjhNUXN3Q1FZRFZRUUdFd0poZHpFT01Bd0dBMVVFQ0JNRgpZWEoxWW1FeERqQU1CZ05WQkFvVEJXRnlkV0poTVE0d0RBWURWUVFIRXdWaGNuVmlZVEVPTUF3R0ExVUVDeE1GWVhKMVltRXhEakFNCkJnTlZCQU1UQldGeWRXSmhNUjB3R3dZSktvWklodmNOQVFrQkZnNWhjblZpWVVCaGNuVmlZUzVoY2pBZUZ3MHhOVEV4TWpBeU1qSTIKTWpkYUZ3MHhOakV4TVRreU1qSTJNamRhTUh3eEN6QUpCZ05WQkFZVEFtRjNNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRQpDaE1GWVhKMVltRXhEakFNQmdOVkJBY1RCV0Z5ZFdKaE1RNHdEQVlEVlFRTEV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4CkhUQWJCZ2txaGtpRzl3MEJDUUVXRG1GeWRXSmhRR0Z5ZFdKaExtRnlNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0IKZ1FESHRDNWdVWHhCS3BFcVpUTGtOdkZ3TkduTklrZ2dOT3dPUVZOYnBPMFdWSElpdmlnNUwzOVdxUzl1MGhuQStPN01DQS9LbHJBUgo0YlhhZVZWaHdmVVBZQktJcGFhVFdGUVI1Y1RSMVVGWkpML09GOXZBZnBPd3pub0Q2NkREQ25RVnBiQ2p0RFlXWCt4NmlteG44SENZCnhoTW9sNlpuVGJTc0ZXNlZaakZNalFJREFRQUJvNEhhTUlIWE1CMEdBMVVkRGdRV0JCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3kKR0RDQnB3WURWUjBqQklHZk1JR2NnQlR4MGxEempIL2lPQm5PU1FhU0VXUUx4MXN5R0tHQmdLUitNSHd4Q3pBSkJnTlZCQVlUQW1GMwpNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRUNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMCkV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4SFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeWdnRUEKTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVFQlFBRGdZRUFZdkJKMEhPWmJiSENsWG1HVWpHcytHUyt4QzFGTy9hbQoyc3VDU1lxTkI5ZHlNWGZPV2lKMStUTEprK28vWVp0OHZ1eENLZGNaWWdsNGwvTDZQeEo5ODJTUmhjODNaVzJka0FaSTRNMC9VZDNvCmVQZTg0azhqbTNBN0V2SDV3aTVodkNrS1JwdVJCd24zRWkrakNSb3V4VGJ6S1BzdUNWQisxc055eE1UWHpmMD08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPm1hcmlzc2E8L3NhbWwyOk5hbWVJRD48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDctMDhUMDE6MjM6MDkuNDQxWiIgUmVjaXBpZW50PSJodHRwOi8vWGxEaFloeTE2My5sb2NhbGhvc3Q6ODA4MC91YWEvc2FtbC9TU08vYWxpYXMvWGxEaFloeTE2My5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDIwLTA3LTA4VDAxOjIzOjA5LjQzN1oiIE5vdE9uT3JBZnRlcj0iMjAyMC0wNy0wOFQwMToyMzowOS40MzdaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+WGxEaFloeTE2My5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6QXVkaWVuY2U+PC9zYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDI6Q29uZGl0aW9ucz48c2FtbDI6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDIwLTA3LTA4VDAxOjIzOjA5LjQzNFoiIFNlc3Npb25JbmRleD0iYTUxZmI2NzczZ2hlMDkwYzI5MGlnOGFpZmJoZ2piOSI+PHNhbWwyOkF1dGhuQ29udGV4dD48c2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ+PHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImF1dGhvcml0aWVzIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+dWFhLnVzZXI8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iZW1haWwiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhQHRlc3Qub3JnPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+OWEzZTU1Y2ItZmQwZS00ZmZkLTg5NjEtNzU1ZTA0ODljMTM3PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im9yaWdpbiI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJ6b25lSWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5vN3VrbDVrbHVldzZuZmFxZmZqb2R5Y2o8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ib3JnYW5pemF0aW9uLWVtYWlscyI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmNvbnRhY3RAZGVtb29yZy5jb208L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5pbmZvQGRlbW8ub3JnPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Im9yZ2FuaXphdGlvbi1uYW1lIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+VGhlIERlbW8gT3JnPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9InByaW1hcnktZW1haWwiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXJpc3NhQHRlc3Qub3JnPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4="/>
</div>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
</body>
</html>
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| sp | String | required | The entity ID of a configured and active the service provider. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | If IDP initiated login is not enabled, the SP parameter is incorrect or SP is disabled. |
List
$ curl 'http://localhost/saml/service-providers' -i -X GET \
-H 'Authorization: Bearer 5f95cb1066a74ea9a0821532087077f8'
GET /saml/service-providers HTTP/1.1
Authorization: Bearer 5f95cb1066a74ea9a0821532087077f8
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7326
[ {
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"2NMYzwXxeT.cloudfoundry-saml-login\\\" entityID=\\\"2NMYzwXxeT.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#2NMYzwXxeT.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://2NMYzwXxeT.localhost:8080/uaa/saml/SingleLogout/alias/2NMYzwXxeT.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://2NMYzwXxeT.localhost:8080/uaa/saml/SingleLogout/alias/2NMYzwXxeT.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://2NMYzwXxeT.localhost:8080/uaa/saml/SSO/alias/2NMYzwXxeT.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://2NMYzwXxeT.localhost:8080/uaa/saml/SSO/alias/2NMYzwXxeT.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"[email protected]\",\"[email protected]\"],\"organization-name\":\"The Demo Org\"}}",
"id" : "000e56d7-a857-4a4b-8a86-4003e9e50059",
"entityId" : "2NMYzwXxeT.cloudfoundry-saml-login",
"name" : "2NMYzwXxeT",
"version" : 0,
"created" : 1594171389672,
"lastModified" : 1594171389672,
"active" : true,
"identityZoneId" : "uaa"
} ]
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing sps.read |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
[].id |
String |
Unique identifier for this provider - GUID generated by the UAA. |
[].name |
String |
Human readable name for the SAML SP. |
[].entityId |
String |
The entity id of the SAML SP. |
[].active |
Boolean |
Defaults to true. |
[].created |
Number |
UAA sets this to the UTC creation date. |
[].identityZoneId |
String |
Set to the zone that this provider will be active in. Determined by either. |
[].lastModified |
Number |
UAA sets this to the UTC last date of modification. |
[].version |
Number |
Version of the identity provider data. Clients can use this. |
[].config |
String |
Contains metaDataLocation and metadataTrustCheck fields as json fields. |
[].config.metaDataLocation |
String |
The SAML SP Metadata - either an XML string or a URL that. |
[].config.metadataTrustCheck |
Boolean |
Determines whether UAA should validate the SAML SP metadata. |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
Get
$ curl 'http://localhost/saml/service-providers/36229a77-fab2-4ec6-967c-132ff8df17df' -i -X GET \
-H 'Authorization: Bearer 8b16b64c2fb34620ae161aac59720a54'
GET /saml/service-providers/36229a77-fab2-4ec6-967c-132ff8df17df HTTP/1.1
Authorization: Bearer 8b16b64c2fb34620ae161aac59720a54
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7322
{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"d5Zzy7zvGK.cloudfoundry-saml-login\\\" entityID=\\\"d5Zzy7zvGK.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#d5Zzy7zvGK.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://d5Zzy7zvGK.localhost:8080/uaa/saml/SingleLogout/alias/d5Zzy7zvGK.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://d5Zzy7zvGK.localhost:8080/uaa/saml/SingleLogout/alias/d5Zzy7zvGK.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://d5Zzy7zvGK.localhost:8080/uaa/saml/SSO/alias/d5Zzy7zvGK.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://d5Zzy7zvGK.localhost:8080/uaa/saml/SSO/alias/d5Zzy7zvGK.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"[email protected]\",\"[email protected]\"],\"organization-name\":\"The Demo Org\"}}",
"id" : "36229a77-fab2-4ec6-967c-132ff8df17df",
"entityId" : "d5Zzy7zvGK.cloudfoundry-saml-login",
"name" : "d5Zzy7zvGK",
"version" : 0,
"created" : 1594171389738,
"lastModified" : 1594171389738,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing sps.read |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Path Parameters
/saml/service-providers/{id}
| Parameter | Description |
|---|---|
| id | Unique ID of the service provider |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
Unique identifier for this provider - GUID generated by the UAA. |
name |
String |
Human readable name for the SAML SP. |
entityId |
String |
The entity id of the SAML SP. |
active |
Boolean |
Defaults to true. |
created |
Number |
UAA sets this to the UTC creation date. |
identityZoneId |
String |
Set to the zone that this provider will be active in. Determined by either. |
lastModified |
Number |
UAA sets this to the UTC last date of modification. |
version |
Number |
Version of the identity provider data. Clients can use this. |
config |
String |
Contains metaDataLocation and metadataTrustCheck fields as json fields. |
config.metaDataLocation |
String |
The SAML SP Metadata - either an XML string or a URL that. |
config.metadataTrustCheck |
Boolean |
Determines whether UAA should validate the SAML SP metadata. |
config.attributeMappings.given_name |
String |
Map given_name value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.family_name |
String |
Map family_name value within UAA to a specified assertion in the SAML response |
config.attributeMappings.phone_number |
String |
Map phone_number value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.email |
String |
Map email value within UAA to a specified assertion in the SAML response. |
config.enableIdpInitiatedSso |
Boolean |
When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
config.staticCustomAttributes |
Object |
A map of static attributes that will be sent with every assertion. |
The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute.
Currently only xs:string type values are supported.
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
Create
$ curl 'http://localhost/saml/service-providers' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 6606fd400b124e18bea089a576cd3fc4' \
-d '{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"kKjvKrQKDK.cloudfoundry-saml-login\\\" entityID=\\\"kKjvKrQKDK.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#kKjvKrQKDK.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SingleLogout/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SingleLogout/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SSO/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SSO/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"[email protected]\",\"[email protected]\"],\"organization-name\":\"The Demo Org\"}}",
"id" : null,
"entityId" : "kKjvKrQKDK.cloudfoundry-saml-login",
"name" : "kKjvKrQKDK",
"version" : 0,
"created" : null,
"lastModified" : null,
"active" : true,
"identityZoneId" : null
}'
POST /saml/service-providers HTTP/1.1
Content-Type: application/json
Authorization: Bearer 6606fd400b124e18bea089a576cd3fc4
Content-Length: 7269
Host: localhost
{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"kKjvKrQKDK.cloudfoundry-saml-login\\\" entityID=\\\"kKjvKrQKDK.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#kKjvKrQKDK.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SingleLogout/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SingleLogout/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SSO/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SSO/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"[email protected]\",\"[email protected]\"],\"organization-name\":\"The Demo Org\"}}",
"id" : null,
"entityId" : "kKjvKrQKDK.cloudfoundry-saml-login",
"name" : "kKjvKrQKDK",
"version" : 0,
"created" : null,
"lastModified" : null,
"active" : true,
"identityZoneId" : null
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7322
{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"kKjvKrQKDK.cloudfoundry-saml-login\\\" entityID=\\\"kKjvKrQKDK.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#kKjvKrQKDK.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SingleLogout/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SingleLogout/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SSO/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://kKjvKrQKDK.localhost:8080/uaa/saml/SSO/alias/kKjvKrQKDK.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"[email protected]\",\"[email protected]\"],\"organization-name\":\"The Demo Org\"}}",
"id" : "8256a5dc-9c79-4168-825a-0b7ccc44b143",
"entityId" : "kKjvKrQKDK.cloudfoundry-saml-login",
"name" : "kKjvKrQKDK",
"version" : 0,
"created" : 1594171389899,
"lastModified" : 1594171389899,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing sps.write |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human readable name for the SAML SP. |
| entityId | String | Optional | If provided, it should match the entityId in the SP metadata. |
| active | Boolean | Optional | Defaults to true |
| config | String | Required | Contains metaDataLocation and metadataTrustCheck fields as json fields. |
| config.metaDataLocation | String | Required | The SAML SP Metadata - either an XML string or a URL that |
| config.attributeMappings.given_name | String | Optional | Map given_name value within UAA to a specified assertion in the SAML response. |
| config.attributeMappings.family_name | String | Optional | Map family_name value within UAA to a specified assertion in the SAML response |
| config.attributeMappings.phone_number | String | Optional | Map phone_number value within UAA to a specified assertion in the SAML response. |
| config.attributeMappings.email | String | Optional | Map email value within UAA to a specified assertion in the SAML response. |
| config.metadataTrustCheck | Boolean | Optional | Determines whether UAA should validate the SAML SP metadata. |
| config.enableIdpInitiatedSso | Boolean | Optional | When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
| config.staticCustomAttributes | Object | Optional | A map of static attributes that will be sent with every assertion. |
The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute.
Currently only xs:string type values are supported.
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
Unique identifier for this provider - GUID generated by the UAA. |
name |
String |
Human readable name for the SAML SP. |
entityId |
String |
The entity id of the SAML SP. |
active |
Boolean |
Defaults to true. |
created |
Number |
UAA sets this to the UTC creation date. |
identityZoneId |
String |
Set to the zone that this provider will be active in. Determined by either. |
lastModified |
Number |
UAA sets this to the UTC last date of modification. |
version |
Number |
Version of the identity provider data. Clients can use this. |
config |
String |
Contains metaDataLocation and metadataTrustCheck fields as json fields. |
config.metaDataLocation |
String |
The SAML SP Metadata - either an XML string or a URL that. |
config.metadataTrustCheck |
Boolean |
Determines whether UAA should validate the SAML SP metadata. |
config.attributeMappings.given_name |
String |
Map given_name value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.family_name |
String |
Map family_name value within UAA to a specified assertion in the SAML response |
config.attributeMappings.phone_number |
String |
Map phone_number value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.email |
String |
Map email value within UAA to a specified assertion in the SAML response. |
config.enableIdpInitiatedSso |
Boolean |
When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
config.staticCustomAttributes |
Object |
A map of static attributes that will be sent with every assertion. |
The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute.
Currently only xs:string type values are supported.
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
| 422 | Unprocessable Entity |
| 409 | Conflict - A provider with the same entity id and zone id exists. |
Update
$ curl 'http://localhost/saml/service-providers/11fd0b63-3b42-49e3-8057-bcbf64c992cc' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 9ee026db0be74923a4182cdecc25bc7f' \
-d '{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"Cy2ju2SZjd.cloudfoundry-saml-login\\\" entityID=\\\"Cy2ju2SZjd.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#Cy2ju2SZjd.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SingleLogout/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SingleLogout/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SSO/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SSO/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"[email protected]\",\"[email protected]\"],\"portal-id\":\"346-asd-3412\",\"organization-name\":\"The Demo Org\"}}",
"id" : null,
"entityId" : "Cy2ju2SZjd.cloudfoundry-saml-login",
"name" : "Cy2ju2SZjd",
"version" : 0,
"created" : null,
"lastModified" : null,
"active" : true,
"identityZoneId" : null
}'
PUT /saml/service-providers/11fd0b63-3b42-49e3-8057-bcbf64c992cc HTTP/1.1
Content-Type: application/json
Authorization: Bearer 9ee026db0be74923a4182cdecc25bc7f
Content-Length: 7300
Host: localhost
{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"Cy2ju2SZjd.cloudfoundry-saml-login\\\" entityID=\\\"Cy2ju2SZjd.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#Cy2ju2SZjd.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SingleLogout/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SingleLogout/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SSO/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SSO/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"[email protected]\",\"[email protected]\"],\"portal-id\":\"346-asd-3412\",\"organization-name\":\"The Demo Org\"}}",
"id" : null,
"entityId" : "Cy2ju2SZjd.cloudfoundry-saml-login",
"name" : "Cy2ju2SZjd",
"version" : 0,
"created" : null,
"lastModified" : null,
"active" : true,
"identityZoneId" : null
}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7353
{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"Cy2ju2SZjd.cloudfoundry-saml-login\\\" entityID=\\\"Cy2ju2SZjd.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#Cy2ju2SZjd.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SingleLogout/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SingleLogout/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SSO/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://Cy2ju2SZjd.localhost:8080/uaa/saml/SSO/alias/Cy2ju2SZjd.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"[email protected]\",\"[email protected]\"],\"portal-id\":\"346-asd-3412\",\"organization-name\":\"The Demo Org\"}}",
"id" : "11fd0b63-3b42-49e3-8057-bcbf64c992cc",
"entityId" : "Cy2ju2SZjd.cloudfoundry-saml-login",
"name" : "Cy2ju2SZjd",
"version" : 1,
"created" : 1594171389956,
"lastModified" : 1594171389976,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing sps.write |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human readable name for the SAML SP. |
| entityId | String | Optional | If provided, it should match the entityId in the SP metadata. |
| active | Boolean | Optional | Defaults to true |
| config | String | Required | Contains metaDataLocation and metadataTrustCheck fields as json fields. |
| config.metaDataLocation | String | Required | The SAML SP Metadata - either an XML string or a URL that |
| config.attributeMappings.given_name | String | Optional | Map given_name value within UAA to a specified assertion in the SAML response. |
| config.attributeMappings.family_name | String | Optional | Map family_name value within UAA to a specified assertion in the SAML response |
| config.attributeMappings.phone_number | String | Optional | Map phone_number value within UAA to a specified assertion in the SAML response. |
| config.attributeMappings.email | String | Optional | Map email value within UAA to a specified assertion in the SAML response. |
| config.metadataTrustCheck | Boolean | Optional | Determines whether UAA should validate the SAML SP metadata. |
| config.enableIdpInitiatedSso | Boolean | Optional | When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
| config.staticCustomAttributes | Object | Optional | A map of static attributes that will be sent with every assertion. |
The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute.
Currently only xs:string type values are supported.
Path Parameters
/saml/service-providers/{id}
| Parameter | Description |
|---|---|
| id | Unique ID of the service provider |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
Unique identifier for this provider - GUID generated by the UAA. |
name |
String |
Human readable name for the SAML SP. |
entityId |
String |
The entity id of the SAML SP. |
active |
Boolean |
Defaults to true. |
created |
Number |
UAA sets this to the UTC creation date. |
identityZoneId |
String |
Set to the zone that this provider will be active in. Determined by either. |
lastModified |
Number |
UAA sets this to the UTC last date of modification. |
version |
Number |
Version of the identity provider data. Clients can use this. |
config |
String |
Contains metaDataLocation and metadataTrustCheck fields as json fields. |
config.metaDataLocation |
String |
The SAML SP Metadata - either an XML string or a URL that. |
config.metadataTrustCheck |
Boolean |
Determines whether UAA should validate the SAML SP metadata. |
config.attributeMappings.given_name |
String |
Map given_name value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.family_name |
String |
Map family_name value within UAA to a specified assertion in the SAML response |
config.attributeMappings.phone_number |
String |
Map phone_number value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.email |
String |
Map email value within UAA to a specified assertion in the SAML response. |
config.enableIdpInitiatedSso |
Boolean |
When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
config.staticCustomAttributes |
Object |
A map of static attributes that will be sent with every assertion. |
The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute.
Currently only xs:string type values are supported.
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
| 422 | Unprocessable Entity |
| 409 | Conflict - A provider with the same entity id and zone id exists. |
Delete
$ curl 'http://localhost/saml/service-providers/eeea2ee4-fe70-42f8-9f59-fc64fdba8d86' -i -X DELETE \
-H 'Authorization: Bearer b6aa1974dc6e470c80927a00fdbfcc57' \
-H 'Accept: application/json'
DELETE /saml/service-providers/eeea2ee4-fe70-42f8-9f59-fc64fdba8d86 HTTP/1.1
Authorization: Bearer b6aa1974dc6e470c80927a00fdbfcc57
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7322
{
"config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"yQYJT0c13h.cloudfoundry-saml-login\\\" entityID=\\\"yQYJT0c13h.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#yQYJT0c13h.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://yQYJT0c13h.localhost:8080/uaa/saml/SingleLogout/alias/yQYJT0c13h.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://yQYJT0c13h.localhost:8080/uaa/saml/SingleLogout/alias/yQYJT0c13h.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://yQYJT0c13h.localhost:8080/uaa/saml/SSO/alias/yQYJT0c13h.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://yQYJT0c13h.localhost:8080/uaa/saml/SSO/alias/yQYJT0c13h.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"[email protected]\",\"[email protected]\"],\"organization-name\":\"The Demo Org\"}}",
"id" : "eeea2ee4-fe70-42f8-9f59-fc64fdba8d86",
"entityId" : "yQYJT0c13h.cloudfoundry-saml-login",
"name" : "yQYJT0c13h",
"version" : 0,
"created" : 1594171389828,
"lastModified" : 1594171389828,
"active" : true,
"identityZoneId" : "uaa"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing sps.write |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Path Parameters
/saml/service-providers/{id}
| Parameter | Description |
|---|---|
| id | Unique ID of the service provider |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
Unique identifier for this provider - GUID generated by the UAA. |
name |
String |
Human readable name for the SAML SP. |
entityId |
String |
The entity id of the SAML SP. |
active |
Boolean |
Defaults to true. |
created |
Number |
UAA sets this to the UTC creation date. |
identityZoneId |
String |
Set to the zone that this provider will be active in. Determined by either. |
lastModified |
Number |
UAA sets this to the UTC last date of modification. |
version |
Number |
Version of the identity provider data. Clients can use this. |
config |
String |
Contains metaDataLocation and metadataTrustCheck fields as json fields. |
config.metaDataLocation |
String |
The SAML SP Metadata - either an XML string or a URL that. |
config.metadataTrustCheck |
Boolean |
Determines whether UAA should validate the SAML SP metadata. |
config.attributeMappings.given_name |
String |
Map given_name value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.family_name |
String |
Map family_name value within UAA to a specified assertion in the SAML response |
config.attributeMappings.phone_number |
String |
Map phone_number value within UAA to a specified assertion in the SAML response. |
config.attributeMappings.email |
String |
Map email value within UAA to a specified assertion in the SAML response. |
config.enableIdpInitiatedSso |
Boolean |
When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id |
config.staticCustomAttributes |
Object |
A map of static attributes that will be sent with every assertion. |
The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute.
Currently only xs:string type values are supported.
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
MFA Providers
Create
$ curl 'http://localhost/mfa-providers' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer 77b8a1319ebd40bc8e965d55e01dcd08' \
-d '{
"name" : "sampleGoogleMfaProvider1tjBty",
"config" : {
"providerDescription" : "Google MFA for default zone"
},
"type" : "google-authenticator"
}'
POST /mfa-providers HTTP/1.1
Content-Type: application/json
Accept: application/json
Authorization: Bearer 77b8a1319ebd40bc8e965d55e01dcd08
Content-Length: 159
Host: localhost
{
"name" : "sampleGoogleMfaProvider1tjBty",
"config" : {
"providerDescription" : "Google MFA for default zone"
},
"type" : "google-authenticator"
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 322
{
"id" : "cb403292-25a0-44b7-9acb-bed119c50de3",
"name" : "sampleGoogleMfaProvider1tjBty",
"identityZoneId" : "uaa",
"config" : {
"issuer" : "uaa",
"providerDescription" : "Google MFA for default zone"
},
"type" : "google-authenticator",
"created" : 1594171380610,
"last_modified" : 1594171380610
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing uaa.admin or zones.<zoneId>.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| name | String | Required | Human-readable name for this provider. Must be alphanumeric. |
| type | String | Required | Type of MFA provider. Available types include google-authenticator. |
| config | Object | Optional | Human-readable provider description. Object with optional providerDescription and issue properties. |
| config.providerDescription | String | Optional | Human-readable provider description. Only for backend description purposes. |
| config.issuer | String | Optional | Human-readable tag for display purposes on MFA devices. Defaults to name of identity zone. |
Response Fields
| Path | Type | Description |
|---|---|---|
name |
String |
Human-readable name for this provider. Must be alphanumeric. |
type |
String |
Type of MFA provider. Available types include google-authenticator. |
config |
Object |
Human-readable provider description. Object with optional providerDescription and issue properties. |
config.providerDescription |
String |
Human-readable provider description. Only for backend description purposes. |
config.issuer |
String |
Human-readable tag for display purposes on MFA devices. Defaults to name of identity zone. |
id |
String |
Unique identifier for this provider. This is a GUID generated by UAA. |
created |
Number |
UAA sets the creation date. |
last_modified |
Number |
UAA sets the last modification date. |
identityZoneId |
String |
Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - JSON body was malformed or missing fields |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (uaa.admin or zones.<zoneId>.admin is required to create a MFA provider) |
| 422 | Unprocessable Entity - Some values in the MFA configuration are invalid |
Update
Error Codes
| Error Code | Description |
|---|---|
| 405 | Method Not Allowed |
Get
$ curl 'http://localhost/mfa-providers/a12b3d32-5ae1-41f9-bf42-fc4db49380ed' -i -X GET \
-H 'Authorization: Bearer 72313c37e70245feb460ca6cdefe004b' \
-H 'Accept: application/json'
GET /mfa-providers/a12b3d32-5ae1-41f9-bf42-fc4db49380ed HTTP/1.1
Authorization: Bearer 72313c37e70245feb460ca6cdefe004b
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 322
{
"id" : "a12b3d32-5ae1-41f9-bf42-fc4db49380ed",
"name" : "sampleGoogleMfaProviderYAfoTs",
"identityZoneId" : "uaa",
"config" : {
"issuer" : "uaa",
"providerDescription" : "Google MFA for default zone"
},
"type" : "google-authenticator",
"created" : 1594171380861,
"last_modified" : 1594171380861
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing uaa.admin or zones.<zoneId>.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
Response Fields
| Path | Type | Description |
|---|---|---|
name |
String |
Human-readable name for this provider. Must be alphanumeric. |
type |
String |
Type of MFA provider. Available types include google-authenticator. |
config |
Object |
Human-readable provider description. Object with optional providerDescription and issue properties. |
config.providerDescription |
String |
Human-readable provider description. Only for backend description purposes. |
config.issuer |
String |
Human-readable tag for display purposes on MFA devices. Defaults to name of identity zone. |
id |
String |
Unique identifier for this provider. This is a GUID generated by UAA. |
created |
Number |
UAA sets the creation date. |
last_modified |
Number |
UAA sets the last modification date. |
identityZoneId |
String |
Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
Error Codes
| Error Code | Description |
|---|---|
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (uaa.admin or zones.<zoneId>.admin is required to create a MFA provider) |
| 404 | Not Found - Provider id not found |
Delete
$ curl 'http://localhost/mfa-providers/a3183edf-812c-45dd-b5a3-f024c1f98069' -i -X DELETE \
-H 'Authorization: Bearer eae5140d4cec430dade8b207f0680e16' \
-H 'Accept: application/json'
DELETE /mfa-providers/a3183edf-812c-45dd-b5a3-f024c1f98069 HTTP/1.1
Authorization: Bearer eae5140d4cec430dade8b207f0680e16
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 322
{
"id" : "a3183edf-812c-45dd-b5a3-f024c1f98069",
"name" : "sampleGoogleMfaProvidertjwtRl",
"identityZoneId" : "uaa",
"config" : {
"issuer" : "uaa",
"providerDescription" : "Google MFA for default zone"
},
"type" : "google-authenticator",
"created" : 1594171380768,
"last_modified" : 1594171380768
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing uaa.admin or zones.<zoneId>.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
Response Fields
| Path | Type | Description |
|---|---|---|
name |
String |
Human-readable name for this provider. Must be alphanumeric. |
type |
String |
Type of MFA provider. Available types include google-authenticator. |
config |
Object |
Human-readable provider description. Object with optional providerDescription and issue properties. |
config.providerDescription |
String |
Human-readable provider description. Only for backend description purposes. |
config.issuer |
String |
Human-readable tag for display purposes on MFA devices. Defaults to name of identity zone. |
id |
String |
Unique identifier for this provider. This is a GUID generated by UAA. |
created |
Number |
UAA sets the creation date. |
last_modified |
Number |
UAA sets the last modification date. |
identityZoneId |
String |
Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
Error Codes
| Error Code | Description |
|---|---|
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (uaa.admin or zones.<zoneId>.admin is required to create a MFA provider) |
| 404 | Not Found - Provider id not found |
List
$ curl 'http://localhost/mfa-providers' -i -X GET \
-H 'Authorization: Bearer bb8b2dfc05da4875abf753a54ca7a348' \
-H 'Accept: application/json'
GET /mfa-providers HTTP/1.1
Authorization: Bearer bb8b2dfc05da4875abf753a54ca7a348
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 650
[ {
"id" : "cb403292-25a0-44b7-9acb-bed119c50de3",
"name" : "sampleGoogleMfaProvider1tjBty",
"identityZoneId" : "uaa",
"config" : {
"issuer" : "uaa",
"providerDescription" : "Google MFA for default zone"
},
"type" : "google-authenticator",
"created" : 1594171380610,
"last_modified" : 1594171380610
}, {
"id" : "01495309-4c40-4e11-97b6-5fdcba1bde3b",
"name" : "sampleGoogleMfaProvider857Mvf",
"identityZoneId" : "uaa",
"config" : {
"issuer" : "uaa",
"providerDescription" : "Google MFA for default zone"
},
"type" : "google-authenticator",
"created" : 1594171380690,
"last_modified" : 1594171380690
} ]
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing uaa.admin or zones.<zoneId>.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
Response Fields
| Path | Type | Description |
|---|---|---|
[].name |
String |
Human-readable name for this provider. Must be alphanumeric. |
[].type |
String |
Type of MFA provider. Available types include google-authenticator. |
[].config |
Object |
Human-readable provider description. Object with optional providerDescription and issue properties. |
[].config.providerDescription |
String |
Human-readable provider description. Only for backend description purposes. |
[].config.issuer |
String |
Human-readable tag for display purposes on MFA devices. Defaults to name of identity zone. |
[].id |
String |
Unique identifier for this provider. This is a GUID generated by UAA. |
[].created |
Number |
UAA sets the creation date. |
[].last_modified |
Number |
UAA sets the last modification date. |
[].identityZoneId |
String |
Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header. |
Error Codes
| Error Code | Description |
|---|---|
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (uaa.admin or zones.<zoneId>.admin is required to create a MFA provider) |
Users
Users can be queried, created and updated via the /Users endpoint.
Get
$ curl 'http://localhost/Users/c135643a-78bb-4d79-b5d7-a03a555d9031' -i -X GET \
-H 'Accept: application/json' \
-H 'Authorization: Bearer 9d49851da9394bb08cee5cc605a862fe' \
-H 'Content-Type: application/json' \
-H 'If-Match: 0'
GET /Users/c135643a-78bb-4d79-b5d7-a03a555d9031 HTTP/1.1
Accept: application/json
Authorization: Bearer 9d49851da9394bb08cee5cc605a862fe
Content-Type: application/json
If-Match: 0
Host: localhost
HTTP/1.1 200 OK
ETag: "0"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2880
{
"id" : "c135643a-78bb-4d79-b5d7-a03a555d9031",
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:21.333Z",
"lastModified" : "2020-07-08T01:23:21.333Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"groups" : [ {
"value" : "4fbef6ce-2f9f-473e-9afb-29f7a6c2f8b6",
"display" : "oauth.approvals",
"type" : "DIRECT"
}, {
"value" : "d0af108f-796e-4a6f-b3e9-a103a23c9650",
"display" : "uaa.offline_token",
"type" : "DIRECT"
}, {
"value" : "b597a923-5422-4f6c-86ea-d142348d80ab",
"display" : "password.write",
"type" : "DIRECT"
}, {
"value" : "43e41f50-9d69-4d40-9d5c-6ad575338228",
"display" : "scim.userids",
"type" : "DIRECT"
}, {
"value" : "98890a69-0207-4236-a1c5-ed153cdcfa95",
"display" : "openid",
"type" : "DIRECT"
}, {
"value" : "748f9ddd-2dda-486f-a3b5-56f63d76f313",
"display" : "uaa.user",
"type" : "DIRECT"
}, {
"value" : "60b530cf-05ee-41e8-8a35-7e5d09e783e5",
"display" : "cloud_controller_service_permissions.read",
"type" : "DIRECT"
}, {
"value" : "b3e2efdc-6ca2-4282-b511-ae2540ee3b6d",
"display" : "cloud_controller.write",
"type" : "DIRECT"
}, {
"value" : "86fa26e4-c6f6-4d1f-80a8-55e593c78953",
"display" : "scim.me",
"type" : "DIRECT"
}, {
"value" : "35dc7f86-2e6b-4699-9feb-8da9d48512aa",
"display" : "cloud_controller.read",
"type" : "DIRECT"
}, {
"value" : "6e2bea4d-c1eb-4541-a8c0-764e3883ac15",
"display" : "roles",
"type" : "DIRECT"
}, {
"value" : "8fd9a162-a310-4ad9-8954-e52eaa261485",
"display" : "profile",
"type" : "DIRECT"
}, {
"value" : "e2e3713b-f32f-4acc-8c03-5ccf9cc642e1",
"display" : "approvals.me",
"type" : "DIRECT"
}, {
"value" : "f01a15ca-87b1-4aca-9207-f4321ef0029a",
"display" : "user_attributes",
"type" : "DIRECT"
} ],
"approvals" : [ {
"userId" : "c135643a-78bb-4d79-b5d7-a03a555d9031",
"clientId" : "client id",
"scope" : "scim.read",
"status" : "APPROVED",
"lastUpdatedAt" : "2020-07-08T01:23:21.337Z",
"expiresAt" : "2020-07-08T01:23:31.337Z"
}, {
"userId" : "c135643a-78bb-4d79-b5d7-a03a555d9031",
"clientId" : "identity",
"scope" : "uaa.user",
"status" : "APPROVED",
"lastUpdatedAt" : "2020-07-08T01:23:51.339Z",
"expiresAt" : "2020-07-08T01:23:51.339Z"
} ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:21.000Z",
"previousLogonTime" : 1594171401339,
"lastLogonTime" : 1594171401340,
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with scope scim.read, uaa.admin, or zones.uaa.admin required |
If-Match |
The version of the SCIM object to be deleted. Optional. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
schemas |
Array |
SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ] |
id |
String |
A guid generated by the UAA to uniquely identity this user. |
userName |
String |
User name of the user, typically an email address. |
name |
Object |
A map with the user's first name and last name. |
name.familyName |
String |
The user's last name. |
name.givenName |
String |
The user's first name. |
phoneNumbers |
Array |
The user's phone numbers. |
phoneNumbers[].value |
String |
The phone number. |
emails |
Array |
The user's email addresses. |
emails[].value |
String |
The email address. |
emails[].primary |
Boolean |
Set to true if this is the user's primary email address. |
groups |
Array |
A list of groups the user belongs to. |
groups[].value |
String |
A guid generated by the UAA to uniquely identity this group. |
groups[].display |
String |
The group display name, also referred to as scope during authorization. |
groups[].type |
String |
Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group. |
approvals |
Array |
A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions. |
approvals[].userId |
String |
The user id on the approval. Will be the same as the id field. |
approvals[].clientId |
String |
The client id on the approval. Represents the application this approval or denial was for. |
approvals[].scope |
String |
The scope on the approval. Will be a group display value. |
approvals[].status |
String |
The status of the approval. Status may be either APPROVED or DENIED. |
approvals[].lastUpdatedAt |
String |
Date this approval was last updated. |
approvals[].expiresAt |
String |
Date this approval will expire. |
active |
Boolean |
Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in. |
verified |
Boolean |
New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address. |
origin |
String |
The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. |
zoneId |
String |
The Identity Zone this user belongs to. The value uaa refers to the default zone. |
passwordLastModified |
String |
The timestamp when this user's password was last changed. |
lastLogonTime |
Number |
The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated. |
previousLogonTime |
Number |
The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated. |
externalId |
String |
External user ID if authenticated through an external identity provider. |
meta |
Object |
SCIM object meta data. |
meta.version |
Number |
Object version. |
meta.lastModified |
String |
Object last modified date. |
meta.created |
String |
Object created date. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid JSON format or missing fields |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (scim.read is required to retrieve a user) |
| 404 | Not Found - User id not found |
Example using uaac to get users:
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac user get testuser
List
Listing users supports SCIM filtering on the available attributes.
By default users are returned with their group memberships and approvals, a rather expensive operation.
To avoid this, perform the search by including the attributes parameter to reduce the results.
$ curl 'http://localhost/Users?filter=id+eq+%22b305c97c-16cd-427d-9d50-9cc14555dc4a%22+or+email+eq+%22z3JPom%40test.org%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1' -i -X GET \
-H 'Accept: application/json' \
-H 'Authorization: Bearer a30305ad032c442582fa7e37ca9153c3'
GET /Users?filter=id+eq+%22b305c97c-16cd-427d-9d50-9cc14555dc4a%22+or+email+eq+%22z3JPom%40test.org%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1 HTTP/1.1
Accept: application/json
Authorization: Bearer a30305ad032c442582fa7e37ca9153c3
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2962
{
"resources" : [ {
"id" : "b305c97c-16cd-427d-9d50-9cc14555dc4a",
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:21.537Z",
"lastModified" : "2020-07-08T01:23:21.537Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"groups" : [ {
"value" : "4fbef6ce-2f9f-473e-9afb-29f7a6c2f8b6",
"display" : "oauth.approvals",
"type" : "DIRECT"
}, {
"value" : "d0af108f-796e-4a6f-b3e9-a103a23c9650",
"display" : "uaa.offline_token",
"type" : "DIRECT"
}, {
"value" : "b597a923-5422-4f6c-86ea-d142348d80ab",
"display" : "password.write",
"type" : "DIRECT"
}, {
"value" : "43e41f50-9d69-4d40-9d5c-6ad575338228",
"display" : "scim.userids",
"type" : "DIRECT"
}, {
"value" : "98890a69-0207-4236-a1c5-ed153cdcfa95",
"display" : "openid",
"type" : "DIRECT"
}, {
"value" : "748f9ddd-2dda-486f-a3b5-56f63d76f313",
"display" : "uaa.user",
"type" : "DIRECT"
}, {
"value" : "60b530cf-05ee-41e8-8a35-7e5d09e783e5",
"display" : "cloud_controller_service_permissions.read",
"type" : "DIRECT"
}, {
"value" : "b3e2efdc-6ca2-4282-b511-ae2540ee3b6d",
"display" : "cloud_controller.write",
"type" : "DIRECT"
}, {
"value" : "86fa26e4-c6f6-4d1f-80a8-55e593c78953",
"display" : "scim.me",
"type" : "DIRECT"
}, {
"value" : "35dc7f86-2e6b-4699-9feb-8da9d48512aa",
"display" : "cloud_controller.read",
"type" : "DIRECT"
}, {
"value" : "6e2bea4d-c1eb-4541-a8c0-764e3883ac15",
"display" : "roles",
"type" : "DIRECT"
}, {
"value" : "8fd9a162-a310-4ad9-8954-e52eaa261485",
"display" : "profile",
"type" : "DIRECT"
}, {
"value" : "e2e3713b-f32f-4acc-8c03-5ccf9cc642e1",
"display" : "approvals.me",
"type" : "DIRECT"
}, {
"value" : "f01a15ca-87b1-4aca-9207-f4321ef0029a",
"display" : "user_attributes",
"type" : "DIRECT"
} ],
"approvals" : [ {
"userId" : "b305c97c-16cd-427d-9d50-9cc14555dc4a",
"clientId" : "client id",
"scope" : "scim.read",
"status" : "APPROVED",
"lastUpdatedAt" : "2020-07-08T01:23:21.542Z",
"expiresAt" : "2020-07-08T01:23:31.542Z"
} ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:21.000Z",
"previousLogonTime" : 1594171401544,
"lastLogonTime" : 1594171401544,
"schemas" : [ "urn:scim:schemas:core:1.0" ]
} ],
"startIndex" : 1,
"itemsPerPage" : 5,
"totalResults" : 1,
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with scim.read or uaa.admin required |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| filter | String | Optional | SCIM filter for searching |
| sortBy | String | Optional (defaults to created) |
Sorting field name, like email or id |
| sortOrder | String | Optional (defaults to ascending) |
Sort order, ascending/descending |
| startIndex | Number | Optional (defaults to 1) |
The starting index of the search results when paginated. Index starts with 1. |
| count | Number | Optional (defaults to 100) |
Max number of results to be returned |
Response Fields
| Path | Type | Description |
|---|---|---|
startIndex |
Number |
The starting index of the search results when paginated. Index starts with 1. |
itemsPerPage |
Number |
The maximum number of items returned per request. |
totalResults |
Number |
Number of results in result set. |
schemas |
Array |
SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ] |
resources |
Array |
A list of SCIM user objects retrieved by the search. |
resources[].schemas |
Array |
SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ] |
resources[].id |
String |
A guid generated by the UAA to uniquely identity this user. |
resources[].userName |
String |
User name of the user, typically an email address. |
resources[].name |
Object |
A map with the user's first name and last name. |
resources[].name.familyName |
String |
The user's last name. |
resources[].name.givenName |
String |
The user's first name. |
resources[].phoneNumbers |
Array |
The user's phone numbers. |
resources[].phoneNumbers[].value |
String |
The phone number. |
resources[].emails |
Array |
The user's email addresses. |
resources[].emails[].value |
String |
The email address. |
resources[].emails[].primary |
Boolean |
Set to true if this is the user's primary email address. |
resources[].groups |
Array |
A list of groups the user belongs to. |
resources[].groups[].value |
String |
A guid generated by the UAA to uniquely identity this group. |
resources[].groups[].display |
String |
The group display name, also referred to as scope during authorization. |
resources[].groups[].type |
String |
Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group. |
resources[].approvals |
Array |
A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions. |
resources[].approvals[].userId |
String |
The user id on the approval. Will be the same as the id field. |
resources[].approvals[].clientId |
String |
The client id on the approval. Represents the application this approval or denial was for. |
resources[].approvals[].scope |
String |
The scope on the approval. Will be a group display value. |
resources[].approvals[].status |
String |
The status of the approval. Status may be either APPROVED or DENIED. |
resources[].approvals[].lastUpdatedAt |
String |
Date this approval was last updated. |
resources[].approvals[].expiresAt |
String |
Date this approval will expire. |
resources[].active |
Boolean |
Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in. |
resources[].lastLogonTime |
Number |
The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated. |
resources[].previousLogonTime |
Number |
The unix epoch timestamp in milliseconds of 2nd to last successful user authentication. This field will only be included in the response once the user has authenticated two or more times. |
resources[].verified |
Boolean |
New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address. |
resources[].origin |
String |
The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. |
resources[].zoneId |
String |
The Identity Zone this user belongs to. The value uaa refers to the default zone. |
resources[].passwordLastModified |
String |
The timestamp when this user's password was last changed. |
resources[].externalId |
String |
External user ID if authenticated through an external identity provider. |
resources[].meta |
Object |
SCIM object meta data. |
resources[].meta.version |
Number |
Object version. |
resources[].meta.lastModified |
String |
Object last modified date. |
resources[].meta.created |
String |
Object created date. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid JSON format or missing fields |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (scim.read is required to search users) |
Example using uaac to view users:
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac users
List with Attribute Filtering
Listing users supports SCIM filtering on the available attributes.
When users are searched we can return only selected amount of data using filtering.
The attribute groups will cause the UAA to query the group memberships and include them in the result making the operation more expensive.
The attribute approvals will cause the UAA to query the user approvals and include them in the result making the operation more expensive.
$ curl 'http://localhost/Users?attributes=id%2CuserName%2Cemails%2Cactive&filter=id+eq+%22cc85016f-6eea-465b-996e-7cd00cdf418c%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1' -i -X GET \
-H 'Accept: application/json' \
-H 'Authorization: Bearer d26d64c839754cbbab3265e1a47755ac'
GET /Users?attributes=id%2CuserName%2Cemails%2Cactive&filter=id+eq+%22cc85016f-6eea-465b-996e-7cd00cdf418c%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1 HTTP/1.1
Accept: application/json
Authorization: Bearer d26d64c839754cbbab3265e1a47755ac
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 334
{
"resources" : [ {
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"active" : true,
"id" : "cc85016f-6eea-465b-996e-7cd00cdf418c",
"userName" : "[email protected]"
} ],
"startIndex" : 1,
"itemsPerPage" : 5,
"totalResults" : 1,
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with scim.read or uaa.admin required |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| filter | String | Optional | SCIM filter for searching |
| sortBy | String | Optional (defaults to created) |
Sorting field name, like email or id |
| sortOrder | String | Optional (defaults to ascending) |
Sort order, ascending/descending |
| startIndex | Number | Optional (defaults to 1) |
The starting index of the search results when paginated. Index starts with 1. |
| count | Number | Optional (defaults to 100) |
Max number of results to be returned |
| attributes | String | Optional | Comma separated list of attribute names to be returned. |
Response Fields
| Path | Type | Description |
|---|---|---|
startIndex |
Number |
The starting index of the search results when paginated. Index starts with 1. |
itemsPerPage |
Number |
The maximum number of items returned per request. |
totalResults |
Number |
Number of results in result set. |
schemas |
Array |
SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ] |
resources |
Array |
A list of SCIM user objects retrieved by the search. |
resources[].id |
String |
A guid generated by the UAA to uniquely identity this user. |
resources[].userName |
String |
User name of the user, typically an email address. |
resources[].emails |
Array |
The user's email addresses. |
resources[].emails[].value |
String |
The email address. |
resources[].emails[].primary |
Boolean |
Set to true if this is the user's primary email address. |
resources[].active |
Boolean |
Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in. |
Create
$ curl 'http://localhost/Users' -i -X POST \
-H 'Accept: application/json' \
-H 'Authorization: Bearer 8e69756f113f4de3a72da6a01e5c4e0e' \
-H 'Content-Type: application/json' \
-d '{
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:21.824Z"
},
"userName" : "[email protected]",
"name" : {
"formatted" : "given name family name",
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : true
} ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "",
"password" : "secret",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}'
POST /Users HTTP/1.1
Accept: application/json
Authorization: Bearer 8e69756f113f4de3a72da6a01e5c4e0e
Content-Type: application/json
Content-Length: 537
Host: localhost
{
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:21.824Z"
},
"userName" : "[email protected]",
"name" : {
"formatted" : "given name family name",
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : true
} ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "",
"password" : "secret",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
HTTP/1.1 201 Created
ETag: "0"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2327
{
"id" : "800a1eb8-df31-4518-b51e-123125cf6452",
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:21.830Z",
"lastModified" : "2020-07-08T01:23:21.830Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"groups" : [ {
"value" : "4fbef6ce-2f9f-473e-9afb-29f7a6c2f8b6",
"display" : "oauth.approvals",
"type" : "DIRECT"
}, {
"value" : "d0af108f-796e-4a6f-b3e9-a103a23c9650",
"display" : "uaa.offline_token",
"type" : "DIRECT"
}, {
"value" : "b597a923-5422-4f6c-86ea-d142348d80ab",
"display" : "password.write",
"type" : "DIRECT"
}, {
"value" : "43e41f50-9d69-4d40-9d5c-6ad575338228",
"display" : "scim.userids",
"type" : "DIRECT"
}, {
"value" : "98890a69-0207-4236-a1c5-ed153cdcfa95",
"display" : "openid",
"type" : "DIRECT"
}, {
"value" : "748f9ddd-2dda-486f-a3b5-56f63d76f313",
"display" : "uaa.user",
"type" : "DIRECT"
}, {
"value" : "60b530cf-05ee-41e8-8a35-7e5d09e783e5",
"display" : "cloud_controller_service_permissions.read",
"type" : "DIRECT"
}, {
"value" : "b3e2efdc-6ca2-4282-b511-ae2540ee3b6d",
"display" : "cloud_controller.write",
"type" : "DIRECT"
}, {
"value" : "86fa26e4-c6f6-4d1f-80a8-55e593c78953",
"display" : "scim.me",
"type" : "DIRECT"
}, {
"value" : "35dc7f86-2e6b-4699-9feb-8da9d48512aa",
"display" : "cloud_controller.read",
"type" : "DIRECT"
}, {
"value" : "6e2bea4d-c1eb-4541-a8c0-764e3883ac15",
"display" : "roles",
"type" : "DIRECT"
}, {
"value" : "8fd9a162-a310-4ad9-8954-e52eaa261485",
"display" : "profile",
"type" : "DIRECT"
}, {
"value" : "e2e3713b-f32f-4acc-8c03-5ccf9cc642e1",
"display" : "approvals.me",
"type" : "DIRECT"
}, {
"value" : "f01a15ca-87b1-4aca-9207-f4321ef0029a",
"display" : "user_attributes",
"type" : "DIRECT"
} ],
"approvals" : [ ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:21.000Z",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with scim.write or uaa.admin scope required |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| userName | String | Required | User name of the user, typically an email address. |
| password | String | Optional | User's password, required if origin is set to uaa. May be be subject to validations if the UAA is configured with a password policy. |
| name | Object | Required | A map with the user's first name and last name. |
| name.familyName | String | Optional | The user's last name. |
| name.givenName | String | Optional | The user's first name. |
| phoneNumbers | Array | Optional | The user's phone numbers. |
| phoneNumbers[].value | String | Optional | The phone number. |
| emails | Array | Required | The user's email addresses. |
| emails[].value | String | Required | The email address. |
| emails[].primary | Boolean | Required | Set to true if this is the user's primary email address. |
| active | Boolean | Optional (defaults to true) |
Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in. |
| verified | Boolean | Optional (defaults to true) |
New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address. |
| origin | String | Optional (defaults to "uaa") |
The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. |
| externalId | String | Optional | External user ID if authenticated through an external identity provider. |
Response Fields
| Path | Type | Description |
|---|---|---|
schemas |
Array |
SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ] |
id |
String |
A guid generated by the UAA to uniquely identity this user. |
userName |
String |
User name of the user, typically an email address. |
name |
Object |
A map with the user's first name and last name. |
name.familyName |
String |
The user's last name. |
name.givenName |
String |
The user's first name. |
phoneNumbers |
Array |
The user's phone numbers. |
phoneNumbers[].value |
String |
The phone number. |
emails |
Array |
The user's email addresses. |
emails[].value |
String |
The email address. |
emails[].primary |
Boolean |
Set to true if this is the user's primary email address. |
groups |
Array |
A list of groups the user belongs to. |
groups[].value |
String |
A guid generated by the UAA to uniquely identity this group. |
groups[].display |
String |
The group display name, also referred to as scope during authorization. |
groups[].type |
String |
Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group. |
approvals |
Array |
A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions. |
active |
Boolean |
Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in. |
verified |
Boolean |
New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address. |
origin |
String |
The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. |
zoneId |
String |
The Identity Zone this user belongs to. The value uaa refers to the default zone. |
passwordLastModified |
String |
The timestamp when this user's password was last changed. |
externalId |
String |
External user ID if authenticated through an external identity provider. |
meta |
Object |
SCIM object meta data. |
meta.version |
Number |
Object version. |
meta.lastModified |
String |
Object last modified date. |
meta.created |
String |
Object created date. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid JSON format or missing fields |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (scim.write is required to create a user) |
| 409 | Conflict - Username already exists |
Example using uaac to view users:
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac user add testuser --given_name About --family_name Schmidt --emails [email protected] --password secret
Update
$ curl 'http://localhost/Users/b9d2e5a4-e532-4ed3-a70c-cf38d65222d3' -i -X PUT \
-H 'Accept: application/json' \
-H 'Authorization: Bearer 1c22ea41df5a489383f77c748a9722bc' \
-H 'Content-Type: application/json' \
-H 'If-Match: 0' \
-d '{
"id" : "b9d2e5a4-e532-4ed3-a70c-cf38d65222d3",
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:21.701Z",
"lastModified" : "2020-07-08T01:23:21.701Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"groups" : [ ],
"approvals" : [ ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:21.000Z",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}'
PUT /Users/b9d2e5a4-e532-4ed3-a70c-cf38d65222d3 HTTP/1.1
Accept: application/json
Authorization: Bearer 1c22ea41df5a489383f77c748a9722bc
Content-Type: application/json
If-Match: 0
Content-Length: 684
Host: localhost
{
"id" : "b9d2e5a4-e532-4ed3-a70c-cf38d65222d3",
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:21.701Z",
"lastModified" : "2020-07-08T01:23:21.701Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"groups" : [ ],
"approvals" : [ ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:21.000Z",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
HTTP/1.1 200 OK
ETag: "1"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2804
{
"id" : "b9d2e5a4-e532-4ed3-a70c-cf38d65222d3",
"externalId" : "test-user",
"meta" : {
"version" : 1,
"created" : "2020-07-08T01:23:21.701Z",
"lastModified" : "2020-07-08T01:23:21.749Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"groups" : [ {
"value" : "4fbef6ce-2f9f-473e-9afb-29f7a6c2f8b6",
"display" : "oauth.approvals",
"type" : "DIRECT"
}, {
"value" : "d0af108f-796e-4a6f-b3e9-a103a23c9650",
"display" : "uaa.offline_token",
"type" : "DIRECT"
}, {
"value" : "b597a923-5422-4f6c-86ea-d142348d80ab",
"display" : "password.write",
"type" : "DIRECT"
}, {
"value" : "43e41f50-9d69-4d40-9d5c-6ad575338228",
"display" : "scim.userids",
"type" : "DIRECT"
}, {
"value" : "98890a69-0207-4236-a1c5-ed153cdcfa95",
"display" : "openid",
"type" : "DIRECT"
}, {
"value" : "748f9ddd-2dda-486f-a3b5-56f63d76f313",
"display" : "uaa.user",
"type" : "DIRECT"
}, {
"value" : "60b530cf-05ee-41e8-8a35-7e5d09e783e5",
"display" : "cloud_controller_service_permissions.read",
"type" : "DIRECT"
}, {
"value" : "b3e2efdc-6ca2-4282-b511-ae2540ee3b6d",
"display" : "cloud_controller.write",
"type" : "DIRECT"
}, {
"value" : "86fa26e4-c6f6-4d1f-80a8-55e593c78953",
"display" : "scim.me",
"type" : "DIRECT"
}, {
"value" : "35dc7f86-2e6b-4699-9feb-8da9d48512aa",
"display" : "cloud_controller.read",
"type" : "DIRECT"
}, {
"value" : "6e2bea4d-c1eb-4541-a8c0-764e3883ac15",
"display" : "roles",
"type" : "DIRECT"
}, {
"value" : "8fd9a162-a310-4ad9-8954-e52eaa261485",
"display" : "profile",
"type" : "DIRECT"
}, {
"value" : "e2e3713b-f32f-4acc-8c03-5ccf9cc642e1",
"display" : "approvals.me",
"type" : "DIRECT"
}, {
"value" : "f01a15ca-87b1-4aca-9207-f4321ef0029a",
"display" : "user_attributes",
"type" : "DIRECT"
} ],
"approvals" : [ {
"userId" : "b9d2e5a4-e532-4ed3-a70c-cf38d65222d3",
"clientId" : "identity",
"scope" : "uaa.user",
"status" : "DENIED",
"lastUpdatedAt" : "2020-07-08T01:23:51.707Z",
"expiresAt" : "2020-07-08T01:23:51.707Z"
}, {
"userId" : "b9d2e5a4-e532-4ed3-a70c-cf38d65222d3",
"clientId" : "client id",
"scope" : "scim.read",
"status" : "APPROVED",
"lastUpdatedAt" : "2020-07-08T01:23:21.705Z",
"expiresAt" : "2020-07-08T01:23:31.705Z"
} ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:21.000Z",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with scim.write, uaa.admin, or openid required. The openid scope only allows the user to update their own first and last name, when origin is uaa. |
If-Match |
The version of the SCIM object to be updated. Wildcard (*) accepted. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| userName | String | Required | User name of the user, typically an email address. |
| name | Object | Required | A map with the user's first name and last name. |
| name.familyName | String | Required | The user's last name. |
| name.givenName | String | Required | The user's first name. |
| phoneNumbers | Array | Optional | The user's phone numbers. |
| phoneNumbers[].value | String | Optional | The phone number. |
| emails | Array | Required | The user's email addresses. |
| emails[].value | String | Required | The email address. |
| emails[].primary | Boolean | Required | Set to true if this is the user's primary email address. |
| active | Boolean | Optional (defaults to true) |
Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in. |
| verified | Boolean | Optional (defaults to true) |
New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address. |
| origin | String | Optional (defaults to "uaa") |
The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. |
| externalId | String | Optional | External user ID if authenticated through an external identity provider. |
Response Fields
| Path | Type | Description |
|---|---|---|
schemas |
Array |
SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ] |
id |
String |
A guid generated by the UAA to uniquely identity this user. |
userName |
String |
User name of the user, typically an email address. |
name |
Object |
A map with the user's first name and last name. |
name.familyName |
String |
The user's last name. |
name.givenName |
String |
The user's first name. |
phoneNumbers |
Array |
The user's phone numbers. |
phoneNumbers[].value |
String |
The phone number. |
emails |
Array |
The user's email addresses. |
emails[].value |
String |
The email address. |
emails[].primary |
Boolean |
Set to true if this is the user's primary email address. |
groups |
Array |
A list of groups the user belongs to. |
groups[].value |
String |
A guid generated by the UAA to uniquely identity this group. |
groups[].display |
String |
The group display name, also referred to as scope during authorization. |
groups[].type |
String |
Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group. |
approvals |
Array |
A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions. |
approvals[].userId |
String |
The user id on the approval. Will be the same as the id field. |
approvals[].clientId |
String |
The client id on the approval. Represents the application this approval or denial was for. |
approvals[].scope |
String |
The scope on the approval. Will be a group display value. |
approvals[].status |
String |
The status of the approval. Status may be either APPROVED or DENIED. |
approvals[].lastUpdatedAt |
String |
Date this approval was last updated. |
approvals[].expiresAt |
String |
Date this approval will expire. |
active |
Boolean |
Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in. |
verified |
Boolean |
New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address. |
origin |
String |
The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. |
zoneId |
String |
The Identity Zone this user belongs to. The value uaa refers to the default zone. |
passwordLastModified |
String |
The timestamp when this user's password was last changed. |
lastLogonTime |
Number |
The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated. |
previousLogonTime |
Number |
The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated. |
externalId |
String |
External user ID if authenticated through an external identity provider. |
meta |
Object |
SCIM object meta data. |
meta.version |
Number |
Object version. |
meta.lastModified |
String |
Object last modified date. |
meta.created |
String |
Object created date. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid JSON format or missing fields |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (scim.write is required to update a user) |
| 404 | Not Found - User id not found |
Example using uaac to view users:
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac user update testuser --given_name About --family_name Schmidt --emails [email protected] --phones 415-555-1212
Patch
$ curl 'http://localhost/Users/b6b832bd-ccfe-4362-974e-fda4190ba81c' -i -X PATCH \
-H 'Accept: application/json' \
-H 'Authorization: Bearer 2119e13cbb5543cc95c32b27e67c3d32' \
-H 'Content-Type: application/json' \
-H 'If-Match: 0' \
-d '{
"id" : "b6b832bd-ccfe-4362-974e-fda4190ba81c",
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:22.118Z",
"lastModified" : "2020-07-08T01:23:22.118Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"groups" : [ ],
"approvals" : [ ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:22.000Z",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}'
PATCH /Users/b6b832bd-ccfe-4362-974e-fda4190ba81c HTTP/1.1
Accept: application/json
Authorization: Bearer 2119e13cbb5543cc95c32b27e67c3d32
Content-Type: application/json
If-Match: 0
Content-Length: 684
Host: localhost
{
"id" : "b6b832bd-ccfe-4362-974e-fda4190ba81c",
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:22.118Z",
"lastModified" : "2020-07-08T01:23:22.118Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"groups" : [ ],
"approvals" : [ ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:22.000Z",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
HTTP/1.1 200 OK
ETag: "1"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2804
{
"id" : "b6b832bd-ccfe-4362-974e-fda4190ba81c",
"externalId" : "test-user",
"meta" : {
"version" : 1,
"created" : "2020-07-08T01:23:22.118Z",
"lastModified" : "2020-07-08T01:23:22.137Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"groups" : [ {
"value" : "4fbef6ce-2f9f-473e-9afb-29f7a6c2f8b6",
"display" : "oauth.approvals",
"type" : "DIRECT"
}, {
"value" : "d0af108f-796e-4a6f-b3e9-a103a23c9650",
"display" : "uaa.offline_token",
"type" : "DIRECT"
}, {
"value" : "b597a923-5422-4f6c-86ea-d142348d80ab",
"display" : "password.write",
"type" : "DIRECT"
}, {
"value" : "43e41f50-9d69-4d40-9d5c-6ad575338228",
"display" : "scim.userids",
"type" : "DIRECT"
}, {
"value" : "98890a69-0207-4236-a1c5-ed153cdcfa95",
"display" : "openid",
"type" : "DIRECT"
}, {
"value" : "748f9ddd-2dda-486f-a3b5-56f63d76f313",
"display" : "uaa.user",
"type" : "DIRECT"
}, {
"value" : "60b530cf-05ee-41e8-8a35-7e5d09e783e5",
"display" : "cloud_controller_service_permissions.read",
"type" : "DIRECT"
}, {
"value" : "b3e2efdc-6ca2-4282-b511-ae2540ee3b6d",
"display" : "cloud_controller.write",
"type" : "DIRECT"
}, {
"value" : "86fa26e4-c6f6-4d1f-80a8-55e593c78953",
"display" : "scim.me",
"type" : "DIRECT"
}, {
"value" : "35dc7f86-2e6b-4699-9feb-8da9d48512aa",
"display" : "cloud_controller.read",
"type" : "DIRECT"
}, {
"value" : "6e2bea4d-c1eb-4541-a8c0-764e3883ac15",
"display" : "roles",
"type" : "DIRECT"
}, {
"value" : "8fd9a162-a310-4ad9-8954-e52eaa261485",
"display" : "profile",
"type" : "DIRECT"
}, {
"value" : "e2e3713b-f32f-4acc-8c03-5ccf9cc642e1",
"display" : "approvals.me",
"type" : "DIRECT"
}, {
"value" : "f01a15ca-87b1-4aca-9207-f4321ef0029a",
"display" : "user_attributes",
"type" : "DIRECT"
} ],
"approvals" : [ {
"userId" : "b6b832bd-ccfe-4362-974e-fda4190ba81c",
"clientId" : "identity",
"scope" : "uaa.user",
"status" : "DENIED",
"lastUpdatedAt" : "2020-07-08T01:23:52.124Z",
"expiresAt" : "2020-07-08T01:23:52.124Z"
}, {
"userId" : "b6b832bd-ccfe-4362-974e-fda4190ba81c",
"clientId" : "client id",
"scope" : "scim.read",
"status" : "APPROVED",
"lastUpdatedAt" : "2020-07-08T01:23:22.123Z",
"expiresAt" : "2020-07-08T01:23:32.123Z"
} ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:22.000Z",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with scim.write, uaa.admin, or openid required. The openid scope only allows the user to update their own first and last name, when origin is uaa. |
If-Match |
The version of the SCIM object to be updated. Wildcard (*) accepted. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| userName | String | Required | User name of the user, typically an email address. |
| name | Object | Required | A map with the user's first name and last name. |
| name.familyName | String | Required | The user's last name. |
| name.givenName | String | Required | The user's first name. |
| phoneNumbers | Array | Optional | The user's phone numbers. |
| phoneNumbers[].value | String | Optional | The phone number. |
| emails | Array | Required | The user's email addresses. |
| emails[].value | String | Required | The email address. |
| emails[].primary | Boolean | Required | Set to true if this is the user's primary email address. |
| active | Boolean | Optional (defaults to true) |
Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in. |
| verified | Boolean | Optional (defaults to true) |
New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address. |
| origin | String | Optional (defaults to "uaa") |
The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. |
| externalId | String | Optional | External user ID if authenticated through an external identity provider. |
| meta.attributes | Array | Optional | Names of attributes that shall be deleted |
Response Fields
| Path | Type | Description |
|---|---|---|
schemas |
Array |
SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ] |
id |
String |
A guid generated by the UAA to uniquely identity this user. |
userName |
String |
User name of the user, typically an email address. |
name |
Object |
A map with the user's first name and last name. |
name.familyName |
String |
The user's last name. |
name.givenName |
String |
The user's first name. |
phoneNumbers |
Array |
The user's phone numbers. |
phoneNumbers[].value |
String |
The phone number. |
emails |
Array |
The user's email addresses. |
emails[].value |
String |
The email address. |
emails[].primary |
Boolean |
Set to true if this is the user's primary email address. |
groups |
Array |
A list of groups the user belongs to. |
groups[].value |
String |
A guid generated by the UAA to uniquely identity this group. |
groups[].display |
String |
The group display name, also referred to as scope during authorization. |
groups[].type |
String |
Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group. |
approvals |
Array |
A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions. |
approvals[].userId |
String |
The user id on the approval. Will be the same as the id field. |
approvals[].clientId |
String |
The client id on the approval. Represents the application this approval or denial was for. |
approvals[].scope |
String |
The scope on the approval. Will be a group display value. |
approvals[].status |
String |
The status of the approval. Status may be either APPROVED or DENIED. |
approvals[].lastUpdatedAt |
String |
Date this approval was last updated. |
approvals[].expiresAt |
String |
Date this approval will expire. |
active |
Boolean |
Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in. |
verified |
Boolean |
New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address. |
origin |
String |
The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. |
zoneId |
String |
The Identity Zone this user belongs to. The value uaa refers to the default zone. |
passwordLastModified |
String |
The timestamp when this user's password was last changed. |
lastLogonTime |
Number |
The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated. |
previousLogonTime |
Number |
The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated. |
externalId |
String |
External user ID if authenticated through an external identity provider. |
meta |
Object |
SCIM object meta data. |
meta.version |
Number |
Object version. |
meta.lastModified |
String |
Object last modified date. |
meta.created |
String |
Object created date. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid JSON format or missing fields |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (scim.write is required to update a user) |
| 404 | Not Found - User id not found |
Example using uaac to patch users:
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac user update testuser --given_name About --family_name Schmidt --emails [email protected] --phones 415-555-1212
Delete
$ curl 'http://localhost/Users/b49685b9-a6d8-4f61-9af3-15d389b668c1' -i -X DELETE \
-H 'Accept: application/json' \
-H 'Authorization: Bearer 499bcb71177a4451a020eb55518ef0be' \
-H 'Content-Type: application/json' \
-H 'If-Match: 0'
DELETE /Users/b49685b9-a6d8-4f61-9af3-15d389b668c1 HTTP/1.1
Accept: application/json
Authorization: Bearer 499bcb71177a4451a020eb55518ef0be
Content-Type: application/json
If-Match: 0
Host: localhost
HTTP/1.1 200 OK
ETag: "0"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2806
{
"id" : "b49685b9-a6d8-4f61-9af3-15d389b668c1",
"externalId" : "test-user",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:21.255Z",
"lastModified" : "2020-07-08T01:23:21.255Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "family name",
"givenName" : "given name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"groups" : [ {
"value" : "4fbef6ce-2f9f-473e-9afb-29f7a6c2f8b6",
"display" : "oauth.approvals",
"type" : "DIRECT"
}, {
"value" : "d0af108f-796e-4a6f-b3e9-a103a23c9650",
"display" : "uaa.offline_token",
"type" : "DIRECT"
}, {
"value" : "b597a923-5422-4f6c-86ea-d142348d80ab",
"display" : "password.write",
"type" : "DIRECT"
}, {
"value" : "43e41f50-9d69-4d40-9d5c-6ad575338228",
"display" : "scim.userids",
"type" : "DIRECT"
}, {
"value" : "98890a69-0207-4236-a1c5-ed153cdcfa95",
"display" : "openid",
"type" : "DIRECT"
}, {
"value" : "748f9ddd-2dda-486f-a3b5-56f63d76f313",
"display" : "uaa.user",
"type" : "DIRECT"
}, {
"value" : "60b530cf-05ee-41e8-8a35-7e5d09e783e5",
"display" : "cloud_controller_service_permissions.read",
"type" : "DIRECT"
}, {
"value" : "b3e2efdc-6ca2-4282-b511-ae2540ee3b6d",
"display" : "cloud_controller.write",
"type" : "DIRECT"
}, {
"value" : "86fa26e4-c6f6-4d1f-80a8-55e593c78953",
"display" : "scim.me",
"type" : "DIRECT"
}, {
"value" : "35dc7f86-2e6b-4699-9feb-8da9d48512aa",
"display" : "cloud_controller.read",
"type" : "DIRECT"
}, {
"value" : "6e2bea4d-c1eb-4541-a8c0-764e3883ac15",
"display" : "roles",
"type" : "DIRECT"
}, {
"value" : "8fd9a162-a310-4ad9-8954-e52eaa261485",
"display" : "profile",
"type" : "DIRECT"
}, {
"value" : "e2e3713b-f32f-4acc-8c03-5ccf9cc642e1",
"display" : "approvals.me",
"type" : "DIRECT"
}, {
"value" : "f01a15ca-87b1-4aca-9207-f4321ef0029a",
"display" : "user_attributes",
"type" : "DIRECT"
} ],
"approvals" : [ {
"userId" : "b49685b9-a6d8-4f61-9af3-15d389b668c1",
"clientId" : "client id",
"scope" : "scim.read",
"status" : "APPROVED",
"lastUpdatedAt" : "2020-07-08T01:23:21.259Z",
"expiresAt" : "2020-07-08T01:23:31.259Z"
}, {
"userId" : "b49685b9-a6d8-4f61-9af3-15d389b668c1",
"clientId" : "identity",
"scope" : "uaa.user",
"status" : "APPROVED",
"lastUpdatedAt" : "2020-07-08T01:23:51.260Z",
"expiresAt" : "2020-07-08T01:23:51.260Z"
} ],
"phoneNumbers" : [ {
"value" : "5555555555"
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:21.000Z",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with scim.write or uaa.admin required |
If-Match |
The version of the SCIM object to be deleted. Optional. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
schemas |
Array |
SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ] |
id |
String |
A guid generated by the UAA to uniquely identity this user. |
userName |
String |
User name of the user, typically an email address. |
name |
Object |
A map with the user's first name and last name. |
name.familyName |
String |
The user's last name. |
name.givenName |
String |
The user's first name. |
phoneNumbers |
Array |
The user's phone numbers. |
phoneNumbers[].value |
String |
The phone number. |
emails |
Array |
The user's email addresses. |
emails[].value |
String |
The email address. |
emails[].primary |
Boolean |
Set to true if this is the user's primary email address. |
groups |
Array |
A list of groups the user belongs to. |
groups[].value |
String |
A guid generated by the UAA to uniquely identity this group. |
groups[].display |
String |
The group display name, also referred to as scope during authorization. |
groups[].type |
String |
Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group. |
approvals |
Array |
A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions. |
approvals[].userId |
String |
The user id on the approval. Will be the same as the id field. |
approvals[].clientId |
String |
The client id on the approval. Represents the application this approval or denial was for. |
approvals[].scope |
String |
The scope on the approval. Will be a group display value. |
approvals[].status |
String |
The status of the approval. Status may be either APPROVED or DENIED. |
approvals[].lastUpdatedAt |
String |
Date this approval was last updated. |
approvals[].expiresAt |
String |
Date this approval will expire. |
active |
Boolean |
Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in. |
verified |
Boolean |
New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address. |
origin |
String |
The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. |
zoneId |
String |
The Identity Zone this user belongs to. The value uaa refers to the default zone. |
passwordLastModified |
String |
The timestamp when this user's password was last changed. |
lastLogonTime |
Number |
The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated. |
previousLogonTime |
Number |
The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated. |
externalId |
String |
External user ID if authenticated through an external identity provider. |
meta |
Object |
SCIM object meta data. |
meta.version |
Number |
Object version. |
meta.lastModified |
String |
Object last modified date. |
meta.created |
String |
Object created date. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid JSON format or missing fields |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (scim.write is required to delete a user) |
| 404 | Not Found - User id not found |
Example using uaac to delete users:
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac user delete testuser
User Info
An OAuth2 protected resource and an OpenID Connect endpoint. Given an appropriate access_token, returns information about a user. Defined fields include various standard user profile fields. The response may include other user information such as group membership.
$ curl 'http://localhost/userinfo' -i -X GET \
-H 'Authorization: Bearer 5d3164d2653841cc8b9b1e92a7acfa11'
GET /userinfo HTTP/1.1
Authorization: Bearer 5d3164d2653841cc8b9b1e92a7acfa11
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 411
{
"user_id" : "cd3eba74-3eda-411f-989f-5383c9910f19",
"user_name" : "[email protected]",
"given_name" : "PasswordResetUserFirst",
"family_name" : "PasswordResetUserLast",
"phone_number" : "+15558880000",
"email" : "[email protected]",
"email_verified" : true,
"previous_logon_time" : null,
"sub" : "cd3eba74-3eda-411f-989f-5383c9910f19",
"name" : "PasswordResetUserFirst PasswordResetUserLast"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with openid required. If the user_attributes scope is in the token, the response object will contain custom attributes, if mapped to the external identity provider.If the roles scope is present, the response object will contain group memberships from the external identity provider. |
Response Fields
| Path | Type | Description |
|---|---|---|
sub |
String |
Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client. |
user_id |
String |
Unique user identifier. |
email |
String |
The user's email address. |
email_verified |
Boolean |
Indicates whether the user has verified their email address. |
user_name |
String |
User name of the user, typically an email address. |
given_name |
String |
The user's first name. |
family_name |
String |
The user's last name. |
name |
String |
A map with the user's first name and last name. |
phone_number |
String |
The user's phone number. |
previous_logon_time |
Null |
The unix epoch timestamp in milliseconds of 2nd to last successful user authentication. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid JSON format or missing fields |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (openid is required to get the user info) |
Example using uaac to view user info:
uaac target http://localhost:8080/uaa
uaac token authcode get admin -s adminsecret
uaac curl -X GET /userinfo -k
Change user password
$ curl 'http://localhost/Users/e6044cf4-35c9-4069-a35d-7df648c286f6/password' -i -X PUT \
-H 'Accept: application/json' \
-H 'Authorization: Bearer 74e6b0e5ddb14483b2a3975c96efaeee' \
-H 'Content-Type: application/json' \
-d '{
"oldPassword" : "secret",
"password" : "newsecret"
}'
PUT /Users/e6044cf4-35c9-4069-a35d-7df648c286f6/password HTTP/1.1
Accept: application/json
Authorization: Bearer 74e6b0e5ddb14483b2a3975c96efaeee
Content-Type: application/json
Content-Length: 58
Host: localhost
{
"oldPassword" : "secret",
"password" : "newsecret"
}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 55
{
"status" : "ok",
"message" : "password updated"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with password.write or uaa.admin required |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| oldPassword | String | Required | Old password. Optional when resetting another users password as an admin with uaa.admin scope |
| password | String | Required | New password. |
Response Fields
| Path | Type | Description |
|---|---|---|
status |
String |
Will be 'ok' if password changed successfully. |
message |
String |
Will be 'password updated' if password changed successfully. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid JSON format or missing fields |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (scim.write or a token containing the user id is required) |
| 404 | Not Found - User id not found |
Example using uaac to view users:
uaac target http://localhost:8080/uaa
uaac token owner get cf testuser -s "" -p "secret"
uaac password change -o secret -p newsecret
Unlock Account
$ curl 'http://localhost/Users/46362ded-63f8-4dfd-93cd-eeb813d3c865/status' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer e850385d81b340dd8c15d42d00de77aa' \
-H 'Accept: application/json' \
-d '{
"locked" : false
}'
PATCH /Users/46362ded-63f8-4dfd-93cd-eeb813d3c865/status HTTP/1.1
Content-Type: application/json
Authorization: Bearer e850385d81b340dd8c15d42d00de77aa
Accept: application/json
Content-Length: 22
Host: localhost
{
"locked" : false
}
HTTP/1.1 200 OK
Content-Language: en
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 22
{
"locked" : false
}
Path Parameters
/Users/{userId}/status
| Parameter | Description |
|---|---|
| userId | A guid generated by the UAA to uniquely identity this user. |
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with scim.write, uaa.account_status.write, or uaa.admin required |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| locked | Boolean | Optional | Set to false in order to unlock the user when they have been locked out according to the password lock-out policy. Setting to true will produce an error, as the user cannot be locked out via the API. |
Response Fields
| Path | Type | Description |
|---|---|---|
locked |
Boolean |
The locked value given in the request. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - invalid JSON format or illegal value |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (scim.write or uaa.account_status.write) |
| 404 | User id not found |
Force user password to expire
$ curl 'http://localhost/Users/8307ec82-1e7b-48ef-8235-6a63ea4c1e9f/status' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer a9060db736dd44229511c4eabc508f78' \
-H 'Accept: application/json' \
-d '{
"passwordChangeRequired" : true
}'
PATCH /Users/8307ec82-1e7b-48ef-8235-6a63ea4c1e9f/status HTTP/1.1
Content-Type: application/json
Authorization: Bearer a9060db736dd44229511c4eabc508f78
Accept: application/json
Content-Length: 37
Host: localhost
{
"passwordChangeRequired" : true
}
HTTP/1.1 200 OK
Content-Language: en
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 37
{
"passwordChangeRequired" : true
}
Path Parameters
/Users/{userId}/status
| Parameter | Description |
|---|---|
| userId | A guid generated by the UAA to uniquely identity this user. |
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with scim.write, uaa.account_status.write, or uaa.admin required |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| passwordChangeRequired | Boolean | Optional | Set to true in order to force internal user’s password to expire |
Response Fields
| Path | Type | Description |
|---|---|---|
passwordChangeRequired |
Boolean |
The passwordChangeRequired value given in the request. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - invalid JSON format or illegal value |
| 401 | Unauthorized - Invalid token |
| 403 | Forbidden - Insufficient scope (scim.write or uaa.account_status.write required) |
| 404 | Not Found - User id not found |
Get user verification link
$ curl 'http://localhost/Users/22016af5-b593-413a-890c-f4c860f6f8bb/verify-link?redirect_uri=http%3A%2F%2Fredirect.to%2Fapp' -i -X GET \
-H 'Authorization: Bearer 6823824e5dbd41a3a79efecafd217524' \
-H 'Accept: application/json'
GET /Users/22016af5-b593-413a-890c-f4c860f6f8bb/verify-link?redirect_uri=http%3A%2F%2Fredirect.to%2Fapp HTTP/1.1
Authorization: Bearer 6823824e5dbd41a3a79efecafd217524
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 68
{
"verify_link" : "http://localhost/verify_user?code=XE806BI6OB"
}
Path Parameters
/Users/{userId}/verify-link
| Parameter | Description |
|---|---|
| userId | The ID of the user to verify |
Request Headers
| Name | Description |
|---|---|
Authorization |
The bearer token, with a pre-amble of Bearer |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| redirect_uri | String | Required | Location where the user will be redirected after verifying by clicking the verification link |
Response Fields
| Path | Type | Description |
|---|---|---|
verify_link |
String |
Location the user must visit and authenticate to verify |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope or internal user management disabled |
| 404 | Not Found - User not found |
Verify user
$ curl 'http://localhost/Users/5d495375-744f-4b33-ae80-d512f3a25d53/verify' -i -X GET \
-H 'Authorization: Bearer 4f7b53e09f8a46c3a3356079f59b22a2' \
-H 'If-Match: 12' \
-H 'Accept: application/json'
GET /Users/5d495375-744f-4b33-ae80-d512f3a25d53/verify HTTP/1.1
Authorization: Bearer 4f7b53e09f8a46c3a3356079f59b22a2
If-Match: 12
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
ETag: "12"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 561
{
"id" : "5d495375-744f-4b33-ae80-d512f3a25d53",
"meta" : {
"version" : 12,
"created" : "2020-07-08T01:23:21.207Z",
"lastModified" : "2020-07-08T01:23:21.207Z"
},
"userName" : "[email protected]",
"name" : {
"familyName" : "d'Orange",
"givenName" : "William"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:21.000Z",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Path Parameters
/Users/{userId}/verify
| Parameter | Description |
|---|---|
| userId | The ID of the user to verify |
Request Headers
| Name | Description |
|---|---|
Authorization |
The bearer token, with a pre-amble of Bearer |
If-Match |
(Optional) The expected current version of the user, which will prevent update if the version does not match |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - Incorrect version supplied in If-Match header |
| 403 | Forbidden - Insufficient scope or internal user management disabled |
| 404 | Not Found - User not found |
Delete MFA registration
$ curl 'http://localhost/Users/d67e84dd-6406-43bc-8b92-e04493c70ae8/mfa' -i -X DELETE \
-H 'Authorization: Bearer 7d3174fed65b4c9aa4a98907fe01cc4a'
DELETE /Users/d67e84dd-6406-43bc-8b92-e04493c70ae8/mfa HTTP/1.1
Authorization: Bearer 7d3174fed65b4c9aa4a98907fe01cc4a
Host: localhost
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Path Parameters
/Users/{userId}/mfa
| Parameter | Description |
|---|---|
| userId | Unique user identifier. |
Request Headers
| Name | Description |
|---|---|
Authorization |
Access token with zones.<zoneId>.admin or uaa.admin required. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain. |
Error Codes
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope or internal user management disabled |
| 404 | Not Found - User not found |
Lookup User IDs/Usernames
$ curl 'http://localhost/ids/Users?filter=userName+eq+%22boboZD372%40test.org%22+or+id+eq+%22239296ce-93f3-47ab-b0f8-3c9a6daa981c%22&sortOrder=descending&startIndex=1&count=10&includeInactive=true' -i -X GET \
-H 'Authorization: Bearer c0c37ee4b8504cb882b9deccd5d04a81'
GET /ids/Users?filter=userName+eq+%22boboZD372%40test.org%22+or+id+eq+%22239296ce-93f3-47ab-b0f8-3c9a6daa981c%22&sortOrder=descending&startIndex=1&count=10&includeInactive=true HTTP/1.1
Authorization: Bearer c0c37ee4b8504cb882b9deccd5d04a81
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 372
{
"resources" : [ {
"origin" : "uaa",
"id" : "239296ce-93f3-47ab-b0f8-3c9a6daa981c",
"userName" : "[email protected]"
}, {
"origin" : "uaa",
"id" : "81b818a1-17af-4aed-b241-f22c31d6da52",
"userName" : "[email protected]"
} ],
"startIndex" : 1,
"itemsPerPage" : 5,
"totalResults" : 2,
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with authorization for scim.userids scope |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| filter | String | Required | SCIM filter for users over userName, id, and origin, using only the eq comparison operator |
| sortOrder | String | Optional (defaults to ascending) |
sort by username in ascending or descending order |
| startIndex | Number | Optional (defaults to 1) |
display paged results beginning at specified index |
| count | Number | Optional (defaults to 100) |
number of results to return per page |
| includeInactive | Boolean | Optional (defaults to false) |
include users from inactive identity providers |
Response Fields
| Path | Type | Description |
|---|---|---|
totalResults |
Number |
The number of results which matched the filter |
startIndex |
Number |
The index of the first item of this page of results |
itemsPerPage |
Number |
The page size used in producing this page of results |
schemas |
Array |
["urn:scim:schemas:core:1.0"] |
resources[].id |
String |
The globally unique identifier for this user |
resources[].userName |
String |
The username |
resources[].origin |
String |
The origin of the user, e.g. an identity provider alias |
Error Codes
| Error Code | Description |
|---|---|
| 400 | Bad Request - Request was invalid or unparseable |
| 403 | Forbidden - Insufficient scope |
Invite users
$ curl 'http://localhost/invite_users?client_id=huuzir&redirect_uri=example.com' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 983e7ce1e8a541a4a4dd05bb85f1e638' \
-d '{
"emails" : [ "[email protected]", "[email protected]" ]
}'
POST /invite_users?client_id=huuzir&redirect_uri=example.com HTTP/1.1
Content-Type: application/json
Authorization: Bearer 983e7ce1e8a541a4a4dd05bb85f1e638
Content-Length: 59
Host: localhost
{
"emails" : [ "[email protected]", "[email protected]" ]
}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 578
{
"new_invites" : [ {
"email" : "[email protected]",
"userId" : "f8468b2b-ecf0-4420-abe2-07cf2c0cddac",
"origin" : "uaa",
"success" : true,
"errorCode" : null,
"errorMessage" : null,
"inviteLink" : "http://localhost/invitations/accept?code=xjDgOFM7bc"
}, {
"email" : "[email protected]",
"userId" : "7ed1d658-c5fe-4257-9877-17ddc18a282b",
"origin" : "uaa",
"success" : true,
"errorCode" : null,
"errorMessage" : null,
"inviteLink" : "http://localhost/invitations/accept?code=Xvof2P1UMq"
} ],
"failed_invites" : [ ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing scim.invite |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| emails | Array | Required | User is invited by providing an email address. More than one email addresses can be provided. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Optional | A unique string representing the registration information provided by the client |
| redirect_uri | String | Required | The user will be redirected to this uri, when user accepts the invitation. The redirect_uri will be validated against allowed redirect_uri for the client. |
Response Fields
| Path | Type | Description |
|---|---|---|
new_invites[].email |
String |
Primary email id of the invited user |
new_invites[].userId |
String |
A unique string for the invited user |
new_invites[].origin |
String |
Unique alias of the provider |
new_invites[].success |
Boolean |
Flag to determine whether the invitation was sent successfully |
new_invites[].errorCode |
String |
Error code in case of failure to send invitation |
new_invites[].errorMessage |
String |
Error message in case of failure to send invitation |
new_invites[].inviteLink |
String |
Invitation link to invite users |
failed_invites |
Array |
List of invites having exception in sending the invitation |
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
Groups
Create
$ curl 'http://localhost/Groups' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334' \
-d '{
"displayName" : "Cool Group Name",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ]
}'
POST /Groups HTTP/1.1
Content-Type: application/json
Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334
Content-Length: 196
Host: localhost
{
"displayName" : "Cool Group Name",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ]
}
HTTP/1.1 201 Created
ETag: "0"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 441
{
"id" : "0219ea52-4d54-4995-8509-e64bc6f9712d",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:23.322Z",
"lastModified" : "2020-07-08T01:23:23.322Z"
},
"displayName" : "Cool Group Name",
"zoneId" : "uaa",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ],
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with scope scim.write |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| displayName | String | Required | An identifier, unique within the identity zone |
| description | String | Optional | Human readable description of the group, displayed e.g. when approving scopes |
| members | Array | Optional | Members to be included in the group |
| members[].value | String | Required for each item in members |
The globally-unique ID of the member entity, either a user ID or another group ID |
| members[].type | String | Optional (defaults to "USER") |
Either "USER" or "GROUP" |
| members[].origin | String | Optional (defaults to "uaa") |
The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. This value will NOT change during an update (put request) if the membership already exists under a different origin. |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
The globally unique group ID |
displayName |
String |
The identifier specified upon creation of the group, unique within the identity zone |
description |
String |
Human readable description of the group, displayed e.g. when approving scopes |
members |
Array |
Array of group members |
members[].value |
String |
Globally unique identifier of the member, either a user ID or another group ID |
members[].type |
String |
Either "USER" or "GROUP" |
members[].origin |
String |
The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. |
zoneId |
String |
Identifier for the identity zone to which the group belongs |
meta.version |
Number |
The version of the group entity |
meta.created |
String |
The time the group was created |
meta.lastModified |
String |
The time the group was last updated |
schemas |
Array |
[ "urn:scim:schemas:core:1.0" ] |
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid member ID |
| 403 | Forbidden - Insufficient scope |
Retrieve
$ curl 'http://localhost/Groups/0219ea52-4d54-4995-8509-e64bc6f9712d' -i -X GET \
-H 'Authorization: Bearer 61f196dd253e4b98a08823fadb88d2cd'
GET /Groups/0219ea52-4d54-4995-8509-e64bc6f9712d HTTP/1.1
Authorization: Bearer 61f196dd253e4b98a08823fadb88d2cd
Host: localhost
HTTP/1.1 200 OK
ETag: "2"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 454
{
"id" : "0219ea52-4d54-4995-8509-e64bc6f9712d",
"meta" : {
"version" : 2,
"created" : "2020-07-08T01:23:23.322Z",
"lastModified" : "2020-07-08T01:23:23.384Z"
},
"displayName" : "Cooler Group Name for Update",
"zoneId" : "uaa",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ],
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Path Parameters
/Groups/{groupId}
| Parameter | Description |
|---|---|
| groupId | Globally unique identifier of the group to retrieve |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with scope scim.read |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
The globally unique group ID |
displayName |
String |
The identifier specified upon creation of the group, unique within the identity zone |
description |
String |
Human readable description of the group, displayed e.g. when approving scopes |
members |
Array |
Array of group members |
members[].value |
String |
Globally unique identifier of the member, either a user ID or another group ID |
members[].type |
String |
Either "USER" or "GROUP" |
members[].origin |
String |
The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. |
zoneId |
String |
Identifier for the identity zone to which the group belongs |
meta.version |
Number |
The version of the group entity |
meta.created |
String |
The time the group was created |
meta.lastModified |
String |
The time the group was last updated |
schemas |
Array |
[ "urn:scim:schemas:core:1.0" ] |
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
Update
$ curl 'http://localhost/Groups/0219ea52-4d54-4995-8509-e64bc6f9712d' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334' \
-H 'If-Match: 0' \
-d '{
"displayName" : "Cooler Group Name for Update",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ]
}'
PUT /Groups/0219ea52-4d54-4995-8509-e64bc6f9712d HTTP/1.1
Content-Type: application/json
Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334
If-Match: 0
Content-Length: 209
Host: localhost
{
"displayName" : "Cooler Group Name for Update",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ]
}
HTTP/1.1 200 OK
ETag: "1"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 454
{
"id" : "0219ea52-4d54-4995-8509-e64bc6f9712d",
"meta" : {
"version" : 1,
"created" : "2020-07-08T01:23:23.322Z",
"lastModified" : "2020-07-08T01:23:23.350Z"
},
"displayName" : "Cooler Group Name for Update",
"zoneId" : "uaa",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ],
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Path Parameters
/Groups/{groupId}
| Parameter | Description |
|---|---|
| groupId | Globally unique identifier of the group to update |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with scope scim.write or groups.update |
If-Match |
The version of the SCIM object to be updated. Wildcard (*) accepted. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| displayName | String | Required | An identifier, unique within the identity zone |
| description | String | Optional | Human readable description of the group, displayed e.g. when approving scopes |
| members | Array | Optional | Members to be included in the group |
| members[].value | String | Required for each item in members |
The globally-unique ID of the member entity, either a user ID or another group ID |
| members[].type | String | Optional (defaults to "USER") |
Either "USER" or "GROUP" |
| members[].origin | String | Optional (defaults to "uaa") |
The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. This value will NOT change during an update (put request) if the membership already exists under a different origin. |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
The globally unique group ID |
displayName |
String |
The identifier specified upon creation of the group, unique within the identity zone |
description |
String |
Human readable description of the group, displayed e.g. when approving scopes |
members |
Array |
Array of group members |
members[].value |
String |
Globally unique identifier of the member, either a user ID or another group ID |
members[].type |
String |
Either "USER" or "GROUP" |
members[].origin |
String |
The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. |
zoneId |
String |
Identifier for the identity zone to which the group belongs |
meta.version |
Number |
The version of the group entity |
meta.created |
String |
The time the group was created |
meta.lastModified |
String |
The time the group was last updated |
schemas |
Array |
[ "urn:scim:schemas:core:1.0" ] |
| Error Code | Description |
|---|---|
| 400 | Bad Request - Incorrect version supplied in If-Match header |
| 403 | Forbidden - Insufficient scope |
| 409 | Conflict |
Patch
Updating partial elements of a group is documented at SCIM Specification
$ curl 'http://localhost/Groups/0219ea52-4d54-4995-8509-e64bc6f9712d' -i -X PATCH \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334' \
-H 'If-Match: *' \
-d '{
"displayName" : "Cooler Group Name for Update",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ]
}'
PATCH /Groups/0219ea52-4d54-4995-8509-e64bc6f9712d HTTP/1.1
Content-Type: application/json
Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334
If-Match: *
Content-Length: 209
Host: localhost
{
"displayName" : "Cooler Group Name for Update",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ]
}
HTTP/1.1 200 OK
ETag: "2"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 454
{
"id" : "0219ea52-4d54-4995-8509-e64bc6f9712d",
"meta" : {
"version" : 2,
"created" : "2020-07-08T01:23:23.322Z",
"lastModified" : "2020-07-08T01:23:23.384Z"
},
"displayName" : "Cooler Group Name for Update",
"zoneId" : "uaa",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ],
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Path Parameters
/Groups/{groupId}
| Parameter | Description |
|---|---|
| groupId | Globally unique identifier of the group to update |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with scope scim.write or groups.update |
If-Match |
The version of the SCIM object to be updated. Wildcard (*) accepted. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| displayName | String | Required | An identifier, unique within the identity zone |
| description | String | Optional | Human readable description of the group, displayed e.g. when approving scopes |
| members | Array | Optional | Members to be included in the group |
| members[].value | String | Required for each item in members |
The globally-unique ID of the member entity, either a user ID or another group ID |
| members[].type | String | Optional (defaults to "USER") |
Either "USER" or "GROUP" |
| members[].origin | String | Optional (defaults to "uaa") |
The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. This value will NOT change during an update (put request) if the membership already exists under a different origin. |
| members[].operation | String | Optional | "delete" if the corresponding member shall be deleted |
| meta.attributes | Array | Optional | Names of attributes that shall be deleted |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
The globally unique group ID |
displayName |
String |
The identifier specified upon creation of the group, unique within the identity zone |
description |
String |
Human readable description of the group, displayed e.g. when approving scopes |
members |
Array |
Array of group members |
members[].value |
String |
Globally unique identifier of the member, either a user ID or another group ID |
members[].type |
String |
Either "USER" or "GROUP" |
members[].origin |
String |
The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. |
zoneId |
String |
Identifier for the identity zone to which the group belongs |
meta.version |
Number |
The version of the group entity |
meta.created |
String |
The time the group was created |
meta.lastModified |
String |
The time the group was last updated |
schemas |
Array |
[ "urn:scim:schemas:core:1.0" ] |
| Error Code | Description |
|---|---|
| 400 | Bad Request - Incorrect version supplied in If-Match header |
| 403 | Forbidden - Insufficient scope |
| 409 | Conflict |
Delete
$ curl 'http://localhost/Groups/0219ea52-4d54-4995-8509-e64bc6f9712d' -i -X DELETE \
-H 'Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334'
DELETE /Groups/0219ea52-4d54-4995-8509-e64bc6f9712d HTTP/1.1
Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334
Host: localhost
HTTP/1.1 200 OK
ETag: "2"
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 454
{
"id" : "0219ea52-4d54-4995-8509-e64bc6f9712d",
"meta" : {
"version" : 2,
"created" : "2020-07-08T01:23:23.322Z",
"lastModified" : "2020-07-08T01:23:23.384Z"
},
"displayName" : "Cooler Group Name for Update",
"zoneId" : "uaa",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ],
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Path Parameters
/Groups/{groupId}
| Parameter | Description |
|---|---|
| groupId | The globally unique identifier of the group |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with scope scim.write |
If-Match |
The version of the SCIM object to be updated. Wildcard (*) accepted. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
id |
String |
The globally unique group ID |
displayName |
String |
The identifier specified upon creation of the group, unique within the identity zone |
description |
String |
Human readable description of the group, displayed e.g. when approving scopes |
members |
Array |
Array of group members |
members[].value |
String |
Globally unique identifier of the member, either a user ID or another group ID |
members[].type |
String |
Either "USER" or "GROUP" |
members[].origin |
String |
The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. |
zoneId |
String |
Identifier for the identity zone to which the group belongs |
meta.version |
Number |
The version of the group entity |
meta.created |
String |
The time the group was created |
meta.lastModified |
String |
The time the group was last updated |
schemas |
Array |
[ "urn:scim:schemas:core:1.0" ] |
| Error Code | Description |
|---|---|
| 400 | Bad Request - Incorrect version supplied in If-Match header |
| 403 | Forbidden - Insufficient scope |
| 409 | Conflict |
List
$ curl 'http://localhost/Groups?filter=id+eq+%220219ea52-4d54-4995-8509-e64bc6f9712d%22+or+displayName+eq+%22Cooler+Group+Name+for+Update%22&sortBy=lastModified&count=50&sortOrder=descending&startIndex=1' -i -X GET \
-H 'Authorization: Bearer 61f196dd253e4b98a08823fadb88d2cd'
GET /Groups?filter=id+eq+%220219ea52-4d54-4995-8509-e64bc6f9712d%22+or+displayName+eq+%22Cooler+Group+Name+for+Update%22&sortBy=lastModified&count=50&sortOrder=descending&startIndex=1 HTTP/1.1
Authorization: Bearer 61f196dd253e4b98a08823fadb88d2cd
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 621
{
"resources" : [ {
"id" : "0219ea52-4d54-4995-8509-e64bc6f9712d",
"meta" : {
"version" : 2,
"created" : "2020-07-08T01:23:23.322Z",
"lastModified" : "2020-07-08T01:23:23.384Z"
},
"displayName" : "Cooler Group Name for Update",
"zoneId" : "uaa",
"description" : "the cool group",
"members" : [ {
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ],
"schemas" : [ "urn:scim:schemas:core:1.0" ]
} ],
"startIndex" : 1,
"itemsPerPage" : 5,
"totalResults" : 1,
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with scope scim.read |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| filter | String | Optional (defaults to id pr) |
A SCIM filter over groups |
| sortBy | String | Optional (defaults to created) |
The field of the SCIM group to sort by |
| sortOrder | Number | Optional (defaults to ascending) |
Sort in ascending or descending order |
| startIndex | Number | Optional (defaults to 1) |
The index of the first result of this page within all matches |
| count | Number | Optional (defaults to 100) |
Maximum number of results to return in a single page |
Response Fields
| Path | Type | Description |
|---|---|---|
resources[].id |
String |
The globally unique group ID |
resources[].displayName |
String |
The identifier specified upon creation of the group, unique within the identity zone |
resources[].description |
String |
Human readable description of the group, displayed e.g. when approving scopes |
resources[].members |
Array |
Array of group members |
resources[].members[].value |
String |
Globally unique identifier of the member, either a user ID or another group ID |
resources[].members[].type |
String |
Either "USER" or "GROUP" |
resources[].members[].origin |
String |
The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. |
resources[].zoneId |
String |
Identifier for the identity zone to which the group belongs |
resources[].meta.version |
Number |
The version of the group entity |
resources[].meta.created |
String |
The time the group was created |
resources[].meta.lastModified |
String |
The time the group was last updated |
resources[].schemas |
Array |
[ "urn:scim:schemas:core:1.0" ] |
itemsPerPage |
Number |
The page-size used to produce the current page of results |
startIndex |
Number |
The index of the first result of this page within all matches |
totalResults |
Number |
The number of groups that matched the given filter |
schemas |
Array |
[ "urn:scim:schemas:core:1.0" ] |
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid attributes |
| 403 | Forbidden - Insufficient scope |
Check Membership
$ curl 'http://localhost/Groups/0219ea52-4d54-4995-8509-e64bc6f9712d/members/526ccf65-2a46-48f4-b884-793a18953f7e' -i -X GET \
-H 'Authorization: Bearer 61f196dd253e4b98a08823fadb88d2cd'
GET /Groups/0219ea52-4d54-4995-8509-e64bc6f9712d/members/526ccf65-2a46-48f4-b884-793a18953f7e HTTP/1.1
Authorization: Bearer 61f196dd253e4b98a08823fadb88d2cd
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 93
{
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
}
Path Parameters
/Groups/{groupId}/members/{memberId}
| Parameter | Description |
|---|---|
| groupId | The globally unique identifier of the group |
| memberId | The globally unique identifier the user or group which is a member of the specified by groupId |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with scope scim.read |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
value |
String |
The globally unique identifier the user or group which is a member of the specified by groupId |
type |
String |
Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID |
origin |
String |
The originating IDP of the entity, or "uaa" for groups and internal users |
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid member ID |
| 403 | Forbidden - Insufficient scope |
| 404 | Not Found - Group does not exist, or the entity is not a member |
Add Member
$ curl 'http://localhost/Groups/0219ea52-4d54-4995-8509-e64bc6f9712d/members' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334' \
-d '{"origin":"uaa","type":"USER","value":"526ccf65-2a46-48f4-b884-793a18953f7e"}'
POST /Groups/0219ea52-4d54-4995-8509-e64bc6f9712d/members HTTP/1.1
Content-Type: application/json
Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334
Content-Length: 77
Host: localhost
{"origin":"uaa","type":"USER","value":"526ccf65-2a46-48f4-b884-793a18953f7e"}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 93
{
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
}
Path Parameters
/Groups/{groupId}/members
| Parameter | Description |
|---|---|
| groupId | The globally unique identifier of the group |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with scope scim.write |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| value | String | Required | The globally unique identifier the user or group which is a member of the specified by groupId |
| type | String | Required | Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID |
| origin | String | Required | The originating IDP of the entity, or "uaa" for groups and internal users |
Response Fields
| Path | Type | Description |
|---|---|---|
value |
String |
The globally unique identifier the user or group which is a member of the specified by groupId |
type |
String |
Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID |
origin |
String |
The originating IDP of the entity, or "uaa" for groups and internal users |
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid member ID |
| 403 | Forbidden - Insufficient scope |
| 404 | Not Found - Specified group or member entity does not exist |
Remove Member
$ curl 'http://localhost/Groups/0219ea52-4d54-4995-8509-e64bc6f9712d/members/526ccf65-2a46-48f4-b884-793a18953f7e' -i -X DELETE \
-H 'Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334'
DELETE /Groups/0219ea52-4d54-4995-8509-e64bc6f9712d/members/526ccf65-2a46-48f4-b884-793a18953f7e HTTP/1.1
Authorization: Bearer 7bd6be8dbb6b4167b6f11812cf402334
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 93
{
"origin" : "uaa",
"type" : "USER",
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
}
Path Parameters
/Groups/{groupId}/members/{memberId}
| Parameter | Description |
|---|---|
| groupId | The globally unique identifier of the group |
| memberId | The globally unique identifier of the entity, i.e. the user or group, to be removed from membership in the group specified by groupId |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with scope scim.write |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
origin |
String |
The originating IDP of the entity |
type |
String |
Either "USER" or "GROUP", indicating what type of entity the group membership refers to |
value |
String |
The globally unique identifier of the user or group which has been removed from the group specified by groupId |
| Error Code | Description |
|---|---|
| 400 | Bad Request - Incorrect version supplied in If-Match header |
| 403 | Forbidden - Insufficient scope |
| 404 | Not Found - Group does not exist, or the entity is not a member |
| 409 | Conflict |
List Members
$ curl 'http://localhost/Groups/0219ea52-4d54-4995-8509-e64bc6f9712d/members?returnEntities=true' -i -X GET \
-H 'Authorization: Bearer 61f196dd253e4b98a08823fadb88d2cd'
GET /Groups/0219ea52-4d54-4995-8509-e64bc6f9712d/members?returnEntities=true HTTP/1.1
Authorization: Bearer 61f196dd253e4b98a08823fadb88d2cd
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 707
[ {
"origin" : "uaa",
"type" : "USER",
"entity" : {
"id" : "526ccf65-2a46-48f4-b884-793a18953f7e",
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:23.312Z",
"lastModified" : "2020-07-08T01:23:23.312Z"
},
"userName" : "pN57AF",
"name" : {
"familyName" : "cool-familyName",
"givenName" : "cool-name"
},
"emails" : [ {
"value" : "[email protected]",
"primary" : false
} ],
"active" : true,
"verified" : true,
"origin" : "uaa",
"zoneId" : "uaa",
"passwordLastModified" : "2020-07-08T01:23:23.000Z",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
},
"value" : "526ccf65-2a46-48f4-b884-793a18953f7e"
} ]
Path Parameters
/Groups/{groupId}/members
| Parameter | Description |
|---|---|
| groupId | The globally unique identifier of the group |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with scope scim.read |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| returnEntities | Boolean | Optional (defaults to false) |
Set to true to return the SCIM entities which have membership in the group |
Response Fields
| Path | Type | Description |
|---|---|---|
[].value |
String |
The globally unique identifier the user or group which is a member of the specified by groupId |
[].type |
String |
Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID |
[].origin |
String |
The originating IDP of the entity, or "uaa" for groups and internal users |
[].entity.* |
Varies |
Present only if requested with returnEntities; user or group details for each entity that is a member of this group |
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid attributes |
| 403 | Forbidden - Insufficient scope |
| 404 | Not Found - Specified group does not exist |
External Group Mappings
Map
$ curl 'http://localhost/Groups/External' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 68864cf20f4c4a299baafdfdcd942e09' \
-d '{
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:22.956Z"
},
"groupId" : "596ad723-58fc-4381-8e7e-7a9bd18f9249",
"externalGroup" : "External group",
"origin" : "ldap",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}'
POST /Groups/External HTTP/1.1
Content-Type: application/json
Authorization: Bearer 68864cf20f4c4a299baafdfdcd942e09
Content-Length: 242
Host: localhost
{
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:22.956Z"
},
"groupId" : "596ad723-58fc-4381-8e7e-7a9bd18f9249",
"externalGroup" : "External group",
"origin" : "ldap",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 362
{
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:22.961Z",
"lastModified" : "2020-07-08T01:23:22.961Z"
},
"groupId" : "596ad723-58fc-4381-8e7e-7a9bd18f9249",
"externalGroup" : "external group",
"displayName" : "Group For Testing Creating External Group Mapping",
"origin" : "ldap",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with authorization for scim.write scope |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| groupId | String | Required | The globally unique group ID |
| externalGroup | String | Required | The identifier for the group in external identity provider that needs to be mapped to internal UAA groups |
| origin | String | Optional (defaults to "ldap") |
Unique alias of the identity provider |
| meta.version | Number | Optional (defaults to 0) |
The version of the group entity |
Response Fields
| Path | Type | Description |
|---|---|---|
groupId |
String |
The globally unique group ID |
externalGroup |
String |
The identifier for the group in external identity provider that needs to be mapped to internal UAA groups |
displayName |
String |
The identifier specified upon creation of the group, unique within the identity zone |
origin |
String |
Unique alias of the identity provider |
meta.version |
Number |
The version of the group entity |
meta.created |
String |
The time the group mapping was created |
meta.lastModified |
String |
The time the group mapping was last updated |
schemas |
Array |
["urn:scim:schemas:core:1.0"] |
| Error Code | Description |
|---|---|
| 400 | Bad Request - External group or origin should not be null |
| 403 | Forbidden - Insufficient scope |
| 404 | Not Found - Incorrect group ID provided |
Unmap
By group ID
$ curl 'http://localhost/Groups/External/groupId/810f55e4-b2a6-4b39-9c5a-5c4e32228212/externalGroup/external%20group/origin/ldap' -i -X DELETE \
-H 'Authorization: Bearer 760675077d584689825d56c6fe0e67c5'
DELETE /Groups/External/groupId/810f55e4-b2a6-4b39-9c5a-5c4e32228212/externalGroup/external%20group/origin/ldap HTTP/1.1
Authorization: Bearer 760675077d584689825d56c6fe0e67c5
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 362
{
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:22.814Z",
"lastModified" : "2020-07-08T01:23:22.814Z"
},
"groupId" : "810f55e4-b2a6-4b39-9c5a-5c4e32228212",
"externalGroup" : "external group",
"displayName" : "Group For Testing Deleting External Group Mapping",
"origin" : "ldap",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Path Parameters
/Groups/External/groupId/{groupId}/externalGroup/{externalGroup}/origin/{origin}
| Parameter | Description |
|---|---|
| groupId | The globally unique group ID |
| externalGroup | The identifier for the group in external identity provider that needs to be mapped to internal UAA groups |
| origin | Unique alias of the identity provider |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with authorization for scim.write scope |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
Response Fields
| Path | Type | Description |
|---|---|---|
groupId |
String |
The globally unique group ID |
externalGroup |
String |
The identifier for the group in external identity provider that needs to be mapped to internal UAA groups |
displayName |
String |
The identifier specified upon creation of the group, unique within the identity zone |
origin |
String |
Unique alias of the identity provider |
meta.version |
Number |
The version of the group entity |
meta.created |
String |
The time the group mapping was created |
meta.lastModified |
String |
The time the group mapping was last updated |
schemas |
Array |
["urn:scim:schemas:core:1.0"] |
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
| 404 | Not Found - No such group ID, external group, origin combination |
By group display name
$ curl 'http://localhost/Groups/External/displayName/Group%20For%20Testing%20Deleting%20External%20Group%20Mapping%20By%20Name/externalGroup/external%20group/origin/ldap' -i -X DELETE \
-H 'Authorization: Bearer c4a3f2ce7d6647cc9ff5e14e04e2e659'
DELETE /Groups/External/displayName/Group%20For%20Testing%20Deleting%20External%20Group%20Mapping%20By%20Name/externalGroup/external%20group/origin/ldap HTTP/1.1
Authorization: Bearer c4a3f2ce7d6647cc9ff5e14e04e2e659
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 370
{
"meta" : {
"version" : 0,
"created" : "2020-07-08T01:23:23.024Z",
"lastModified" : "2020-07-08T01:23:23.024Z"
},
"groupId" : "66a1a06c-e017-42f8-979d-984d57035086",
"externalGroup" : "external group",
"displayName" : "Group For Testing Deleting External Group Mapping By Name",
"origin" : "ldap",
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Path Parameters
/Groups/External/displayName/{displayName}/externalGroup/{externalGroup}/origin/{origin}
| Parameter | Description |
|---|---|
| displayName | The identifier specified upon creation of the group, unique within the identity zone |
| externalGroup | The identifier for the group in external identity provider that needs to be mapped to internal UAA groups |
| origin | Unique alias of the identity provider |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with authorization for scim.write scope |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
Response Fields
| Path | Type | Description |
|---|---|---|
groupId |
String |
The globally unique group ID |
externalGroup |
String |
The identifier for the group in external identity provider that needs to be mapped to internal UAA groups |
displayName |
String |
The identifier specified upon creation of the group, unique within the identity zone |
origin |
String |
Unique alias of the identity provider |
meta.version |
Number |
The version of the group entity |
meta.created |
String |
The time the group mapping was created |
meta.lastModified |
String |
The time the group mapping was last updated |
schemas |
Array |
["urn:scim:schemas:core:1.0"] |
| Error Code | Description |
|---|---|
| 403 | Forbidden - Insufficient scope |
| 404 | Not Found - No such group display name, external group, origin combination |
List
$ curl 'http://localhost/Groups/External?startIndex=1&count=50&origin=ldap&externalGroup=&filter=&externalGroup=&filter=' -i -X GET \
-H 'Authorization: Bearer 2827197e630f4ad082454edeb96d63a0'
GET /Groups/External?startIndex=1&count=50&origin=ldap&externalGroup=&filter=&externalGroup=&filter= HTTP/1.1
Authorization: Bearer 2827197e630f4ad082454edeb96d63a0
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1284
{
"resources" : [ {
"displayName" : "Group For Testing Retrieving External Group Mappings",
"externalGroup" : "external group",
"groupId" : "316608c6-4f2f-4811-8301-56c545b8142d",
"origin" : "ldap"
}, {
"displayName" : "internal.write",
"externalGroup" : "cn=operators,ou=scopes,dc=test,dc=com",
"groupId" : "48a684c3-baf2-443f-96b9-cabfd4095614",
"origin" : "ldap"
}, {
"displayName" : "internal.everything",
"externalGroup" : "cn=superusers,ou=scopes,dc=test,dc=com",
"groupId" : "a55f3a5b-ce1a-4218-b8aa-dc759ce296ed",
"origin" : "ldap"
}, {
"displayName" : "organizations.acme",
"externalGroup" : "cn=test_org,ou=people,o=springsource,o=org",
"groupId" : "b04f161c-cd63-4cbd-b23e-669799759cb3",
"origin" : "ldap"
}, {
"displayName" : "internal.read",
"externalGroup" : "cn=developers,ou=scopes,dc=test,dc=com",
"groupId" : "c051e04e-8193-44eb-a3ad-ca8f1b6686e4",
"origin" : "ldap"
}, {
"displayName" : "internal.superuser",
"externalGroup" : "cn=superusers,ou=scopes,dc=test,dc=com",
"groupId" : "ed09204a-589a-4368-9e89-9b23363ff477",
"origin" : "ldap"
} ],
"startIndex" : 1,
"itemsPerPage" : 6,
"totalResults" : 6,
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with authorization for scim.read scope |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone. |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
Response Fields
| Path | Type | Description |
|---|---|---|
resources[].groupId |
String |
The globally unique group ID |
resources[].displayName |
String |
The identifier specified upon creation of the group, unique within the identity zone |
resources[].externalGroup |
String |
The identifier for the group in external identity provider that needs to be mapped to internal UAA groups |
resources[].origin |
String |
Unique alias of the identity provider |
startIndex |
Number |
The index of the first item of this page of results |
itemsPerPage |
Number |
The page size used in producing this page of results |
totalResults |
Number |
The number of results which matched the filter |
schemas |
Array |
["urn:scim:schemas:core:1.0"] |
| Error Code | Description |
|---|---|
| 400 | Bad Request - Invalid request parameters |
| 403 | Forbidden - Insufficient scope |
Clients
Create
$ curl 'http://localhost/oauth/clients' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer e4d1f3a4d9e44b029f899df38c5085e6' \
-H 'Accept: application/json' \
-d '{
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "SUmM9V",
"client_secret" : "secret",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "b0d8Nm",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name"
}'
POST /oauth/clients HTTP/1.1
Content-Type: application/json
Authorization: Bearer e4d1f3a4d9e44b029f899df38c5085e6
Accept: application/json
Content-Length: 468
Host: localhost
{
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "SUmM9V",
"client_secret" : "secret",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "b0d8Nm",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name"
}
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 517
{
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "SUmM9V",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "b0d8Nm",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372643,
"required_user_groups" : [ ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Required | Client identifier, unique within identity zone |
| authorized_grant_types | Array | Optional | List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
| redirect_uri | Array | Optional | Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
| scope | Array | Optional (defaults to "uaa.none") |
Scopes allowed for the client |
| resource_ids | Array | Optional (defaults to []) |
Resources the client is allowed access to |
| authorities | Array | Optional (defaults to "uaa.none") |
Scopes which the client is able to grant when creating a client |
| autoapprove | [Boolean, Array] | Optional (defaults to []) |
Scopes that do not require user approval |
| access_token_validity | Number | Optional | time in seconds to access token expiration after it is issued |
| refresh_token_validity | Number | Optional | time in seconds to refresh token expiration after it is issued |
| allowedproviders | Array | Optional | A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
| name | String | Optional | A human readable name for the client |
| token_salt | String | Optional | A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
| createdwith | String | Optional | What scope the bearer token had when client was created |
| approvals_deleted | Boolean | Optional | Were the approvals deleted for the client, and an audit event sent |
| required_user_groups | Array | Optional | A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
| client_secret | String | Required if the client allows authorization_code or client_credentials grant type |
A secret string used for authenticating as this client. To support secret rotation this can be space delimited string of two secrets. |
Response Fields
| Path | Type | Description |
|---|---|---|
client_id |
String |
Client identifier, unique within identity zone |
authorized_grant_types |
Array |
List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
redirect_uri |
Array |
Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
scope |
Array |
Scopes allowed for the client |
resource_ids |
Array |
Resources the client is allowed access to |
authorities |
Array |
Scopes which the client is able to grant when creating a client |
autoapprove |
[Boolean, Array] |
Scopes that do not require user approval |
access_token_validity |
Number |
time in seconds to access token expiration after it is issued |
refresh_token_validity |
Number |
time in seconds to refresh token expiration after it is issued |
allowedproviders |
Array |
A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
name |
String |
A human readable name for the client |
token_salt |
String |
A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
createdwith |
String |
What scope the bearer token had when client was created |
approvals_deleted |
Boolean |
Were the approvals deleted for the client, and an audit event sent |
required_user_groups |
Array |
A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
lastModified |
Number |
Epoch (milliseconds) of the moment the client information was last altered |
Retrieve
$ curl 'http://localhost/oauth/clients/7ijSwf' -i -X GET \
-H 'Authorization: Bearer aaaf11a32177445191878afb4e4b4e3b' \
-H 'Accept: application/json'
GET /oauth/clients/7ijSwf HTTP/1.1
Authorization: Bearer aaaf11a32177445191878afb4e4b4e3b
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 517
{
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "7ijSwf",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "Z6hWu4",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372851,
"required_user_groups" : [ ]
}
Path Parameters
/oauth/clients/{client_id}
| Parameter | Description |
|---|---|
| client_id | Client identifier, unique within identity zone |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.read, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
client_id |
String |
Client identifier, unique within identity zone |
authorized_grant_types |
Array |
List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
redirect_uri |
Array |
Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
scope |
Array |
Scopes allowed for the client |
resource_ids |
Array |
Resources the client is allowed access to |
authorities |
Array |
Scopes which the client is able to grant when creating a client |
autoapprove |
[Boolean, Array] |
Scopes that do not require user approval |
access_token_validity |
Number |
time in seconds to access token expiration after it is issued |
refresh_token_validity |
Number |
time in seconds to refresh token expiration after it is issued |
allowedproviders |
Array |
A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
name |
String |
A human readable name for the client |
token_salt |
String |
A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
createdwith |
String |
What scope the bearer token had when client was created |
approvals_deleted |
Boolean |
Were the approvals deleted for the client, and an audit event sent |
required_user_groups |
Array |
A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
lastModified |
Number |
Epoch (milliseconds) of the moment the client information was last altered |
Update
$ curl 'http://localhost/oauth/clients/jWRbJ4' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer fbfec9c7a4cb4cf39295f65077f97f12' \
-H 'Accept: application/json' \
-d '{
"scope" : [ "clients.new", "clients.autoapprove" ],
"client_id" : "jWRbJ4",
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://redirect.url" ],
"autoapprove" : [ "clients.autoapprove" ]
}'
PUT /oauth/clients/jWRbJ4 HTTP/1.1
Content-Type: application/json
Authorization: Bearer fbfec9c7a4cb4cf39295f65077f97f12
Accept: application/json
Content-Length: 228
Host: localhost
{
"scope" : [ "clients.new", "clients.autoapprove" ],
"client_id" : "jWRbJ4",
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://redirect.url" ],
"autoapprove" : [ "clients.autoapprove" ]
}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 498
{
"scope" : [ "clients.new", "clients.autoapprove" ],
"client_id" : "jWRbJ4",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://redirect.url" ],
"autoapprove" : [ "clients.autoapprove" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "VgjMpU",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372103,
"required_user_groups" : [ ]
}
Path Parameters
/oauth/clients/{client_id}
| Parameter | Description |
|---|---|
| client_id | Client identifier, unique within identity zone |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Required | Client identifier, unique within identity zone |
| authorized_grant_types | Array | Optional | List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
| redirect_uri | Array | Optional | Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
| scope | Array | Optional (defaults to "uaa.none") |
Scopes allowed for the client |
| resource_ids | Array | Optional (defaults to []) |
Resources the client is allowed access to |
| authorities | Array | Optional (defaults to "uaa.none") |
Scopes which the client is able to grant when creating a client |
| autoapprove | [Boolean, Array] | Optional (defaults to []) |
Scopes that do not require user approval |
| access_token_validity | Number | Optional | time in seconds to access token expiration after it is issued |
| refresh_token_validity | Number | Optional | time in seconds to refresh token expiration after it is issued |
| allowedproviders | Array | Optional | A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
| name | String | Optional | A human readable name for the client |
| token_salt | String | Optional | A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
| createdwith | String | Optional | What scope the bearer token had when client was created |
| approvals_deleted | Boolean | Optional | Were the approvals deleted for the client, and an audit event sent |
| required_user_groups | Array | Optional | A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
Response Fields
| Path | Type | Description |
|---|---|---|
client_id |
String |
Client identifier, unique within identity zone |
authorized_grant_types |
Array |
List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
redirect_uri |
Array |
Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
scope |
Array |
Scopes allowed for the client |
resource_ids |
Array |
Resources the client is allowed access to |
authorities |
Array |
Scopes which the client is able to grant when creating a client |
autoapprove |
[Boolean, Array] |
Scopes that do not require user approval |
access_token_validity |
Number |
time in seconds to access token expiration after it is issued |
refresh_token_validity |
Number |
time in seconds to refresh token expiration after it is issued |
allowedproviders |
Array |
A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
name |
String |
A human readable name for the client |
token_salt |
String |
A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
createdwith |
String |
What scope the bearer token had when client was created |
approvals_deleted |
Boolean |
Were the approvals deleted for the client, and an audit event sent |
required_user_groups |
Array |
A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
lastModified |
Number |
Epoch (milliseconds) of the moment the client information was last altered |
Delete
$ curl 'http://localhost/oauth/clients/xR8mgO' -i -X DELETE \
-H 'Authorization: Bearer 10a80a335da349209e85b0c1e5dbf3ed' \
-H 'Accept: application/json'
DELETE /oauth/clients/xR8mgO HTTP/1.1
Authorization: Bearer 10a80a335da349209e85b0c1e5dbf3ed
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 517
{
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "xR8mgO",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "T7VHQb",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372220,
"required_user_groups" : [ ]
}
Path Parameters
/oauth/clients/{client_id}
| Parameter | Description |
|---|---|
| client_id | Client identifier, unique within identity zone |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Response Fields
| Path | Type | Description |
|---|---|---|
client_id |
String |
Client identifier, unique within identity zone |
authorized_grant_types |
Array |
List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
redirect_uri |
Array |
Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
scope |
Array |
Scopes allowed for the client |
resource_ids |
Array |
Resources the client is allowed access to |
authorities |
Array |
Scopes which the client is able to grant when creating a client |
autoapprove |
[Boolean, Array] |
Scopes that do not require user approval |
access_token_validity |
Number |
time in seconds to access token expiration after it is issued |
refresh_token_validity |
Number |
time in seconds to refresh token expiration after it is issued |
allowedproviders |
Array |
A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
name |
String |
A human readable name for the client |
token_salt |
String |
A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
createdwith |
String |
What scope the bearer token had when client was created |
approvals_deleted |
Boolean |
Were the approvals deleted for the client, and an audit event sent |
required_user_groups |
Array |
A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
lastModified |
Number |
Epoch (milliseconds) of the moment the client information was last altered |
Change Secret
$ curl 'http://localhost/oauth/clients/8AgTHw/secret' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer e026825efc1a4d4f8f444f083caf6ed4' \
-H 'Accept: application/json' \
-d '{
"clientId" : "8AgTHw",
"secret" : "new_secret"
}'
PUT /oauth/clients/8AgTHw/secret HTTP/1.1
Content-Type: application/json
Authorization: Bearer e026825efc1a4d4f8f444f083caf6ed4
Accept: application/json
Content-Length: 54
Host: localhost
{
"clientId" : "8AgTHw",
"secret" : "new_secret"
}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 53
{
"status" : "ok",
"message" : "secret updated"
}
Path Parameters
/oauth/clients/{client_id}/secret
| Parameter | Description |
|---|---|
| client_id | Client identifier, unique within identity zone |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| clientId | String | Required | Client identifier, unique within identity zone |
| oldSecret | String | Optional if authenticated as an admin client. Required otherwise. | A valid client secret before updating |
| secret | String | Required | The new client secret |
| changeMode | String | Optional (defaults to "UPDATE") |
If change mode is set to ADD, the new secret will be added to the existing one and if the change mode is set to DELETE, the old secret will be deleted to support secret rotation. Currently only two client secrets are supported at any given time. |
List
$ curl 'http://localhost/oauth/clients?filter=client_id+eq+%223pltpz%22&sortBy=client_id&sortOrder=descending&startIndex=1&count=10' -i -X GET \
-H 'Authorization: Bearer bcf581ca09d44dc2a8ff24a11e459fa6' \
-H 'Accept: application/json'
GET /oauth/clients?filter=client_id+eq+%223pltpz%22&sortBy=client_id&sortOrder=descending&startIndex=1&count=10 HTTP/1.1
Authorization: Bearer bcf581ca09d44dc2a8ff24a11e459fa6
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 672
{
"resources" : [ {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "3pltpz",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "t1WJgO",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372727
} ],
"startIndex" : 1,
"itemsPerPage" : 1,
"totalResults" : 1,
"schemas" : [ "http://cloudfoundry.org/schema/scim/oauth-clients-1.0" ]
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.read, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| filter | String | Optional (defaults to client_id pr) |
SCIM filter for querying clients |
| sortBy | String | Optional (defaults to client_id) |
Field to sort results by |
| sortOrder | String | Optional (defaults to ascending) |
Sort results in ascending or descending order |
| startIndex | Number | Optional (defaults to 1) |
Index of the first result on which to begin the page |
| count | Number | Optional (defaults to 100) |
Number of results per page |
Response Fields
| Path | Type | Description |
|---|---|---|
resources[].client_id |
String |
Client identifier, unique within identity zone |
resources[].authorized_grant_types |
Array |
List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
resources[].redirect_uri |
Array |
Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
resources[].scope |
Array |
Scopes allowed for the client |
resources[].resource_ids |
Array |
Resources the client is allowed access to |
resources[].authorities |
Array |
Scopes which the client is able to grant when creating a client |
resources[].autoapprove |
[Boolean, Array] |
Scopes that do not require user approval |
resources[].access_token_validity |
Number |
time in seconds to access token expiration after it is issued |
resources[].refresh_token_validity |
Number |
time in seconds to refresh token expiration after it is issued |
resources[].allowedproviders |
Array |
A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
resources[].name |
String |
A human readable name for the client |
resources[].token_salt |
String |
A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
resources[].createdwith |
String |
What scope the bearer token had when client was created |
resources[].approvals_deleted |
Boolean |
Were the approvals deleted for the client, and an audit event sent |
resources[].required_user_groups |
Array |
A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
resources[].lastModified |
Number |
Epoch (milliseconds) of the moment the client information was last altered |
startIndex |
Number |
Index of the first result on this page |
itemsPerPage |
Number |
Number of results per page |
totalResults |
Number |
Total number of results that matched the query |
schemas |
Array |
["urn:scim:schemas:core:1.0"] |
Batch Create
$ curl 'http://localhost/oauth/clients/tx' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 847b503f60c246babe212c08b7837d7b' \
-H 'Accept: application/json' \
-d '[ {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "1kAzds",
"client_secret" : "secret",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "BDjoCs",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name"
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "HXOw5a",
"client_secret" : "secret",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "CZLzcO",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name"
} ]'
POST /oauth/clients/tx HTTP/1.1
Content-Type: application/json
Authorization: Bearer 847b503f60c246babe212c08b7837d7b
Accept: application/json
Content-Length: 942
Host: localhost
[ {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "1kAzds",
"client_secret" : "secret",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "BDjoCs",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name"
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "HXOw5a",
"client_secret" : "secret",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "CZLzcO",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name"
} ]
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1040
[ {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "1kAzds",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "BDjoCs",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372352,
"required_user_groups" : [ ]
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "HXOw5a",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "CZLzcO",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372354,
"required_user_groups" : [ ]
} ]
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| [].client_id | String | Required | Client identifier, unique within identity zone |
| [].authorized_grant_types | Array | Optional | List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
| [].redirect_uri | Array | Optional | Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
| [].scope | Array | Optional (defaults to "uaa.none") |
Scopes allowed for the client |
| [].resource_ids | Array | Optional (defaults to []) |
Resources the client is allowed access to |
| [].authorities | Array | Optional (defaults to "uaa.none") |
Scopes which the client is able to grant when creating a client |
| [].autoapprove | [Boolean, Array] | Optional (defaults to []) |
Scopes that do not require user approval |
| [].access_token_validity | Number | Optional | time in seconds to access token expiration after it is issued |
| [].refresh_token_validity | Number | Optional | time in seconds to refresh token expiration after it is issued |
| [].allowedproviders | Array | Optional | A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
| [].name | String | Optional | A human readable name for the client |
| [].token_salt | String | Optional | A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
| [].createdwith | String | Optional | What scope the bearer token had when client was created |
| [].approvals_deleted | Boolean | Optional | Were the approvals deleted for the client, and an audit event sent |
| [].required_user_groups | Array | Optional | A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
| [].client_secret | String | Required if the client allows authorization_code or client_credentials grant type |
A secret string used for authenticating as this client. To support secret rotation this can be space delimited string of two secrets. |
Response Fields
| Path | Type | Description |
|---|---|---|
[].client_id |
String |
Client identifier, unique within identity zone |
[].authorized_grant_types |
Array |
List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
[].redirect_uri |
Array |
Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
[].scope |
Array |
Scopes allowed for the client |
[].resource_ids |
Array |
Resources the client is allowed access to |
[].authorities |
Array |
Scopes which the client is able to grant when creating a client |
[].autoapprove |
[Boolean, Array] |
Scopes that do not require user approval |
[].access_token_validity |
Number |
time in seconds to access token expiration after it is issued |
[].refresh_token_validity |
Number |
time in seconds to refresh token expiration after it is issued |
[].allowedproviders |
Array |
A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
[].name |
String |
A human readable name for the client |
[].token_salt |
String |
A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
[].createdwith |
String |
What scope the bearer token had when client was created |
[].approvals_deleted |
Boolean |
Were the approvals deleted for the client, and an audit event sent |
[].required_user_groups |
Array |
A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
[].lastModified |
Number |
Epoch (milliseconds) of the moment the client information was last altered |
Batch Update
$ curl 'http://localhost/oauth/clients/tx' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 847b503f60c246babe212c08b7837d7b' \
-H 'Accept: application/json' \
-d '[ {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "1kAzds",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "BDjoCs",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name"
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "HXOw5a",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"authorities" : [ "clients.read", "new.authority", "clients.write" ],
"token_salt" : "CZLzcO",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name"
} ]'
PUT /oauth/clients/tx HTTP/1.1
Content-Type: application/json
Authorization: Bearer 847b503f60c246babe212c08b7837d7b
Accept: application/json
Content-Length: 899
Host: localhost
[ {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "1kAzds",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "BDjoCs",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name"
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "HXOw5a",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"authorities" : [ "clients.read", "new.authority", "clients.write" ],
"token_salt" : "CZLzcO",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name"
} ]
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1057
[ {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "1kAzds",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "BDjoCs",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372352,
"required_user_groups" : [ ]
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "HXOw5a",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "new.authority", "clients.write" ],
"token_salt" : "CZLzcO",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372354,
"required_user_groups" : [ ]
} ]
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| [].client_id | String | Required | Client identifier, unique within identity zone |
| [].authorized_grant_types | Array | Optional | List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
| [].redirect_uri | Array | Optional | Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
| [].scope | Array | Optional (defaults to "uaa.none") |
Scopes allowed for the client |
| [].resource_ids | Array | Optional (defaults to []) |
Resources the client is allowed access to |
| [].authorities | Array | Optional (defaults to "uaa.none") |
Scopes which the client is able to grant when creating a client |
| [].autoapprove | [Boolean, Array] | Optional (defaults to []) |
Scopes that do not require user approval |
| [].access_token_validity | Number | Optional | time in seconds to access token expiration after it is issued |
| [].refresh_token_validity | Number | Optional | time in seconds to refresh token expiration after it is issued |
| [].allowedproviders | Array | Optional | A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
| [].name | String | Optional | A human readable name for the client |
| [].token_salt | String | Optional | A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
| [].createdwith | String | Optional | What scope the bearer token had when client was created |
| [].approvals_deleted | Boolean | Optional | Were the approvals deleted for the client, and an audit event sent |
| [].required_user_groups | Array | Optional | A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
Response Fields
| Path | Type | Description |
|---|---|---|
[].client_id |
String |
Client identifier, unique within identity zone |
[].authorized_grant_types |
Array |
List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
[].redirect_uri |
Array |
Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
[].scope |
Array |
Scopes allowed for the client |
[].resource_ids |
Array |
Resources the client is allowed access to |
[].authorities |
Array |
Scopes which the client is able to grant when creating a client |
[].autoapprove |
[Boolean, Array] |
Scopes that do not require user approval |
[].access_token_validity |
Number |
time in seconds to access token expiration after it is issued |
[].refresh_token_validity |
Number |
time in seconds to refresh token expiration after it is issued |
[].allowedproviders |
Array |
A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
[].name |
String |
A human readable name for the client |
[].token_salt |
String |
A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
[].createdwith |
String |
What scope the bearer token had when client was created |
[].approvals_deleted |
Boolean |
Were the approvals deleted for the client, and an audit event sent |
[].required_user_groups |
Array |
A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
[].lastModified |
Number |
Epoch (milliseconds) of the moment the client information was last altered |
Batch Secret Change
$ curl 'http://localhost/oauth/clients/tx/secret' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 847b503f60c246babe212c08b7837d7b' \
-H 'Accept: application/json' \
-d '[ {
"clientId" : "1kAzds",
"secret" : "new_secret"
}, {
"clientId" : "HXOw5a",
"secret" : "new_secret"
} ]'
POST /oauth/clients/tx/secret HTTP/1.1
Content-Type: application/json
Authorization: Bearer 847b503f60c246babe212c08b7837d7b
Accept: application/json
Content-Length: 114
Host: localhost
[ {
"clientId" : "1kAzds",
"secret" : "new_secret"
}, {
"clientId" : "HXOw5a",
"secret" : "new_secret"
} ]
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1117
[ {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "1kAzds",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "BDjoCs",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372424,
"required_user_groups" : [ ],
"approvals_deleted" : true
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "HXOw5a",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "new.authority", "clients.write" ],
"token_salt" : "CZLzcO",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372426,
"required_user_groups" : [ ],
"approvals_deleted" : true
} ]
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| [].clientId | String | Required | Client identifier, unique within identity zone |
| [].oldSecret | String | Optional if authenticated as an admin client. Required otherwise. | A valid client secret before updating |
| [].secret | String | Required | The new client secret |
| [].changeMode | String | Optional (defaults to "UPDATE") |
If change mode is set to ADD, the new secret will be added to the existing one and if the change mode is set to DELETE, the old secret will be deleted to support secret rotation. Currently only two client secrets are supported at any given time. |
Response Fields
| Path | Type | Description |
|---|---|---|
[].client_id |
String |
Client identifier, unique within identity zone |
[].authorized_grant_types |
Array |
List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
[].redirect_uri |
Array |
Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
[].scope |
Array |
Scopes allowed for the client |
[].resource_ids |
Array |
Resources the client is allowed access to |
[].authorities |
Array |
Scopes which the client is able to grant when creating a client |
[].autoapprove |
[Boolean, Array] |
Scopes that do not require user approval |
[].access_token_validity |
Number |
time in seconds to access token expiration after it is issued |
[].refresh_token_validity |
Number |
time in seconds to refresh token expiration after it is issued |
[].allowedproviders |
Array |
A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
[].name |
String |
A human readable name for the client |
[].token_salt |
String |
A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
[].createdwith |
String |
What scope the bearer token had when client was created |
[].approvals_deleted |
Boolean |
Were the approvals deleted for the client, and an audit event sent |
[].required_user_groups |
Array |
A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
[].lastModified |
Number |
Epoch (milliseconds) of the moment the client information was last altered |
[].approvals_deleted |
Boolean |
Indicates whether the approvals associated with the client were deleted as a result of this action |
Mixed Actions
$ curl 'http://localhost/oauth/clients/tx/modify' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 847b503f60c246babe212c08b7837d7b' \
-H 'Accept: application/json' \
-d '[ {
"action" : "secret",
"client_secret" : "new_secret",
"client_id" : "1kAzds"
}, {
"action" : "delete",
"client_id" : "HXOw5a"
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "pv63N2",
"client_secret" : "secret",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"action" : "add",
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "hq0P3W",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"approvals_deleted" : false
} ]'
POST /oauth/clients/tx/modify HTTP/1.1
Content-Type: application/json
Authorization: Bearer 847b503f60c246babe212c08b7837d7b
Accept: application/json
Content-Length: 663
Host: localhost
[ {
"action" : "secret",
"client_secret" : "new_secret",
"client_id" : "1kAzds"
}, {
"action" : "delete",
"client_id" : "HXOw5a"
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "pv63N2",
"client_secret" : "secret",
"resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
"action" : "add",
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "hq0P3W",
"autoapprove" : true,
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"approvals_deleted" : false
} ]
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1343
[ {
"scope" : [ ],
"client_id" : "1kAzds",
"resource_ids" : [ ],
"authorized_grant_types" : [ ],
"action" : "secret",
"authorities" : [ ],
"approvals_deleted" : false
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "HXOw5a",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"action" : "delete",
"authorities" : [ "clients.read", "new.authority", "clients.write" ],
"token_salt" : "CZLzcO",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372426,
"required_user_groups" : [ ],
"approvals_deleted" : true
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "pv63N2",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"action" : "add",
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "hq0P3W",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"approvals_deleted" : false,
"lastModified" : 1594171372538,
"required_user_groups" : [ ]
} ]
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| [].client_id | String | Required | Client identifier, unique within identity zone |
| [].authorized_grant_types | Array | Optional | List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
| [].redirect_uri | Array | Optional | Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
| [].scope | Array | Optional (defaults to "uaa.none") |
Scopes allowed for the client |
| [].resource_ids | Array | Optional (defaults to []) |
Resources the client is allowed access to |
| [].authorities | Array | Optional (defaults to "uaa.none") |
Scopes which the client is able to grant when creating a client |
| [].autoapprove | [Boolean, Array] | Optional (defaults to []) |
Scopes that do not require user approval |
| [].access_token_validity | Number | Optional | time in seconds to access token expiration after it is issued |
| [].refresh_token_validity | Number | Optional | time in seconds to refresh token expiration after it is issued |
| [].allowedproviders | Array | Optional | A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
| [].name | String | Optional | A human readable name for the client |
| [].token_salt | String | Optional | A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
| [].createdwith | String | Optional | What scope the bearer token had when client was created |
| [].approvals_deleted | Boolean | Optional | Were the approvals deleted for the client, and an audit event sent |
| [].required_user_groups | Array | Optional | A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
| [].client_secret | String | Required if the client allows authorization_code or client_credentials grant type |
A secret string used for authenticating as this client. To support secret rotation this can be space delimited string of two secrets. |
| [].action | String | Always required. | Set to secret to change client secret, delete to delete the client or add to add the client |
Response Fields
| Path | Type | Description |
|---|---|---|
[].client_id |
String |
Client identifier, unique within identity zone |
[].authorized_grant_types |
Array |
List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
[].redirect_uri |
Array |
Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
[].scope |
Array |
Scopes allowed for the client |
[].resource_ids |
Array |
Resources the client is allowed access to |
[].authorities |
Array |
Scopes which the client is able to grant when creating a client |
[].autoapprove |
[Boolean, Array] |
Scopes that do not require user approval |
[].access_token_validity |
Number |
time in seconds to access token expiration after it is issued |
[].refresh_token_validity |
Number |
time in seconds to refresh token expiration after it is issued |
[].allowedproviders |
Array |
A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
[].name |
String |
A human readable name for the client |
[].token_salt |
String |
A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
[].createdwith |
String |
What scope the bearer token had when client was created |
[].approvals_deleted |
Boolean |
Were the approvals deleted for the client, and an audit event sent |
[].required_user_groups |
Array |
A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
[].lastModified |
Number |
Epoch (milliseconds) of the moment the client information was last altered |
[].action |
String |
Set to secret to change client secret, delete to delete the client or add to add the client |
Batch Delete
$ curl 'http://localhost/oauth/clients/tx/delete' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 847b503f60c246babe212c08b7837d7b' \
-H 'Accept: application/json' \
-d '[ {
"client_id" : "1kAzds"
}, {
"client_id" : "pv63N2"
} ]'
POST /oauth/clients/tx/delete HTTP/1.1
Content-Type: application/json
Authorization: Bearer 847b503f60c246babe212c08b7837d7b
Accept: application/json
Content-Length: 62
Host: localhost
[ {
"client_id" : "1kAzds"
}, {
"client_id" : "pv63N2"
} ]
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 1100
[ {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "1kAzds",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "BDjoCs",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"lastModified" : 1594171372424,
"required_user_groups" : [ ],
"approvals_deleted" : true
}, {
"scope" : [ "clients.read", "clients.write" ],
"client_id" : "pv63N2",
"resource_ids" : [ "none" ],
"authorized_grant_types" : [ "client_credentials" ],
"redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
"autoapprove" : [ "true" ],
"authorities" : [ "clients.read", "clients.write" ],
"token_salt" : "hq0P3W",
"allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
"name" : "My Client Name",
"approvals_deleted" : true,
"lastModified" : 1594171372538,
"required_user_groups" : [ ]
} ]
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Fields
| Path | Type | Constraints | Description |
|---|---|---|---|
| [].client_id | String | Required | Client identifier, unique within identity zone |
Response Fields
| Path | Type | Description |
|---|---|---|
[].client_id |
String |
Client identifier, unique within identity zone |
[].authorized_grant_types |
Array |
List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials. |
[].redirect_uri |
Array |
Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. |
[].scope |
Array |
Scopes allowed for the client |
[].resource_ids |
Array |
Resources the client is allowed access to |
[].authorities |
Array |
Scopes which the client is able to grant when creating a client |
[].autoapprove |
[Boolean, Array] |
Scopes that do not require user approval |
[].access_token_validity |
Number |
time in seconds to access token expiration after it is issued |
[].refresh_token_validity |
Number |
time in seconds to refresh token expiration after it is issued |
[].allowedproviders |
Array |
A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed. |
[].name |
String |
A human readable name for the client |
[].token_salt |
String |
A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client |
[].createdwith |
String |
What scope the bearer token had when client was created |
[].approvals_deleted |
Boolean |
Were the approvals deleted for the client, and an audit event sent |
[].required_user_groups |
Array |
A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally. |
[].lastModified |
Number |
Epoch (milliseconds) of the moment the client information was last altered |
[].approvals_deleted |
Boolean |
Indicates whether the approvals associated with the client were deleted as a result of this action |
Metadata
Retrieve
$ curl 'http://localhost/oauth/clients/jItmsf0s/meta' -i -X GET \
-H 'Authorization: Bearer b4e977baf8754a8a9056ef658beb4d5c' \
-H 'Accept: application/json'
GET /oauth/clients/jItmsf0s/meta HTTP/1.1
Authorization: Bearer b4e977baf8754a8a9056ef658beb4d5c
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 199
{
"clientId" : "jItmsf0s",
"showOnHomePage" : true,
"appLaunchUrl" : "http://myloginpage.com",
"appIcon" : "aWNvbiBmb3IgY2xpZW50IDQ=",
"createdBy" : "dee58a54-5b44-4f6f-a516-c2e288991f69"
}
Path Parameters
/oauth/clients/{clientId}/meta
| Parameter | Description |
|---|---|
| clientId | Client identifier, unique within identity zone |
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token |
Response Fields
| Path | Type | Description |
|---|---|---|
clientId |
String |
Client identifier, unique within identity zone |
showOnHomePage |
Boolean |
Flag to control visibility on home page |
appLaunchUrl |
String |
URL to which the app is linked to |
appIcon |
String |
Base64 encoded image file |
createdBy |
String |
The user guid of the resource owner who created this client |
| Error Code | Description |
|---|---|
| 404 | Not Found - clientId doesn't exists |
List
$ curl 'http://localhost/oauth/clients/meta' -i -X GET \
-H 'Authorization: Bearer 720198e86bfc4a8b956f98e6c40547ab' \
-H 'Accept: application/json'
GET /oauth/clients/meta HTTP/1.1
Authorization: Bearer 720198e86bfc4a8b956f98e6c40547ab
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 2324
[ {
"clientId" : "aBfEjoNs",
"showOnHomePage" : true,
"appLaunchUrl" : "http://myloginpage.com",
"appIcon" : "aWNvbiBmb3IgY2xpZW50IDQ=",
"createdBy" : "dee58a54-5b44-4f6f-a516-c2e288991f69"
}, {
"clientId" : "admin",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "app",
"clientName" : "The Ultimate Oauth App",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "cf",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "client_with_bcrypt_prefix",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "client_without_openid",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "dashboard",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "htwRyjZR",
"showOnHomePage" : true,
"appLaunchUrl" : "http://client3.com/app",
"appIcon" : "Y2xpZW50IDMgaWNvbg=="
}, {
"clientId" : "iUbFZdqO",
"showOnHomePage" : false,
"appLaunchUrl" : "http://changed.app.launch/url",
"appIcon" : "",
"createdBy" : "dee58a54-5b44-4f6f-a516-c2e288991f69"
}, {
"clientId" : "identity",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "jku_test",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "jku_test_without_autoapprove",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "lAtLEhS8",
"showOnHomePage" : false,
"appLaunchUrl" : "http://client4.com/app",
"appIcon" : "aWNvbiBmb3IgY2xpZW50IDQ="
}, {
"clientId" : "login",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "notifications",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "oauth_showcase_authorization_code",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "oauth_showcase_client_credentials",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "oauth_showcase_implicit_grant",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "oauth_showcase_password_grant",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "oauth_showcase_saml2_bearer",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "oauth_showcase_user_token",
"showOnHomePage" : false,
"appIcon" : ""
}, {
"clientId" : "some_client_that_contains_redirect_uri_matching_request_param",
"showOnHomePage" : false,
"appIcon" : ""
} ]
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token |
Response Fields
| Path | Type | Description |
|---|---|---|
[].clientId |
String |
Client identifier, unique within identity zone |
[].clientName |
String |
Human readable display name for the client |
[].showOnHomePage |
Boolean |
Flag to control visibility on home page |
[].appLaunchUrl |
String |
URL to which the app is linked to |
[].appIcon |
String |
Base64 encoded image file |
[].createdBy |
String |
The user guid of the resource owner who created this client |
Update
$ curl 'http://localhost/oauth/clients/iUbFZdqO/meta' -i -X PUT \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer 001e379861f7410fb96a661db6b89da5' \
-H 'If-Match: 0' \
-H 'Accept: application/json' \
-d '{"clientId":"iUbFZdqO","showOnHomePage":false,"appLaunchUrl":"http://changed.app.launch/url"}'
PUT /oauth/clients/iUbFZdqO/meta HTTP/1.1
Content-Type: application/json
Authorization: Bearer 001e379861f7410fb96a661db6b89da5
If-Match: 0
Accept: application/json
Content-Length: 93
Host: localhost
{"clientId":"iUbFZdqO","showOnHomePage":false,"appLaunchUrl":"http://changed.app.launch/url"}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 183
{
"clientId" : "iUbFZdqO",
"showOnHomePage" : false,
"appLaunchUrl" : "http://changed.app.launch/url",
"appIcon" : "",
"createdBy" : "dee58a54-5b44-4f6f-a516-c2e288991f69"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token containing clients.read, clients.admin or zones.{zone.id}.admin |
X-Identity-Zone-Id |
May include this header to administer another zone if using zones.<zone.id>.admin or uaa.admin scope against the default UAA zone. |
Response Fields
| Path | Type | Description |
|---|---|---|
clientId |
String |
Client identifier, unique within identity zone |
showOnHomePage |
Boolean |
Flag to control visibility on home page |
appLaunchUrl |
String |
URL to which the app is linked to |
appIcon |
String |
Base64 encoded image file |
createdBy |
String |
The user guid of the resource owner who created this client |
| Error Code | Description |
|---|---|
| 404 | Not Found - clientId doesn't exists |
| 400 | Bad Request |
Server Information
The UAA provides several endpoints to describe the server as well as handle various login tasks.
Server Information
This endpoint has two identical endpoints
- /info
- /login
Both return the same result and both support both JSON and HTML output. The HTML output is intended for browser user agents to display a login page.
$ curl 'http://localhost/info?origin=oidc-provider' -i -X GET \
-H 'Accept: application/json'
GET /info?origin=oidc-provider HTTP/1.1
Accept: application/json
Host: localhost
HTTP/1.1 200 OK
Content-Language: en
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Content-Length: 498
{
"app" : {
"version" : "74.22.0"
},
"links" : {
"uaa" : "http://localhost:8080/uaa",
"passwd" : "/forgot_password",
"login" : "http://localhost:8080/uaa",
"register" : "/create_account"
},
"zone_name" : "uaa",
"entityID" : "cloudfoundry-saml-login",
"commit_id" : "git-metadata-not-found",
"idpDefinitions" : { },
"prompts" : {
"username" : [ "text", "Email" ],
"password" : [ "password", "Password" ]
},
"timestamp" : "2020-07-08T01:20:00+0000"
}
Request Headers
| Name | Description |
|---|---|
Accept |
When set to accept application/json the server will return prompts and server info in JSON format. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| origin | String | Optional | Use the configured prompts of the OpenID Connect Provider with the given origin key in the response. Fallback to zone values if no prompts are configured or origin is invalid. |
Response Fields
| Path | Type | Description |
|---|---|---|
app.version |
String |
The UAA version |
commit_id |
String |
The GIT sha for the UAA version |
timestamp |
String |
JSON timestamp for the commit of the UAA version |
idpDefinitions |
Object |
A list of alias/url pairs of SAML IDP providers configured. Each url is the starting point to initiate the authentication process for the SAML identity provider. |
idpDefinitions.* |
Array |
A list of alias/url pairs of SAML IDP providers configured. Each url is the starting point to initiate the authentication process for the SAML identity provider. |
links |
Object |
A list of alias/url pairs of configured action URLs for the UAA |
links.login |
String |
The link to the login host alias of the UAA |
links.uaa |
String |
The link to the uaa alias host of the UAA |
links.passwd |
String |
The link to the 'Forgot Password' functionality. Can be external or internal to the UAA |
links.register |
String |
The link to the 'Create Account' functionality. Can be external or internal to the UAA |
entityID |
String |
The UAA is always a SAML service provider. This field contains the configured entityID |
prompts |
Object |
A list of name/value pairs of configured prompts that the UAA will login a user. Format for each prompt is [type, display name] where type can be 'text' or 'password' |
prompts.username |
Array |
Information about the username prompt. |
prompts.password |
Array |
Information about the password prompt. |
prompts.passcode |
Array |
If a SAML identity provider is configured, this prompt contains a URL to where the user can initiate the SAML authentication flow. |
zone_name |
String |
The name of the zone invoked |
showLoginLinks |
Boolean |
Set to true if there are SAML or OAUTH/OIDC providers with a visible link on the login page. |
Passcode
A user that has been authenticated, can request a one time authentication code, pass code, to be used during a token password grant. Password grants are often used in non browser environments, and authenticating a user with SAML, may be difficult.
$ curl 'http://localhost/passcode' -i -X GET \
-H 'Accept: application/json' \
-H 'Cookie: JSESSIONID=53'
GET /passcode HTTP/1.1
Accept: application/json
Cookie: JSESSIONID=53
Host: localhost
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: X-Uaa-Csrf=ge4a9hoDYcB7jdG8Uaku5A; Path=/; Max-Age=86400; Expires=Thu, 09 Jul 2020 01:23:18 GMT; HttpOnly
Content-Language: en
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 12
"q2ZugJjzoV"
Request Headers
| Name | Description |
|---|---|
Cookie |
JSESSIONID cookie to match the server side session of the authenticated user. |
Auto Login
Get authentication code
Similar to /passcode, the difference with an autologin authentication code, is that the authentication of the user takes place during the generation of the temporary authentication code. The autologin authentication code can be used to log the user in with an HTTP redirect. The UAA will establish an authenticated server side session and expire the code. To generate the temporary authentication code, a POST against /autologin is required.
$ curl 'http://localhost/autologin' -i -u 'admin:adminsecret' -X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d '{"username":"marissa","password":"koala"}'
POST /autologin HTTP/1.1
Content-Type: application/json
Authorization: Basic YWRtaW46YWRtaW5zZWNyZXQ=
Accept: application/json
Content-Length: 41
Host: localhost
{"username":"marissa","password":"koala"}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 58
{
"code" : "YBhaT8uH2Z",
"path" : "/oauth/authorize"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Basic authorization header for the client making the autologin request |
Content-Type |
Set to application/json |
Accept |
Set to application/json |
Request Body
| Path | Type | Constraints | Description |
|---|---|---|---|
| username | String | Required | The username for the autologin request |
| password | String | Required | The password for the autologin request |
Response Body
| Path | Type | Description |
|---|---|---|
code |
String |
The code used to authenticate the user. |
path |
String |
Not used. Hardcoded to /oauth/authorize |
Perform Login
To exchange the code for an authenticated session, simply issue a redirect to /autologin using the code and client_id. If successful the user will be redirected to the home page, unless the user had tried to access a protected URL and the UAA remembers the URL that was accessed.
$ curl 'http://localhost/autologin?code=ydTHom7sBA&client_id=admin' -i -X GET
GET /autologin?code=ydTHom7sBA&client_id=admin HTTP/1.1
Host: localhost
HTTP/1.1 302 Found
Set-Cookie: Current-User=%7B%22userId%22%3A%226c0a5d62-dda9-4900-bd8d-0ad6cf67d5c7%22%7D; Path=/; Max-Age=1800; Expires=Wed, 08 Jul 2020 01:53:18 GMT
Content-Language: en
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: home
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| code | String | Required | The code generated from the POST /autologin |
| client_id | String | Required | The client_id that generated the autologin code |
External Login Server
The UAA provides endpoints that facilitate the use of an external login server. A server that handles the UI for browser based actions.
Change Password Flow
Request Reset Password Code
This endpoint returns an onetime code that can be used to change a user's password.
The actual password change can take place by invoking an API endpoint, /password_change, or by a UI flow through
the /reset_password endpoint.
$ curl 'http://localhost/password_resets?client_id=login&redirect_uri=http%3A%2F%2Fgo.to.my.app%2Fafter%2Freset' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJhMWM3Nzk4Mjg3ZDA0MmIyOGMwMDJiNTBjY2Y3MmI3NCIsInN1YiI6ImxvZ2luIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiZW1haWxzLndyaXRlIiwic2NpbS51c2VyaWRzIiwicGFzc3dvcmQud3JpdGUiLCJpZHBzLndyaXRlIiwibm90aWZpY2F0aW9ucy53cml0ZSIsIm9hdXRoLmxvZ2luIiwic2NpbS53cml0ZSIsImNyaXRpY2FsX25vdGlmaWNhdGlvbnMud3JpdGUiXSwic2NvcGUiOlsib2F1dGgubG9naW4iXSwiY2xpZW50X2lkIjoibG9naW4iLCJjaWQiOiJsb2dpbiIsImF6cCI6ImxvZ2luIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiJlMGU5ODE2MyIsImlhdCI6MTU5NDE3MTM4MywiZXhwIjoxNTk0MjE0NTgzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImxvZ2luIiwib2F1dGgiXX0.WTQWmOyVVKH9T4w_NeK7UhFGcrLN3u0kXICJ1WH385s' \
-H 'Accept: application/json' \
-d '[email protected]'
POST /password_resets?client_id=login&redirect_uri=http%3A%2F%2Fgo.to.my.app%2Fafter%2Freset HTTP/1.1
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJhMWM3Nzk4Mjg3ZDA0MmIyOGMwMDJiNTBjY2Y3MmI3NCIsInN1YiI6ImxvZ2luIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiZW1haWxzLndyaXRlIiwic2NpbS51c2VyaWRzIiwicGFzc3dvcmQud3JpdGUiLCJpZHBzLndyaXRlIiwibm90aWZpY2F0aW9ucy53cml0ZSIsIm9hdXRoLmxvZ2luIiwic2NpbS53cml0ZSIsImNyaXRpY2FsX25vdGlmaWNhdGlvbnMud3JpdGUiXSwic2NvcGUiOlsib2F1dGgubG9naW4iXSwiY2xpZW50X2lkIjoibG9naW4iLCJjaWQiOiJsb2dpbiIsImF6cCI6ImxvZ2luIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiJlMGU5ODE2MyIsImlhdCI6MTU5NDE3MTM4MywiZXhwIjoxNTk0MjE0NTgzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImxvZ2luIiwib2F1dGgiXX0.WTQWmOyVVKH9T4w_NeK7UhFGcrLN3u0kXICJ1WH385s
Accept: application/json
Content-Length: 20
Host: localhost
[email protected]
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 81
{
"code" : "EG0y2UU0JN",
"user_id" : "822b5fa1-b40f-4d97-928b-47cad04bc671"
}
Request Headers
| Name | Description |
|---|---|
Authorization |
Bearer token with the scope oauth.login present. |
X-Identity-Zone-Id |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id. |
X-Identity-Zone-Subdomain |
If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain. |
Request Parameters
| Parameter | Type | Constraints | Description |
|---|---|---|---|
| client_id | String | Optional | Optional client_id |
| redirect_uri | String | Optional | Optional redirect_uri to be used if the /reset_password flow is completed. |
Request Body
The required request body of this request is the user's username, typically an email address, in form of a JSON string.
Response Body
| Path | Type | Description |
|---|---|---|
code |
String |
The code to used to invoke the /password_change endpoint with or to initiate the /reset_password flow. |
user_id |
String |
The UUID identifying the user. |