NAV
  • Overview
  • Authorization
  • Token
  • Introspect Token
  • Check Token
  • Token Key(s)
  • Session Management
  • Identity Zones
  • Identity Providers
  • Service Providers
  • MFA Providers
  • Users
  • Groups
  • Clients
  • Server Information
  • External Login Server
  • Overview

    The User Account and Authentication Service (UAA):

    Authorization

    Authorization Code Grant

    Browser flow

    $ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Flocalhost%2Fapp&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Flocalhost%2Fapp&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256 HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=VjMSbU6ODkgSDrrIEAeiqn; Path=/; Max-Age=86400; Expires=Fri, 5 May 2023 14:53:54 GMT; HttpOnly; SameSite=Lax
    Cache-Control: no-store
    Content-Language: en
    Location: http://localhost/app?code=qXfjgPQ5bm1lmofKdMCjUmzywrKXyOX1
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, code for requesting an authorization code for an access token, as per OAuth spec
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    code_challenge String Optional UAA 75.5.0 PKCE Code Challenge. When code_challenge is present also a code_challenge_method must be provided. A matching code_verifier parameter must be provided in the subsequent request to get an access_token from /oauth/token
    code_challenge_method String Optional UAA 75.5.0 PKCE Code Challenge Method. S256 and plain methods are supported. S256 method creates a BASE64 URL encoded SHA256 hash of the code_verifier. The plain method is intended for constrained devices unable to calculate SHA256. In this case the code_verifier equals the code_challenge. If possible it is recommended to use S256.
    login_hint String Optional UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider.

    Api flow

    $ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256&state=sCTSBs' -i -X GET \
        -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJkMmUxZjcwYjc4ZWM0ODdmOGVjYWQzNTliYjM4MGFjYyIsInN1YiI6IjAxMzJiYmYxLTEyODEtNGExNC05ZGM1LWRhNTAwMDBhOWI0MyIsInNjb3BlIjpbInVhYS51c2VyIl0sImNsaWVudF9pZCI6ImNmIiwiY2lkIjoiY2YiLCJhenAiOiJjZiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiIwMTMyYmJmMS0xMjgxLTRhMTQtOWRjNS1kYTUwMDAwYTliNDMiLCJvcmlnaW4iOiJ1YWEiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwiZW1haWwiOiJtYXJpc3NhQHRlc3Qub3JnIiwiYXV0aF90aW1lIjoxNjgzMjEyMDMzLCJyZXZfc2lnIjoiZGQ1MDdhNmYiLCJpYXQiOjE2ODMyMTIwMzMsImV4cCI6MTY4MzI1NTIzMywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6InVhYSIsImF1ZCI6WyJjZiIsInVhYSJdfQ.lc8jrF8aPVPQL42meVSl1ne8FJGnGfyYDUVrNfDVkpY'
    
    GET /oauth/authorize?response_type=code&client_id=login&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256&state=sCTSBs HTTP/1.1
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJkMmUxZjcwYjc4ZWM0ODdmOGVjYWQzNTliYjM4MGFjYyIsInN1YiI6IjAxMzJiYmYxLTEyODEtNGExNC05ZGM1LWRhNTAwMDBhOWI0MyIsInNjb3BlIjpbInVhYS51c2VyIl0sImNsaWVudF9pZCI6ImNmIiwiY2lkIjoiY2YiLCJhenAiOiJjZiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiIwMTMyYmJmMS0xMjgxLTRhMTQtOWRjNS1kYTUwMDAwYTliNDMiLCJvcmlnaW4iOiJ1YWEiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwiZW1haWwiOiJtYXJpc3NhQHRlc3Qub3JnIiwiYXV0aF90aW1lIjoxNjgzMjEyMDMzLCJyZXZfc2lnIjoiZGQ1MDdhNmYiLCJpYXQiOjE2ODMyMTIwMzMsImV4cCI6MTY4MzI1NTIzMywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6InVhYSIsImF1ZCI6WyJjZiIsInVhYSJdfQ.lc8jrF8aPVPQL42meVSl1ne8FJGnGfyYDUVrNfDVkpY
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Content-Language: en
    Location: http://localhost/redirect/cf?code=ZAvM-hTD0Pj95sQbc9QAIlJc4FawVYEd&state=sCTSBs
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, code for requesting an authorization code for an access token, as per OAuth spec
    client_id String Required a unique string representing the registration information provided by the client
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    code_challenge String Optional UAA 75.5.0 PKCE Code Challenge. When code_challenge is present also a code_challenge_method must be provided. A matching code_verifier parameter must be provided in the subsequent request to get an access_token from /oauth/token
    code_challenge_method String Optional UAA 75.5.0 PKCE Code Challenge Method. S256 and plain methods are supported. S256 method creates a BASE64 URL encoded SHA256 hash of the code_verifier. The plain method is intended for constrained devices unable to calculate SHA256. In this case the code_verifier equals the code_challenge. If possible it is recommended to use S256.
    state String Required any random string to be returned in the Location header as a query parameter, used to achieve per-request customization

    Request Headers

    Name Description
    Authorization Bearer token containing uaa.user scope - the authentication for this user

    Implicit Grant

    $ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=09mMqMDhcwHGLMufnB4YA1; Path=/; Max-Age=86400; Expires=Fri, 5 May 2023 14:53:54 GMT; HttpOnly; SameSite=Lax
    Cache-Control: no-store
    Content-Language: en
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiI1MjQ2MzJiNzg5ZDI0YTkyODcxOGY0MjlhMDY2YTA3OCIsInN1YiI6IjAxMzJiYmYxLTEyODEtNGExNC05ZGM1LWRhNTAwMDBhOWI0MyIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJhenAiOiJhcHAiLCJncmFudF90eXBlIjoiaW1wbGljaXQiLCJ1c2VyX2lkIjoiMDEzMmJiZjEtMTI4MS00YTE0LTlkYzUtZGE1MDAwMGE5YjQzIiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoibWFyaXNzYSIsImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsImF1dGhfdGltZSI6MTY4MzIxMjAzMywicmV2X3NpZyI6Ijg0ZjRiOGQ4IiwiaWF0IjoxNjgzMjEyMDM0LCJleHAiOjE2ODMyNTUyMzQsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsiYXBwIiwib3BlbmlkIl19.wcAkqN9neAJ3U3s2SWiZhFzRoShM506eLDKKI45SYYM&expires_in=43199&jti=524632b789d24a928718f429a066a078
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, token, i.e. an access token
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    login_hint String Optional UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider.

    Response Headers

    Name Description
    Location Location as defined in the spec includes access_token in the reply fragment if successful

    Implicit Grant with prompt

    $ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Set-Cookie: Current-User=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#error=login_required&session_state=2de5cc03719631c042df4061e2b1e6653866cb181054592f418891ffd21e88d4.add4d70a169bbb5ecdc402bc391dccc8b05f2e18180e547a3697944cae0172e4
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, token, i.e. an access token
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    prompt String Optional specifies whether to prompt for user authentication. Only value none is supported.

    Response Headers

    Name Description
    Location Redirect url specified in the request parameters.

    OpenID Connect flow

    OpenID Provider Configuration Request

    An OpenID Provider Configuration Document MUST be queried using an HTTP GET request at the previously specified path.

    $ curl 'http://localhost/.well-known/openid-configuration' -i -X GET \
        -H 'Accept: application/json'
    
    GET /.well-known/openid-configuration HTTP/1.1
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Content-Length: 1356
    
    {
      "issuer" : "http://localhost:8080/uaa/oauth/token",
      "authorization_endpoint" : "http://localhost/oauth/authorize",
      "token_endpoint" : "http://localhost/oauth/token",
      "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
      "token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ],
      "userinfo_endpoint" : "http://localhost/userinfo",
      "jwks_uri" : "http://localhost/token_keys",
      "end_session_endpoint" : "http://localhost/logout.do",
      "scopes_supported" : [ "openid", "profile", "email", "phone", "roles", "user_attributes" ],
      "response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ],
      "subject_types_supported" : [ "public" ],
      "id_token_signing_alg_values_supported" : [ "RS256", "HS256" ],
      "id_token_encryption_alg_values_supported" : [ "none" ],
      "claim_types_supported" : [ "normal" ],
      "claims_supported" : [ "sub", "user_name", "origin", "iss", "auth_time", "amr", "acr", "client_id", "aud", "zid", "grant_type", "user_id", "azp", "scope", "exp", "iat", "jti", "rev_sig", "cid", "given_name", "family_name", "phone_number", "email" ],
      "claims_parameter_supported" : false,
      "service_documentation" : "http://docs.cloudfoundry.org/api/uaa/",
      "ui_locales_supported" : [ "en-US" ],
      "code_challenge_methods_supported" : [ "S256", "plain" ]
    }
    

    Response Fields

    Path Type Description
    issuer String URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
    authorization_endpoint String URL of authorization endpoint.
    token_endpoint String URL of token endpoint.
    userinfo_endpoint String URL of the OP's UserInfo Endpoint.
    jwks_uri String URL of the OP's JSON Web Key Set document.
    end_session_endpoint String URL of the logout endpoint.
    scopes_supported Array JSON array containing a list of the OAuth 2.0 scope values that this server supports.
    subject_types_supported Array JSON array containing a list of the Subject Identifier types that this OP supports.
    token_endpoint_auth_methods_supported Array JSON array containing a list of Client Authentication methods supported by this Token Endpoint.
    token_endpoint_auth_signing_alg_values_supported Array JSON array containing a list of the JWS signing algorithms.
    response_types_supported Array JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
    id_token_signing_alg_values_supported Array JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT.
    id_token_encryption_alg_values_supported Array JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP.
    claim_types_supported Array JSON array containing a list of the Claim Types that the OpenID Provider supports.
    claims_supported Array JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for.
    claims_parameter_supported Boolean Boolean value specifying whether the OP supports use of the claims parameter.
    service_documentation String URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider.
    code_challenge_methods_supported Array UAA 75.5.0JSON array containing a list of PKCE code challenge methods supported by this authorization endpoint.
    ui_locales_supported Array Languages and scripts supported for the user interface.

    ID token

    The authorization request may specify a response type of id_token, and an ID token as defined by OpenID Connect will be included in the fragment of the redirect URL.

    $ curl 'http://localhost/oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=TDl7_4ryT1U6VX7pwj0Qdu; Path=/; Max-Age=86400; Expires=Fri, 5 May 2023 14:53:54 GMT; HttpOnly; SameSite=Lax
    Cache-Control: no-store
    Content-Language: en
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiIwMTMyYmJmMS0xMjgxLTRhMTQtOWRjNS1kYTUwMDAwYTliNDMiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE2ODMyNTUyMzQsImlhdCI6MTY4MzIxMjAzNCwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6IjlmNTk0ZDM3ZGYwOTQ2MmU5OTg5MTRjYzg0NzAwMWVmIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImFwcCIsImNpZCI6ImFwcCIsImdyYW50X3R5cGUiOiJpbXBsaWNpdCIsInVzZXJfbmFtZSI6Im1hcmlzc2EiLCJyZXZfc2lnIjoiODRmNGI4ZDgiLCJ1c2VyX2lkIjoiMDEzMmJiZjEtMTI4MS00YTE0LTlkYzUtZGE1MDAwMGE5YjQzIiwiYXV0aF90aW1lIjoxNjgzMjEyMDM0fQ.vkK2Q3SQnTs4SJGXzDGITaJ1W1a2yJTrKmvNJPh3kyU&expires_in=43199&jti=9f594d37df09462e998914cc847001ef
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, id_token
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    login_hint String Optional UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider.

    Response Headers

    Name Description
    Location Location as defined in the spec includes id_token in the reply fragment if successful

    ID token and Access token

    The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the access token.

    $ curl 'http://localhost/oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=DiOZDMR9t1CQqj7VAUvFnU; Path=/; Max-Age=86400; Expires=Fri, 5 May 2023 14:53:54 GMT; HttpOnly; SameSite=Lax
    Cache-Control: no-store
    Content-Language: en
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiIyOGJjNWM1Y2FiMTI0MWNlYWNkZTk2Yjc3NmM0Njg3YiIsInN1YiI6IjAxMzJiYmYxLTEyODEtNGExNC05ZGM1LWRhNTAwMDBhOWI0MyIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJhenAiOiJhcHAiLCJncmFudF90eXBlIjoiaW1wbGljaXQiLCJ1c2VyX2lkIjoiMDEzMmJiZjEtMTI4MS00YTE0LTlkYzUtZGE1MDAwMGE5YjQzIiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoibWFyaXNzYSIsImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsImF1dGhfdGltZSI6MTY4MzIxMjAzNCwicmV2X3NpZyI6Ijg0ZjRiOGQ4IiwiaWF0IjoxNjgzMjEyMDM0LCJleHAiOjE2ODMyNTUyMzQsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsiYXBwIiwib3BlbmlkIl19.2vznUcSwkIBysKczsAlu182cYRncIvU01YNYCsAx0ak&id_token=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiIwMTMyYmJmMS0xMjgxLTRhMTQtOWRjNS1kYTUwMDAwYTliNDMiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE2ODMyNTUyMzQsImlhdCI6MTY4MzIxMjAzNCwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6IjI4YmM1YzVjYWIxMjQxY2VhY2RlOTZiNzc2YzQ2ODdiIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImFwcCIsImNpZCI6ImFwcCIsImdyYW50X3R5cGUiOiJpbXBsaWNpdCIsInVzZXJfbmFtZSI6Im1hcmlzc2EiLCJyZXZfc2lnIjoiODRmNGI4ZDgiLCJ1c2VyX2lkIjoiMDEzMmJiZjEtMTI4MS00YTE0LTlkYzUtZGE1MDAwMGE5YjQzIiwiYXV0aF90aW1lIjoxNjgzMjEyMDM0fQ.XfiRnyxSLG5XN52q_AvXHJAKsreGUBc6wx10_PN0fX8&expires_in=43199&jti=28bc5c5cab1241ceacde96b776c4687b
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, token id_token, indicating both an access token and an ID token.
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    login_hint String Optional UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider.

    Response Headers

    Name Description
    Location Location as defined in the spec includes access_token and id_token in the reply fragment if successful

    Hybrid flow

    The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the authorization code.

    $ curl 'http://localhost/oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=HzewaqlB_8NfCWkqlq1hyh; Path=/; Max-Age=86400; Expires=Fri, 5 May 2023 14:53:54 GMT; HttpOnly; SameSite=Lax
    Cache-Control: no-store
    Content-Language: en
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiIwMTMyYmJmMS0xMjgxLTRhMTQtOWRjNS1kYTUwMDAwYTliNDMiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE2ODMyNTUyMzQsImlhdCI6MTY4MzIxMjAzNCwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6ImE3ZmVkNDU3NWViMTRjNWM4NGQyYTBmZDlkNzdjOGFjIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImFwcCIsImNpZCI6ImFwcCIsImdyYW50X3R5cGUiOiJhdXRob3JpemF0aW9uX2NvZGUiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwicmV2X3NpZyI6Ijg0ZjRiOGQ4IiwidXNlcl9pZCI6IjAxMzJiYmYxLTEyODEtNGExNC05ZGM1LWRhNTAwMDBhOWI0MyIsImF1dGhfdGltZSI6MTY4MzIxMjAzNH0.sSMOPk5FFX4HoHxvDY36qPFdkNYWjB4SQEpIsaHci1k&code=uW_CGWOKPbVonFTf3r2fjzgT7fY0_ozl&expires_in=43199&jti=a7fed4575eb14c5c84d2a0fd9d77c8ac
    
    

    Request Parameters

    Parameter Type Constraints Description
    response_type String Required Space-delimited list of response types. Here, id_token code, indicating a request for an ID token and an authorization code.
    client_id String Required a unique string representing the registration information provided by the client
    scope String Optional requested scopes, space-delimited
    redirect_uri String Optional redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    login_hint String Optional UAA 4.19.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider.

    Response Headers

    Name Description
    Location Location as defined in the spec includes code and id_token in the reply fragment if successful

    Token

    The /oauth/token endpoint requires client authentication to be accessed. Client Authentication can be passed as as part of the request authorization header, using basic authentication, or as part of the request parameters, using the client_id and client_secret parameter names.

    Authorization Code Grant

    $ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&code=p6csWj_lIjhPBMQI1NCs3YPq3nIckGPJ&token_format=opaque&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
    Accept: application/json
    Host: localhost
    
    client_id=login&client_secret=loginsecret&grant_type=authorization_code&code=p6csWj_lIjhPBMQI1NCs3YPq3nIckGPJ&token_format=opaque&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1088
    
    {
      "access_token" : "6751d0d016a04084917dc5dd690d7613",
      "token_type" : "bearer",
      "id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJmMWE5OTJlNC1kYjI2LTQ0ZGQtYmZjYy0zM2Q4YWMwYTdlYTkiLCJhdWQiOlsibG9naW4iXSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImV4cCI6MTY4MzI1NTMzMSwiaWF0IjoxNjgzMjEyMTMxLCJhenAiOiJsb2dpbiIsInNjb3BlIjpbIm9wZW5pZCJdLCJlbWFpbCI6IkZrQkN4UEB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6IjY3NTFkMGQwMTZhMDQwODQ5MTdkYzVkZDY5MGQ3NjEzIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImxvZ2luIiwiY2lkIjoibG9naW4iLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwidXNlcl9uYW1lIjoiRmtCQ3hQQHRlc3Qub3JnIiwicmV2X3NpZyI6ImMyN2U3NzM0IiwidXNlcl9pZCI6ImYxYTk5MmU0LWRiMjYtNDRkZC1iZmNjLTMzZDhhYzBhN2VhOSIsImF1dGhfdGltZSI6MTY4MzIxMjEzMX0.Mgiuq2L3nmF-IHBvU2IYL0V1piiLeKrdbk6oKu09mdw",
      "refresh_token" : "1d67cd20685a4c6d94fb6651c13a287e-r",
      "expires_in" : 43199,
      "scope" : "openid oauth.approvals",
      "jti" : "6751d0d016a04084917dc5dd690d7613"
    }
    

    Request Headers

    Name Description
    Authorization Client ID and secret may be passed as a basic authorization header, per RFC 6749 or as request parameters.

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    redirect_uri String Required if provided on authorization request redirection URI to which the authorization server will send the user-agent back once access is granted (or denied)
    code String Required the authorization code, obtained from /oauth/authorize, issued for the user
    grant_type String Required the type of authentication being used to obtain the token, in this case authorization_code
    client_secret String Optional UAA 75.21.0 Optional and can be omitted if client has configured allowpublic and PKCE with code_challange_method=S256 is used to create to code.
    code_verifier String Optional UAA 75.5.0 PKCE Code Verifier. A code_verifier parameter must be provided if a code_challenge parameter was present in the previous call to /oauth/authorize. The code_verifier must match the used code_challenge (according to the selected code_challenge_method)
    token_format String Optional Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    Client Credentials Grant

    Without Authorization

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=login&client_secret=loginsecret&scope=scim.write&grant_type=client_credentials&token_format=opaque'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=login&client_secret=loginsecret&scope=scim.write&grant_type=client_credentials&token_format=opaque
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 180
    
    {
      "access_token" : "90e28ca7ba89448390d7136c415ef6df",
      "token_type" : "bearer",
      "expires_in" : 43199,
      "scope" : "scim.write",
      "jti" : "90e28ca7ba89448390d7136c415ef6df"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    grant_type String Required the type of authentication being used to obtain the token, in this case client_credentials
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.
    token_format String Optional Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized for this client. This list is derived from the authorities configured on the client.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    With Authorization

    $ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'grant_type=client_credentials&scope=scim.write&token_format=opaque'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
    Host: localhost
    
    grant_type=client_credentials&scope=scim.write&token_format=opaque
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 180
    
    {
      "access_token" : "3072cf6d45624654b9ea75f82df05342",
      "token_type" : "bearer",
      "expires_in" : 43199,
      "scope" : "scim.write",
      "jti" : "3072cf6d45624654b9ea75f82df05342"
    }
    

    Request Header

    Name Description
    Authorization Base64 encoded client details in the format: Basic client_id:client_secret

    Request Parameters

    Parameter Type Constraints Description
    grant_type String Required the type of authentication being used to obtain the token, in this case client_credentials
    scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.
    token_format String Optional Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized for this client. This list is derived from the authorities configured on the client.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    Password Grant

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=app&client_secret=appclientsecret&grant_type=password&username=SGhgFr%40test.org&password=secr3T&token_format=opaque&login_hint=%7B%22origin%22%3A%22uaa%22%7D'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=app&client_secret=appclientsecret&grant_type=password&username=SGhgFr%40test.org&password=secr3T&token_format=opaque&login_hint=%7B%22origin%22%3A%22uaa%22%7D
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1140
    
    {
      "access_token" : "820921847b7246a8bc290e578f7e59de",
      "token_type" : "bearer",
      "id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiIyNDZiZTZjZi04MDE0LTQ0ZTEtYWU1NS1hZmU1MWVjZDljNTAiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE2ODMyNTUyNDYsImlhdCI6MTY4MzIxMjA0NiwiYW1yIjpbInB3ZCJdLCJhenAiOiJhcHAiLCJzY29wZSI6WyJvcGVuaWQiXSwiZW1haWwiOiJTR2hnRnJAdGVzdC5vcmciLCJ6aWQiOiJ1YWEiLCJvcmlnaW4iOiJ1YWEiLCJqdGkiOiI4MjA5MjE4NDdiNzI0NmE4YmMyOTBlNTc4ZjdlNTlkZSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJTR2hnRnJAdGVzdC5vcmciLCJyZXZfc2lnIjoiMmJkNTIyNDIiLCJ1c2VyX2lkIjoiMjQ2YmU2Y2YtODAxNC00NGUxLWFlNTUtYWZlNTFlY2Q5YzUwIiwiYXV0aF90aW1lIjoxNjgzMjEyMDQ2fQ.leDjZmGfCp99w0PWV5BGOTmwGC8j2dmjzK1IxFkT1Yk",
      "refresh_token" : "fa04f11b11194bff8d5ad659598d874b-r",
      "expires_in" : 43199,
      "scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
      "jti" : "820921847b7246a8bc290e578f7e59de"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    grant_type String Required the type of authentication being used to obtain the token, in this case password
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    username String Required the username for the user trying to get a token
    password String Required the password for the user trying to get a token
    token_format String Optional Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used.
    login_hint String Optional UAA 75.5.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider. Note that this identity provider must support the grant type password.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    Password Grant with MFA

    A password grant can be completed when multi-factor authentication is enabled.

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=app&client_secret=appclientsecret&grant_type=password&username=2eqfAt%40test.org&password=secr3T&mfaCode=824736&token_format=opaque&login_hint=%7B%22origin%22%3A%22uaa%22%7D'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=app&client_secret=appclientsecret&grant_type=password&username=2eqfAt%40test.org&password=secr3T&mfaCode=824736&token_format=opaque&login_hint=%7B%22origin%22%3A%22uaa%22%7D
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1156
    
    {
      "access_token" : "5dcf9587cf024136a43fce891b7473f6",
      "token_type" : "bearer",
      "id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiI4NTAzZWQ2OS0zM2VmLTRjOTEtYjliZS1mNGU2ODdlYWY4ZjQiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE2ODMyNTUzMjUsImlhdCI6MTY4MzIxMjEyNSwiYW1yIjpbIm1mYSIsIm90cCIsInB3ZCJdLCJhenAiOiJhcHAiLCJzY29wZSI6WyJvcGVuaWQiXSwiZW1haWwiOiIyZXFmQXRAdGVzdC5vcmciLCJ6aWQiOiJ1YWEiLCJvcmlnaW4iOiJ1YWEiLCJqdGkiOiI1ZGNmOTU4N2NmMDI0MTM2YTQzZmNlODkxYjc0NzNmNiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX25hbWUiOiIyZXFmQXRAdGVzdC5vcmciLCJyZXZfc2lnIjoiNmEwYWU4MTQiLCJ1c2VyX2lkIjoiODUwM2VkNjktMzNlZi00YzkxLWI5YmUtZjRlNjg3ZWFmOGY0IiwiYXV0aF90aW1lIjoxNjgzMjEyMDg0fQ.rmjQB2wAGXD-Eq1zhmHSoMGIvX3I5b-Db4sR3iR2a60",
      "refresh_token" : "14c03c45ccbd4f7a8c89eaf63169eda4-r",
      "expires_in" : 43199,
      "scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
      "jti" : "5dcf9587cf024136a43fce891b7473f6"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    grant_type String Required the type of authentication being used to obtain the token, in this case password
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    username String Required the username for the user trying to get a token
    password String Required the password for the user trying to get a token
    mfaCode Number Required A one time passcode from a registered multi-factor generator
    token_format String Optional Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used.
    login_hint String Optional UAA 75.5.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider. Note that this identity provider must support the grant type password.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    One-time Passcode

    $ curl 'http://localhost/oauth/token' -i -u 'app:appclientsecret' -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'grant_type=password&passcode=5q3vxv6oka9RdfpVa8aUIGAPsS4AM4CJ&token_format=opaque'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    Host: localhost
    
    grant_type=password&passcode=5q3vxv6oka9RdfpVa8aUIGAPsS4AM4CJ&token_format=opaque
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1081
    
    {
      "access_token" : "70dd2a5ea9af45d78588a5aa622264e5",
      "token_type" : "bearer",
      "id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiIwMTZlMWMyZi01MDRiLTQ3ZDMtOGUxYy0xNjU5MTI3Mzc4NmQiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE2ODMyNTUyNDUsImlhdCI6MTY4MzIxMjA0NSwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6IjcwZGQyYTVlYTlhZjQ1ZDc4NTg4YTVhYTYyMjI2NGU1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImFwcCIsImNpZCI6ImFwcCIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfbmFtZSI6Im1hcmlzc2EiLCJyZXZfc2lnIjoiZmQ5NDcyMDEiLCJ1c2VyX2lkIjoiMDE2ZTFjMmYtNTA0Yi00N2QzLThlMWMtMTY1OTEyNzM3ODZkIn0.sjc3_mG3Rmr_cchXTt8Y3Bz-alwWu5ziqEM89FO9oVU",
      "refresh_token" : "7dcd75be7481421391a6b0650e2fbe0a-r",
      "expires_in" : 43199,
      "scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
      "jti" : "70dd2a5ea9af45d78588a5aa622264e5"
    }
    

    Request Header

    Name Description
    Authorization Base64 encoded client details in the format: Basic client_id:client_secret

    Request Parameters

    Parameter Type Constraints Description
    grant_type String Required the type of authentication being used to obtain the token, in this case password
    passcode String Required the one-time passcode for the user which can be retrieved by going to /passcode
    token_format String Optional Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    User Token Grant

    A user_token grant, is a flow that allows the generation of a refresh_token for another client. The requesting client, must have grant_type=user_token and the bearer token for this request must have uaa.user and be a token that represents an authenticated user.

    The idea with this grant flow, is that a user can preapprove a token grant for another client, rather than having to participate in the approval process when the client needs the access token.

    The refresh_token that results from this grant, is opaque, and can only be exchanged by the client it was intended for.

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Authorization: Bearer c796fc0ca0464f05a044da25e5a2aea7' \
        -H 'Accept: application/json' \
        -d 'client_id=app&grant_type=user_token&scope=openid&token_format=jwt'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer c796fc0ca0464f05a044da25e5a2aea7
    Accept: application/json
    Host: localhost
    
    client_id=app&grant_type=user_token&scope=openid&token_format=jwt
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 206
    
    {
      "access_token" : null,
      "token_type" : "bearer",
      "refresh_token" : "698e966146bc46e5b67ee47ab2c2d260-r",
      "expires_in" : 43199,
      "scope" : "openid",
      "jti" : "698e966146bc46e5b67ee47ab2c2d260-r"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional The client ID of the receiving client, this client must have refresh_token grant type
    grant_type String Required The type of token grant requested, in this case user_token
    token_format String Optional This parameter is ignored. The refresh_token will always be opaque
    scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.

    Response Fields

    Path Type Description
    access_token Null An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    SAML2 Bearer Grant

    The SAML 2.0 bearer grant allows to request an OAuth 2.0 access token with a SAML 2.0 bearer assertion. The flow is defined in RFC 7522. The requesting client, must have grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer. In addition the requesting client must either allow the IDP in allowedproviders or omit the property so that any trusted IDP is allowed. The trust to the assertion issuer is reused from the SAML 2.0 WebSSO profiles.

    This grant enables an App2App mechanism with SSO. Typical scenarios are applications outside of CF, which consume a service within the CF world. The endpoint of the bearer assertion is /oauth/token/alias/<endityid> so the Recipient attribute in the bearer assertion must point to the corresponding URI, e.g. http://localhost:8080/uaa/oauth/token/alias/cloudfoundry-saml-login.

    $ curl 'http://j8fzdv.localhost:8080/uaa/oauth/token/alias/j8fzdv.cloudfoundry-saml-login' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -H 'Host: j8fzdv.localhost' \
        -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclientf4mPgf&client_secret=secret&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTFlN2FqaWcxODU1YjJiNDRqN2g1aDQ3MzlmMDFoMiIgSXNzdWVJbnN0YW50PSIyMDIzLTA1LTA0VDE0OjU0OjEyLjMwNFoiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyPmo4Znpkdi5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjYTFlN2FqaWcxODU1YjJiNDRqN2g1aDQ3MzlmMDFoMiI-PGRzOlRyYW5zZm9ybXM-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI-PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM-PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8-PGRzOkRpZ2VzdFZhbHVlPnpZYnFJdk42UktLYUt3L0JNS0pERzc5MU53Yz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU-dDZkcDdTMW5nYUdiTVFTdlp5M0ViU1dKaHJDR2xHMWhGLzVldmRIdGo4TTRUZWwrSWpxTCt1UTduYjM2RitiM0pmSGw3SnpGU04wTGhxMGRHS1lyQ01LU1g2azlhK2t2eEVBeDFmb2paeG1SQ2R3QXRFRm9tbGkyMlROT1BhOEI2M3k4eGd6bTFWQk9ReWZ0Y3E2MDNTT0RnTWcyOWkyYmlEZmtERjIyUFJVPTwvZHM6U2lnbmF0dXJlVmFsdWU-PGRzOktleUluZm8-PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU-TUlJRFNUQ0NBcktnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVFRRkFEQjhNUXN3Q1FZRFZRUUdFd0poZHpFT01Bd0dBMVVFQ0JNRgpZWEoxWW1FeERqQU1CZ05WQkFvVEJXRnlkV0poTVE0d0RBWURWUVFIRXdWaGNuVmlZVEVPTUF3R0ExVUVDeE1GWVhKMVltRXhEakFNCkJnTlZCQU1UQldGeWRXSmhNUjB3R3dZSktvWklodmNOQVFrQkZnNWhjblZpWVVCaGNuVmlZUzVoY2pBZUZ3MHhOVEV4TWpBeU1qSTIKTWpkYUZ3MHhOakV4TVRreU1qSTJNamRhTUh3eEN6QUpCZ05WQkFZVEFtRjNNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRQpDaE1GWVhKMVltRXhEakFNQmdOVkJBY1RCV0Z5ZFdKaE1RNHdEQVlEVlFRTEV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4CkhUQWJCZ2txaGtpRzl3MEJDUUVXRG1GeWRXSmhRR0Z5ZFdKaExtRnlNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0IKZ1FESHRDNWdVWHhCS3BFcVpUTGtOdkZ3TkduTklrZ2dOT3dPUVZOYnBPMFdWSElpdmlnNUwzOVdxUzl1MGhuQStPN01DQS9LbHJBUgo0YlhhZVZWaHdmVVBZQktJcGFhVFdGUVI1Y1RSMVVGWkpML09GOXZBZnBPd3pub0Q2NkREQ25RVnBiQ2p0RFlXWCt4NmlteG44SENZCnhoTW9sNlpuVGJTc0ZXNlZaakZNalFJREFRQUJvNEhhTUlIWE1CMEdBMVVkRGdRV0JCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3kKR0RDQnB3WURWUjBqQklHZk1JR2NnQlR4MGxEempIL2lPQm5PU1FhU0VXUUx4MXN5R0tHQmdLUitNSHd4Q3pBSkJnTlZCQVlUQW1GMwpNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRUNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMCkV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4SFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeWdnRUEKTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVFQlFBRGdZRUFZdkJKMEhPWmJiSENsWG1HVWpHcytHUyt4QzFGTy9hbQoyc3VDU1lxTkI5ZHlNWGZPV2lKMStUTEprK28vWVp0OHZ1eENLZGNaWWdsNGwvTDZQeEo5ODJTUmhjODNaVzJka0FaSTRNMC9VZDNvCmVQZTg0azhqbTNBN0V2SDV3aTVodkNrS1JwdVJCd24zRWkrakNSb3V4VGJ6S1BzdUNWQisxc055eE1UWHpmMD08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyPC9zYW1sMjpOYW1lSUQ-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDIzLTA1LTA0VDE1OjU0OjEyLjQ0NloiIFJlY2lwaWVudD0iaHR0cDovL2o4Znpkdi5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4vYWxpYXMvajhmemR2LmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIi8-PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMjMtMDUtMDRUMTQ6NTQ6MTIuMzMxWiIgTm90T25PckFmdGVyPSIyMDIzLTA1LTA0VDE1OjU0OjEyLjQ0NloiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT5qOGZ6ZHYuY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW48L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM-PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMy0wNS0wNFQxNDo1NDoxMi4zMDlaIiBTZXNzaW9uSW5kZXg9ImE0YmUxZzk2YWMxMGhoYTI1NzRmMWljNjc2NjIyYjgiPjxzYW1sMjpBdXRobkNvbnRleHQ-PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJhdXRob3JpdGllcyI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYS51c2VyPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImVtYWlsIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-bWFyaXNzYUB0ZXN0aW5nLm9yZzwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJpZCI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPjI1OTc5YjMyLThhZWUtNGUwNy1hMWZhLTdhODM3MWUwMWE2NDwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJuYW1lIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-bWFyaXNzYTwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJvcmlnaW4iPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iem9uZUlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-dWFhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj4&scope=openid'
    
    POST /uaa/oauth/token/alias/j8fzdv.cloudfoundry-saml-login HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: j8fzdv.localhost
    
    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclientf4mPgf&client_secret=secret&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYTFlN2FqaWcxODU1YjJiNDRqN2g1aDQ3MzlmMDFoMiIgSXNzdWVJbnN0YW50PSIyMDIzLTA1LTA0VDE0OjU0OjEyLjMwNFoiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyPmo4Znpkdi5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjYTFlN2FqaWcxODU1YjJiNDRqN2g1aDQ3MzlmMDFoMiI-PGRzOlRyYW5zZm9ybXM-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI-PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM-PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8-PGRzOkRpZ2VzdFZhbHVlPnpZYnFJdk42UktLYUt3L0JNS0pERzc5MU53Yz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU-dDZkcDdTMW5nYUdiTVFTdlp5M0ViU1dKaHJDR2xHMWhGLzVldmRIdGo4TTRUZWwrSWpxTCt1UTduYjM2RitiM0pmSGw3SnpGU04wTGhxMGRHS1lyQ01LU1g2azlhK2t2eEVBeDFmb2paeG1SQ2R3QXRFRm9tbGkyMlROT1BhOEI2M3k4eGd6bTFWQk9ReWZ0Y3E2MDNTT0RnTWcyOWkyYmlEZmtERjIyUFJVPTwvZHM6U2lnbmF0dXJlVmFsdWU-PGRzOktleUluZm8-PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU-TUlJRFNUQ0NBcktnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVFRRkFEQjhNUXN3Q1FZRFZRUUdFd0poZHpFT01Bd0dBMVVFQ0JNRgpZWEoxWW1FeERqQU1CZ05WQkFvVEJXRnlkV0poTVE0d0RBWURWUVFIRXdWaGNuVmlZVEVPTUF3R0ExVUVDeE1GWVhKMVltRXhEakFNCkJnTlZCQU1UQldGeWRXSmhNUjB3R3dZSktvWklodmNOQVFrQkZnNWhjblZpWVVCaGNuVmlZUzVoY2pBZUZ3MHhOVEV4TWpBeU1qSTIKTWpkYUZ3MHhOakV4TVRreU1qSTJNamRhTUh3eEN6QUpCZ05WQkFZVEFtRjNNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRQpDaE1GWVhKMVltRXhEakFNQmdOVkJBY1RCV0Z5ZFdKaE1RNHdEQVlEVlFRTEV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4CkhUQWJCZ2txaGtpRzl3MEJDUUVXRG1GeWRXSmhRR0Z5ZFdKaExtRnlNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0IKZ1FESHRDNWdVWHhCS3BFcVpUTGtOdkZ3TkduTklrZ2dOT3dPUVZOYnBPMFdWSElpdmlnNUwzOVdxUzl1MGhuQStPN01DQS9LbHJBUgo0YlhhZVZWaHdmVVBZQktJcGFhVFdGUVI1Y1RSMVVGWkpML09GOXZBZnBPd3pub0Q2NkREQ25RVnBiQ2p0RFlXWCt4NmlteG44SENZCnhoTW9sNlpuVGJTc0ZXNlZaakZNalFJREFRQUJvNEhhTUlIWE1CMEdBMVVkRGdRV0JCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3kKR0RDQnB3WURWUjBqQklHZk1JR2NnQlR4MGxEempIL2lPQm5PU1FhU0VXUUx4MXN5R0tHQmdLUitNSHd4Q3pBSkJnTlZCQVlUQW1GMwpNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRUNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMCkV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4SFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeWdnRUEKTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVFQlFBRGdZRUFZdkJKMEhPWmJiSENsWG1HVWpHcytHUyt4QzFGTy9hbQoyc3VDU1lxTkI5ZHlNWGZPV2lKMStUTEprK28vWVp0OHZ1eENLZGNaWWdsNGwvTDZQeEo5ODJTUmhjODNaVzJka0FaSTRNMC9VZDNvCmVQZTg0azhqbTNBN0V2SDV3aTVodkNrS1JwdVJCd24zRWkrakNSb3V4VGJ6S1BzdUNWQisxc055eE1UWHpmMD08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyPC9zYW1sMjpOYW1lSUQ-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDIzLTA1LTA0VDE1OjU0OjEyLjQ0NloiIFJlY2lwaWVudD0iaHR0cDovL2o4Znpkdi5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4vYWxpYXMvajhmemR2LmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIi8-PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMjMtMDUtMDRUMTQ6NTQ6MTIuMzMxWiIgTm90T25PckFmdGVyPSIyMDIzLTA1LTA0VDE1OjU0OjEyLjQ0NloiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT5qOGZ6ZHYuY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW48L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM-PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMy0wNS0wNFQxNDo1NDoxMi4zMDlaIiBTZXNzaW9uSW5kZXg9ImE0YmUxZzk2YWMxMGhoYTI1NzRmMWljNjc2NjIyYjgiPjxzYW1sMjpBdXRobkNvbnRleHQ-PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJhdXRob3JpdGllcyI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVhYS51c2VyPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9ImVtYWlsIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-bWFyaXNzYUB0ZXN0aW5nLm9yZzwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJpZCI-PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPjI1OTc5YjMyLThhZWUtNGUwNy1hMWZhLTdhODM3MWUwMWE2NDwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJuYW1lIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-bWFyaXNzYTwvc2FtbDI6QXR0cmlidXRlVmFsdWU-PC9zYW1sMjpBdHRyaWJ1dGU-PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJvcmlnaW4iPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iem9uZUlkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI-dWFhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj4&scope=openid
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    Content-Disposition: inline;filename=f.txt
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2040
    
    {
      "access_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiI0MmMzNWYyMTkzNmQ0NDI0OTcyM2I1NzI3NTU2MWFkOSIsInN1YiI6ImU1Y2M4MWM0LTQ1MGItNGUyMC1hMGZkLWVmZDBlOGRkODQ5MCIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJ0ZXN0Y2xpZW50ZjRtUGdmIiwiY2lkIjoidGVzdGNsaWVudGY0bVBnZiIsImF6cCI6InRlc3RjbGllbnRmNG1QZ2YiLCJncmFudF90eXBlIjoidXJuOmlldGY6cGFyYW1zOm9hdXRoOmdyYW50LXR5cGU6c2FtbDItYmVhcmVyIiwidXNlcl9pZCI6ImU1Y2M4MWM0LTQ1MGItNGUyMC1hMGZkLWVmZDBlOGRkODQ5MCIsIm9yaWdpbiI6Imo4Znpkdi5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIsInVzZXJfbmFtZSI6IlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyIiwiZW1haWwiOiJTYW1sMkJlYXJlckludGVncmF0aW9uVXNlckB0aGlzLWRlZmF1bHQtd2FzLW5vdC1jb25maWd1cmVkLmludmFsaWQiLCJyZXZfc2lnIjoiZjcyZWE2NzUiLCJpYXQiOjE2ODMyMTIwNTUsImV4cCI6MTY4MzIxMjY1NSwiaXNzIjoiaHR0cDovL2o4Znpkdi5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJqOGZ6ZHYiLCJhdWQiOlsidGVzdGNsaWVudGY0bVBnZiIsIm9wZW5pZCJdfQ.tgiZt4p1ULKns_eh23ox5idYjbYRS1eZtYCev2FDWns",
      "token_type" : "bearer",
      "refresh_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiI2NjczMDc4Yzk3Yjg0MTJhODk2YjI5MzEyMTk3NmI4Zi1yIiwic3ViIjoiZTVjYzgxYzQtNDUwYi00ZTIwLWEwZmQtZWZkMGU4ZGQ4NDkwIiwiaWF0IjoxNjgzMjEyMDU1LCJleHAiOjE2ODU4MDQwNTUsImNpZCI6InRlc3RjbGllbnRmNG1QZ2YiLCJjbGllbnRfaWQiOiJ0ZXN0Y2xpZW50ZjRtUGdmIiwiaXNzIjoiaHR0cDovL2o4Znpkdi5sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJqOGZ6ZHYiLCJhdWQiOlsidGVzdGNsaWVudGY0bVBnZiIsIm9wZW5pZCJdLCJncmFudGVkX3Njb3BlcyI6WyJvcGVuaWQiXSwiZ3JhbnRfdHlwZSI6InVybjppZXRmOnBhcmFtczpvYXV0aDpncmFudC10eXBlOnNhbWwyLWJlYXJlciIsInVzZXJfbmFtZSI6IlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyIiwib3JpZ2luIjoiajhmemR2LmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIiwidXNlcl9pZCI6ImU1Y2M4MWM0LTQ1MGItNGUyMC1hMGZkLWVmZDBlOGRkODQ5MCIsInJldl9zaWciOiJmNzJlYTY3NSJ9.lV_NvMSO4aQGklkF-lVb7flP_NlbjygcrOv4crz1JkI",
      "expires_in" : 599,
      "scope" : "openid",
      "jti" : "42c35f21936d44249723b57275561ad9"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional The client ID of the receiving client, this client must have urn:ietf:params:oauth:grant-type:saml2-bearer grant type
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    grant_type String Required The type of token grant requested, in this case urn:ietf:params:oauth:grant-type:saml2-bearer
    assertion String Required An XML based SAML 2.0 bearer assertion, which is Base64URl encoded.
    scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    token_type String The type of the access token issued, always bearer
    expires_in Number Number of seconds of lifetime for an access_token, when retrieved
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    JWT Bearer Token Grant

    The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants allows to request an OAuth 2.0 access token with a JWT id_token bearer assertion. The flow is defined in RFC 7523. The requesting client, must have grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer. In addition the requesting client must either allow the IDP in allowedproviders or omit the property so that any trusted IDP is allowed. The trust to the assertion, the issuer claim is used to select an OIDC provider (IDP) configured in the UAA database. If multiple providers exists that have the same issuer, the grant will fail.

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Accept: application/json' \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -d 'client_id=kkx9et2jjqof&client_secret=secret&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&token_format=opaque&response_type=token+id_token&scope=openid&assertion=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiI1MWI2YzJhZC0wMzI4LTQ4NzUtODJmMS1mMDZlNGMwMTI4ZDIiLCJhdWQiOlsiYmJpU3VNbWtiaFllIl0sImlzcyI6Imh0dHA6Ly9tcHMtMWtneTNwZGgubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiZXhwIjoxNjgzMjU1NDMzLCJpYXQiOjE2ODMyMTIyMzMsImFtciI6WyJwd2QiXSwiYXpwIjoiYmJpU3VNbWtiaFllIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoiZTRpY2lld2xscGNsQHRlc3Qub3JnIiwiemlkIjoibXBzLTFrZ3kzcGRoIiwib3JpZ2luIjoidWFhIiwianRpIjoiMTMzOTY0ZTZlMmJlNGQ5OWFmYThmMzQ4NGM2MThlMWMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiY2xpZW50X2lkIjoiYmJpU3VNbWtiaFllIiwiY2lkIjoiYmJpU3VNbWtiaFllIiwiZ3JhbnRfdHlwZSI6InBhc3N3b3JkIiwidXNlcl9uYW1lIjoiZTRpY2lld2xscGNsIiwicmV2X3NpZyI6IjkxNTQxOTYwIiwidXNlcl9pZCI6IjUxYjZjMmFkLTAzMjgtNDg3NS04MmYxLWYwNmU0YzAxMjhkMiIsImF1dGhfdGltZSI6MTY4MzIxMjIzM30.6wfOz-A2clBpAZ3HKaOETnw7t73B1CVrX-qwR9h2vxs'
    
    POST /oauth/token HTTP/1.1
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded
    Host: localhost
    
    client_id=kkx9et2jjqof&client_secret=secret&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&token_format=opaque&response_type=token+id_token&scope=openid&assertion=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiI1MWI2YzJhZC0wMzI4LTQ4NzUtODJmMS1mMDZlNGMwMTI4ZDIiLCJhdWQiOlsiYmJpU3VNbWtiaFllIl0sImlzcyI6Imh0dHA6Ly9tcHMtMWtneTNwZGgubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiZXhwIjoxNjgzMjU1NDMzLCJpYXQiOjE2ODMyMTIyMzMsImFtciI6WyJwd2QiXSwiYXpwIjoiYmJpU3VNbWtiaFllIiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoiZTRpY2lld2xscGNsQHRlc3Qub3JnIiwiemlkIjoibXBzLTFrZ3kzcGRoIiwib3JpZ2luIjoidWFhIiwianRpIjoiMTMzOTY0ZTZlMmJlNGQ5OWFmYThmMzQ4NGM2MThlMWMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiY2xpZW50X2lkIjoiYmJpU3VNbWtiaFllIiwiY2lkIjoiYmJpU3VNbWtiaFllIiwiZ3JhbnRfdHlwZSI6InBhc3N3b3JkIiwidXNlcl9uYW1lIjoiZTRpY2lld2xscGNsIiwicmV2X3NpZyI6IjkxNTQxOTYwIiwidXNlcl9pZCI6IjUxYjZjMmFkLTAzMjgtNDg3NS04MmYxLWYwNmU0YzAxMjhkMiIsImF1dGhfdGltZSI6MTY4MzIxMjIzM30.6wfOz-A2clBpAZ3HKaOETnw7t73B1CVrX-qwR9h2vxs
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 234
    
    {
      "access_token" : "75648d66fc90478a8fad48be556d3aea",
      "token_type" : "bearer",
      "refresh_token" : "393196acd986431485ca9c0e269964fb-r",
      "expires_in" : 43199,
      "scope" : "openid",
      "jti" : "75648d66fc90478a8fad48be556d3aea"
    }
    

    Request Headers

    Name Description
    Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority

    Request Parameters

    Parameter Type Constraints Description
    assertion String Required JWT token identifying representing the user to be authenticated
    client_id String Required Required, client with
    client_secret String Required Required unless a basic authorization header is used
    grant_type String Required Must be set to urn:ietf:params:oauth:grant-type:jwt-bearer
    scope String Optional Optional parameter to limit the number of scopes in the scope claim of the access token
    response_type String Optional May be set to token or token id_token or id_token
    token_format String Optional May be set to opaque to retrieve revocable and non identifiable access token

    Response Fields

    Path Type Description
    access_token String Access token generated by this grant
    token_type String Will always be bearer
    scope String List of scopes present in the scope claim in the access token
    expires_in Number Number of seconds before this token expires from the time of issuance
    jti String The unique token ID
    refresh_token String Refresh token issued by this grant

    Refresh Token

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=app&client_secret=appclientsecret&grant_type=refresh_token&token_format=opaque&refresh_token=4f41481480b342fdbeb29d95c3f44a4e-r'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=app&client_secret=appclientsecret&grant_type=refresh_token&token_format=opaque&refresh_token=4f41481480b342fdbeb29d95c3f44a4e-r
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1140
    
    {
      "access_token" : "afcc69c7409d437997bd5367f3243485",
      "token_type" : "bearer",
      "id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJiMWUyYWY3OS1lZWM0LTRhMDYtOTEyNy1kZmI3YzYzMjc5N2IiLCJhdWQiOlsiYXBwIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJleHAiOjE2ODMyNTUzMjgsImlhdCI6MTY4MzIxMjEyOCwiYW1yIjpbInB3ZCJdLCJhenAiOiJhcHAiLCJzY29wZSI6WyJvcGVuaWQiXSwiZW1haWwiOiJVSnc1NmlAdGVzdC5vcmciLCJ6aWQiOiJ1YWEiLCJvcmlnaW4iOiJ1YWEiLCJqdGkiOiIxMGQ3MmI2NzY5OWM0ZDI5ODExYWE2NjJhNDlmMDQ1OSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJVSnc1NmlAdGVzdC5vcmciLCJyZXZfc2lnIjoiODJkMmFkNjUiLCJ1c2VyX2lkIjoiYjFlMmFmNzktZWVjNC00YTA2LTkxMjctZGZiN2M2MzI3OTdiIiwiYXV0aF90aW1lIjoxNjgzMjEyMTI4fQ.vurUxOZxHd9bd6rX61ryHM-Qsilg53dgBRP5DRq_9Pw",
      "refresh_token" : "4f41481480b342fdbeb29d95c3f44a4e-r",
      "expires_in" : 43199,
      "scope" : "scim.userids cloud_controller.read password.write cloud_controller.write openid",
      "jti" : "afcc69c7409d437997bd5367f3243485"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    grant_type String Required the type of authentication being used to obtain the token, in this case refresh_token
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header.
    refresh_token String Required the refresh_token that was returned along with the access token.
    token_format String Optional Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    OpenID Connect

    The token endpoint can provide an ID token as defined by OpenID Connect.

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=login&client_secret=loginsecret&grant_type=authorization_code&code=MUoKCz26eWazOmgNkb7dj6x1RWDltnR3&token_format=opaque&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=login&client_secret=loginsecret&grant_type=authorization_code&code=MUoKCz26eWazOmgNkb7dj6x1RWDltnR3&token_format=opaque&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1088
    
    {
      "access_token" : "903f2dca5a7741e9a2c865edf57e85cb",
      "token_type" : "bearer",
      "id_token" : "eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJkN2RiZmM4NC1iZTA1LTQ2MjUtOWY3My1hNmI3NzdiOWMyYzQiLCJhdWQiOlsibG9naW4iXSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImV4cCI6MTY4MzI1NTI0NywiaWF0IjoxNjgzMjEyMDQ3LCJhenAiOiJsb2dpbiIsInNjb3BlIjpbIm9wZW5pZCJdLCJlbWFpbCI6ImdvTGxEcUB0ZXN0Lm9yZyIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6IjkwM2YyZGNhNWE3NzQxZTlhMmM4NjVlZGY1N2U4NWNiIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImxvZ2luIiwiY2lkIjoibG9naW4iLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwidXNlcl9uYW1lIjoiZ29MbERxQHRlc3Qub3JnIiwicmV2X3NpZyI6ImUyZTU4ZDc3IiwidXNlcl9pZCI6ImQ3ZGJmYzg0LWJlMDUtNDYyNS05ZjczLWE2Yjc3N2I5YzJjNCIsImF1dGhfdGltZSI6MTY4MzIxMjA0N30.9nVYK-6IJafkg7a-uuQj62ens9-aIB3D-6MKa8RbpmM",
      "refresh_token" : "5d7f34d880be44968ebaebbd64c3821e-r",
      "expires_in" : 43199,
      "scope" : "openid oauth.approvals",
      "jti" : "903f2dca5a7741e9a2c865edf57e85cb"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header.
    redirect_uri String Required if provided on authorization request redirection URI to which the authorization server will send the user-agent back once access is granted (or denied)
    code String Required the authorization code, obtained from /oauth/authorize, issued for the user
    grant_type String Required the type of authentication being used to obtain the token, in this case authorization_code
    client_secret String Optional UAA 75.21.0 Optional and can be omitted if client has configured allowpublic and PKCE with code_challange_method=S256 is used to create to code.
    code_verifier String Optional UAA 75.5.0 PKCE Code Verifier. A code_verifier parameter must be provided if a code_challenge parameter was present in the previous call to /oauth/authorize. The code_verifier must match the used code_challenge (according to the selected code_challenge_method)
    token_format String Optional Can be set to opaque to retrieve an opaque and revocable token or to jwt to retrieve a JWT token. If not set the zone setting config.tokenPolicy.jwtRevocable is used.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    Revoke tokens

    Revoke all tokens for a user

    $ curl 'http://localhost/oauth/token/revoke/user/66e8f160-3298-4daf-a63e-a83b83746659' -i -X GET \
        -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiIwNmZmNzViZDE5MzM0ZDE0OTY4Y2Y2NzU2OThkODgzZiIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwic2NvcGUiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJjaWQiOiJhZG1pbiIsImF6cCI6ImFkbWluIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI2NTFhN2JmMSIsImlhdCI6MTY4MzIxMjEyOSwiZXhwIjoxNjgzMjU1MzI5LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbGllbnRzIiwidWFhIiwiYWRtaW4iXX0.-SQx8o30xOLPeafzpjELjC-u8IJ8YpCfyartoYXKue4'
    
    GET /oauth/token/revoke/user/66e8f160-3298-4daf-a63e-a83b83746659 HTTP/1.1
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiIwNmZmNzViZDE5MzM0ZDE0OTY4Y2Y2NzU2OThkODgzZiIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwic2NvcGUiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJjaWQiOiJhZG1pbiIsImF6cCI6ImFkbWluIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI2NTFhN2JmMSIsImlhdCI6MTY4MzIxMjEyOSwiZXhwIjoxNjgzMjU1MzI5LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbGllbnRzIiwidWFhIiwiYWRtaW4iXX0.-SQx8o30xOLPeafzpjELjC-u8IJ8YpCfyartoYXKue4
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/user/{userId}

    Parameter Description
    userId The id of the user

    Request Header

    Name Description
    Authorization Bearer token with one of: uaa.admin scope OR tokens.revoke scope OR matching user_id
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Revoke all tokens for a client

    $ curl 'http://localhost/oauth/token/revoke/client/bZoRoD' -i -X GET \
        -H 'Authorization: Bearer 2d0451faec4340b2a0eb4d6515909739'
    
    GET /oauth/token/revoke/client/bZoRoD HTTP/1.1
    Authorization: Bearer 2d0451faec4340b2a0eb4d6515909739
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/client/{clientId}

    Parameter Description
    clientId The id of the client

    Request Header

    Name Description
    Authorization Bearer token with uaa.admin or tokens.revoke scope.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Revoke all tokens for a user and client combination

    $ curl 'http://localhost/oauth/token/revoke/user/4396f6df-2bfa-4ffd-964c-f921c25edb60/client/zG1TRy' -i -X GET \
        -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJmYmI5MWFhZjBiZjY0NzgxYTEyZWNjNzQzOTVmZjE4MiIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwic2NvcGUiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJjaWQiOiJhZG1pbiIsImF6cCI6ImFkbWluIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI2NTFhN2JmMSIsImlhdCI6MTY4MzIxMjA0NiwiZXhwIjoxNjgzMjU1MjQ2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbGllbnRzIiwidWFhIiwiYWRtaW4iXX0.CmYmvNsmlSQebo_Y7f2O0T_faGGhIAa9gJ_Jn-iSwOE'
    
    GET /oauth/token/revoke/user/4396f6df-2bfa-4ffd-964c-f921c25edb60/client/zG1TRy HTTP/1.1
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJmYmI5MWFhZjBiZjY0NzgxYTEyZWNjNzQzOTVmZjE4MiIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwic2NvcGUiOlsiY2xpZW50cy5yZWFkIiwiY2xpZW50cy5zZWNyZXQiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJjaWQiOiJhZG1pbiIsImF6cCI6ImFkbWluIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI2NTFhN2JmMSIsImlhdCI6MTY4MzIxMjA0NiwiZXhwIjoxNjgzMjU1MjQ2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbGllbnRzIiwidWFhIiwiYWRtaW4iXX0.CmYmvNsmlSQebo_Y7f2O0T_faGGhIAa9gJ_Jn-iSwOE
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/user/{userId}/client/{clientId}

    Parameter Description
    userId The id of the user
    clientId The id of the client

    Request Header

    Name Description
    Authorization Bearer token with one of: uaa.admin scope OR tokens.revoke scope OR (matching user_id AND client_id)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Revoke a single token

    $ curl 'http://localhost/oauth/token/revoke/d68107f88c15470eb2f5424bcec525f5' -i -X DELETE \
        -H 'Authorization: Bearer d68107f88c15470eb2f5424bcec525f5'
    
    DELETE /oauth/token/revoke/d68107f88c15470eb2f5424bcec525f5 HTTP/1.1
    Authorization: Bearer d68107f88c15470eb2f5424bcec525f5
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/{tokenId}

    Parameter Description
    tokenId The identifier for the token to be revoked. For opaque tokens, use the token itself. For JWT tokens use the jti claim in the token.

    Request Header

    Name Description
    Authorization Bearer token with one of: uaa.admin scope OR tokens.revoke scope OR the token ID to be revoked
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    List tokens

    List all tokens for a user

    The /oauth/token/list/user/{userId} will return all the metadata for tokens that match the user_id in the path parameter. This token requires the tokens.list scope.

    $ curl 'http://localhost/oauth/token/list/user/51508338-c841-4bf0-a11d-d6728cb51d89' -i -X GET \
        -H 'Authorization: Bearer 057ec9dffc71485683a728d6871a6134' \
        -H 'Accept: application/json'
    
    GET /oauth/token/list/user/51508338-c841-4bf0-a11d-d6728cb51d89 HTTP/1.1
    Authorization: Bearer 057ec9dffc71485683a728d6871a6134
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 631
    
    [ {
      "tokenId" : "3f44f7512f3d4a5597afcdb1c293b4e7",
      "clientId" : "8q1Vkv",
      "userId" : "51508338-c841-4bf0-a11d-d6728cb51d89",
      "format" : "opaque",
      "responseType" : "ACCESS_TOKEN",
      "issuedAt" : 1683212132471,
      "expiresAt" : 1683255332445,
      "scope" : "[openid]",
      "value" : null,
      "zoneId" : "uaa"
    }, {
      "tokenId" : "84b2ba0f6dec400facc33ef72e6afe9a-r",
      "clientId" : "8q1Vkv",
      "userId" : "51508338-c841-4bf0-a11d-d6728cb51d89",
      "format" : "opaque",
      "responseType" : "REFRESH_TOKEN",
      "issuedAt" : 1683212132471,
      "expiresAt" : 1685804132436,
      "scope" : "[openid]",
      "value" : null,
      "zoneId" : "uaa"
    } ]
    

    Request Header

    Name Description
    Authorization Bearer token containing the tokens.list scope.
    Accept Set to application/json
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Path Parameters

    /oauth/token/list/user/{userId}

    Parameter Description
    userId The user ID to retrieve tokens for

    Response Fields

    Path Type Description
    [].zoneId String The zone ID for the token
    [].tokenId String The unique ID for the token
    [].clientId String Client ID for this token, will always match the client_id claim in the access token used for this call
    [].userId String User ID for this token, will always match the user_id claim in the access token used for this call
    [].format String What format was requested, possible values OPAQUE or JWT
    [].expiresAt Number Token expiration date, as a epoch timestamp, in milliseconds between the expires time and midnight, January 1, 1970 UTC.
    [].issuedAt Number Token issue date as, a epoch timestamp, in milliseconds between the issued time and midnight, January 1, 1970 UTC.
    [].scope String Comma separated list of scopes this token holds, up to 1000 characters
    [].responseType String Response type requested during the token request, possible values ACCESS_TOKEN or REFRESH_TOKEN
    [].value String Access token value will always be null

    List all tokens for a client

    The /oauth/token/list/client/{clientId} will return all the tokens that match the client_id in the path parameter. This token requires the tokens.list scope.

    $ curl 'http://localhost/oauth/token/list/client/kRkdrY' -i -X GET \
        -H 'Authorization: Bearer 3257b8b05625487aa4e72cf901e4aacd' \
        -H 'Accept: application/json'
    
    GET /oauth/token/list/client/kRkdrY HTTP/1.1
    Authorization: Bearer 3257b8b05625487aa4e72cf901e4aacd
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 286
    
    [ {
      "tokenId" : "3257b8b05625487aa4e72cf901e4aacd",
      "clientId" : "kRkdrY",
      "userId" : null,
      "format" : "opaque",
      "responseType" : "ACCESS_TOKEN",
      "issuedAt" : 1683212130675,
      "expiresAt" : 1683255330639,
      "scope" : "[tokens.list]",
      "value" : null,
      "zoneId" : "uaa"
    } ]
    

    Request Header

    Name Description
    Authorization Bearer token containing the tokens.list scope.
    Accept Set to application/json
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Path Parameters

    /oauth/token/list/client/{clientId}

    Parameter Description
    clientId The client ID to retrieve tokens for

    Response Fields

    Path Type Description
    [].zoneId String The zone ID for the token
    [].tokenId String The unique ID for the token
    [].clientId String Client ID for this token, will always match the client_id claim in the access token used for this call
    [].userId String User ID for this token, will always match the user_id claim in the access token used for this call
    [].format String What format was requested, possible values OPAQUE or JWT
    [].expiresAt Number Token expiration date, as a epoch timestamp, in milliseconds between the expires time and midnight, January 1, 1970 UTC.
    [].issuedAt Number Token issue date as, a epoch timestamp, in milliseconds between the issued time and midnight, January 1, 1970 UTC.
    [].scope String Comma separated list of scopes this token holds, up to 1000 characters
    [].responseType String Response type requested during the token request, possible values ACCESS_TOKEN or REFRESH_TOKEN
    [].value String Access token value will always be null

    Introspect Token

    Introspect token endpoint is RFC-7662 compliant. Active flag is responsible for showing the validity of the token and not the HTTP status code. Status code will be 200 OK for both valid and invalid tokens.

    $ curl 'http://localhost/introspect' -i -X POST \
        -H 'Authorization: bearer 43d438b5f54c411bb8800821466d70e9' \
        -d 'token=8a31ee1eb79a4de896096f4c719994ef'
    
    POST /introspect HTTP/1.1
    Authorization: bearer 43d438b5f54c411bb8800821466d70e9
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    
    token=8a31ee1eb79a4de896096f4c719994ef
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 706
    
    {
      "user_id" : "31d3c18e-d9bc-4986-adc6-37fb2f771aa8",
      "user_name" : "marissa",
      "email" : "marissa@test.org",
      "client_id" : "app",
      "exp" : 1683255386,
      "scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ],
      "jti" : "8a31ee1eb79a4de896096f4c719994ef",
      "aud" : [ "app", "scim", "cloud_controller", "password", "openid" ],
      "sub" : "31d3c18e-d9bc-4986-adc6-37fb2f771aa8",
      "iss" : "http://localhost:8080/uaa/oauth/token",
      "iat" : 1683212186,
      "cid" : "app",
      "grant_type" : "password",
      "azp" : "app",
      "auth_time" : 1683212186,
      "zid" : "uaa",
      "rev_sig" : "979c1f00",
      "origin" : "uaa",
      "revocable" : true,
      "active" : true
    }
    

    Request Headers

    Name Description
    Authorization One of the following authentication/authorization mechanisms:
    • Bearer token for a registered client with authority uaa.resource   [Recommended]
    • Basic authentication using client_id / client_secret for a registered client with authority uaa.resource   [Deprecated]
    If both bearer token and basic auth credentials are provided, only the bearer token will be used.

    Request Parameters

    Parameter Type Constraints Description
    token String Required The token

    Response Fields

    Path Type Description
    active Boolean Indicates whether or not the presented token is currently valid (given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity)
    user_id String Only applicable for user tokens
    user_name String Only applicable for user tokens
    email String Only applicable for user tokens
    client_id String A unique string representing the registration information provided by the client
    exp Number Expiration Time Claim
    authorities Array Only applicable for client tokens
    scope Array List of scopes authorized by the user for this client
    jti String JWT ID Claim
    aud Array Audience Claim
    sub String Subject Claim
    iss String Issuer Claim
    iat Number Issued At Claim
    cid String See client_id
    grant_type String The type of authentication being used to obtain the token, in this case password
    azp String Authorized party
    auth_time Number Only applicable for user tokens
    zid String Zone ID
    rev_sig String Revocation Signature - token revocation hash salted with at least client ID and client secret, and optionally various user values.
    origin String Only applicable for user tokens
    revocable Boolean Set to true if this token is revocable

    Check Token

    $ curl 'http://localhost/check_token' -i -u 'app:appclientsecret' -X POST \
        -d 'token=a546238adef5459bbcfe9454c1506af0&scopes=password.write%2Cscim.userids'
    
    POST /check_token HTTP/1.1
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    
    token=a546238adef5459bbcfe9454c1506af0&scopes=password.write%2Cscim.userids
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 687
    
    {
      "user_id" : "f8705929-ab91-4121-b8fb-1a071a9b210e",
      "user_name" : "marissa",
      "email" : "marissa@test.org",
      "client_id" : "app",
      "exp" : 1683255380,
      "scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ],
      "jti" : "a546238adef5459bbcfe9454c1506af0",
      "aud" : [ "app", "scim", "cloud_controller", "password", "openid" ],
      "sub" : "f8705929-ab91-4121-b8fb-1a071a9b210e",
      "iss" : "http://localhost:8080/uaa/oauth/token",
      "iat" : 1683212180,
      "cid" : "app",
      "grant_type" : "password",
      "azp" : "app",
      "auth_time" : 1683212177,
      "zid" : "uaa",
      "rev_sig" : "20c47e94",
      "origin" : "uaa",
      "revocable" : true
    }
    

    Request Headers

    Name Description
    Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority

    Request Parameters

    Parameter Type Constraints Description
    token String Required The token
    scopes Array Optional String of comma-separated scopes, for checking presence of scopes on the token

    Response Fields

    Path Type Description
    user_id String Only applicable for user tokens
    user_name String Only applicable for user tokens
    email String Only applicable for user tokens
    client_id String A unique string representing the registration information provided by the client
    exp Number Expiration Time Claim
    authorities Array Only applicable for client tokens
    scope Array List of scopes authorized by the user for this client
    jti String JWT ID Claim
    aud Array Audience Claim
    sub String Subject Claim
    iss String Issuer Claim
    iat Number Issued At Claim
    cid String See client_id
    grant_type String The type of authentication being used to obtain the token, in this case password
    azp String Authorized party
    auth_time Number Only applicable for user tokens
    zid String Zone ID
    rev_sig String Revocation Signature - token revocation hash salted with at least client ID and client secret, and optionally various user values.
    origin String Only applicable for user tokens
    revocable Boolean Set to true if this token is revocable

    Token Key(s)

    Token Key

    An endpoint which returns the JSON Web Token (JWT) key, used by the UAA to sign JWT access tokens, and to be used by authorized clients to verify that a token came from the UAA. The key is in JSON Web Key format. For complete information about JSON Web Keys, see RFC 7517. In the case when the token key is symmetric, signer key and verifier key are the same, then this call is authenticated with client credentials using the HTTP Basic method.

    JWT signing keys are specified via the identity zone configuration (see /identity-zones). An identity zone token policy can be configured with multiple keys for purposes of key rotation. When adding a new key, set its ID as the activeKeyId to use it to sign all new tokens. /introspect will continue to verify tokens signed with the previous signing key for as long as it is present in the keys of the identity zone's token policy. Remove it to invalidate all those tokens.

    Asymmetric

    $ curl 'http://localhost/token_key' -i -X GET \
        -H 'Accept: application/json' \
        -H 'If-None-Match: 1501570800000'
    
    GET /token_key HTTP/1.1
    Accept: application/json
    If-None-Match: 1501570800000
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1683212236140"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 920
    
    {
      "kty" : "RSA",
      "e" : "AQAB",
      "use" : "sig",
      "kid" : "testKey",
      "alg" : "RS256",
      "value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
      "n" : "0m59l2u9iDnMbrXHfqkOrn2dVQ3vfBJqcDuFUK03d-1PZGbVlNCqnkpIJ8syFppW8ljnWweP7-LiWpRoz0I7fYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE_uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQBLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U_16c5WBDOkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPojfj9Cw2QICsc5-Pwf21fP-hzf-1WSRHbnYv8uanRO0gZ8ekGaghM_2H6gqJbo2nIJw"
    }
    

    Request Headers

    Name Description
    If-None-Match Optional. See Ref: RFC 2616

    Response Headers

    Name Description
    ETag The ETag version of the resource - used to decide if the client's version of the resource is already up to date. The UAA will set the ETag value to the epoch time in milliseconds of the last zone configuration change.

    Response Fields

    Path Type Description
    kid String Key ID of key to be used for verification of the token.
    alg String Encryption algorithm
    value String Verifier key
    kty String Key type (RSA)
    use String Public key use parameter - identifies intended use of the public key. (defaults to "sig")
    n String RSA key modulus
    e String RSA key public exponent

    Error Codes

    Error Code Description
    401 Unauthorized - Unregistered client or incorrect client secret

    Symmetric

    $ curl 'http://localhost/token_key' -i -u 'app:appclientsecret' -X GET \
        -H 'Accept: application/json' \
        -H 'If-None-Match: 1501570800000'
    
    GET /token_key HTTP/1.1
    Accept: application/json
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    If-None-Match: 1501570800000
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1683212235712"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 95
    
    {
      "kty" : "MAC",
      "alg" : "HS256",
      "value" : "key",
      "use" : "sig",
      "kid" : "testKey"
    }
    

    Request Headers

    Name Description
    Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority
    If-None-Match Optional. See Ref: RFC 2616

    Response Fields

    Path Type Description
    kid String Key ID of key to be used for verification of the token.
    alg String Encryption algorithm
    value String Verifier key
    kty String Key type (MAC)
    use String Public key use parameter - identifies intended use of the public key. (defaults to "sig")

    Error Codes

    Error Code Description
    401 Unauthorized - Unregistered client or incorrect client secret
    403 Forbidden - Not a resource server (missing uaa.resource scope)

    Token Keys

    An endpoint which returns the list of JWT keys. To support key rotation, this list specifies the IDs of all currently valid keys. JWT tokens issued by the UAA contain a kid field, indicating which key should be used for verification of the token.

    $ curl 'http://localhost/token_keys' -i -u 'app:appclientsecret' -X GET \
        -H 'Accept: application/json' \
        -H 'If-None-Match: 1501570800000'
    
    GET /token_keys HTTP/1.1
    Accept: application/json
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    If-None-Match: 1501570800000
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1683212235204"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 955
    
    {
      "keys" : [ {
        "kty" : "RSA",
        "e" : "AQAB",
        "use" : "sig",
        "kid" : "testKey",
        "alg" : "RS256",
        "value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
        "n" : "0m59l2u9iDnMbrXHfqkOrn2dVQ3vfBJqcDuFUK03d-1PZGbVlNCqnkpIJ8syFppW8ljnWweP7-LiWpRoz0I7fYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE_uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQBLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U_16c5WBDOkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPojfj9Cw2QICsc5-Pwf21fP-hzf-1WSRHbnYv8uanRO0gZ8ekGaghM_2H6gqJbo2nIJw"
      } ]
    }
    

    Request Headers

    Name Description
    Authorization No authorization is required for requesting public keys.
    If-None-Match Optional. See Ref: RFC 2616

    Response Headers

    Name Description
    ETag The ETag version of the resource - used to decide if the client's version of the resource is already up to date. The UAA will set the ETag value to the epoch time in milliseconds of the last zone configuration change.

    Response Fields

    Path Type Description
    keys.[].kid String Key ID of key to be used for verification of the token.
    keys.[].alg String Encryption algorithm
    keys.[].value String Verifier key
    keys.[].kty String Key type (RSA or MAC)
    keys.[].use String Public key use parameter - identifies intended use of the public key. (defaults to "sig")
    keys.[].n String RSA key modulus
    keys.[].e String RSA key public exponent

    Error Codes

    Error Code Description
    401 Unauthorized - Unregistered client or incorrect client secret

    Session Management

    Logout.do

    The logout endpoint is meant to be used by applications to log the user out of the UAA session. UAA will only log a user out of the UAA session if they also hit this endpoint, and may also perform Single Logout with SAML providers if configured to do so. UAA will also log users out of OIDC proxied authenticated sessions based on OpenID Connect Session Management. The recommendation for application authors is to:

    If the chosen redirect URI is not whitelisted, users will land on the UAA login page. This is a security feature intended to prevent open redirects as per RFC 6749.

    $ curl 'http://localhost/logout.do?redirect=http%3A%2F%2Fredirect.localhost&client_id=some_client_that_contains_redirect_uri_matching_request_param&post_logout_redirect_uri=http%3A%2F%2Fredirect.localhost&id_token_hint=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJhMGZlMGQ4OS1lZTJjLTRkMjEtYjFjMS0yNTQ2MzZjNzAxMTUiLCJhdWQiOlsic29tZV9jbGllbnRfdGhhdF9jb250YWluc19yZWRpcmVjdF91cmlfbWF0Y2hpbmdfcmVxdWVzdF9wYXJhbSJdLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiYXpwIjoic29tZV9jbGllbnRfdGhhdF9jb250YWluc19yZWRpcmVjdF91cmlfbWF0Y2hpbmdfcmVxdWVzdF9wYXJhbSJ9.2yS83OUWQ7yWVvGRQieOKuvGtW6Pn8aJX9tRzd0lSpk' -i -X GET
    
    GET /logout.do?redirect=http%3A%2F%2Fredirect.localhost&client_id=some_client_that_contains_redirect_uri_matching_request_param&post_logout_redirect_uri=http%3A%2F%2Fredirect.localhost&id_token_hint=eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJhMGZlMGQ4OS1lZTJjLTRkMjEtYjFjMS0yNTQ2MzZjNzAxMTUiLCJhdWQiOlsic29tZV9jbGllbnRfdGhhdF9jb250YWluc19yZWRpcmVjdF91cmlfbWF0Y2hpbmdfcmVxdWVzdF9wYXJhbSJdLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiYXpwIjoic29tZV9jbGllbnRfdGhhdF9jb250YWluc19yZWRpcmVjdF91cmlfbWF0Y2hpbmdfcmVxdWVzdF9wYXJhbSJ9.2yS83OUWQ7yWVvGRQieOKuvGtW6Pn8aJX9tRzd0lSpk HTTP/1.1
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=8rvf-qfu7IR_fsUGQm9v5j; Path=/; Max-Age=86400; Expires=Fri, 5 May 2023 14:55:34 GMT; HttpOnly; SameSite=Lax
    Set-Cookie: Current-User=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT
    Set-Cookie: X-Uaa-Csrf=3CdjeNULTf9fRlxMryXpkv; Path=/; Max-Age=0; Expires=Thu, 1 Jan 1970 00:00:10 GMT; HttpOnly; SameSite=Lax
    Set-Cookie: JSESSIONID=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://redirect.localhost
    
    

    Request Parameters

    Parameter Type Constraints Description
    redirect String Optional (defaults to Identity Zone redirect uri) On a successful logout redirect the user to here, provided the URL is whitelisted
    client_id String Optional On a successful logout the client's redirect_uri configuration is used as the redirect uri whitelist. If this value is not provided, the identity zone whitelist will be used instead.
    post_logout_redirect_uri String Optional (defaults to Same as redirect uri, supports OIDC logout) Support the parameter for OIDC applications based on OpenID Connect Session Management.
    id_token_hint String Optional (defaults to Support for OIDC logout) ID token from OIDC authentication. Used to identify the oauth client redirect uri whitelist. If this value is not provided, the identity zone whitelist will be used instead.redirect uri whitelist.

    Response Headers

    Name Description
    Location Redirect URI

    Identity Zones

    The UAA supports multi tenancy. This is referred to as identity zones. An identity zone is accessed through a unique subdomain. If the standard UAA responds to https://uaa.10.244.0.34.xip.io a zone on this UAA would be accessed through https://testzone1.uaa.10.244.0.34.xip.io

    A zone contains a unique identifier as well as a unique subdomain:

    {
        "id":"testzone1",
        "subdomain":"testzone1",
        "name":"The Twiglet Zone[testzone1]",
        "version":0,
        "description":"Like the Twilight Zone but tastier[testzone1].",
        "created":1426258488910,
        "last_modified":1426258488910
    }
    

    The UAA by default creates a default zone. This zone will always be present, the ID will always be uaa, and the subdomain is blank:

    {
        "id": "uaa",
        "subdomain": "",
        "name": "uaa",
        "version": 0,
        "description": "The system zone for backwards compatibility",
        "created": 946710000000,
        "last_modified": 946710000000
    }
    

    Creating an identity zone

    An identity zone is created using a POST with an IdentityZone object. If the object contains an id, this id will be used as the identifier, otherwise an identifier will be generated. Once a zone has been created, the UAA will start accepting requests on the subdomain defined in the subdomain field of the identity zone. When an Identity Zone is created, an internal Identity Provider is automatically created with the default password policy.

    $ curl 'http://localhost/identity-zones' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 77bbac5ddbcf4e0ab5f3a1dfb957fa4a' \
        -d '{
      "id" : "twiglet-create",
      "subdomain" : "twiglet-create",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : "active-key-1",
          "keys" : {
            "active-key-1" : {
              "signingKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "signingCert" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
              "signingAlg" : "RS256"
            }
          }
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
          "privateKeyPassword" : "password"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        },
        "issuer" : "http://localhost:8080/uaa",
        "defaultIdentityProvider" : "uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1683212242964,
      "active" : true,
      "last_modified" : 1683212242964
    }'
    
    POST /identity-zones HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 77bbac5ddbcf4e0ab5f3a1dfb957fa4a
    Content-Length: 7903
    Host: localhost
    
    {
      "id" : "twiglet-create",
      "subdomain" : "twiglet-create",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : "active-key-1",
          "keys" : {
            "active-key-1" : {
              "signingKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "signingCert" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
              "signingAlg" : "RS256"
            }
          }
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
          "privateKeyPassword" : "password"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        },
        "issuer" : "http://localhost:8080/uaa",
        "defaultIdentityProvider" : "uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1683212242964,
      "active" : true,
      "last_modified" : 1683212242964
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 5313
    
    {
      "id" : "twiglet-create",
      "subdomain" : "twiglet-create",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : "active-key-1"
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        },
        "issuer" : "http://localhost:8080/uaa",
        "defaultIdentityProvider" : "uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1683212242985,
      "active" : true,
      "last_modified" : 1683212242985
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.write or uaa.admin

    Request Fields

    Path Type Constraints Description
    id String Optional Unique ID of the identity zone
    subdomain String Required Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Required Human-readable zone name
    description String Optional Description of the zone
    version Number Optional Reserved for future use of E-Tag versioning
    active Boolean Optional Indicates whether the identity zone is active. Defaults to true.
    config.clientSecretPolicy.minLength Number Required when clientSecretPolicy in the config is not null Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Required when clientSecretPolicy in the config is not null Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Required when clientSecretPolicy in the config is not null Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.tokenPolicy Object Optional Various fields pertaining to the JWT access and refresh tokens.
    config.tokenPolicy.activeKeyId String Required if config.tokenPolicy.keys are set The ID for the key that is being used to sign tokens
    config.tokenPolicy.keys.*.signingKey String Key to be used for signing Keys which will be used to sign the token
    config.tokenPolicy.keys.*.signingAlg String Optional. Can only be used in conjunction with keys.<key-id>.signingKey and keys.<key-id>.signingCert Algorithm parameter according to RFC7518
    config.tokenPolicy.keys.*.signingCert String Optional. Can only be used in conjunction with keys.<key-id>.signingKey and keys.<key-id>.signingCert PEM encoded X.509 to be used in x5c, e.g. RFC7517
    config.tokenPolicy.accessTokenValidity Number Optional Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Optional Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Optional Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean Optional If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean Optional If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String Optional The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.samlConfig.disableInResponseToCheck Boolean Optional If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean Optional If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Optional Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Optional Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean Optional If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number Optional The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Optional Unique ID of the SAML2 entity
    config.samlConfig.certificate String Deprecated Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.privateKey String Deprecated Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.privateKeyPassword String Deprecated Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.activeKeyId String Required if a list of keys defined in keys map The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.key String Optional. Can only be used in conjunction with keys.<key-id>.passphrase and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.keys.*.passphrase String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.keys.*.certificate String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.passphrase Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.entityID String Optional Unique ID of the SAML2 entity
    config.links.logout.redirectUrl String Optional Logout redirect url
    config.links.homeRedirect String Optional Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Optional Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Optional Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array Optional List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Optional Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Optional Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Optional Where users are directed upon clicking the password reset link
    config.prompts[] Array Optional List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Optional Name of field
    config.prompts[].type String Optional What kind of field this is (e.g. text or password)
    config.prompts[].text String Optional Actual text displayed on prompt for field
    config.idpDiscoveryEnabled Boolean Optional IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean Optional This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Optional Issuer of this zone. Must be a valid URL.
    config.defaultIdentityProvider String Optional This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint.
    config.branding.companyName String Optional This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String Optional This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String Optional This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String Optional This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String Optional These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String Optional This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String Optional This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String Optional The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Optional Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Optional Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String Optional. Must be set if configuring consent. If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String Optional. Can be null if configuring consent. If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Optional Default groups each user in the zone inherits.
    config.mfaConfig.enabled Boolean Optional Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false
    config.mfaConfig.providerName String Required when config.mfaConfig.enabled is true The unique name of the MFA provider to use for this zone.
    config.mfaConfig.identityProviders Array Optional Only trigger MFA when user is using an identity provider whose origin key matches one of these values

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    active Boolean Indicates whether the identity zone is active. Defaults to true.
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.defaultIdentityProvider String This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint.
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Issuer of this zone. Must be a valid URL.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.
    config.mfaConfig.enabled Boolean Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false
    config.mfaConfig.providerName String The unique name of the MFA provider to use for this zone.
    config.mfaConfig.identityProviders Array Only trigger MFA when user is using an identity provider whose origin key matches one of these values

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (Zones can only be created by being authenticated in the default zone.)
    422 Unprocessable Entity - Invalid zone details

    Sequential example of creating a zone and creating an admin client in that zone:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.testzone1.admin,zones.write"
    
    uaac token client get admin -s adminsecret
    
    uaac -t curl -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones
    
    uaac -t curl -H"X-Identity-Zone-Id:testzone1" -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients
    
    uaac target http://testzone1.localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac token decode
    

    Retrieving an identity zone

    $ curl 'http://localhost/identity-zones/twiglet-get' -i -X GET \
        -H 'Authorization: Bearer e38b9e830a0943508ae7c03bcd2a4368'
    
    GET /identity-zones/twiglet-get HTTP/1.1
    Authorization: Bearer e38b9e830a0943508ae7c03bcd2a4368
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 5211
    
    {
      "id" : "twiglet-get",
      "subdomain" : "twiglet-get",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : "active-key-1"
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1683212242708,
      "active" : true,
      "last_modified" : 1683212242708
    }
    

    Path Parameters

    /identity-zones/{id}

    Parameter Description
    id Unique ID of the identity zone to retrieve

    Request Headers

    Name Description
    Authorization Bearer token containing zones.read or zones.write or uaa.admin. If you use the zone-switching header, bear token containing zones.<zone id>.admin or zones.<zone id>.read can be used.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    active Boolean Indicates whether the identity zone is active. Defaults to true.
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.defaultIdentityProvider String This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint.
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Issuer of this zone. Must be a valid URL.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.
    config.mfaConfig.enabled Boolean Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false
    config.mfaConfig.providerName String The unique name of the MFA provider to use for this zone.
    config.mfaConfig.identityProviders Array Only trigger MFA when user is using an identity provider whose origin key matches one of these values

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope
    404 Not Found - Zone does not exist

    Retrieving all identity zones

    $ curl 'http://localhost/identity-zones' -i -X GET \
        -H 'Authorization: Bearer 0b456c8903494df09775533861c63163'
    
    GET /identity-zones HTTP/1.1
    Authorization: Bearer 0b456c8903494df09775533861c63163
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 15935
    
    [ {
      "id" : "twiglet-get-1",
      "subdomain" : "twiglet-get-1",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : "active-key-1"
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1683212241061,
      "active" : true,
      "last_modified" : 1683212241061
    }, {
      "id" : "twiglet-get-2",
      "subdomain" : "twiglet-get-2",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : "active-key-1"
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1683212241273,
      "active" : true,
      "last_modified" : 1683212241273
    }, {
      "id" : "uaa",
      "subdomain" : "",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : 0,
          "maxLength" : 255,
          "requireUpperCaseCharacter" : 0,
          "requireLowerCaseCharacter" : 0,
          "requireDigit" : 0,
          "requireSpecialCharacter" : 0
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 43200,
          "refreshTokenValidity" : 2592000,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
            }
          },
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code ( Get one at http://localhost:8080/uaa/passcode )"
        } ],
        "idpDiscoveryEnabled" : false,
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "scim.me", "cloud_controller.read", "cloud_controller.write", "cloud_controller_service_permissions.read", "password.write", "scim.userids", "uaa.user", "approvals.me", "oauth.approvals", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        }
      },
      "name" : "uaa",
      "version" : 1,
      "description" : "The system zone for backwards compatibility",
      "created" : 946684800000,
      "active" : true,
      "last_modified" : 1683212240245
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.read or zones.write or uaa.admin. If you use the zone-switching header, bear token containing zones.<zone id>.admin can be used.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    [].id String Unique ID of the identity zone
    [].subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    [].name String Human-readable zone name
    [].description String Description of the zone
    [].version Number Reserved for future use of E-Tag versioning
    [].active Boolean Indicates whether the identity zone is active. Defaults to true.
    [].config.tokenPolicy.activeKeyId Varies The ID for the key that is being used to sign tokens
    [].config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    [].config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    [].config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    [].config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    [].config.tokenPolicy.refreshTokenRotate Boolean If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    [].config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    [].config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    [].config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    [].config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    [].config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
    [].config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    [].config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    [].config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
    [].config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
    [].config.samlConfig.entityID String Unique ID of the SAML2 entity
    [].config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    [].config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    [].config.samlConfig.keys.* Object Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    [].config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    [].config.links.logout.redirectUrl String Logout redirect url
    [].config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    [].config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    [].config.links.logout.disableRedirectParameter Boolean Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    [].config.links.logout.whitelist Array List of allowed whitelist redirects
    [].config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    [].config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    [].config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    [].config.branding.companyName Varies This name is used on the UAA Pages and in account management related communication in UAA
    [].config.branding.productLogo Varies This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    [].config.branding.squareLogo Varies This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    [].config.branding.footerLegalText Varies This text appears on the footer of all UAA pages
    [].config.branding.footerLinks Object These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    [].config.branding.consent.text String If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    [].config.branding.consent.link String If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    [].config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    [].config.prompts[].name String List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    [].config.prompts[].type String What kind of field this is (e.g. text or password)
    [].config.prompts[].text String Actual text displayed on prompt for field
    [].config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    [].config.accountChooserEnabled Boolean This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    [].config.issuer String Issuer of this zone. Must be a valid URL.
    [].config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    [].config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    [].config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    [].config.branding.footerLegalText String This text appears on the footer of all UAA pages
    [].config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    [].config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    [].config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    [].config.branding.banner.link String The UAA login banner will be a link pointing to this url
    [].config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    [].config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    [].config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    [].config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    [].config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    [].config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    [].config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    [].config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    [].config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    [].config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    [].config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    [].config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    [].config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    [].config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    [].config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    [].config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    [].config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    [].config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    [].config.userConfig.defaultGroups Array Default groups each user in the zone inherits.
    [].config.mfaConfig.enabled Boolean Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false
    [].config.mfaConfig.providerName String The unique name of the MFA provider to use for this zone.
    [].config.mfaConfig.identityProviders Array Only trigger MFA when user is using an identity provider whose origin key matches one of these values

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope

    Updating an Identity Zone

    $ curl 'http://localhost/identity-zones/twiglet-update' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 009c5ec5c76747cdaf8f4a69b11f169b' \
        -d '{
      "subdomain" : "twiglet-update",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : "updatedKeyId",
          "keys" : {
            "updatedKeyId" : {
              "signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT",
              "signingCert" : null,
              "signingAlg" : "HS256"
            }
          }
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
          "privateKeyPassword" : "password"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Updated Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but not tastier.",
      "created" : 1683212242390,
      "active" : true,
      "last_modified" : 1683212242390
    }'
    
    PUT /identity-zones/twiglet-update HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 009c5ec5c76747cdaf8f4a69b11f169b
    Content-Length: 6573
    Host: localhost
    
    {
      "subdomain" : "twiglet-update",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : "updatedKeyId",
          "keys" : {
            "updatedKeyId" : {
              "signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT",
              "signingCert" : null,
              "signingAlg" : "HS256"
            }
          }
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
          "privateKeyPassword" : "password"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Updated Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but not tastier.",
      "created" : 1683212242390,
      "active" : true,
      "last_modified" : 1683212242390
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 5282
    
    {
      "id" : "twiglet-update",
      "subdomain" : "twiglet-update",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : "updatedKeyId"
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Updated Twiglet Zone",
      "version" : 1,
      "description" : "Like the Twilight Zone but not tastier.",
      "created" : 1683212242330,
      "active" : true,
      "last_modified" : 1683212242408
    }
    

    Path Parameters

    /identity-zones/{id}

    Parameter Description
    id Unique ID of the identity zone to update

    Request Headers

    Name Description
    Authorization Bearer token containing zones.write or uaa.admin. If you use the zone-switching header, bear token containing zones.<zone id>.admin can be used.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    subdomain String Required Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Required Human-readable zone name
    description String Optional Description of the zone
    version Number Optional Reserved for future use of E-Tag versioning
    active Boolean Optional Indicates whether the identity zone is active. Defaults to true.
    config.tokenPolicy.activeKeyId String Required if config.tokenPolicy.keys are set The ID for the key that is being used to sign tokens
    config.tokenPolicy.keys.*.signingKey String Key to be used for signing Keys which will be used to sign the token. If null value is specified for keys, then existing value will be retained.
    config.tokenPolicy.keys.*.signingAlg String Optional. Can only be used in conjunction with keys.<key-id>.signingKey and keys.<key-id>.signingCert Algorithm parameter according to RFC7518
    config.tokenPolicy.keys.*.signingCert Null Optional. Can only be used in conjunction with keys.<key-id>.signingKey and keys.<key-id>.signingCert PEM encoded X.509 to be used in x5c, e.g. RFC7517
    config.tokenPolicy.accessTokenValidity Number Optional Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Optional Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Optional Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean Optional If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean Optional If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String Optional The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.clientSecretPolicy.minLength Number Required when clientSecretPolicy in the config is not null Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Required when clientSecretPolicy in the config is not null Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Required when clientSecretPolicy in the config is not null Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean Optional If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean Optional If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Optional Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Optional Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean Optional If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number Optional The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Optional Unique ID of the SAML2 entity
    config.samlConfig.certificate String Deprecated Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.privateKey String Deprecated Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.privateKeyPassword String Deprecated Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.activeKeyId String Required if a list of keys defined in keys map The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.key String Optional. Can only be used in conjunction with keys.<key-id>.passphrase and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.keys.*.passphrase String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.keys.*.certificate String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.passphrase Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.links.logout.redirectUrl String Optional Logout redirect url
    config.links.homeRedirect String Optional Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Optional Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Optional Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array Optional List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Optional Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Optional Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Optional Where users are directed upon clicking the password reset link
    config.prompts[] Array Optional List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Optional Name of field
    config.prompts[].type String Optional What kind of field this is (e.g. text or password)
    config.prompts[].text String Optional Actual text displayed on prompt for field
    config.idpDiscoveryEnabled Boolean Optional IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean Optional This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Optional Issuer of this zone. Must be a valid URL.
    config.branding.companyName String Optional This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String Optional This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String Optional This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String Optional This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String Optional These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String Optional This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String Optional This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String Optional The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Optional Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Optional Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String Optional. Must be set if configuring consent. If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String Optional. Can be null if configuring consent. If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Optional Default groups each user in the zone inherits.
    config.mfaConfig.enabled Boolean Optional Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false
    config.mfaConfig.providerName String Required when config.mfaConfig.enabled is true The unique name of the MFA provider to use for this zone.
    config.mfaConfig.identityProviders Array Optional Only trigger MFA when user is using an identity provider whose origin key matches one of these values

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    active Boolean Indicates whether the identity zone is active. Defaults to true.
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.defaultIdentityProvider String This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint.
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Issuer of this zone. Must be a valid URL.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.
    config.mfaConfig.enabled Boolean Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false
    config.mfaConfig.providerName String The unique name of the MFA provider to use for this zone.
    config.mfaConfig.identityProviders Array Only trigger MFA when user is using an identity provider whose origin key matches one of these values

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (zone admins can only update own zone)
    404 Not Found - Update to nonexistent zone
    422 Unprocessable Entity - Invalid zone details

    Deleting an Identity Zone

    $ curl 'http://localhost/identity-zones/twiglet-delete' -i -X DELETE \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 4ef60a14037044b586bcd304a22117e0'
    
    DELETE /identity-zones/twiglet-delete HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 4ef60a14037044b586bcd304a22117e0
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 5217
    
    {
      "id" : "twiglet-delete",
      "subdomain" : "twiglet-delete",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "jwt",
          "activeKeyId" : "active-key-1"
        },
        "samlConfig" : {
          "assertionSigned" : true,
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "wantAuthnRequestSigned" : false,
          "assertionTimeToLiveSeconds" : 600,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ]
        },
        "mfaConfig" : {
          "enabled" : false,
          "identityProviders" : [ "uaa", "ldap" ]
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1683212241959,
      "active" : true,
      "last_modified" : 1683212241959
    }
    

    Path Parameters

    /identity-zones/{id}

    Parameter Description
    id Unique ID of the identity zone to delete

    Request Headers

    Name Description
    Authorization Bearer token containing zones.write or uaa.admin. If you use the zone-switching header, bear token containing zones.<zone id>.admin can be used.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    active Boolean Indicates whether the identity zone is active. Defaults to true.
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when a access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to jwt.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.assertionSigned Boolean If true, the SAML provider will sign all assertions
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.wantAuthnRequestSigned Boolean If true, the authentication request from the partner service provider must be signed.
    config.samlConfig.assertionTimeToLiveSeconds Number The lifetime of a SAML assertion in seconds. Defaults to 600.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.defaultIdentityProvider String This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint.
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Issuer of this zone. Must be a valid URL.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials..
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.
    config.mfaConfig.enabled Boolean Set true to enable Multi-factor Authentication (MFA) for the current zone. Defaults to false
    config.mfaConfig.providerName String The unique name of the MFA provider to use for this zone.
    config.mfaConfig.identityProviders Array Only trigger MFA when user is using an identity provider whose origin key matches one of these values

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (zone admins can only delete their own zone)
    404 Not Found - Zone does not exist

    Identity Providers

    Create

    SAML

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 00c36e4ee3774cf0bbacb7a7d0146700' \
        -d '{
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAML",
      "name" : "SAML name",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 00c36e4ee3774cf0bbacb7a7d0146700
    Content-Length: 2990
    Host: localhost
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAML",
      "name" : "SAML name",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 3239
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
        "idpEntityAlias" : "SAML",
        "zoneId" : "uaa",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "id" : "b8895225-d486-44f7-83df-549db37b02f4",
      "originKey" : "SAML",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1683212153216,
      "last_modified" : 1683212153216,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    
    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 00c36e4ee3774cf0bbacb7a7d0146700' \
        -d '{
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"http://example.com/saml2/idp/metadata.php\" ID=\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Signature>\n  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n    <ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n  <ds:Reference URI=\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\n  <md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <md:KeyDescriptor use=\"signing\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:KeyDescriptor use=\"encryption\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SingleLogoutService.php\"/>\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SSOService.php\"/>\n  </md:IDPSSODescriptor>\n  <md:ContactPerson contactType=\"technical\">\n    <md:GivenName>Filip</md:GivenName>\n    <md:SurName>Hanik</md:SurName>\n    <md:EmailAddress>fhanik@pivotal.io</md:EmailAddress>\n  </md:ContactPerson>\n</md:EntityDescriptor>\n",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 00c36e4ee3774cf0bbacb7a7d0146700
    Content-Length: 7617
    Host: localhost
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"http://example.com/saml2/idp/metadata.php\" ID=\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Signature>\n  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n    <ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n  <ds:Reference URI=\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\n  <md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <md:KeyDescriptor use=\"signing\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:KeyDescriptor use=\"encryption\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SingleLogoutService.php\"/>\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SSOService.php\"/>\n  </md:IDPSSODescriptor>\n  <md:ContactPerson contactType=\"technical\">\n    <md:GivenName>Filip</md:GivenName>\n    <md:SurName>Hanik</md:SurName>\n    <md:EmailAddress>fhanik@pivotal.io</md:EmailAddress>\n  </md:ContactPerson>\n</md:EntityDescriptor>\n",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 7877
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"http://example.com/saml2/idp/metadata.php\" ID=\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Signature>\n  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n    <ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n  <ds:Reference URI=\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\n  <md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <md:KeyDescriptor use=\"signing\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:KeyDescriptor use=\"encryption\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SingleLogoutService.php\"/>\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SSOService.php\"/>\n  </md:IDPSSODescriptor>\n  <md:ContactPerson contactType=\"technical\">\n    <md:GivenName>Filip</md:GivenName>\n    <md:SurName>Hanik</md:SurName>\n    <md:EmailAddress>fhanik@pivotal.io</md:EmailAddress>\n  </md:ContactPerson>\n</md:EntityDescriptor>\n",
        "idpEntityAlias" : "SAMLMetadataUrl",
        "zoneId" : "uaa",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "id" : "e5624f7c-2056-4135-8809-49f42ee6fe52",
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1683212153642,
      "last_modified" : 1683212153642,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required saml
    originKey String Required A unique alias for the SAML provider
    config.skipSslValidation Boolean Optional (defaults to false) Set to true, to skip SSL validation when fetching metadata.
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    config.metaDataLocation String Required SAML Metadata - either an XML string or a URL that will deliver XML content
    config.nameID String Optional The name ID to use for the username, default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
    config.assertionConsumerIndex Number Optional SAML assertion consumer index, default is 0
    config.metadataTrustCheck Boolean Optional Should metadata be validated, defaults to false
    config.showSamlLink Boolean Optional Should the SAML login link be displayed on the login page, defaults to false
    config.linkText String Required if the showSamlLink is set to true The link text for the SAML IDP on the login page
    config.groupMappingMode String Optional (defaults to "EXPLICITLY_MAPPED") Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes.
    config.iconUrl String Optional Reserved for future use
    config.socketFactoryClassName Null Optional Property is deprecated and value is ignored.
    config.authnContext Array Optional List of AuthnContextClassRef to include in the SAMLRequest. If not specified no AuthnContext will be requested.
    config.attributeMappings.user_name String Optional (defaults to "NameID") Map user_name to the attribute for user name in the provider assertion or token. The default for SAML is NameID.
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider
    config.providerDescription String Human readable name/description of this provider
    config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Defaults to true.
    config.addShadowUserOnLogin Boolean Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String saml
    originKey String A unique alias for the SAML provider
    config.skipSslValidation Boolean Set to true, to skip SSL validation when fetching metadata.
    config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    config.metaDataLocation String SAML Metadata - either an XML string or a URL that will deliver XML content
    config.nameID String The name ID to use for the username, default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
    config.assertionConsumerIndex Number SAML assertion consumer index, default is 0
    config.metadataTrustCheck Boolean Should metadata be validated, defaults to false
    config.showSamlLink Boolean Should the SAML login link be displayed on the login page, defaults to false
    config.linkText String The link text for the SAML IDP on the login page
    config.groupMappingMode String Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes.
    config.iconUrl String Reserved for future use
    config.socketFactoryClassName Null Property is deprecated and value is ignored.
    config.authnContext Array List of AuthnContextClassRef to include in the SAMLRequest. If not specified no AuthnContext will be requested.
    config.attributeMappings.user_name String Map user_name to the attribute for user name in the provider assertion or token. The default for SAML is NameID.
    config.attributeMappings Object Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    id String Unique identifier for this provider - GUID generated by the UAA
    config.additionalConfiguration Object (Unused.)
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    created Number UAA sets the creation date
    last_modified Number UAA sets the modification date
    config.idpEntityAlias String This will be set to originKey
    config.zoneId String This will be set to the ID of the zone where the provider is being created

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    LDAP

    LDAP supports several different configurations. The most common one is that authentication is done using a search and bind strategy. The available strategies for authentication are

    Group integration also supports different strategies

    LDAP Simple Bind

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'X-Identity-Zone-Subdomain: 9wtcypch' \
        -H 'Authorization: Bearer 06e1a3bb9c774cd89e13d7fc3d22f09f' \
        -d '{
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
        "userDNPatternDelimiter" : ";",
        "bindUserDn" : null,
        "userSearchBase" : null,
        "userSearchFilter" : null,
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-null.xml",
        "groupSearchBase" : null,
        "groupSearchFilter" : null,
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 10,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    X-Identity-Zone-Subdomain: 9wtcypch
    Authorization: Bearer 06e1a3bb9c774cd89e13d7fc3d22f09f
    Content-Length: 1201
    Host: localhost
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
        "userDNPatternDelimiter" : ";",
        "bindUserDn" : null,
        "userSearchBase" : null,
        "userSearchFilter" : null,
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-null.xml",
        "groupSearchBase" : null,
        "groupSearchFilter" : null,
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 10,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1402
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
        "userDNPatternDelimiter" : ";",
        "bindUserDn" : null,
        "userSearchBase" : null,
        "userSearchFilter" : null,
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-null.xml",
        "groupSearchBase" : null,
        "groupSearchFilter" : null,
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 10,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "id" : "a075955c-2138-4e13-ad68-3917f368550a",
      "originKey" : "ldap",
      "name" : "ldap name",
      "version" : 0,
      "created" : 1683212161099,
      "last_modified" : 1683212161099,
      "active" : true,
      "identityZoneId" : "9wtcypch"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.

    Error Codes

    Error Code Description
    401 Unauthorized - Missing or invalid token
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    LDAP Search and Bind

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'X-Identity-Zone-Subdomain: wsc1jehh' \
        -H 'Authorization: Bearer 53e5c18c9f344381a113edd13f827b63' \
        -d '{
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : "{0}@my.org",
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    X-Identity-Zone-Subdomain: wsc1jehh
    Authorization: Bearer 53e5c18c9f344381a113edd13f827b63
    Content-Length: 1306
    Host: localhost
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : "{0}@my.org",
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1471
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : "{0}@my.org",
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "id" : "6d929455-ac0b-452b-a6dd-a856dd80699e",
      "originKey" : "ldap",
      "name" : "ldap name",
      "version" : 0,
      "created" : 1683212154344,
      "last_modified" : 1683212154344,
      "active" : true,
      "identityZoneId" : "wsc1jehh"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.

    Error Codes

    Error Code Description
    401 Unauthorized - Missing or invalid token
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    LDAP Search and Compare

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'X-Identity-Zone-Subdomain: jk4cubrh' \
        -H 'Authorization: Bearer 605e4085076c4a78886a91da5e6b634f' \
        -d '{
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : "userPassword",
        "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
        "localPasswordCompare" : true,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : "description",
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    X-Identity-Zone-Subdomain: jk4cubrh
    Authorization: Bearer 605e4085076c4a78886a91da5e6b634f
    Content-Length: 1383
    Host: localhost
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : "userPassword",
        "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
        "localPasswordCompare" : true,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : "description",
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1548
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : "userPassword",
        "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
        "localPasswordCompare" : true,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : "description",
        "tlsConfiguration" : "none"
      },
      "id" : "a13927fa-6656-4849-8cca-9f9677502408",
      "originKey" : "ldap",
      "name" : "ldap name",
      "version" : 0,
      "created" : 1683212157710,
      "last_modified" : 1683212157710,
      "active" : true,
      "identityZoneId" : "jk4cubrh"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.

    Error Codes

    Error Code Description
    401 Unauthorized - Missing or invalid token
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    OAuth/OIDC

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 921442e305f2440db5c154dd374f17b7' \
        -d '{
      "type" : "oauth2.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : "http://auth.url",
        "tokenUrl" : "http://token.url",
        "tokenKeyUrl" : null,
        "tokenKey" : "token-key",
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : false,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username"
      },
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 921442e305f2440db5c154dd374f17b7
    Content-Length: 1039
    Host: localhost
    
    {
      "type" : "oauth2.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : "http://auth.url",
        "tokenUrl" : "http://token.url",
        "tokenKeyUrl" : null,
        "tokenKey" : "token-key",
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : false,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username"
      },
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1263
    
    {
      "type" : "oauth2.0",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : "http://auth.url",
        "tokenUrl" : "http://token.url",
        "tokenKeyUrl" : null,
        "tokenKey" : "token-key",
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : false,
        "relyingPartyId" : "uaa",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username",
        "checkTokenUrl" : null
      },
      "id" : "94869ae7-910a-4922-bcf3-eeff398f3e39",
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1683212156659,
      "last_modified" : 1683212156659,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oauth2.0"
    originKey String Required A unique alias for a OAuth provider
    config.authUrl String Required The OAuth 2.0 authorization endpoint URL
    config.tokenUrl String Required The OAuth 2.0 token endpoint URL
    config.tokenKeyUrl String Optional The URL of the token key endpoint which renders a verification key for validating token signatures
    config.tokenKey String Optional A verification key for validating token signatures, set to null if a tokenKeyUrl is provided.
    config.userInfoUrl String Optional A URL for fetching user info attributes when queried with the obtained token authorization.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth provider
    config.checkTokenUrl Object Optional Reserved for future OAuth use.
    config.logoutUrl Object Optional OAuth 2.0 logout endpoint.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, will be sent to OAuth server, defaults to code
    config.clientAuthInBody Boolean Optional (defaults to false) Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header.
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.userPropagationParameter String Optional (defaults to "username") Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser
    config.attributeMappings.user_name String Optional (defaults to "sub") Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub
    config.groupMappingMode String Optional (defaults to "EXPLICITLY_MAPPED") Either EXPLICITLY_MAPPED in order to map external claim values to OAuth scopes using the group mappings, or AS_SCOPES to use claim values names as scopes. You need to define also external_groups for the mapping in order to use this feature.
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    config.relyingPartySecret String Deprecated. It is required if the external IdP does not support private_key_jwt. The client secret of the relying party at the external OAuth provider. If not set and jwtClientAuthentication is not set, then the external OAuth client is treated as public client and the flow is protected with PKCE using code challenge method S256. It is recommended to set jwtClientAuthentication:true instead.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oauth2.0"
    originKey String Required A unique alias for a OAuth provider
    config.authUrl String Required The OAuth 2.0 authorization endpoint URL
    config.tokenUrl String Required The OAuth 2.0 token endpoint URL
    config.tokenKeyUrl String Optional The URL of the token key endpoint which renders a verification key for validating token signatures
    config.tokenKey String Optional A verification key for validating token signatures, set to null if a tokenKeyUrl is provided.
    config.userInfoUrl String Optional A URL for fetching user info attributes when queried with the obtained token authorization.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth provider
    config.checkTokenUrl Object Optional Reserved for future OAuth use.
    config.logoutUrl Object Optional OAuth 2.0 logout endpoint.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, will be sent to OAuth server, defaults to code
    config.clientAuthInBody Boolean Optional (defaults to false) Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header.
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.userPropagationParameter String Optional (defaults to "username") Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser
    config.attributeMappings.user_name String Optional (defaults to "sub") Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub
    config.groupMappingMode String Optional (defaults to "EXPLICITLY_MAPPED") Either EXPLICITLY_MAPPED in order to map external claim values to OAuth scopes using the group mappings, or AS_SCOPES to use claim values names as scopes. You need to define also external_groups for the mapping in order to use this feature.
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    config.relyingPartySecret String Deprecated. It is required if the external IdP does not support private_key_jwt. The client secret of the relying party at the external OAuth provider. If not set and jwtClientAuthentication is not set, then the external OAuth client is treated as public client and the flow is protected with PKCE using code challenge method S256. It is recommended to set jwtClientAuthentication:true instead.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error
    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 15aee654fd3c4c07b6c756d026007b3f' \
        -d '{
      "type" : "oidc1.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ "uaa.user" ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : null,
        "tokenUrl" : null,
        "tokenKeyUrl" : null,
        "tokenKey" : null,
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : true,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username",
        "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration",
        "passwordGrantEnabled" : false,
        "setForwardHeader" : false,
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ]
      },
      "originKey" : "my-oidc-provider-t26xks",
      "name" : "UAA Provider",
      "active" : true
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 15aee654fd3c4c07b6c756d026007b3f
    Content-Length: 1532
    Host: localhost
    
    {
      "type" : "oidc1.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ "uaa.user" ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : null,
        "tokenUrl" : null,
        "tokenKeyUrl" : null,
        "tokenKey" : null,
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : true,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username",
        "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration",
        "passwordGrantEnabled" : false,
        "setForwardHeader" : false,
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ]
      },
      "originKey" : "my-oidc-provider-t26xks",
      "name" : "UAA Provider",
      "active" : true
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1691
    
    {
      "type" : "oidc1.0",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ "uaa.user" ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : null,
        "tokenUrl" : null,
        "tokenKeyUrl" : null,
        "tokenKey" : null,
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : true,
        "relyingPartyId" : "uaa",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username",
        "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration",
        "passwordGrantEnabled" : false,
        "setForwardHeader" : false,
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ]
      },
      "id" : "70618e49-46b3-4475-b642-8ca957e35e67",
      "originKey" : "my-oidc-provider-t26xks",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1683212156848,
      "last_modified" : 1683212156848,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oidc1.0"
    originKey String Required A unique alias for the OIDC 1.0 provider
    config.discoveryUrl String Optional The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configurationmit
    config.authUrl String Required unless discoveryUrl is set. The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenUrl String Required unless discoveryUrl is set. The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenKeyUrl String Required unless discoveryUrl is set. The URL of the token key endpoint which renders a verification key for validating token signatures. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenKey String Required unless discoveryUrl is set. A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth/OpenID provider. For example, can provide openid, roles, or profile to request ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively.
    config.checkTokenUrl Object Optional Reserved for future OAuth/OIDC use.
    config.clientAuthInBody Boolean Optional (defaults to false) Only effective if relyingPartySecret is defined. Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. It is recommended to set jwtClientAuthentication:true instead.
    config.userInfoUrl Object Optional Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.logoutUrl Object Optional OIDC logout endpoint. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect.
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.userPropagationParameter String Optional (defaults to "username") Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser
    config.externalGroupsWhitelist Array Optional JSON Array containing the groups names which need to be populated in the user's id_token or response from /userinfo endpoint. If you don't specify the whitelist no groups will be populated in the id_token or /userinfo response.
    Please note that regex is allowed. Acceptable patterns are
    • * translates to all groups
    • *pattern* Contains pattern
    • pattern* Starts with pattern
    • *pattern Ends with pattern
    config.passwordGrantEnabled Boolean Optional (defaults to false) Enable Resource Owner Password Grant flow for this identity provider.
    config.setForwardHeader Boolean Optional (defaults to false) Only effective if Password Grant enabled. Set X-Forward-For header in Password Grant request to this identity provider.
    config.jwtClientAuthentication Object Optional UAA 76.5.0 Only effective if relyingPartySecret is not set or null. Creates private_key_jwt client authentication according to OIDC or OAuth2 (RFC 7523) standard. For OIDC, set true. For OAuth2, define custom elements iss and aud.
    config.attributeMappings.user_name String Optional (defaults to "sub") Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub.
    config.prompts[] Array Optional List of fields that users are prompted on to the OIDC provider through the password grant flow. Defaults to username, password, and passcode. Any additional prompts beyond username, password, and passcode will be forwarded on to the OIDC provider.
    config.prompts[].name String Optional Name of field
    config.prompts[].type String Optional What kind of field this is (e.g. text or password)
    config.prompts[].text String Optional Actual text displayed on prompt for field
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    config.relyingPartySecret String Deprecated. It is required if the external IdP does not support private_key_jwt. The client secret of the relying party at the external OAuth provider. If not set and jwtClientAuthentication is not set, then the external OAuth client is treated as public client and the flow is protected with PKCE using code challenge method S256. It is recommended to set jwtClientAuthentication:true instead.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oidc1.0"
    originKey String Required A unique alias for the OIDC 1.0 provider
    config.discoveryUrl String Optional The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configurationmit
    config.authUrl String Required unless discoveryUrl is set. The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenUrl String Required unless discoveryUrl is set. The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenKeyUrl String Required unless discoveryUrl is set. The URL of the token key endpoint which renders a verification key for validating token signatures. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenKey String Required unless discoveryUrl is set. A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth/OpenID provider. For example, can provide openid, roles, or profile to request ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively.
    config.checkTokenUrl Object Optional Reserved for future OAuth/OIDC use.
    config.clientAuthInBody Boolean Optional (defaults to false) Only effective if relyingPartySecret is defined. Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. It is recommended to set jwtClientAuthentication:true instead.
    config.userInfoUrl Object Optional Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.logoutUrl Object Optional OIDC logout endpoint. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect.
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.userPropagationParameter String Optional (defaults to "username") Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser
    config.externalGroupsWhitelist Array Optional JSON Array containing the groups names which need to be populated in the user's id_token or response from /userinfo endpoint. If you don't specify the whitelist no groups will be populated in the id_token or /userinfo response.
    Please note that regex is allowed. Acceptable patterns are
    • * translates to all groups
    • *pattern* Contains pattern
    • pattern* Starts with pattern
    • *pattern Ends with pattern
    config.passwordGrantEnabled Boolean Optional (defaults to false) Enable Resource Owner Password Grant flow for this identity provider.
    config.setForwardHeader Boolean Optional (defaults to false) Only effective if Password Grant enabled. Set X-Forward-For header in Password Grant request to this identity provider.
    config.jwtClientAuthentication Object Optional UAA 76.5.0 Only effective if relyingPartySecret is not set or null. Creates private_key_jwt client authentication according to OIDC or OAuth2 (RFC 7523) standard. For OIDC, set true. For OAuth2, define custom elements iss and aud.
    config.attributeMappings.user_name String Optional (defaults to "sub") Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub.
    config.prompts[] Array Optional List of fields that users are prompted on to the OIDC provider through the password grant flow. Defaults to username, password, and passcode. Any additional prompts beyond username, password, and passcode will be forwarded on to the OIDC provider.
    config.prompts[].name String Optional Name of field
    config.prompts[].type String Optional What kind of field this is (e.g. text or password)
    config.prompts[].text String Optional Actual text displayed on prompt for field
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    config.relyingPartySecret String Deprecated. It is required if the external IdP does not support private_key_jwt. The client secret of the relying party at the external OAuth provider. If not set and jwtClientAuthentication is not set, then the external OAuth client is treated as public client and the flow is protected with PKCE using code challenge method S256. It is recommended to set jwtClientAuthentication:true instead.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    Retrieve All

    $ curl 'http://localhost/identity-providers?rawConfig=false' -i -X GET \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 52abcb0c31f0414ab340d5f8dcba194b'
    
    GET /identity-providers?rawConfig=false HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 52abcb0c31f0414ab340d5f8dcba194b
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 15684
    
    [ {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/SAML\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"SAML\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:SAML\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "b8895225-d486-44f7-83df-549db37b02f4",
      "originKey" : "SAML",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1683212153216,
      "last_modified" : 1683212153216,
      "active" : true,
      "identityZoneId" : "uaa"
    }, {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\"?>\\n<md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\" entityID=\\\"http://example.com/saml2/idp/metadata.php\\\" ID=\\\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\\\"><ds:Signature>\\n  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/>\\n    <ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\\\"/>\\n  <ds:Reference URI=\\\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2001/04/xmlenc#sha256\\\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\\n  <md:IDPSSODescriptor protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\">\\n    <md:KeyDescriptor use=\\\"signing\\\">\\n      <ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\">\\n        <ds:X509Data>\\n          <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\\n        </ds:X509Data>\\n      </ds:KeyInfo>\\n    </md:KeyDescriptor>\\n    <md:KeyDescriptor use=\\\"encryption\\\">\\n      <ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\">\\n        <ds:X509Data>\\n          <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\\n        </ds:X509Data>\\n      </ds:KeyInfo>\\n    </md:KeyDescriptor>\\n    <md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://example.com/saml2/idp/SingleLogoutService.php\\\"/>\\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\\n    <md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://example.com/saml2/idp/SSOService.php\\\"/>\\n  </md:IDPSSODescriptor>\\n  <md:ContactPerson contactType=\\\"technical\\\">\\n    <md:GivenName>Filip</md:GivenName>\\n    <md:SurName>Hanik</md:SurName>\\n    <md:EmailAddress>fhanik@pivotal.io</md:EmailAddress>\\n  </md:ContactPerson>\\n</md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"SAMLMetadataUrl\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:transient\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:SAML\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "e5624f7c-2056-4135-8809-49f42ee6fe52",
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1683212153642,
      "last_modified" : 1683212153642,
      "active" : true,
      "identityZoneId" : "uaa"
    }, {
      "type" : "keystone",
      "config" : "null",
      "id" : "903e3426-7675-4e19-bda6-b3c3d19af105",
      "originKey" : "keystone",
      "name" : "keystone",
      "version" : 0,
      "created" : 946684800000,
      "last_modified" : 946684800000,
      "active" : true,
      "identityZoneId" : "uaa"
    }, {
      "type" : "ldap",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"ldapProfileFile\":\"ldap/ldap-search-and-bind.xml\",\"baseUrl\":\"ldap://localhost:389/\",\"referral\":null,\"skipSSLVerification\":false,\"userDNPattern\":null,\"userDNPatternDelimiter\":null,\"bindUserDn\":\"cn=admin,dc=test,dc=com\",\"userSearchBase\":\"dc=test,dc=com\",\"userSearchFilter\":\"cn={0}\",\"passwordAttributeName\":null,\"passwordEncoder\":null,\"localPasswordCompare\":null,\"mailAttributeName\":\"mail\",\"mailSubstitute\":null,\"mailSubstituteOverridesLdap\":false,\"ldapGroupFile\":null,\"groupSearchBase\":null,\"groupSearchFilter\":null,\"groupsIgnorePartialResults\":null,\"autoAddGroups\":true,\"groupSearchSubTree\":true,\"maxGroupSearchDepth\":10,\"groupRoleAttribute\":null,\"tlsConfiguration\":\"none\"}",
      "id" : "8686bd74-04bf-4bc8-9e94-036a73c3a7c5",
      "originKey" : "ldap",
      "name" : "UAA LDAP Provider",
      "version" : 1,
      "created" : 946684800000,
      "last_modified" : 1683212148243,
      "active" : false,
      "identityZoneId" : "uaa"
    }, {
      "type" : "login-server",
      "config" : "null",
      "id" : "1ffa9c49-221b-4b60-97e7-47838b1b3c33",
      "originKey" : "login-server",
      "name" : "login-server",
      "version" : 0,
      "created" : 946684800000,
      "last_modified" : 946684800000,
      "active" : true,
      "identityZoneId" : "uaa"
    }, {
      "type" : "oauth2.0",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":\"http://auth.url\",\"tokenUrl\":\"http://token.url\",\"tokenKeyUrl\":null,\"tokenKey\":\"token-key\",\"userInfoUrl\":null,\"logoutUrl\":null,\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":false,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"userPropagationParameter\":\"username\",\"checkTokenUrl\":null}",
      "id" : "94869ae7-910a-4922-bcf3-eeff398f3e39",
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1683212156659,
      "last_modified" : 1683212156659,
      "active" : true,
      "identityZoneId" : "uaa"
    }, {
      "type" : "oidc1.0",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[\"uaa.user\"],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":null,\"tokenUrl\":null,\"tokenKeyUrl\":null,\"tokenKey\":null,\"userInfoUrl\":null,\"logoutUrl\":null,\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":true,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"userPropagationParameter\":\"username\",\"discoveryUrl\":\"https://accounts.google.com/.well-known/openid-configuration\",\"passwordGrantEnabled\":false,\"setForwardHeader\":false,\"prompts\":[{\"name\":\"username\",\"type\":\"text\",\"text\":\"Email\"},{\"name\":\"password\",\"type\":\"password\",\"text\":\"Password\"},{\"name\":\"passcode\",\"type\":\"password\",\"text\":\"Temporary Authentication Code (Get on at /passcode)\"}]}",
      "id" : "70618e49-46b3-4475-b642-8ca957e35e67",
      "originKey" : "my-oidc-provider-t26xks",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1683212156848,
      "last_modified" : 1683212156848,
      "active" : true,
      "identityZoneId" : "uaa"
    }, {
      "type" : "uaa",
      "config" : "null",
      "id" : "0f0a4b99-eea5-4398-aad8-56e7264f3640",
      "originKey" : "uaa",
      "name" : "uaa",
      "version" : 3,
      "created" : 946684800000,
      "last_modified" : 1683212157163,
      "active" : true,
      "identityZoneId" : "uaa"
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Response Fields

    Path Type Description
    [].type String Type of the identity provider.
    [].originKey String Unique identifier for the identity provider.
    [].name String Human-readable name for this provider
    [].config String Json config for the Identity Provider
    [].version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    [].active Boolean Defaults to true.
    [].id String Unique identifier for this provider - GUID generated by the UAA
    [].identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    [].created Number UAA sets the creation date
    [].last_modified Number UAA sets the modification date

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Retrieve

    $ curl 'http://localhost/identity-providers/fb2cc2eb-f4c2-4051-87ec-d67c59ecfd01?rawConfig=false' -i -X GET \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 7b2dae3435c148d7a161df47ed729872'
    
    GET /identity-providers/fb2cc2eb-f4c2-4051-87ec-d67c59ecfd01?rawConfig=false HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 7b2dae3435c148d7a161df47ed729872
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 3207
    
    {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/saml-for-get\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"saml-for-get\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:saml-for-get\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "fb2cc2eb-f4c2-4051-87ec-d67c59ecfd01",
      "originKey" : "saml-for-get",
      "name" : "saml-for-get name",
      "version" : 0,
      "created" : 1683212156407,
      "last_modified" : 1683212156407,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Path Parameters

    /identity-providers/{id}

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider
    config.providerDescription String Human readable name/description of this provider
    config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Defaults to true.
    config.addShadowUserOnLogin Boolean Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Type of the identity provider.
    originKey String Unique identifier for the identity provider.
    config String Various configuration properties for the identity provider.
    config.additionalConfiguration Object (Unused.)
    version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    id String Unique identifier for this provider - GUID generated by the UAA
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    created Number UAA sets the creation date
    last_modified Number UAA sets the modification date

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Update

    $ curl 'http://localhost/identity-providers/0f0a4b99-eea5-4398-aad8-56e7264f3640?rawConfig=true' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer c9594cc00bfe4fbead9cc5d16bf56ccd' \
        -d '{"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true}'
    
    PUT /identity-providers/0f0a4b99-eea5-4398-aad8-56e7264f3640?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer c9594cc00bfe4fbead9cc5d16bf56ccd
    Content-Length: 280
    Host: localhost
    
    {"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true}
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 559
    
    {
      "type" : "uaa",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "passwordPolicy" : null,
        "lockoutPolicy" : {
          "lockoutPeriodSeconds" : 8,
          "lockoutAfterFailures" : 8,
          "countFailuresWithin" : 8
        },
        "disableInternalUserManagement" : false
      },
      "id" : "0f0a4b99-eea5-4398-aad8-56e7264f3640",
      "originKey" : "uaa",
      "name" : "uaa",
      "version" : 4,
      "created" : 946684800000,
      "last_modified" : 1683212159633,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Path Parameters

    /identity-providers/{id}

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request and Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required uaa
    originKey String Required A unique identifier for the IDP. Cannot be updated.
    version Number Required Version of the identity provider data. Clients can use this to protect against conflicting updates
    config.passwordPolicy.minLength Number Required when passwordPolicy in the config is not null Minimum number of characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.maxLength Number Required when passwordPolicy in the config is not null Maximum number of characters required for password to be considered valid (defaults to 255).
    config.passwordPolicy.requireUpperCaseCharacter Number Required when passwordPolicy in the config is not null Minimum number of uppercase characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.requireLowerCaseCharacter Number Required when passwordPolicy in the config is not null Minimum number of lowercase characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.requireDigit Number Required when passwordPolicy in the config is not null Minimum number of digits required for password to be considered valid (defaults to 0).
    config.passwordPolicy.requireSpecialCharacter Number Required when passwordPolicy in the config is not null Minimum number of special characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.expirePasswordInMonths Number Required when passwordPolicy in the config is not null Number of months after which current password expires (defaults to 0).
    config.passwordPolicy.passwordNewerThan Number Required when passwordPolicy in the config is not null This timestamp value can be used to force change password for every user. If the user's passwordLastModified is older than this value, the password is expired (defaults to null).
    config.lockoutPolicy.lockoutPeriodSeconds Number Required when LockoutPolicy in the config is not null Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked (defaults to 3600).
    config.lockoutPolicy.lockoutAfterFailures Number Required when LockoutPolicy in the config is not null Number of allowed failures before account is locked (defaults to 5).
    config.lockoutPolicy.countFailuresWithin Number Required when LockoutPolicy in the config is not null Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded (defaults to 300).
    config.disableInternalUserManagement Boolean Optional When set to true, user management is disabled for this provider, defaults to false

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity - Invalid config

    Delete

    $ curl 'http://localhost/identity-providers/aa14cf3d-bf10-47f1-9df6-5bc8948545c3?rawConfig=false' -i -X DELETE \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 5a2ab0cb8de74fa1b9ba3737916ad4ce'
    
    DELETE /identity-providers/aa14cf3d-bf10-47f1-9df6-5bc8948545c3?rawConfig=false HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 5a2ab0cb8de74fa1b9ba3737916ad4ce
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 3222
    
    {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/saml-for-delete\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"saml-for-delete\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:saml-for-delete\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "aa14cf3d-bf10-47f1-9df6-5bc8948545c3",
      "originKey" : "saml-for-delete",
      "name" : "saml-for-delete name",
      "version" : 0,
      "created" : 1683212159286,
      "last_modified" : 1683212159286,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Path Parameters

    /identity-providers/{id}

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider
    config.providerDescription String Human readable name/description of this provider
    config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Defaults to true.
    config.addShadowUserOnLogin Boolean Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Type of the identity provider.
    originKey String Unique identifier for the identity provider.
    config String Various configuration properties for the identity provider.
    config.additionalConfiguration Object (Unused.)
    version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    id String Unique identifier for this provider - GUID generated by the UAA
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    created Number UAA sets the creation date
    last_modified Number UAA sets the modification date

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity

    Force password change for Users

    $ curl 'http://localhost/identity-providers/0f0a4b99-eea5-4398-aad8-56e7264f3640/status' -i -X PATCH \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer e8855557ecd14102bc3e87dd4782f13d' \
        -d '{"requirePasswordChange":true}'
    
    PATCH /identity-providers/0f0a4b99-eea5-4398-aad8-56e7264f3640/status HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer e8855557ecd14102bc3e87dd4782f13d
    Content-Length: 30
    Host: localhost
    
    {"requirePasswordChange":true}
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 36
    
    {
      "requirePasswordChange" : true
    }
    

    Path Parameters

    /identity-providers/{id}/status

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request and Response Fields

    Path Type Constraints Description
    requirePasswordChange Boolean Required Set to true in order to force password change for all users. The passwordNewerThan property in PasswordPolicy of the IdentityProvider will be updated with current system time. If the user's passwordLastModified is older than this value, the password is expired.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity - Invalid config

    Service Providers

    UAA is capable of acting as a SAML Identity Provider (IdP). When UAA receives a SAML authentication request from a recognized SAML Service Provider (SP), UAA will authenticate the user then send a SAML authentication response back to the SAML SP. If UAA succesfully authenticated the user the SAML authentication response will contain a SAML assertion as per specification.

    Obtaining the UAA SAML IdP metadata:

    In order to establish trust, a SAML IdP and SAML SP exchange SAML metadata which contains pulbic certificates as well as the endpoints used to communicate amongst each other. Your SAML SP will likely require the UAA SAML IdP metadata in order to make authentication requests to UAA. You can obtain this metadata by making a GET request to the /saml/idp/metadata endpoint.

    GET http://localhost:8080/uaa/saml/idp/metadata

    Initiate IDP Login Flow

    When the UAA is an IdP, you can initiate the login flow to the Service Provider, SP, by using the initiate endpoint This is a browser flow.

    $ curl 'http://a54xg8s6tiamgyfdn5lgwteh.localhost/saml/idp/initiate?sp=889W4pzCXo.cloudfoundry-saml-login' -i -X GET
    
    GET /saml/idp/initiate?sp=889W4pzCXo.cloudfoundry-saml-login HTTP/1.1
    Host: a54xg8s6tiamgyfdn5lgwteh.localhost
    
    
    
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
        <head>
        </head>
        <body onload="document.forms[0].submit()">
            <noscript>
                <p>
                    <strong>Note:</strong> Since your browser does not support JavaScript,
                    you must press the Continue button once to proceed.
                </p>
            </noscript>
    
            <form action="http&#x3a;&#x2f;&#x2f;889W4pzCXo.localhost&#x3a;8080&#x2f;uaa&#x2f;saml&#x2f;SSO&#x2f;alias&#x2f;889W4pzCXo.cloudfoundry-saml-login" method="post">
                <div>
    
    
    <input type="hidden" name="SAMLResponse" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cDovLzg4OVc0cHpDWG8ubG9jYWxob3N0OjgwODAvdWFhL3NhbWwvU1NPL2FsaWFzLzg4OVc0cHpDWG8uY2xvdWRmb3VuZHJ5LXNhbWwtbG9naW4iIElEPSJhMjFpajIxNDVqNDFjaGYzZjVpaGNkamkwOGgwaWIiIElzc3VlSW5zdGFudD0iMjAyMy0wNS0wNFQxNDo1NzoyNC43NTRaIiBWZXJzaW9uPSIyLjAiPjxzYW1sMjpJc3N1ZXIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmE1NHhnOHM2dGlhbWd5ZmRuNWxnd3RlaC5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxzYW1sMnA6U3RhdHVzPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpBc3NlcnRpb24geG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJhNDM5NTBlMTdqM2ljMDZpMWQ0OTJiajU4aTJhNjhhIiBJc3N1ZUluc3RhbnQ9IjIwMjMtMDUtMDRUMTQ6NTc6MjQuNzEzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiPjxzYW1sMjpJc3N1ZXI+YTU0eGc4czZ0aWFtZ3lmZG41bGd3dGVoLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luPC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNhNDM5NTBlMTdqM2ljMDZpMWQ0OTJiajU4aTJhNjhhIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48ZWM6SW5jbHVzaXZlTmFtZXNwYWNlcyB4bWxuczplYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJ4cyIvPjwvZHM6VHJhbnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+TUcxcG40cGxkT0dxM0pXWmttNkl4V2NsaitnPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5pUlBWTUhEQ21ZUnVMTHRzZVNBaFhCUnlJd1JRWUIwSTczNzY0ZVZCbnVRMVBxenkzaUhRQWdEeXpTMnZGaXpTZlhRQ0tRcVB6NjMwNFlOM29LSTA4OXhnS3hySXlqOVo5d3FDc25Nay9uRkYzazdkWHA4Z3Fua1hCWFhCZGhHc1h2MEhibEtUc1JTLzRHanFOTVNhUXFOYnRXVVkwS211NTRMQlpxRTZ6Wmc9PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlEU1RDQ0FyS2dBd0lCQWdJQkFEQU5CZ2txaGtpRzl3MEJBUVFGQURCOE1Rc3dDUVlEVlFRR0V3SmhkekVPTUF3R0ExVUVDQk1GCllYSjFZbUV4RGpBTUJnTlZCQW9UQldGeWRXSmhNUTR3REFZRFZRUUhFd1ZoY25WaVlURU9NQXdHQTFVRUN4TUZZWEoxWW1FeERqQU0KQmdOVkJBTVRCV0Z5ZFdKaE1SMHdHd1lKS29aSWh2Y05BUWtCRmc1aGNuVmlZVUJoY25WaVlTNWhjakFlRncweE5URXhNakF5TWpJMgpNamRhRncweE5qRXhNVGt5TWpJMk1qZGFNSHd4Q3pBSkJnTlZCQVlUQW1GM01RNHdEQVlEVlFRSUV3VmhjblZpWVRFT01Bd0dBMVVFCkNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMRXdWaGNuVmlZVEVPTUF3R0ExVUVBeE1GWVhKMVltRXgKSFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeU1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQgpnUURIdEM1Z1VYeEJLcEVxWlRMa052RndOR25OSWtnZ05Pd09RVk5icE8wV1ZISWl2aWc1TDM5V3FTOXUwaG5BK083TUNBL0tsckFSCjRiWGFlVlZod2ZVUFlCS0lwYWFUV0ZRUjVjVFIxVUZaSkwvT0Y5dkFmcE93em5vRDY2RERDblFWcGJDanREWVdYK3g2aW14bjhIQ1kKeGhNb2w2Wm5UYlNzRlc2VlpqRk1qUUlEQVFBQm80SGFNSUhYTUIwR0ExVWREZ1FXQkJUeDBsRHpqSC9pT0JuT1NRYVNFV1FMeDFzeQpHRENCcHdZRFZSMGpCSUdmTUlHY2dCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3lHS0dCZ0tSK01Id3hDekFKQmdOVkJBWVRBbUYzCk1RNHdEQVlEVlFRSUV3VmhjblZpWVRFT01Bd0dBMVVFQ2hNRllYSjFZbUV4RGpBTUJnTlZCQWNUQldGeWRXSmhNUTR3REFZRFZRUUwKRXdWaGNuVmlZVEVPTUF3R0ExVUVBeE1GWVhKMVltRXhIVEFiQmdrcWhraUc5dzBCQ1FFV0RtRnlkV0poUUdGeWRXSmhMbUZ5Z2dFQQpNQXdHQTFVZEV3UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUVCUUFEZ1lFQVl2QkowSE9aYmJIQ2xYbUdVakdzK0dTK3hDMUZPL2FtCjJzdUNTWXFOQjlkeU1YZk9XaUoxK1RMSmsrby9ZWnQ4dnV4Q0tkY1pZZ2w0bC9MNlB4Sjk4MlNSaGM4M1pXMmRrQVpJNE0wL1VkM28KZVBlODRrOGptM0E3RXZINXdpNWh2Q2tLUnB1UkJ3bjNFaStqQ1JvdXhUYnpLUHN1Q1ZCKzFzTnl4TVRYemYwPTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sMjpTdWJqZWN0PjxzYW1sMjpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDp1bnNwZWNpZmllZCI+bWFyaXNzYTwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMy0wNS0wNFQxNDo1NzoyNC43MTVaIiBSZWNpcGllbnQ9Imh0dHA6Ly84ODlXNHB6Q1hvLmxvY2FsaG9zdDo4MDgwL3VhYS9zYW1sL1NTTy9hbGlhcy84ODlXNHB6Q1hvLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luIi8+PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMjMtMDUtMDRUMTQ6NTc6MjQuNzE0WiIgTm90T25PckFmdGVyPSIyMDIzLTA1LTA0VDE0OjU3OjI0LjcxNFoiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT44ODlXNHB6Q1hvLmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjMtMDUtMDRUMTQ6NTc6MjQuNzEzWiIgU2Vzc2lvbkluZGV4PSJhMTRjYmpiYjUzZTU3MTk4NTcxZ2UzYmVmYjgzNGkwIj48c2FtbDI6QXV0aG5Db250ZXh0PjxzYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sMjpBdXRobkNvbnRleHQ+PC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iYXV0aG9yaXRpZXMiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj51YWEudXNlcjwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJlbWFpbCI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPm1hcmlzc2FAdGVzdC5vcmc8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iaWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5iZWNhZjQ4NS05NTRhLTRkOGYtYTg0Zi1hY2U1N2U0YWRiMzc8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ibmFtZSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPm1hcmlzc2E8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ib3JpZ2luIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+dWFhPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9InpvbmVJZCI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmE1NHhnOHM2dGlhbWd5ZmRuNWxnd3RlaDwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJvcmdhbml6YXRpb24tZW1haWxzIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+Y29udGFjdEBkZW1vb3JnLmNvbTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmluZm9AZGVtby5vcmc8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ib3JnYW5pemF0aW9uLW5hbWUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5UaGUgRGVtbyBPcmc8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0icHJpbWFyeS1lbWFpbCI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPm1hcmlzc2FAdGVzdC5vcmc8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg=="/>                
                </div>
                <noscript>
                    <div>
                        <input type="submit" value="Continue"/>
                    </div>
                </noscript>
            </form>
        </body>
    </html>
    

    Request Parameters

    Parameter Type Constraints Description
    sp String required The entity ID of a configured and active the service provider.

    Error Codes

    Error Code Description
    400 If IDP initiated login is not enabled, the SP parameter is incorrect or SP is disabled.

    List

    $ curl 'http://localhost/saml/service-providers' -i -X GET \
        -H 'Authorization: Bearer 850ba2f459f14e5780965941f900935a'
    
    GET /saml/service-providers HTTP/1.1
    Authorization: Bearer 850ba2f459f14e5780965941f900935a
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 7326
    
    [ {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"WRwPPpQKg5.cloudfoundry-saml-login\\\" entityID=\\\"WRwPPpQKg5.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#WRwPPpQKg5.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://WRwPPpQKg5.localhost:8080/uaa/saml/SingleLogout/alias/WRwPPpQKg5.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://WRwPPpQKg5.localhost:8080/uaa/saml/SingleLogout/alias/WRwPPpQKg5.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://WRwPPpQKg5.localhost:8080/uaa/saml/SSO/alias/WRwPPpQKg5.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://WRwPPpQKg5.localhost:8080/uaa/saml/SSO/alias/WRwPPpQKg5.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"contact@demoorg.com\",\"info@demo.org\"],\"organization-name\":\"The Demo Org\"}}",
      "id" : "85594eeb-6fce-41d8-8812-47b391db9c91",
      "entityId" : "WRwPPpQKg5.cloudfoundry-saml-login",
      "name" : "WRwPPpQKg5",
      "version" : 0,
      "created" : 1683212245047,
      "lastModified" : 1683212245047,
      "active" : true,
      "identityZoneId" : "uaa"
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing sps.read
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    [].id String Unique identifier for this provider - GUID generated by the UAA.
    [].name String Human readable name for the SAML SP.
    [].entityId String The entity id of the SAML SP.
    [].active Boolean Defaults to true.
    [].created Number UAA sets this to the UTC creation date.
    [].identityZoneId String Set to the zone that this provider will be active in. Determined by either.
    [].lastModified Number UAA sets this to the UTC last date of modification.
    [].version Number Version of the identity provider data. Clients can use this.
    [].config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
    [].config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
    [].config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Get

    $ curl 'http://localhost/saml/service-providers/bc4a9e13-0610-435c-b3e6-bffb366bb2ab' -i -X GET \
        -H 'Authorization: Bearer 3d34c86165a446b8afa23ddaf215d1d7'
    
    GET /saml/service-providers/bc4a9e13-0610-435c-b3e6-bffb366bb2ab HTTP/1.1
    Authorization: Bearer 3d34c86165a446b8afa23ddaf215d1d7
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 7322
    
    {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"T6GlajpQzu.cloudfoundry-saml-login\\\" entityID=\\\"T6GlajpQzu.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#T6GlajpQzu.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://T6GlajpQzu.localhost:8080/uaa/saml/SingleLogout/alias/T6GlajpQzu.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://T6GlajpQzu.localhost:8080/uaa/saml/SingleLogout/alias/T6GlajpQzu.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://T6GlajpQzu.localhost:8080/uaa/saml/SSO/alias/T6GlajpQzu.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://T6GlajpQzu.localhost:8080/uaa/saml/SSO/alias/T6GlajpQzu.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"contact@demoorg.com\",\"info@demo.org\"],\"organization-name\":\"The Demo Org\"}}",
      "id" : "bc4a9e13-0610-435c-b3e6-bffb366bb2ab",
      "entityId" : "T6GlajpQzu.cloudfoundry-saml-login",
      "name" : "T6GlajpQzu",
      "version" : 0,
      "created" : 1683212245165,
      "lastModified" : 1683212245165,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing sps.read
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Path Parameters

    /saml/service-providers/{id}

    Parameter Description
    id Unique ID of the service provider

    Response Fields

    Path Type Description
    id String Unique identifier for this provider - GUID generated by the UAA.
    name String Human readable name for the SAML SP.
    entityId String The entity id of the SAML SP.
    active Boolean Defaults to true.
    created Number UAA sets this to the UTC creation date.
    identityZoneId String Set to the zone that this provider will be active in. Determined by either.
    lastModified Number UAA sets this to the UTC last date of modification.
    version Number Version of the identity provider data. Clients can use this.
    config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
    config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.
    config.attributeMappings.given_name String Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Map phone_number value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.email String Map email value within UAA to a specified assertion in the SAML response.
    config.enableIdpInitiatedSso Boolean When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id
    config.staticCustomAttributes Object A map of static attributes that will be sent with every assertion.

    The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute. Currently only xs:string type values are supported.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Create

    $ curl 'http://localhost/saml/service-providers' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer be5a00bcfa944c60a763c1aa58da6918' \
        -d '{
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"ua72D3aqgK.cloudfoundry-saml-login\\\" entityID=\\\"ua72D3aqgK.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#ua72D3aqgK.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SingleLogout/alias/ua72D3aqgK.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SingleLogout/alias/ua72D3aqgK.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SSO/alias/ua72D3aqgK.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SSO/alias/ua72D3aqgK.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"contact@demoorg.com\",\"info@demo.org\"],\"organization-name\":\"The Demo Org\"}}",
      "id" : null,
      "entityId" : "ua72D3aqgK.cloudfoundry-saml-login",
      "name" : "ua72D3aqgK",
      "version" : 0,
      "created" : null,
      "lastModified" : null,
      "active" : true,
      "identityZoneId" : null
    }'
    
    POST /saml/service-providers HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer be5a00bcfa944c60a763c1aa58da6918
    Content-Length: 7269
    Host: localhost
    
    {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"ua72D3aqgK.cloudfoundry-saml-login\\\" entityID=\\\"ua72D3aqgK.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#ua72D3aqgK.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SingleLogout/alias/ua72D3aqgK.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SingleLogout/alias/ua72D3aqgK.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SSO/alias/ua72D3aqgK.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SSO/alias/ua72D3aqgK.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"contact@demoorg.com\",\"info@demo.org\"],\"organization-name\":\"The Demo Org\"}}",
      "id" : null,
      "entityId" : "ua72D3aqgK.cloudfoundry-saml-login",
      "name" : "ua72D3aqgK",
      "version" : 0,
      "created" : null,
      "lastModified" : null,
      "active" : true,
      "identityZoneId" : null
    }
    
    HTTP/1.1 201 Created
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 7322
    
    {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"ua72D3aqgK.cloudfoundry-saml-login\\\" entityID=\\\"ua72D3aqgK.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#ua72D3aqgK.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SingleLogout/alias/ua72D3aqgK.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SingleLogout/alias/ua72D3aqgK.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SSO/alias/ua72D3aqgK.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://ua72D3aqgK.localhost:8080/uaa/saml/SSO/alias/ua72D3aqgK.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"contact@demoorg.com\",\"info@demo.org\"],\"organization-name\":\"The Demo Org\"}}",
      "id" : "9be0fae5-6c71-4879-bc2b-1159f5171b01",
      "entityId" : "ua72D3aqgK.cloudfoundry-saml-login",
      "name" : "ua72D3aqgK",
      "version" : 0,
      "created" : 1683212245406,
      "lastModified" : 1683212245406,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing sps.write
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    name String Required Human readable name for the SAML SP.
    entityId String Optional If provided, it should match the entityId in the SP metadata.
    active Boolean Optional Defaults to true
    config String Required Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String Required The SAML SP Metadata - either an XML string or a URL that
    config.attributeMappings.given_name String Optional Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Optional Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Optional Map phone_number value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.email String Optional Map email value within UAA to a specified assertion in the SAML response.
    config.metadataTrustCheck Boolean Optional Determines whether UAA should validate the SAML SP metadata.
    config.enableIdpInitiatedSso Boolean Optional When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id
    config.staticCustomAttributes Object Optional A map of static attributes that will be sent with every assertion.

    The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute. Currently only xs:string type values are supported.

    Response Fields

    Path Type Description
    id String Unique identifier for this provider - GUID generated by the UAA.
    name String Human readable name for the SAML SP.
    entityId String The entity id of the SAML SP.
    active Boolean Defaults to true.
    created Number UAA sets this to the UTC creation date.
    identityZoneId String Set to the zone that this provider will be active in. Determined by either.
    lastModified Number UAA sets this to the UTC last date of modification.
    version Number Version of the identity provider data. Clients can use this.
    config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
    config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.
    config.attributeMappings.given_name String Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Map phone_number value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.email String Map email value within UAA to a specified assertion in the SAML response.
    config.enableIdpInitiatedSso Boolean When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id
    config.staticCustomAttributes Object A map of static attributes that will be sent with every assertion.

    The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute. Currently only xs:string type values are supported.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity
    409 Conflict - A provider with the same entity id and zone id exists.

    Update

    $ curl 'http://localhost/saml/service-providers/3f71b042-9df4-429e-a0c7-6acda509fc54' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 77c4ba21f705410a8d0909eb6d870664' \
        -d '{
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"M1XeUO2yoj.cloudfoundry-saml-login\\\" entityID=\\\"M1XeUO2yoj.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#M1XeUO2yoj.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SingleLogout/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SingleLogout/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SSO/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SSO/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"contact@demoorg.com\",\"info@demo.org\"],\"portal-id\":\"346-asd-3412\",\"organization-name\":\"The Demo Org\"}}",
      "id" : null,
      "entityId" : "M1XeUO2yoj.cloudfoundry-saml-login",
      "name" : "M1XeUO2yoj",
      "version" : 0,
      "created" : null,
      "lastModified" : null,
      "active" : true,
      "identityZoneId" : null
    }'
    
    PUT /saml/service-providers/3f71b042-9df4-429e-a0c7-6acda509fc54 HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 77c4ba21f705410a8d0909eb6d870664
    Content-Length: 7300
    Host: localhost
    
    {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"M1XeUO2yoj.cloudfoundry-saml-login\\\" entityID=\\\"M1XeUO2yoj.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#M1XeUO2yoj.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SingleLogout/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SingleLogout/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SSO/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SSO/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"contact@demoorg.com\",\"info@demo.org\"],\"portal-id\":\"346-asd-3412\",\"organization-name\":\"The Demo Org\"}}",
      "id" : null,
      "entityId" : "M1XeUO2yoj.cloudfoundry-saml-login",
      "name" : "M1XeUO2yoj",
      "version" : 0,
      "created" : null,
      "lastModified" : null,
      "active" : true,
      "identityZoneId" : null
    }
    
    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 7353
    
    {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"M1XeUO2yoj.cloudfoundry-saml-login\\\" entityID=\\\"M1XeUO2yoj.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#M1XeUO2yoj.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SingleLogout/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SingleLogout/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SSO/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://M1XeUO2yoj.localhost:8080/uaa/saml/SSO/alias/M1XeUO2yoj.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"contact@demoorg.com\",\"info@demo.org\"],\"portal-id\":\"346-asd-3412\",\"organization-name\":\"The Demo Org\"}}",
      "id" : "3f71b042-9df4-429e-a0c7-6acda509fc54",
      "entityId" : "M1XeUO2yoj.cloudfoundry-saml-login",
      "name" : "M1XeUO2yoj",
      "version" : 1,
      "created" : 1683212245554,
      "lastModified" : 1683212245629,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing sps.write
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    name String Required Human readable name for the SAML SP.
    entityId String Optional If provided, it should match the entityId in the SP metadata.
    active Boolean Optional Defaults to true
    config String Required Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String Required The SAML SP Metadata - either an XML string or a URL that
    config.attributeMappings.given_name String Optional Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Optional Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Optional Map phone_number value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.email String Optional Map email value within UAA to a specified assertion in the SAML response.
    config.metadataTrustCheck Boolean Optional Determines whether UAA should validate the SAML SP metadata.
    config.enableIdpInitiatedSso Boolean Optional When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id
    config.staticCustomAttributes Object Optional A map of static attributes that will be sent with every assertion.

    The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute. Currently only xs:string type values are supported.

    Path Parameters

    /saml/service-providers/{id}

    Parameter Description
    id Unique ID of the service provider

    Response Fields

    Path Type Description
    id String Unique identifier for this provider - GUID generated by the UAA.
    name String Human readable name for the SAML SP.
    entityId String The entity id of the SAML SP.
    active Boolean Defaults to true.
    created Number UAA sets this to the UTC creation date.
    identityZoneId String Set to the zone that this provider will be active in. Determined by either.
    lastModified Number UAA sets this to the UTC last date of modification.
    version Number Version of the identity provider data. Clients can use this.
    config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
    config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.
    config.attributeMappings.given_name String Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Map phone_number value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.email String Map email value within UAA to a specified assertion in the SAML response.
    config.enableIdpInitiatedSso Boolean When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id
    config.staticCustomAttributes Object A map of static attributes that will be sent with every assertion.

    The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute. Currently only xs:string type values are supported.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity
    409 Conflict - A provider with the same entity id and zone id exists.

    Delete

    $ curl 'http://localhost/saml/service-providers/d5a20ca7-1fab-44b5-9d4d-9fece4449539' -i -X DELETE \
        -H 'Authorization: Bearer 5bb8d0939c9a4c1081517bc107dcf366' \
        -H 'Accept: application/json'
    
    DELETE /saml/service-providers/d5a20ca7-1fab-44b5-9d4d-9fece4449539 HTTP/1.1
    Authorization: Bearer 5bb8d0939c9a4c1081517bc107dcf366
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 7322
    
    {
      "config" : "{\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" ID=\\\"d8VEvdm9l4.cloudfoundry-saml-login\\\" entityID=\\\"d8VEvdm9l4.cloudfoundry-saml-login\\\"><ds:Signature xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/><ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\\\"/><ds:Reference URI=\\\"#d8VEvdm9l4.cloudfoundry-saml-login\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#sha1\\\"/><ds:DigestValue>zALgjEFJ7jJSwn2AOBH5H8CX93U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Rp5XH8eT0ek/vlFGzHgIFOeESchOwSYZ9oh4JA9WqQ0jJtvNQ9IttY2QY9XK3n6TbbtPcEKVgljyTfwD5ymp+oMKfIYQC9JsN8mPADN5rjLFgC+xGceWLbcjoNsCJ7x2ZjyWRblSxoOU5qnzxEA3k3Bu+OkV+ZXcSbmgMWoQACg=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned=\\\"true\\\" WantAssertionsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\\\"encryption\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\\nYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\\nBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\\nMjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\\nChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\\nHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\\ngQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\\n4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\\nxhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\\nGDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\\nMQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\\nEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\\nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\\n2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\\nePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://d8VEvdm9l4.localhost:8080/uaa/saml/SingleLogout/alias/d8VEvdm9l4.cloudfoundry-saml-login\\\"/><md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://d8VEvdm9l4.localhost:8080/uaa/saml/SingleLogout/alias/d8VEvdm9l4.cloudfoundry-saml-login\\\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"http://d8VEvdm9l4.localhost:8080/uaa/saml/SSO/alias/d8VEvdm9l4.cloudfoundry-saml-login\\\" index=\\\"0\\\" isDefault=\\\"true\\\"/><md:AssertionConsumerService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\\\" Location=\\\"http://d8VEvdm9l4.localhost:8080/uaa/saml/SSO/alias/d8VEvdm9l4.cloudfoundry-saml-login\\\" index=\\\"1\\\"/></md:SPSSODescriptor></md:EntityDescriptor>\",\"singleSignOnServiceIndex\":0,\"metadataTrustCheck\":true,\"skipSslValidation\":false,\"attributeMappings\":{\"given_name\":\"firstname\",\"family_name\":\"lastname\",\"phone_number\":\"phone\",\"email\":\"primary-email\"},\"enableIdpInitiatedSso\":true,\"staticCustomAttributes\":{\"organization-emails\":[\"contact@demoorg.com\",\"info@demo.org\"],\"organization-name\":\"The Demo Org\"}}",
      "id" : "d5a20ca7-1fab-44b5-9d4d-9fece4449539",
      "entityId" : "d8VEvdm9l4.cloudfoundry-saml-login",
      "name" : "d8VEvdm9l4",
      "version" : 0,
      "created" : 1683212245297,
      "lastModified" : 1683212245297,
      "active" : true,
      "identityZoneId" : "uaa"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing sps.write
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Path Parameters

    /saml/service-providers/{id}

    Parameter Description
    id Unique ID of the service provider

    Response Fields

    Path Type Description
    id String Unique identifier for this provider - GUID generated by the UAA.
    name String Human readable name for the SAML SP.
    entityId String The entity id of the SAML SP.
    active Boolean Defaults to true.
    created Number UAA sets this to the UTC creation date.
    identityZoneId String Set to the zone that this provider will be active in. Determined by either.
    lastModified Number UAA sets this to the UTC last date of modification.
    version Number Version of the identity provider data. Clients can use this.
    config String Contains metaDataLocation and metadataTrustCheck fields as json fields.
    config.metaDataLocation String The SAML SP Metadata - either an XML string or a URL that.
    config.metadataTrustCheck Boolean Determines whether UAA should validate the SAML SP metadata.
    config.attributeMappings.given_name String Map given_name value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.family_name String Map family_name value within UAA to a specified assertion in the SAML response
    config.attributeMappings.phone_number String Map phone_number value within UAA to a specified assertion in the SAML response.
    config.attributeMappings.email String Map email value within UAA to a specified assertion in the SAML response.
    config.enableIdpInitiatedSso Boolean When set to true, default is false, the service provider supports IDP initiated SSO at the endpoint /saml/idp/initiate?sp=sp_entity_id
    config.staticCustomAttributes Object A map of static attributes that will be sent with every assertion.

    The key is the name of the attribute and the value is the attribute value. If the value is a list, multiple attribute values will be sent with the same named attribute. Currently only xs:string type values are supported.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    MFA Providers

    Create

    $ curl 'http://localhost/mfa-providers' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 37c53731b1be4913af53fa485352bb5f' \
        -d '{
      "name" : "sampleGoogleMfaProviderud3eeV",
      "config" : {
        "providerDescription" : "Google MFA for default zone"
      },
      "type" : "google-authenticator"
    }'
    
    POST /mfa-providers HTTP/1.1
    Content-Type: application/json
    Accept: application/json
    Authorization: Bearer 37c53731b1be4913af53fa485352bb5f
    Content-Length: 159
    Host: localhost
    
    {
      "name" : "sampleGoogleMfaProviderud3eeV",
      "config" : {
        "providerDescription" : "Google MFA for default zone"
      },
      "type" : "google-authenticator"
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 322
    
    {
      "id" : "b946a8cf-324b-4b7b-a301-3d2acc245453",
      "name" : "sampleGoogleMfaProviderud3eeV",
      "identityZoneId" : "uaa",
      "config" : {
        "issuer" : "uaa",
        "providerDescription" : "Google MFA for default zone"
      },
      "type" : "google-authenticator",
      "created" : 1683212142827,
      "last_modified" : 1683212142827
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing uaa.admin or zones.<zoneId>.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider. Must be alphanumeric.
    type String Required Type of MFA provider. Available types include google-authenticator.
    config Object Optional Human-readable provider description. Object with optional providerDescription and issue properties.
    config.providerDescription String Optional Human-readable provider description. Only for backend description purposes.
    config.issuer String Optional Human-readable tag for display purposes on MFA devices. Defaults to name of identity zone.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider. Must be alphanumeric.
    type String Type of MFA provider. Available types include google-authenticator.
    config Object Human-readable provider description. Object with optional providerDescription and issue properties.
    config.providerDescription String Human-readable provider description. Only for backend description purposes.
    config.issuer String Human-readable tag for display purposes on MFA devices. Defaults to name of identity zone.
    id String Unique identifier for this provider. This is a GUID generated by UAA.
    created Number UAA sets the creation date.
    last_modified Number UAA sets the last modification date.
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.

    Error Codes

    Error Code Description
    400 Bad Request - JSON body was malformed or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (uaa.admin or zones.<zoneId>.admin is required to create a MFA provider)
    422 Unprocessable Entity - Some values in the MFA configuration are invalid

    Update

    Error Codes

    Error Code Description
    405 Method Not Allowed

    Get

    $ curl 'http://localhost/mfa-providers/587a5884-d4da-4217-ade8-6d64ab0368fd' -i -X GET \
        -H 'Authorization: Bearer 21b839528be44db4964fab889301f90e' \
        -H 'Accept: application/json'
    
    GET /mfa-providers/587a5884-d4da-4217-ade8-6d64ab0368fd HTTP/1.1
    Authorization: Bearer 21b839528be44db4964fab889301f90e
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 322
    
    {
      "id" : "587a5884-d4da-4217-ade8-6d64ab0368fd",
      "name" : "sampleGoogleMfaProvider8ygPH5",
      "identityZoneId" : "uaa",
      "config" : {
        "issuer" : "uaa",
        "providerDescription" : "Google MFA for default zone"
      },
      "type" : "google-authenticator",
      "created" : 1683212144069,
      "last_modified" : 1683212144070
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing uaa.admin or zones.<zoneId>.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider. Must be alphanumeric.
    type String Type of MFA provider. Available types include google-authenticator.
    config Object Human-readable provider description. Object with optional providerDescription and issue properties.
    config.providerDescription String Human-readable provider description. Only for backend description purposes.
    config.issuer String Human-readable tag for display purposes on MFA devices. Defaults to name of identity zone.
    id String Unique identifier for this provider. This is a GUID generated by UAA.
    created Number UAA sets the creation date.
    last_modified Number UAA sets the last modification date.
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.

    Error Codes

    Error Code Description
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (uaa.admin or zones.<zoneId>.admin is required to create a MFA provider)
    404 Not Found - Provider id not found

    Delete

    $ curl 'http://localhost/mfa-providers/02839e31-4e76-4bcc-b58f-9712c288eebc' -i -X DELETE \
        -H 'Authorization: Bearer 3648051720d045ab9b3a73da4ea1f09c' \
        -H 'Accept: application/json'
    
    DELETE /mfa-providers/02839e31-4e76-4bcc-b58f-9712c288eebc HTTP/1.1
    Authorization: Bearer 3648051720d045ab9b3a73da4ea1f09c
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 322
    
    {
      "id" : "02839e31-4e76-4bcc-b58f-9712c288eebc",
      "name" : "sampleGoogleMfaProvider2Ydt61",
      "identityZoneId" : "uaa",
      "config" : {
        "issuer" : "uaa",
        "providerDescription" : "Google MFA for default zone"
      },
      "type" : "google-authenticator",
      "created" : 1683212143599,
      "last_modified" : 1683212143599
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing uaa.admin or zones.<zoneId>.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider. Must be alphanumeric.
    type String Type of MFA provider. Available types include google-authenticator.
    config Object Human-readable provider description. Object with optional providerDescription and issue properties.
    config.providerDescription String Human-readable provider description. Only for backend description purposes.
    config.issuer String Human-readable tag for display purposes on MFA devices. Defaults to name of identity zone.
    id String Unique identifier for this provider. This is a GUID generated by UAA.
    created Number UAA sets the creation date.
    last_modified Number UAA sets the last modification date.
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.

    Error Codes

    Error Code Description
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (uaa.admin or zones.<zoneId>.admin is required to create a MFA provider)
    404 Not Found - Provider id not found

    List

    $ curl 'http://localhost/mfa-providers' -i -X GET \
        -H 'Authorization: Bearer 50df09f2a82a41f6a077e8790a00ee81' \
        -H 'Accept: application/json'
    
    GET /mfa-providers HTTP/1.1
    Authorization: Bearer 50df09f2a82a41f6a077e8790a00ee81
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 650
    
    [ {
      "id" : "92f4f70f-0080-46bd-ba23-7311447751e3",
      "name" : "sampleGoogleMfaProviderRvVorW",
      "identityZoneId" : "uaa",
      "config" : {
        "issuer" : "uaa",
        "providerDescription" : "Google MFA for default zone"
      },
      "type" : "google-authenticator",
      "created" : 1683212143097,
      "last_modified" : 1683212143097
    }, {
      "id" : "b946a8cf-324b-4b7b-a301-3d2acc245453",
      "name" : "sampleGoogleMfaProviderud3eeV",
      "identityZoneId" : "uaa",
      "config" : {
        "issuer" : "uaa",
        "providerDescription" : "Google MFA for default zone"
      },
      "type" : "google-authenticator",
      "created" : 1683212142827,
      "last_modified" : 1683212142827
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing uaa.admin or zones.<zoneId>.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Response Fields

    Path Type Description
    [].name String Human-readable name for this provider. Must be alphanumeric.
    [].type String Type of MFA provider. Available types include google-authenticator.
    [].config Object Human-readable provider description. Object with optional providerDescription and issue properties.
    [].config.providerDescription String Human-readable provider description. Only for backend description purposes.
    [].config.issuer String Human-readable tag for display purposes on MFA devices. Defaults to name of identity zone.
    [].id String Unique identifier for this provider. This is a GUID generated by UAA.
    [].created Number UAA sets the creation date.
    [].last_modified Number UAA sets the last modification date.
    [].identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.

    Error Codes

    Error Code Description
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (uaa.admin or zones.<zoneId>.admin is required to create a MFA provider)

    Users

    Users can be queried, created and updated via the /Users endpoint.

    Get

    $ curl 'http://localhost/Users/5c407a07-d388-4994-a96b-1f7e34db5450' -i -X GET \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 755104ed78f5407b9f4ce47a44b254f0' \
        -H 'Content-Type: application/json' \
        -H 'If-Match: 0'
    
    GET /Users/5c407a07-d388-4994-a96b-1f7e34db5450 HTTP/1.1
    Accept: application/json
    Authorization: Bearer 755104ed78f5407b9f4ce47a44b254f0
    Content-Type: application/json
    If-Match: 0
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "0"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2880
    
    {
      "id" : "5c407a07-d388-4994-a96b-1f7e34db5450",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:42.340Z",
        "lastModified" : "2023-05-04T14:57:42.340Z"
      },
      "userName" : "hrGdaU@test.org",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "hrGdaU@test.org",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "a8ecbef0-214e-4597-a4ed-14a978a2ecb5",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "ebf1811d-23f6-4bd8-8471-4663563f0315",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "5af8b49c-7e87-453a-87ef-cbdcdfdd027e",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "01adcaa6-81e6-4521-854e-2af8176be50a",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "6daf43cd-dfb2-4b9d-8e92-f1351303ab93",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "0676dd38-6403-4448-a304-37f6060f926e",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "b725c5c0-ab97-4355-b61c-ba6b9548c426",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "8c0313f6-f994-4c25-80b6-20a3113a88a8",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "5a663a35-3758-401d-964e-0ce467b10088",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "0408673a-4a85-4279-bcbe-47637dbe290a",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "6df2e74b-8e14-4d77-a33d-056aaf8541dc",
        "display" : "roles",
        "type" : "DIRECT"
      }, {
        "value" : "100e07cf-8f45-4dfe-8cb0-4eabf591be95",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "122c928d-1adc-4941-a5ea-8cb1623323e3",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "fd656520-a9d3-4882-b3d6-2aac659e0369",
        "display" : "approvals.me",
        "type" : "DIRECT"
      } ],
      "approvals" : [ {
        "userId" : "5c407a07-d388-4994-a96b-1f7e34db5450",
        "clientId" : "identity",
        "scope" : "uaa.user",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2023-05-04T14:58:12.354Z",
        "expiresAt" : "2023-05-04T14:58:12.354Z"
      }, {
        "userId" : "5c407a07-d388-4994-a96b-1f7e34db5450",
        "clientId" : "client id",
        "scope" : "scim.read",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2023-05-04T14:57:42.351Z",
        "expiresAt" : "2023-05-04T14:57:52.351Z"
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2023-05-04T14:57:42.000Z",
      "previousLogonTime" : 1683212262355,
      "lastLogonTime" : 1683212262356,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scope scim.read, uaa.admin, or zones.uaa.admin required
    If-Match The version of the SCIM object to be deleted. Optional.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    id String A guid generated by the UAA to uniquely identity this user.
    userName String User name of the user, typically an email address.
    name Object A map with the user's first name and last name.
    name.familyName String The user's last name.
    name.givenName String The user's first name.
    phoneNumbers Array The user's phone numbers.
    phoneNumbers[].value String The phone number.
    emails Array The user's email addresses.
    emails[].value String The email address.
    emails[].primary Boolean Set to true if this is the user's primary email address.
    groups Array A list of groups the user belongs to.
    groups[].value String A guid generated by the UAA to uniquely identity this group.
    groups[].display String The group display name, also referred to as scope during authorization.
    groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    approvals[].userId String The user id on the approval. Will be the same as the id field.
    approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
    approvals[].scope String The scope on the approval. Will be a group display value.
    approvals[].status String The status of the approval. Status may be either APPROVED or DENIED.
    approvals[].lastUpdatedAt String Date this approval was last updated.
    approvals[].expiresAt String Date this approval will expire.
    active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    passwordLastModified String The timestamp when this user's password was last changed.
    lastLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    previousLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    externalId String External user ID if authenticated through an external identity provider.
    meta Object SCIM object meta data.
    meta.version Number Object version.
    meta.lastModified String Object last modified date.
    meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.read is required to retrieve a user)
    404 Not Found - User id not found

    Example using uaac to get users:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac user get testuser
    

    List

    Listing users supports SCIM filtering on the available attributes. By default users are returned with their group memberships and approvals, a rather expensive operation. To avoid this, perform the search by including the attributes parameter to reduce the results.

    $ curl 'http://localhost/Users?filter=id+eq+%2234871539-ee11-46a7-977c-f6f3b14de490%22+or+email+eq+%22m5qxXy%40test.org%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1' -i -X GET \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 5ec244d2f19b4834b81cc5118baecc67'
    
    GET /Users?filter=id+eq+%2234871539-ee11-46a7-977c-f6f3b14de490%22+or+email+eq+%22m5qxXy%40test.org%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1 HTTP/1.1
    Accept: application/json
    Authorization: Bearer 5ec244d2f19b4834b81cc5118baecc67
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2962
    
    {
      "resources" : [ {
        "id" : "34871539-ee11-46a7-977c-f6f3b14de490",
        "externalId" : "test-user",
        "meta" : {
          "version" : 0,
          "created" : "2023-05-04T14:57:43.197Z",
          "lastModified" : "2023-05-04T14:57:43.197Z"
        },
        "userName" : "m5qxXy@test.org",
        "name" : {
          "familyName" : "family name",
          "givenName" : "given name"
        },
        "emails" : [ {
          "value" : "m5qxXy@test.org",
          "primary" : false
        } ],
        "groups" : [ {
          "value" : "a8ecbef0-214e-4597-a4ed-14a978a2ecb5",
          "display" : "cloud_controller.read",
          "type" : "DIRECT"
        }, {
          "value" : "ebf1811d-23f6-4bd8-8471-4663563f0315",
          "display" : "password.write",
          "type" : "DIRECT"
        }, {
          "value" : "5af8b49c-7e87-453a-87ef-cbdcdfdd027e",
          "display" : "cloud_controller_service_permissions.read",
          "type" : "DIRECT"
        }, {
          "value" : "01adcaa6-81e6-4521-854e-2af8176be50a",
          "display" : "user_attributes",
          "type" : "DIRECT"
        }, {
          "value" : "6daf43cd-dfb2-4b9d-8e92-f1351303ab93",
          "display" : "scim.me",
          "type" : "DIRECT"
        }, {
          "value" : "0676dd38-6403-4448-a304-37f6060f926e",
          "display" : "openid",
          "type" : "DIRECT"
        }, {
          "value" : "b725c5c0-ab97-4355-b61c-ba6b9548c426",
          "display" : "profile",
          "type" : "DIRECT"
        }, {
          "value" : "8c0313f6-f994-4c25-80b6-20a3113a88a8",
          "display" : "oauth.approvals",
          "type" : "DIRECT"
        }, {
          "value" : "5a663a35-3758-401d-964e-0ce467b10088",
          "display" : "scim.userids",
          "type" : "DIRECT"
        }, {
          "value" : "0408673a-4a85-4279-bcbe-47637dbe290a",
          "display" : "uaa.offline_token",
          "type" : "DIRECT"
        }, {
          "value" : "6df2e74b-8e14-4d77-a33d-056aaf8541dc",
          "display" : "roles",
          "type" : "DIRECT"
        }, {
          "value" : "100e07cf-8f45-4dfe-8cb0-4eabf591be95",
          "display" : "uaa.user",
          "type" : "DIRECT"
        }, {
          "value" : "122c928d-1adc-4941-a5ea-8cb1623323e3",
          "display" : "cloud_controller.write",
          "type" : "DIRECT"
        }, {
          "value" : "fd656520-a9d3-4882-b3d6-2aac659e0369",
          "display" : "approvals.me",
          "type" : "DIRECT"
        } ],
        "approvals" : [ {
          "userId" : "34871539-ee11-46a7-977c-f6f3b14de490",
          "clientId" : "client id",
          "scope" : "scim.read",
          "status" : "APPROVED",
          "lastUpdatedAt" : "2023-05-04T14:57:43.237Z",
          "expiresAt" : "2023-05-04T14:57:53.237Z"
        } ],
        "phoneNumbers" : [ {
          "value" : "5555555555"
        } ],
        "active" : true,
        "verified" : true,
        "origin" : "uaa",
        "zoneId" : "uaa",
        "passwordLastModified" : "2023-05-04T14:57:43.000Z",
        "previousLogonTime" : 1683212263240,
        "lastLogonTime" : 1683212263240,
        "schemas" : [ "urn:scim:schemas:core:1.0" ]
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 5,
      "totalResults" : 1,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.read or uaa.admin required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    filter String Optional SCIM filter for searching
    sortBy String Optional (defaults to created) Sorting field name, like email or id
    sortOrder String Optional (defaults to ascending) Sort order, ascending/descending
    startIndex Number Optional (defaults to 1) The starting index of the search results when paginated. Index starts with 1.
    count Number Optional (defaults to 100) Max number of results to be returned

    Response Fields

    Path Type Description
    startIndex Number The starting index of the search results when paginated. Index starts with 1.
    itemsPerPage Number The maximum number of items returned per request.
    totalResults Number Number of results in result set.
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    resources Array A list of SCIM user objects retrieved by the search.
    resources[].schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    resources[].id String A guid generated by the UAA to uniquely identity this user.
    resources[].userName String User name of the user, typically an email address.
    resources[].name Object A map with the user's first name and last name.
    resources[].name.familyName String The user's last name.
    resources[].name.givenName String The user's first name.
    resources[].phoneNumbers Array The user's phone numbers.
    resources[].phoneNumbers[].value String The phone number.
    resources[].emails Array The user's email addresses.
    resources[].emails[].value String The email address.
    resources[].emails[].primary Boolean Set to true if this is the user's primary email address.
    resources[].groups Array A list of groups the user belongs to.
    resources[].groups[].value String A guid generated by the UAA to uniquely identity this group.
    resources[].groups[].display String The group display name, also referred to as scope during authorization.
    resources[].groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    resources[].approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    resources[].approvals[].userId String The user id on the approval. Will be the same as the id field.
    resources[].approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
    resources[].approvals[].scope String The scope on the approval. Will be a group display value.
    resources[].approvals[].status String The status of the approval. Status may be either APPROVED or DENIED.
    resources[].approvals[].lastUpdatedAt String Date this approval was last updated.
    resources[].approvals[].expiresAt String Date this approval will expire.
    resources[].active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    resources[].lastLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    resources[].previousLogonTime Number The unix epoch timestamp in milliseconds of 2nd to last successful user authentication. This field will only be included in the response once the user has authenticated two or more times.
    resources[].verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    resources[].origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    resources[].zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    resources[].passwordLastModified String The timestamp when this user's password was last changed.
    resources[].externalId String External user ID if authenticated through an external identity provider.
    resources[].meta Object SCIM object meta data.
    resources[].meta.version Number Object version.
    resources[].meta.lastModified String Object last modified date.
    resources[].meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.read is required to search users)

    Example using uaac to view users:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac users
    

    List with Attribute Filtering

    Listing users supports SCIM filtering on the available attributes. When users are searched we can return only selected amount of data using filtering. The attribute groups will cause the UAA to query the group memberships and include them in the result making the operation more expensive. The attribute approvals will cause the UAA to query the user approvals and include them in the result making the operation more expensive.

    $ curl 'http://localhost/Users?attributes=id%2CuserName%2Cemails%2Cactive&filter=id+eq+%22b72aa253-8549-422f-b94c-d061faec7cc5%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1' -i -X GET \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer c78983bf2e564defad47a0ad766bff87'
    
    GET /Users?attributes=id%2CuserName%2Cemails%2Cactive&filter=id+eq+%22b72aa253-8549-422f-b94c-d061faec7cc5%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1 HTTP/1.1
    Accept: application/json
    Authorization: Bearer c78983bf2e564defad47a0ad766bff87
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 334
    
    {
      "resources" : [ {
        "emails" : [ {
          "value" : "vrD8AA@test.org",
          "primary" : false
        } ],
        "active" : true,
        "id" : "b72aa253-8549-422f-b94c-d061faec7cc5",
        "userName" : "vrD8AA@test.org"
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 5,
      "totalResults" : 1,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.read or uaa.admin required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    filter String Optional SCIM filter for searching
    sortBy String Optional (defaults to created) Sorting field name, like email or id
    sortOrder String Optional (defaults to ascending) Sort order, ascending/descending
    startIndex Number Optional (defaults to 1) The starting index of the search results when paginated. Index starts with 1.
    count Number Optional (defaults to 100) Max number of results to be returned
    attributes String Optional Comma separated list of attribute names to be returned.

    Response Fields

    Path Type Description
    startIndex Number The starting index of the search results when paginated. Index starts with 1.
    itemsPerPage Number The maximum number of items returned per request.
    totalResults Number Number of results in result set.
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    resources Array A list of SCIM user objects retrieved by the search.
    resources[].id String A guid generated by the UAA to uniquely identity this user.
    resources[].userName String User name of the user, typically an email address.
    resources[].emails Array The user's email addresses.
    resources[].emails[].value String The email address.
    resources[].emails[].primary Boolean Set to true if this is the user's primary email address.
    resources[].active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.

    Create

    $ curl 'http://localhost/Users' -i -X POST \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 149412ce7c144d42bd7231427523ab1c' \
        -H 'Content-Type: application/json' \
        -d '{
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:45.064Z"
      },
      "userName" : "8dxdXL@test.org",
      "name" : {
        "formatted" : "given name family name",
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "8dxdXL@test.org",
        "primary" : true
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "",
      "password" : "secret",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }'
    
    POST /Users HTTP/1.1
    Accept: application/json
    Authorization: Bearer 149412ce7c144d42bd7231427523ab1c
    Content-Type: application/json
    Content-Length: 537
    Host: localhost
    
    {
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:45.064Z"
      },
      "userName" : "8dxdXL@test.org",
      "name" : {
        "formatted" : "given name family name",
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "8dxdXL@test.org",
        "primary" : true
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "",
      "password" : "secret",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    ETag: "0"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2327
    
    {
      "id" : "8bd0077a-eaed-4e7c-9c50-be9ca7361650",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:45.126Z",
        "lastModified" : "2023-05-04T14:57:45.126Z"
      },
      "userName" : "8dxdXL@test.org",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "8dxdXL@test.org",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "a8ecbef0-214e-4597-a4ed-14a978a2ecb5",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "ebf1811d-23f6-4bd8-8471-4663563f0315",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "5af8b49c-7e87-453a-87ef-cbdcdfdd027e",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "01adcaa6-81e6-4521-854e-2af8176be50a",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "6daf43cd-dfb2-4b9d-8e92-f1351303ab93",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "0676dd38-6403-4448-a304-37f6060f926e",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "b725c5c0-ab97-4355-b61c-ba6b9548c426",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "8c0313f6-f994-4c25-80b6-20a3113a88a8",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "5a663a35-3758-401d-964e-0ce467b10088",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "0408673a-4a85-4279-bcbe-47637dbe290a",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "6df2e74b-8e14-4d77-a33d-056aaf8541dc",
        "display" : "roles",
        "type" : "DIRECT"
      }, {
        "value" : "100e07cf-8f45-4dfe-8cb0-4eabf591be95",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "122c928d-1adc-4941-a5ea-8cb1623323e3",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "fd656520-a9d3-4882-b3d6-2aac659e0369",
        "display" : "approvals.me",
        "type" : "DIRECT"
      } ],
      "approvals" : [ ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2023-05-04T14:57:45.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.write or uaa.admin scope required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    userName String Required User name of the user, typically an email address.
    password String Optional User's password, required if origin is set to uaa. May be be subject to validations if the UAA is configured with a password policy.
    name Object Required A map with the user's first name and last name.
    name.familyName String Optional The user's last name.
    name.givenName String Optional The user's first name.
    phoneNumbers Array Optional The user's phone numbers.
    phoneNumbers[].value String Optional The phone number.
    emails Array Required The user's email addresses.
    emails[].value String Required The email address.
    emails[].primary Boolean Required Set to true if this is the user's primary email address.
    active Boolean Optional (defaults to true) Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean Optional (defaults to true) New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String Optional (defaults to "uaa") The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    externalId String Optional External user ID if authenticated through an external identity provider.

    Response Fields

    Path Type Description
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    id String A guid generated by the UAA to uniquely identity this user.
    userName String User name of the user, typically an email address.
    name Object A map with the user's first name and last name.
    name.familyName String The user's last name.
    name.givenName String The user's first name.
    phoneNumbers Array The user's phone numbers.
    phoneNumbers[].value String The phone number.
    emails Array The user's email addresses.
    emails[].value String The email address.
    emails[].primary Boolean Set to true if this is the user's primary email address.
    groups Array A list of groups the user belongs to.
    groups[].value String A guid generated by the UAA to uniquely identity this group.
    groups[].display String The group display name, also referred to as scope during authorization.
    groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    passwordLastModified String The timestamp when this user's password was last changed.
    externalId String External user ID if authenticated through an external identity provider.
    meta Object SCIM object meta data.
    meta.version Number Object version.
    meta.lastModified String Object last modified date.
    meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write is required to create a user)
    409 Conflict - Username already exists

    Example using uaac to view users:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac user add testuser --given_name About --family_name Schmidt --emails testuser@test.org --password secret
    

    Update

    $ curl 'http://localhost/Users/3be303b1-bfab-4762-8db4-ed2907c228fb' -i -X PUT \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 89d5fa655ee547ab83cf5c4ec7d99be5' \
        -H 'Content-Type: application/json' \
        -H 'If-Match: 0' \
        -d '{
      "id" : "3be303b1-bfab-4762-8db4-ed2907c228fb",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:43.994Z",
        "lastModified" : "2023-05-04T14:57:43.994Z"
      },
      "userName" : "EtERnf@test.org",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "EtERnf@test.org",
        "primary" : false
      } ],
      "groups" : [ ],
      "approvals" : [ ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2023-05-04T14:57:43.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }'
    
    PUT /Users/3be303b1-bfab-4762-8db4-ed2907c228fb HTTP/1.1
    Accept: application/json
    Authorization: Bearer 89d5fa655ee547ab83cf5c4ec7d99be5
    Content-Type: application/json
    If-Match: 0
    Content-Length: 684
    Host: localhost
    
    {
      "id" : "3be303b1-bfab-4762-8db4-ed2907c228fb",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:43.994Z",
        "lastModified" : "2023-05-04T14:57:43.994Z"
      },
      "userName" : "EtERnf@test.org",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "EtERnf@test.org",
        "primary" : false
      } ],
      "groups" : [ ],
      "approvals" : [ ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2023-05-04T14:57:43.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2804
    
    {
      "id" : "3be303b1-bfab-4762-8db4-ed2907c228fb",
      "externalId" : "test-user",
      "meta" : {
        "version" : 1,
        "created" : "2023-05-04T14:57:43.994Z",
        "lastModified" : "2023-05-04T14:57:44.224Z"
      },
      "userName" : "EtERnf@test.org",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "EtERnf@test.org",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "a8ecbef0-214e-4597-a4ed-14a978a2ecb5",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "ebf1811d-23f6-4bd8-8471-4663563f0315",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "5af8b49c-7e87-453a-87ef-cbdcdfdd027e",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "01adcaa6-81e6-4521-854e-2af8176be50a",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "6daf43cd-dfb2-4b9d-8e92-f1351303ab93",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "0676dd38-6403-4448-a304-37f6060f926e",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "b725c5c0-ab97-4355-b61c-ba6b9548c426",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "8c0313f6-f994-4c25-80b6-20a3113a88a8",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "5a663a35-3758-401d-964e-0ce467b10088",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "0408673a-4a85-4279-bcbe-47637dbe290a",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "6df2e74b-8e14-4d77-a33d-056aaf8541dc",
        "display" : "roles",
        "type" : "DIRECT"
      }, {
        "value" : "100e07cf-8f45-4dfe-8cb0-4eabf591be95",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "122c928d-1adc-4941-a5ea-8cb1623323e3",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "fd656520-a9d3-4882-b3d6-2aac659e0369",
        "display" : "approvals.me",
        "type" : "DIRECT"
      } ],
      "approvals" : [ {
        "userId" : "3be303b1-bfab-4762-8db4-ed2907c228fb",
        "clientId" : "client id",
        "scope" : "scim.read",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2023-05-04T14:57:44.030Z",
        "expiresAt" : "2023-05-04T14:57:54.030Z"
      }, {
        "userId" : "3be303b1-bfab-4762-8db4-ed2907c228fb",
        "clientId" : "identity",
        "scope" : "uaa.user",
        "status" : "DENIED",
        "lastUpdatedAt" : "2023-05-04T14:58:14.042Z",
        "expiresAt" : "2023-05-04T14:58:14.042Z"
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2023-05-04T14:57:43.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.write, uaa.admin, or openid required. The openid scope only allows the user to update their own first and last name, when origin is uaa.
    If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    userName String Required User name of the user, typically an email address.
    name Object Required A map with the user's first name and last name.
    name.familyName String Required The user's last name.
    name.givenName String Required The user's first name.
    phoneNumbers Array Optional The user's phone numbers.
    phoneNumbers[].value String Optional The phone number.
    emails Array Required The user's email addresses.
    emails[].value String Required The email address.
    emails[].primary Boolean Required Set to true if this is the user's primary email address.
    active Boolean Optional (defaults to true) Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean Optional (defaults to true) New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String Optional (defaults to "uaa") The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    externalId String Optional External user ID if authenticated through an external identity provider.

    Response Fields

    Path Type Description
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    id String A guid generated by the UAA to uniquely identity this user.
    userName String User name of the user, typically an email address.
    name Object A map with the user's first name and last name.
    name.familyName String The user's last name.
    name.givenName String The user's first name.
    phoneNumbers Array The user's phone numbers.
    phoneNumbers[].value String The phone number.
    emails Array The user's email addresses.
    emails[].value String The email address.
    emails[].primary Boolean Set to true if this is the user's primary email address.
    groups Array A list of groups the user belongs to.
    groups[].value String A guid generated by the UAA to uniquely identity this group.
    groups[].display String The group display name, also referred to as scope during authorization.
    groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    approvals[].userId String The user id on the approval. Will be the same as the id field.
    approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
    approvals[].scope String The scope on the approval. Will be a group display value.
    approvals[].status String The status of the approval. Status may be either APPROVED or DENIED.
    approvals[].lastUpdatedAt String Date this approval was last updated.
    approvals[].expiresAt String Date this approval will expire.
    active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    passwordLastModified String The timestamp when this user's password was last changed.
    lastLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    previousLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    externalId String External user ID if authenticated through an external identity provider.
    meta Object SCIM object meta data.
    meta.version Number Object version.
    meta.lastModified String Object last modified date.
    meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write is required to update a user)
    404 Not Found - User id not found

    Example using uaac to view users:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac user update testuser --given_name About --family_name Schmidt --emails testuser@test.org --phones 415-555-1212
    

    Patch

    $ curl 'http://localhost/Users/e1a4ff8b-e901-4e68-bc4e-2d18bc3ba5bc' -i -X PATCH \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer e5ff4f53282d4b31b15a9dfdd1f46e6a' \
        -H 'Content-Type: application/json' \
        -H 'If-Match: 0' \
        -d '{
      "id" : "e1a4ff8b-e901-4e68-bc4e-2d18bc3ba5bc",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:46.213Z",
        "lastModified" : "2023-05-04T14:57:46.213Z"
      },
      "userName" : "8md5cs@test.org",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "8md5cs@test.org",
        "primary" : false
      } ],
      "groups" : [ ],
      "approvals" : [ ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2023-05-04T14:57:46.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }'
    
    PATCH /Users/e1a4ff8b-e901-4e68-bc4e-2d18bc3ba5bc HTTP/1.1
    Accept: application/json
    Authorization: Bearer e5ff4f53282d4b31b15a9dfdd1f46e6a
    Content-Type: application/json
    If-Match: 0
    Content-Length: 684
    Host: localhost
    
    {
      "id" : "e1a4ff8b-e901-4e68-bc4e-2d18bc3ba5bc",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:46.213Z",
        "lastModified" : "2023-05-04T14:57:46.213Z"
      },
      "userName" : "8md5cs@test.org",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "8md5cs@test.org",
        "primary" : false
      } ],
      "groups" : [ ],
      "approvals" : [ ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2023-05-04T14:57:46.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2804
    
    {
      "id" : "e1a4ff8b-e901-4e68-bc4e-2d18bc3ba5bc",
      "externalId" : "test-user",
      "meta" : {
        "version" : 1,
        "created" : "2023-05-04T14:57:46.213Z",
        "lastModified" : "2023-05-04T14:57:46.289Z"
      },
      "userName" : "8md5cs@test.org",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "8md5cs@test.org",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "a8ecbef0-214e-4597-a4ed-14a978a2ecb5",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "ebf1811d-23f6-4bd8-8471-4663563f0315",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "5af8b49c-7e87-453a-87ef-cbdcdfdd027e",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "01adcaa6-81e6-4521-854e-2af8176be50a",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "6daf43cd-dfb2-4b9d-8e92-f1351303ab93",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "0676dd38-6403-4448-a304-37f6060f926e",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "b725c5c0-ab97-4355-b61c-ba6b9548c426",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "8c0313f6-f994-4c25-80b6-20a3113a88a8",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "5a663a35-3758-401d-964e-0ce467b10088",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "0408673a-4a85-4279-bcbe-47637dbe290a",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "6df2e74b-8e14-4d77-a33d-056aaf8541dc",
        "display" : "roles",
        "type" : "DIRECT"
      }, {
        "value" : "100e07cf-8f45-4dfe-8cb0-4eabf591be95",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "122c928d-1adc-4941-a5ea-8cb1623323e3",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "fd656520-a9d3-4882-b3d6-2aac659e0369",
        "display" : "approvals.me",
        "type" : "DIRECT"
      } ],
      "approvals" : [ {
        "userId" : "e1a4ff8b-e901-4e68-bc4e-2d18bc3ba5bc",
        "clientId" : "identity",
        "scope" : "uaa.user",
        "status" : "DENIED",
        "lastUpdatedAt" : "2023-05-04T14:58:16.236Z",
        "expiresAt" : "2023-05-04T14:58:16.236Z"
      }, {
        "userId" : "e1a4ff8b-e901-4e68-bc4e-2d18bc3ba5bc",
        "clientId" : "client id",
        "scope" : "scim.read",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2023-05-04T14:57:46.228Z",
        "expiresAt" : "2023-05-04T14:57:56.228Z"
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2023-05-04T14:57:46.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.write, uaa.admin, or openid required. The openid scope only allows the user to update their own first and last name, when origin is uaa.
    If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.

    Request Fields

    Path Type Constraints Description
    userName String Required User name of the user, typically an email address.
    name Object Required A map with the user's first name and last name.
    name.familyName String Required The user's last name.
    name.givenName String Required The user's first name.
    phoneNumbers Array Optional The user's phone numbers.
    phoneNumbers[].value String Optional The phone number.
    emails Array Required The user's email addresses.
    emails[].value String Required The email address.
    emails[].primary Boolean Required Set to true if this is the user's primary email address.
    active Boolean Optional (defaults to true) Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean Optional (defaults to true) New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String Optional (defaults to "uaa") The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    externalId String Optional External user ID if authenticated through an external identity provider.
    meta.attributes Array Optional Names of attributes that shall be deleted

    Response Fields

    Path Type Description
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    id String A guid generated by the UAA to uniquely identity this user.
    userName String User name of the user, typically an email address.
    name Object A map with the user's first name and last name.
    name.familyName String The user's last name.
    name.givenName String The user's first name.
    phoneNumbers Array The user's phone numbers.
    phoneNumbers[].value String The phone number.
    emails Array The user's email addresses.
    emails[].value String The email address.
    emails[].primary Boolean Set to true if this is the user's primary email address.
    groups Array A list of groups the user belongs to.
    groups[].value String A guid generated by the UAA to uniquely identity this group.
    groups[].display String The group display name, also referred to as scope during authorization.
    groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    approvals[].userId String The user id on the approval. Will be the same as the id field.
    approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
    approvals[].scope String The scope on the approval. Will be a group display value.
    approvals[].status String The status of the approval. Status may be either APPROVED or DENIED.
    approvals[].lastUpdatedAt String Date this approval was last updated.
    approvals[].expiresAt String Date this approval will expire.
    active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    passwordLastModified String The timestamp when this user's password was last changed.
    lastLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    previousLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    externalId String External user ID if authenticated through an external identity provider.
    meta Object SCIM object meta data.
    meta.version Number Object version.
    meta.lastModified String Object last modified date.
    meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write is required to update a user)
    404 Not Found - User id not found

    Example using uaac to patch users:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac user update testuser --given_name About --family_name Schmidt --emails testuser@test.org --phones 415-555-1212
    

    Delete

    $ curl 'http://localhost/Users/f6213b9a-1d3e-4358-a622-42c106f66607' -i -X DELETE \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 75066bbf304f47498a0dc095f849b48d' \
        -H 'Content-Type: application/json' \
        -H 'If-Match: 0'
    
    DELETE /Users/f6213b9a-1d3e-4358-a622-42c106f66607 HTTP/1.1
    Accept: application/json
    Authorization: Bearer 75066bbf304f47498a0dc095f849b48d
    Content-Type: application/json
    If-Match: 0
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "0"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2806
    
    {
      "id" : "f6213b9a-1d3e-4358-a622-42c106f66607",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:41.926Z",
        "lastModified" : "2023-05-04T14:57:41.926Z"
      },
      "userName" : "tTAkw3@test.org",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "tTAkw3@test.org",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "a8ecbef0-214e-4597-a4ed-14a978a2ecb5",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "ebf1811d-23f6-4bd8-8471-4663563f0315",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "5af8b49c-7e87-453a-87ef-cbdcdfdd027e",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "01adcaa6-81e6-4521-854e-2af8176be50a",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "6daf43cd-dfb2-4b9d-8e92-f1351303ab93",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "0676dd38-6403-4448-a304-37f6060f926e",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "b725c5c0-ab97-4355-b61c-ba6b9548c426",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "8c0313f6-f994-4c25-80b6-20a3113a88a8",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "5a663a35-3758-401d-964e-0ce467b10088",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "0408673a-4a85-4279-bcbe-47637dbe290a",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "6df2e74b-8e14-4d77-a33d-056aaf8541dc",
        "display" : "roles",
        "type" : "DIRECT"
      }, {
        "value" : "100e07cf-8f45-4dfe-8cb0-4eabf591be95",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "122c928d-1adc-4941-a5ea-8cb1623323e3",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "fd656520-a9d3-4882-b3d6-2aac659e0369",
        "display" : "approvals.me",
        "type" : "DIRECT"
      } ],
      "approvals" : [ {
        "userId" : "f6213b9a-1d3e-4358-a622-42c106f66607",
        "clientId" : "identity",
        "scope" : "uaa.user",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2023-05-04T14:58:11.962Z",
        "expiresAt" : "2023-05-04T14:58:11.962Z"
      }, {
        "userId" : "f6213b9a-1d3e-4358-a622-42c106f66607",
        "clientId" : "client id",
        "scope" : "scim.read",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2023-05-04T14:57:41.957Z",
        "expiresAt" : "2023-05-04T14:57:51.957Z"
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2023-05-04T14:57:41.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.write or uaa.admin required
    If-Match The version of the SCIM object to be deleted. Optional.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    id String A guid generated by the UAA to uniquely identity this user.
    userName String User name of the user, typically an email address.
    name Object A map with the user's first name and last name.
    name.familyName String The user's last name.
    name.givenName String The user's first name.
    phoneNumbers Array The user's phone numbers.
    phoneNumbers[].value String The phone number.
    emails Array The user's email addresses.
    emails[].value String The email address.
    emails[].primary Boolean Set to true if this is the user's primary email address.
    groups Array A list of groups the user belongs to.
    groups[].value String A guid generated by the UAA to uniquely identity this group.
    groups[].display String The group display name, also referred to as scope during authorization.
    groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    approvals[].userId String The user id on the approval. Will be the same as the id field.
    approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
    approvals[].scope String The scope on the approval. Will be a group display value.
    approvals[].status String The status of the approval. Status may be either APPROVED or DENIED.
    approvals[].lastUpdatedAt String Date this approval was last updated.
    approvals[].expiresAt String Date this approval will expire.
    active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    passwordLastModified String The timestamp when this user's password was last changed.
    lastLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    previousLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    externalId String External user ID if authenticated through an external identity provider.
    meta Object SCIM object meta data.
    meta.version Number Object version.
    meta.lastModified String Object last modified date.
    meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write is required to delete a user)
    404 Not Found - User id not found

    Example using uaac to delete users:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac user delete testuser
    

    User Info

    An OAuth2 protected resource and an OpenID Connect endpoint. Given an appropriate access_token, returns information about a user. Defined fields include various standard user profile fields. The response may include other user information such as group membership.

    $ curl 'http://localhost/userinfo' -i -X GET \
        -H 'Authorization: Bearer 7023375266b8468eb70b73b6a4ebcacc'
    
    GET /userinfo HTTP/1.1
    Authorization: Bearer 7023375266b8468eb70b73b6a4ebcacc
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 411
    
    {
      "user_id" : "e52caac2-5e28-46b4-a49a-489f0dd80786",
      "user_name" : "65S5eH@test.org",
      "given_name" : "PasswordResetUserFirst",
      "family_name" : "PasswordResetUserLast",
      "phone_number" : "+15558880000",
      "email" : "65S5eH@test.org",
      "email_verified" : true,
      "previous_logon_time" : null,
      "name" : "PasswordResetUserFirst PasswordResetUserLast",
      "sub" : "e52caac2-5e28-46b4-a49a-489f0dd80786"
    }
    

    Request Headers

    Name Description
    Authorization Access token with openid required. If the user_attributes scope is in the token, the response object will contain custom attributes, if mapped to the external identity provider.If the roles scope is present, the response object will contain group memberships from the external identity provider.

    Response Fields

    Path Type Description
    sub String Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.
    user_id String Unique user identifier.
    email String The user's email address.
    email_verified Boolean Indicates whether the user has verified their email address.
    user_name String User name of the user, typically an email address.
    given_name String The user's first name.
    family_name String The user's last name.
    name String A map with the user's first name and last name.
    phone_number String The user's phone number.
    previous_logon_time Null The unix epoch timestamp in milliseconds of 2nd to last successful user authentication.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (openid is required to get the user info)

    Example using uaac to view user info:

    uaac target http://localhost:8080/uaa
    
    uaac token authcode get admin -s adminsecret
    
    uaac curl -X GET /userinfo -k
    

    Change user password

    $ curl 'http://localhost/Users/9af2b6b2-6aef-492f-8da2-3ec5f4964268/password' -i -X PUT \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer fe2e540ead94411789098ea7145acec0' \
        -H 'Content-Type: application/json' \
        -d '{
      "oldPassword" : "secret",
      "password" : "newsecret"
    }'
    
    PUT /Users/9af2b6b2-6aef-492f-8da2-3ec5f4964268/password HTTP/1.1
    Accept: application/json
    Authorization: Bearer fe2e540ead94411789098ea7145acec0
    Content-Type: application/json
    Content-Length: 58
    Host: localhost
    
    {
      "oldPassword" : "secret",
      "password" : "newsecret"
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 55
    
    {
      "status" : "ok",
      "message" : "password updated"
    }
    

    Request Headers

    Name Description
    Authorization Access token with password.write or uaa.admin required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    oldPassword String Required Old password. Optional when resetting another users password as an admin with uaa.admin scope
    password String Required New password.

    Response Fields

    Path Type Description
    status String Will be 'ok' if password changed successfully.
    message String Will be 'password updated' if password changed successfully.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write or a token containing the user id is required)
    404 Not Found - User id not found

    Example using uaac to view users:

    uaac target http://localhost:8080/uaa
    
    uaac token owner get cf testuser -s "" -p "secret"
    
    uaac password change -o secret -p newsecret
    

    Unlock Account

    $ curl 'http://localhost/Users/71c6e987-90de-4263-9642-e85032ae95ee/status' -i -X PATCH \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 49470c9b09be4c94aed30ceadbf7c373' \
        -H 'Accept: application/json' \
        -d '{
      "locked" : false
    }'
    
    PATCH /Users/71c6e987-90de-4263-9642-e85032ae95ee/status HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 49470c9b09be4c94aed30ceadbf7c373
    Accept: application/json
    Content-Length: 22
    Host: localhost
    
    {
      "locked" : false
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Language: en
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 22
    
    {
      "locked" : false
    }
    

    Path Parameters

    /Users/{userId}/status

    Parameter Description
    userId A guid generated by the UAA to uniquely identity this user.

    Request Headers

    Name Description
    Authorization Access token with scim.write, uaa.account_status.write, or uaa.admin required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    locked Boolean Optional Set to false in order to unlock the user when they have been locked out according to the password lock-out policy. Setting to true will produce an error, as the user cannot be locked out via the API.

    Response Fields

    Path Type Description
    locked Boolean The locked value given in the request.

    Error Codes

    Error Code Description
    400 Bad Request - invalid JSON format or illegal value
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write or uaa.account_status.write)
    404 User id not found

    Force user password to expire

    $ curl 'http://localhost/Users/c2fa1fc7-4e89-4c82-a7ea-460b00469e38/status' -i -X PATCH \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 2a42538e74ea4cebbd93254b9a758eab' \
        -H 'Accept: application/json' \
        -d '{
      "passwordChangeRequired" : true
    }'
    
    PATCH /Users/c2fa1fc7-4e89-4c82-a7ea-460b00469e38/status HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 2a42538e74ea4cebbd93254b9a758eab
    Accept: application/json
    Content-Length: 37
    Host: localhost
    
    {
      "passwordChangeRequired" : true
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Language: en
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 37
    
    {
      "passwordChangeRequired" : true
    }
    

    Path Parameters

    /Users/{userId}/status

    Parameter Description
    userId A guid generated by the UAA to uniquely identity this user.

    Request Headers

    Name Description
    Authorization Access token with scim.write, uaa.account_status.write, or uaa.admin required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    passwordChangeRequired Boolean Optional Set to true in order to force internal user’s password to expire

    Response Fields

    Path Type Description
    passwordChangeRequired Boolean The passwordChangeRequired value given in the request.

    Error Codes

    Error Code Description
    400 Bad Request - invalid JSON format or illegal value
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write or uaa.account_status.write required)
    404 Not Found - User id not found
    $ curl 'http://localhost/Users/893b4beb-f76a-41e4-95ae-e0bc69cf9406/verify-link?redirect_uri=http%3A%2F%2Fredirect.to%2Fapp' -i -X GET \
        -H 'Authorization: Bearer 7f182699cfd246cd9813f6966084e105' \
        -H 'Accept: application/json'
    
    GET /Users/893b4beb-f76a-41e4-95ae-e0bc69cf9406/verify-link?redirect_uri=http%3A%2F%2Fredirect.to%2Fapp HTTP/1.1
    Authorization: Bearer 7f182699cfd246cd9813f6966084e105
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 90
    
    {
      "verify_link" : "http://localhost/verify_user?code=S7kNaxuR60kc47DbABOawyXpXQbCWo0Y"
    }
    

    Path Parameters

    /Users/{userId}/verify-link

    Parameter Description
    userId The ID of the user to verify

    Request Headers

    Name Description
    Authorization The bearer token, with a pre-amble of Bearer
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    redirect_uri String Required Location where the user will be redirected after verifying by clicking the verification link

    Response Fields

    Path Type Description
    verify_link String Location the user must visit and authenticate to verify

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope or internal user management disabled
    404 Not Found - User not found

    Verify user

    $ curl 'http://localhost/Users/c3ba9bf6-a059-49aa-a59c-18a5799319c8/verify' -i -X GET \
        -H 'Authorization: Bearer 1684bd126aa646b1a44750c5d43c4f9e' \
        -H 'If-Match: 12' \
        -H 'Accept: application/json'
    
    GET /Users/c3ba9bf6-a059-49aa-a59c-18a5799319c8/verify HTTP/1.1
    Authorization: Bearer 1684bd126aa646b1a44750c5d43c4f9e
    If-Match: 12
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "12"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 561
    
    {
      "id" : "c3ba9bf6-a059-49aa-a59c-18a5799319c8",
      "meta" : {
        "version" : 12,
        "created" : "2023-05-04T14:57:41.311Z",
        "lastModified" : "2023-05-04T14:57:41.311Z"
      },
      "userName" : "billy_o@example.com",
      "name" : {
        "familyName" : "d'Orange",
        "givenName" : "William"
      },
      "emails" : [ {
        "value" : "billy_o@example.com",
        "primary" : false
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2023-05-04T14:57:41.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Users/{userId}/verify

    Parameter Description
    userId The ID of the user to verify

    Request Headers

    Name Description
    Authorization The bearer token, with a pre-amble of Bearer
    If-Match (Optional) The expected current version of the user, which will prevent update if the version does not match
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Error Codes

    Error Code Description
    400 Bad Request - Incorrect version supplied in If-Match header
    403 Forbidden - Insufficient scope or internal user management disabled
    404 Not Found - User not found

    Delete MFA registration

    $ curl 'http://localhost/Users/3436101a-0a9b-4694-acbd-d71fc4fbfdfb/mfa' -i -X DELETE \
        -H 'Authorization: Bearer c88b5a17e84044af8b9c9f00c17eb1a3'
    
    DELETE /Users/3436101a-0a9b-4694-acbd-d71fc4fbfdfb/mfa HTTP/1.1
    Authorization: Bearer c88b5a17e84044af8b9c9f00c17eb1a3
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /Users/{userId}/mfa

    Parameter Description
    userId Unique user identifier.

    Request Headers

    Name Description
    Authorization Access token with zones.<zoneId>.admin or uaa.admin required.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope or internal user management disabled
    404 Not Found - User not found

    Lookup User IDs/Usernames

    $ curl 'http://localhost/ids/Users?filter=userName+eq+%22bobmYOjAC%40test.org%22+or+id+eq+%226e6fb6a9-8aaf-4d31-b332-ba3b5e546578%22&sortOrder=descending&startIndex=1&count=10&includeInactive=true' -i -X GET \
        -H 'Authorization: Bearer b256297b1fd34711a8314cb10178bfcd'
    
    GET /ids/Users?filter=userName+eq+%22bobmYOjAC%40test.org%22+or+id+eq+%226e6fb6a9-8aaf-4d31-b332-ba3b5e546578%22&sortOrder=descending&startIndex=1&count=10&includeInactive=true HTTP/1.1
    Authorization: Bearer b256297b1fd34711a8314cb10178bfcd
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 372
    
    {
      "resources" : [ {
        "origin" : "uaa",
        "id" : "6e6fb6a9-8aaf-4d31-b332-ba3b5e546578",
        "userName" : "dwayneWiHltj@test.org"
      }, {
        "origin" : "uaa",
        "id" : "1aee20bb-cb9e-40e1-9708-e3ee773f0986",
        "userName" : "bobmYOjAC@test.org"
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 5,
      "totalResults" : 2,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with authorization for scim.userids scope

    Request Parameters

    Parameter Type Constraints Description
    filter String Required SCIM filter for users over userName, id, and origin, using only the eq comparison operator
    sortOrder String Optional (defaults to ascending) sort by username in ascending or descending order
    startIndex Number Optional (defaults to 1) display paged results beginning at specified index
    count Number Optional (defaults to 100) number of results to return per page
    includeInactive Boolean Optional (defaults to false) include users from inactive identity providers

    Response Fields

    Path Type Description
    totalResults Number The number of results which matched the filter
    startIndex Number The index of the first item of this page of results
    itemsPerPage Number The page size used in producing this page of results
    schemas Array ["urn:scim:schemas:core:1.0"]
    resources[].id String The globally unique identifier for this user
    resources[].userName String The username
    resources[].origin String The origin of the user, e.g. an identity provider alias

    Error Codes

    Error Code Description
    400 Bad Request - Request was invalid or unparseable
    403 Forbidden - Insufficient scope

    Invite users

    $ curl 'http://localhost/invite_users?client_id=eabtio&redirect_uri=example.com' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer f51419f291aa4e25bf980b8b442b969d' \
        -d '{
      "emails" : [ "user1@lxvooo.com", "user2@lxvooo.com" ]
    }'
    
    POST /invite_users?client_id=eabtio&redirect_uri=example.com HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer f51419f291aa4e25bf980b8b442b969d
    Content-Length: 59
    Host: localhost
    
    {
      "emails" : [ "user1@lxvooo.com", "user2@lxvooo.com" ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 622
    
    {
      "new_invites" : [ {
        "email" : "user1@lxvooo.com",
        "userId" : "036ab29a-ccd8-4e8b-af5a-417f15cafd33",
        "origin" : "uaa",
        "success" : true,
        "errorCode" : null,
        "errorMessage" : null,
        "inviteLink" : "http://localhost/invitations/accept?code=I20Sa_WkgD-bBOdcBVNt7QmYzbUQtCTz"
      }, {
        "email" : "user2@lxvooo.com",
        "userId" : "3a10e566-2155-40ba-b218-2457ad7b56ea",
        "origin" : "uaa",
        "success" : true,
        "errorCode" : null,
        "errorMessage" : null,
        "inviteLink" : "http://localhost/invitations/accept?code=VGFKzWys4aSLNQmT8TnyZf93ZmOV8qOX"
      } ],
      "failed_invites" : [ ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing scim.invite
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    emails Array Required User is invited by providing an email address. More than one email addresses can be provided.

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client
    redirect_uri String Required The user will be redirected to this uri, when user accepts the invitation. The redirect_uri will be validated against allowed redirect_uri for the client.

    Response Fields

    Path Type Description
    new_invites[].email String Primary email id of the invited user
    new_invites[].userId String A unique string for the invited user
    new_invites[].origin String Unique alias of the provider
    new_invites[].success Boolean Flag to determine whether the invitation was sent successfully
    new_invites[].errorCode String Error code in case of failure to send invitation
    new_invites[].errorMessage String Error message in case of failure to send invitation
    new_invites[].inviteLink String Invitation link to invite users
    failed_invites Array List of invites having exception in sending the invitation
    Error Code Description
    403 Forbidden - Insufficient scope

    Groups

    Create

    $ curl 'http://localhost/Groups' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229' \
        -d '{
      "displayName" : "Cool Group Name",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ]
    }'
    
    POST /Groups HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229
    Content-Length: 196
    Host: localhost
    
    {
      "displayName" : "Cool Group Name",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ]
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    ETag: "0"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 441
    
    {
      "id" : "e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca",
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:36.624Z",
        "lastModified" : "2023-05-04T14:57:36.624Z"
      },
      "displayName" : "Cool Group Name",
      "zoneId" : "uaa",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ],
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    displayName String Required An identifier, unique within the identity zone
    description String Optional Human readable description of the group, displayed e.g. when approving scopes
    members Array Optional Members to be included in the group
    members[].value String Required for each item in members The globally-unique ID of the member entity, either a user ID or another group ID
    members[].type String Optional (defaults to "USER") Either "USER" or "GROUP"
    members[].origin String Optional (defaults to "uaa") The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. This value will NOT change during an update (put request) if the membership already exists under a different origin.

    Response Fields

    Path Type Description
    id String The globally unique group ID
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    description String Human readable description of the group, displayed e.g. when approving scopes
    members Array Array of group members
    members[].value String Globally unique identifier of the member, either a user ID or another group ID
    members[].type String Either "USER" or "GROUP"
    members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    zoneId String Identifier for the identity zone to which the group belongs
    meta.version Number The version of the group entity
    meta.created String The time the group was created
    meta.lastModified String The time the group was last updated
    schemas Array [ "urn:scim:schemas:core:1.0" ]
    Error Code Description
    400 Bad Request - Invalid member ID
    403 Forbidden - Insufficient scope

    Retrieve

    $ curl 'http://localhost/Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca' -i -X GET \
        -H 'Authorization: Bearer 929ebc226b224cebaec1c7c7f1e5f6c3'
    
    GET /Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca HTTP/1.1
    Authorization: Bearer 929ebc226b224cebaec1c7c7f1e5f6c3
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "2"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 454
    
    {
      "id" : "e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca",
      "meta" : {
        "version" : 2,
        "created" : "2023-05-04T14:57:36.624Z",
        "lastModified" : "2023-05-04T14:57:37.065Z"
      },
      "displayName" : "Cooler Group Name for Update",
      "zoneId" : "uaa",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ],
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/{groupId}

    Parameter Description
    groupId Globally unique identifier of the group to retrieve

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.read
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    id String The globally unique group ID
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    description String Human readable description of the group, displayed e.g. when approving scopes
    members Array Array of group members
    members[].value String Globally unique identifier of the member, either a user ID or another group ID
    members[].type String Either "USER" or "GROUP"
    members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    zoneId String Identifier for the identity zone to which the group belongs
    meta.version Number The version of the group entity
    meta.created String The time the group was created
    meta.lastModified String The time the group was last updated
    schemas Array [ "urn:scim:schemas:core:1.0" ]
    Error Code Description
    403 Forbidden - Insufficient scope

    Update

    $ curl 'http://localhost/Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229' \
        -H 'If-Match: 0' \
        -d '{
      "displayName" : "Cooler Group Name for Update",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ]
    }'
    
    PUT /Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229
    If-Match: 0
    Content-Length: 209
    Host: localhost
    
    {
      "displayName" : "Cooler Group Name for Update",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 454
    
    {
      "id" : "e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca",
      "meta" : {
        "version" : 1,
        "created" : "2023-05-04T14:57:36.624Z",
        "lastModified" : "2023-05-04T14:57:36.831Z"
      },
      "displayName" : "Cooler Group Name for Update",
      "zoneId" : "uaa",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ],
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/{groupId}

    Parameter Description
    groupId Globally unique identifier of the group to update

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write or groups.update
    If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    displayName String Required An identifier, unique within the identity zone
    description String Optional Human readable description of the group, displayed e.g. when approving scopes
    members Array Optional Members to be included in the group
    members[].value String Required for each item in members The globally-unique ID of the member entity, either a user ID or another group ID
    members[].type String Optional (defaults to "USER") Either "USER" or "GROUP"
    members[].origin String Optional (defaults to "uaa") The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. This value will NOT change during an update (put request) if the membership already exists under a different origin.

    Response Fields

    Path Type Description
    id String The globally unique group ID
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    description String Human readable description of the group, displayed e.g. when approving scopes
    members Array Array of group members
    members[].value String Globally unique identifier of the member, either a user ID or another group ID
    members[].type String Either "USER" or "GROUP"
    members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    zoneId String Identifier for the identity zone to which the group belongs
    meta.version Number The version of the group entity
    meta.created String The time the group was created
    meta.lastModified String The time the group was last updated
    schemas Array [ "urn:scim:schemas:core:1.0" ]
    Error Code Description
    400 Bad Request - Incorrect version supplied in If-Match header
    403 Forbidden - Insufficient scope
    409 Conflict

    Patch

    Updating partial elements of a group is documented at SCIM Specification

    $ curl 'http://localhost/Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca' -i -X PATCH \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229' \
        -H 'If-Match: *' \
        -d '{
      "displayName" : "Cooler Group Name for Update",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ]
    }'
    
    PATCH /Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229
    If-Match: *
    Content-Length: 209
    Host: localhost
    
    {
      "displayName" : "Cooler Group Name for Update",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "2"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 454
    
    {
      "id" : "e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca",
      "meta" : {
        "version" : 2,
        "created" : "2023-05-04T14:57:36.624Z",
        "lastModified" : "2023-05-04T14:57:37.065Z"
      },
      "displayName" : "Cooler Group Name for Update",
      "zoneId" : "uaa",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ],
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/{groupId}

    Parameter Description
    groupId Globally unique identifier of the group to update

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write or groups.update
    If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.

    Request Fields

    Path Type Constraints Description
    displayName String Required An identifier, unique within the identity zone
    description String Optional Human readable description of the group, displayed e.g. when approving scopes
    members Array Optional Members to be included in the group
    members[].value String Required for each item in members The globally-unique ID of the member entity, either a user ID or another group ID
    members[].type String Optional (defaults to "USER") Either "USER" or "GROUP"
    members[].origin String Optional (defaults to "uaa") The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. This value will NOT change during an update (put request) if the membership already exists under a different origin.
    members[].operation String Optional "delete" if the corresponding member shall be deleted
    meta.attributes Array Optional Names of attributes that shall be deleted

    Response Fields

    Path Type Description
    id String The globally unique group ID
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    description String Human readable description of the group, displayed e.g. when approving scopes
    members Array Array of group members
    members[].value String Globally unique identifier of the member, either a user ID or another group ID
    members[].type String Either "USER" or "GROUP"
    members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    zoneId String Identifier for the identity zone to which the group belongs
    meta.version Number The version of the group entity
    meta.created String The time the group was created
    meta.lastModified String The time the group was last updated
    schemas Array [ "urn:scim:schemas:core:1.0" ]
    Error Code Description
    400 Bad Request - Incorrect version supplied in If-Match header
    403 Forbidden - Insufficient scope
    409 Conflict

    Delete

    $ curl 'http://localhost/Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca' -i -X DELETE \
        -H 'Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229'
    
    DELETE /Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca HTTP/1.1
    Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "2"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 454
    
    {
      "id" : "e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca",
      "meta" : {
        "version" : 2,
        "created" : "2023-05-04T14:57:36.624Z",
        "lastModified" : "2023-05-04T14:57:37.065Z"
      },
      "displayName" : "Cooler Group Name for Update",
      "zoneId" : "uaa",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
      } ],
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/{groupId}

    Parameter Description
    groupId The globally unique identifier of the group

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write
    If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    id String The globally unique group ID
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    description String Human readable description of the group, displayed e.g. when approving scopes
    members Array Array of group members
    members[].value String Globally unique identifier of the member, either a user ID or another group ID
    members[].type String Either "USER" or "GROUP"
    members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    zoneId String Identifier for the identity zone to which the group belongs
    meta.version Number The version of the group entity
    meta.created String The time the group was created
    meta.lastModified String The time the group was last updated
    schemas Array [ "urn:scim:schemas:core:1.0" ]
    Error Code Description
    400 Bad Request - Incorrect version supplied in If-Match header
    403 Forbidden - Insufficient scope
    409 Conflict

    List

    $ curl 'http://localhost/Groups?filter=id+eq+%22e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca%22+or+displayName+eq+%22Cooler+Group+Name+for+Update%22&sortBy=lastModified&count=50&sortOrder=descending&startIndex=1' -i -X GET \
        -H 'Authorization: Bearer 929ebc226b224cebaec1c7c7f1e5f6c3'
    
    GET /Groups?filter=id+eq+%22e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca%22+or+displayName+eq+%22Cooler+Group+Name+for+Update%22&sortBy=lastModified&count=50&sortOrder=descending&startIndex=1 HTTP/1.1
    Authorization: Bearer 929ebc226b224cebaec1c7c7f1e5f6c3
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 621
    
    {
      "resources" : [ {
        "id" : "e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca",
        "meta" : {
          "version" : 2,
          "created" : "2023-05-04T14:57:36.624Z",
          "lastModified" : "2023-05-04T14:57:37.065Z"
        },
        "displayName" : "Cooler Group Name for Update",
        "zoneId" : "uaa",
        "description" : "the cool group",
        "members" : [ {
          "origin" : "uaa",
          "type" : "USER",
          "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
        } ],
        "schemas" : [ "urn:scim:schemas:core:1.0" ]
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 5,
      "totalResults" : 1,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.read
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    filter String Optional (defaults to id pr) A SCIM filter over groups
    sortBy String Optional (defaults to created) The field of the SCIM group to sort by
    sortOrder Number Optional (defaults to ascending) Sort in ascending or descending order
    startIndex Number Optional (defaults to 1) The index of the first result of this page within all matches
    count Number Optional (defaults to 100) Maximum number of results to return in a single page

    Response Fields

    Path Type Description
    resources[].id String The globally unique group ID
    resources[].displayName String The identifier specified upon creation of the group, unique within the identity zone
    resources[].description String Human readable description of the group, displayed e.g. when approving scopes
    resources[].members Array Array of group members
    resources[].members[].value String Globally unique identifier of the member, either a user ID or another group ID
    resources[].members[].type String Either "USER" or "GROUP"
    resources[].members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    resources[].zoneId String Identifier for the identity zone to which the group belongs
    resources[].meta.version Number The version of the group entity
    resources[].meta.created String The time the group was created
    resources[].meta.lastModified String The time the group was last updated
    resources[].schemas Array [ "urn:scim:schemas:core:1.0" ]
    itemsPerPage Number The page-size used to produce the current page of results
    startIndex Number The index of the first result of this page within all matches
    totalResults Number The number of groups that matched the given filter
    schemas Array [ "urn:scim:schemas:core:1.0" ]
    Error Code Description
    400 Bad Request - Invalid attributes
    403 Forbidden - Insufficient scope

    Check Membership

    $ curl 'http://localhost/Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca/members/2f586010-238b-46a7-9fbc-cdcd62092303' -i -X GET \
        -H 'Authorization: Bearer 929ebc226b224cebaec1c7c7f1e5f6c3'
    
    GET /Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca/members/2f586010-238b-46a7-9fbc-cdcd62092303 HTTP/1.1
    Authorization: Bearer 929ebc226b224cebaec1c7c7f1e5f6c3
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 93
    
    {
      "origin" : "uaa",
      "type" : "USER",
      "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
    }
    

    Path Parameters

    /Groups/{groupId}/members/{memberId}

    Parameter Description
    groupId The globally unique identifier of the group
    memberId The globally unique identifier the user or group which is a member of the specified by groupId

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.read
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    value String The globally unique identifier the user or group which is a member of the specified by groupId
    type String Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID
    origin String The originating IDP of the entity, or "uaa" for groups and internal users
    Error Code Description
    400 Bad Request - Invalid member ID
    403 Forbidden - Insufficient scope
    404 Not Found - Group does not exist, or the entity is not a member

    Add Member

    $ curl 'http://localhost/Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca/members' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229' \
        -d '{"origin":"uaa","type":"USER","value":"2f586010-238b-46a7-9fbc-cdcd62092303"}'
    
    POST /Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca/members HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229
    Content-Length: 77
    Host: localhost
    
    {"origin":"uaa","type":"USER","value":"2f586010-238b-46a7-9fbc-cdcd62092303"}
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 93
    
    {
      "origin" : "uaa",
      "type" : "USER",
      "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
    }
    

    Path Parameters

    /Groups/{groupId}/members

    Parameter Description
    groupId The globally unique identifier of the group

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    value String Required The globally unique identifier the user or group which is a member of the specified by groupId
    type String Required Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID
    origin String Required The originating IDP of the entity, or "uaa" for groups and internal users

    Response Fields

    Path Type Description
    value String The globally unique identifier the user or group which is a member of the specified by groupId
    type String Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID
    origin String The originating IDP of the entity, or "uaa" for groups and internal users
    Error Code Description
    400 Bad Request - Invalid member ID
    403 Forbidden - Insufficient scope
    404 Not Found - Specified group or member entity does not exist

    Remove Member

    $ curl 'http://localhost/Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca/members/2f586010-238b-46a7-9fbc-cdcd62092303' -i -X DELETE \
        -H 'Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229'
    
    DELETE /Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca/members/2f586010-238b-46a7-9fbc-cdcd62092303 HTTP/1.1
    Authorization: Bearer 1911cd7d504e481ebf65aa34d6a53229
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 93
    
    {
      "origin" : "uaa",
      "type" : "USER",
      "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
    }
    

    Path Parameters

    /Groups/{groupId}/members/{memberId}

    Parameter Description
    groupId The globally unique identifier of the group
    memberId The globally unique identifier of the entity, i.e. the user or group, to be removed from membership in the group specified by groupId

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    origin String The originating IDP of the entity
    type String Either "USER" or "GROUP", indicating what type of entity the group membership refers to
    value String The globally unique identifier of the user or group which has been removed from the group specified by groupId
    Error Code Description
    400 Bad Request - Incorrect version supplied in If-Match header
    403 Forbidden - Insufficient scope
    404 Not Found - Group does not exist, or the entity is not a member
    409 Conflict

    List Members

    $ curl 'http://localhost/Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca/members?returnEntities=true' -i -X GET \
        -H 'Authorization: Bearer 929ebc226b224cebaec1c7c7f1e5f6c3'
    
    GET /Groups/e81a25d4-a1e0-4d7e-8f6e-e90f721f0dca/members?returnEntities=true HTTP/1.1
    Authorization: Bearer 929ebc226b224cebaec1c7c7f1e5f6c3
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 707
    
    [ {
      "origin" : "uaa",
      "type" : "USER",
      "entity" : {
        "id" : "2f586010-238b-46a7-9fbc-cdcd62092303",
        "meta" : {
          "version" : 0,
          "created" : "2023-05-04T14:57:36.339Z",
          "lastModified" : "2023-05-04T14:57:36.339Z"
        },
        "userName" : "UEH65C",
        "name" : {
          "familyName" : "cool-familyName",
          "givenName" : "cool-name"
        },
        "emails" : [ {
          "value" : "cool@chill.com",
          "primary" : false
        } ],
        "active" : true,
        "verified" : true,
        "origin" : "uaa",
        "zoneId" : "uaa",
        "passwordLastModified" : "2023-05-04T14:57:36.000Z",
        "schemas" : [ "urn:scim:schemas:core:1.0" ]
      },
      "value" : "2f586010-238b-46a7-9fbc-cdcd62092303"
    } ]
    

    Path Parameters

    /Groups/{groupId}/members

    Parameter Description
    groupId The globally unique identifier of the group

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.read
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    returnEntities Boolean Optional (defaults to false) Set to true to return the SCIM entities which have membership in the group

    Response Fields

    Path Type Description
    [].value String The globally unique identifier the user or group which is a member of the specified by groupId
    [].type String Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID
    [].origin String The originating IDP of the entity, or "uaa" for groups and internal users
    [].entity.* Varies Present only if requested with returnEntities; user or group details for each entity that is a member of this group
    Error Code Description
    400 Bad Request - Invalid attributes
    403 Forbidden - Insufficient scope
    404 Not Found - Specified group does not exist

    External Group Mappings

    Map

    $ curl 'http://localhost/Groups/External' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 83f24535ee45448e87fcbd141cada7d0' \
        -d '{
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:33.284Z"
      },
      "groupId" : "a93839bf-fed0-4694-bd6d-6cccf14aa41f",
      "externalGroup" : "External group",
      "origin" : "ldap",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }'
    
    POST /Groups/External HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 83f24535ee45448e87fcbd141cada7d0
    Content-Length: 242
    Host: localhost
    
    {
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:33.284Z"
      },
      "groupId" : "a93839bf-fed0-4694-bd6d-6cccf14aa41f",
      "externalGroup" : "External group",
      "origin" : "ldap",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 362
    
    {
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:33.326Z",
        "lastModified" : "2023-05-04T14:57:33.326Z"
      },
      "groupId" : "a93839bf-fed0-4694-bd6d-6cccf14aa41f",
      "externalGroup" : "external group",
      "displayName" : "Group For Testing Creating External Group Mapping",
      "origin" : "ldap",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with authorization for scim.write scope
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Request Fields

    Path Type Constraints Description
    groupId String Required The globally unique group ID
    externalGroup String Required The identifier for the group in external identity provider that needs to be mapped to internal UAA groups
    origin String Optional (defaults to "ldap") Unique alias of the identity provider
    meta.version Number Optional (defaults to 0) The version of the group entity

    Response Fields

    Path Type Description
    groupId String The globally unique group ID
    externalGroup String The identifier for the group in external identity provider that needs to be mapped to internal UAA groups
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    origin String Unique alias of the identity provider
    meta.version Number The version of the group entity
    meta.created String The time the group mapping was created
    meta.lastModified String The time the group mapping was last updated
    schemas Array ["urn:scim:schemas:core:1.0"]
    Error Code Description
    400 Bad Request - External group or origin should not be null
    403 Forbidden - Insufficient scope
    404 Not Found - Incorrect group ID provided

    Unmap

    By group ID

    $ curl 'http://localhost/Groups/External/groupId/78cc5a02-bd0c-4dc3-aff7-fbd1aa0ca835/externalGroup/external%20group/origin/ldap' -i -X DELETE \
        -H 'Authorization: Bearer acccb27edc914f60b42791f054ce0c3c'
    
    DELETE /Groups/External/groupId/78cc5a02-bd0c-4dc3-aff7-fbd1aa0ca835/externalGroup/external%20group/origin/ldap HTTP/1.1
    Authorization: Bearer acccb27edc914f60b42791f054ce0c3c
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 362
    
    {
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:31.072Z",
        "lastModified" : "2023-05-04T14:57:31.072Z"
      },
      "groupId" : "78cc5a02-bd0c-4dc3-aff7-fbd1aa0ca835",
      "externalGroup" : "external group",
      "displayName" : "Group For Testing Deleting External Group Mapping",
      "origin" : "ldap",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/External/groupId/{groupId}/externalGroup/{externalGroup}/origin/{origin}

    Parameter Description
    groupId The globally unique group ID
    externalGroup The identifier for the group in external identity provider that needs to be mapped to internal UAA groups
    origin Unique alias of the identity provider

    Request Headers

    Name Description
    Authorization Bearer token with authorization for scim.write scope
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Response Fields

    Path Type Description
    groupId String The globally unique group ID
    externalGroup String The identifier for the group in external identity provider that needs to be mapped to internal UAA groups
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    origin String Unique alias of the identity provider
    meta.version Number The version of the group entity
    meta.created String The time the group mapping was created
    meta.lastModified String The time the group mapping was last updated
    schemas Array ["urn:scim:schemas:core:1.0"]
    Error Code Description
    403 Forbidden - Insufficient scope
    404 Not Found - No such group ID, external group, origin combination

    By group display name

    $ curl 'http://localhost/Groups/External/displayName/Group%20For%20Testing%20Deleting%20External%20Group%20Mapping%20By%20Name/externalGroup/external%20group/origin/ldap' -i -X DELETE \
        -H 'Authorization: Bearer b44677bf4c224bc7aeb461d7ec063a27'
    
    DELETE /Groups/External/displayName/Group%20For%20Testing%20Deleting%20External%20Group%20Mapping%20By%20Name/externalGroup/external%20group/origin/ldap HTTP/1.1
    Authorization: Bearer b44677bf4c224bc7aeb461d7ec063a27
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 370
    
    {
      "meta" : {
        "version" : 0,
        "created" : "2023-05-04T14:57:33.885Z",
        "lastModified" : "2023-05-04T14:57:33.885Z"
      },
      "groupId" : "57af7c8b-d883-4345-8cf8-0420072d73a6",
      "externalGroup" : "external group",
      "displayName" : "Group For Testing Deleting External Group Mapping By Name",
      "origin" : "ldap",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/External/displayName/{displayName}/externalGroup/{externalGroup}/origin/{origin}

    Parameter Description
    displayName The identifier specified upon creation of the group, unique within the identity zone
    externalGroup The identifier for the group in external identity provider that needs to be mapped to internal UAA groups
    origin Unique alias of the identity provider

    Request Headers

    Name Description
    Authorization Bearer token with authorization for scim.write scope
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Response Fields

    Path Type Description
    groupId String The globally unique group ID
    externalGroup String The identifier for the group in external identity provider that needs to be mapped to internal UAA groups
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    origin String Unique alias of the identity provider
    meta.version Number The version of the group entity
    meta.created String The time the group mapping was created
    meta.lastModified String The time the group mapping was last updated
    schemas Array ["urn:scim:schemas:core:1.0"]
    Error Code Description
    403 Forbidden - Insufficient scope
    404 Not Found - No such group display name, external group, origin combination

    List

    $ curl 'http://localhost/Groups/External?startIndex=1&count=50&origin=ldap&externalGroup=&filter=' -i -X GET \
        -H 'Authorization: Bearer 5a304864606e4895ae7be3165cc9d124'
    
    GET /Groups/External?startIndex=1&count=50&origin=ldap&externalGroup=&filter= HTTP/1.1
    Authorization: Bearer 5a304864606e4895ae7be3165cc9d124
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1284
    
    {
      "resources" : [ {
        "displayName" : "internal.read",
        "externalGroup" : "cn=developers,ou=scopes,dc=test,dc=com",
        "groupId" : "09867fcb-f4f1-471e-aee9-708e783aa93f",
        "origin" : "ldap"
      }, {
        "displayName" : "internal.superuser",
        "externalGroup" : "cn=superusers,ou=scopes,dc=test,dc=com",
        "groupId" : "17b5c62d-aeb8-46f6-bd7c-93f90625a8a1",
        "origin" : "ldap"
      }, {
        "displayName" : "internal.everything",
        "externalGroup" : "cn=superusers,ou=scopes,dc=test,dc=com",
        "groupId" : "1bf1b723-020e-4735-afd7-048e32610ed4",
        "origin" : "ldap"
      }, {
        "displayName" : "internal.write",
        "externalGroup" : "cn=operators,ou=scopes,dc=test,dc=com",
        "groupId" : "877d9f17-00cf-4555-9933-ced0f334e841",
        "origin" : "ldap"
      }, {
        "displayName" : "organizations.acme",
        "externalGroup" : "cn=test_org,ou=people,o=springsource,o=org",
        "groupId" : "f4eeb894-4068-4f13-984f-3bbdd77a345b",
        "origin" : "ldap"
      }, {
        "displayName" : "Group For Testing Retrieving External Group Mappings",
        "externalGroup" : "external group",
        "groupId" : "f94e48b4-953e-4647-9303-2ad6e8955a6e",
        "origin" : "ldap"
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 6,
      "totalResults" : 6,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with authorization for scim.read scope
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Response Fields

    Path Type Description
    resources[].groupId String The globally unique group ID
    resources[].displayName String The identifier specified upon creation of the group, unique within the identity zone
    resources[].externalGroup String The identifier for the group in external identity provider that needs to be mapped to internal UAA groups
    resources[].origin String Unique alias of the identity provider
    startIndex Number The index of the first item of this page of results
    itemsPerPage Number The page size used in producing this page of results
    totalResults Number The number of results which matched the filter
    schemas Array ["urn:scim:schemas:core:1.0"]
    Error Code Description
    400 Bad Request - Invalid request parameters
    403 Forbidden - Insufficient scope

    Clients

    Create

    $ curl 'http://localhost/oauth/clients' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 1f89e3fe65ad4c21a17a95e43603bf74' \
        -H 'Accept: application/json' \
        -d '{
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "VXjwxw",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "DCzqBJ",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }'
    
    POST /oauth/clients HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 1f89e3fe65ad4c21a17a95e43603bf74
    Accept: application/json
    Content-Length: 468
    Host: localhost
    
    {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "VXjwxw",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "DCzqBJ",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 517
    
    {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "VXjwxw",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "DCzqBJ",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212139665,
      "required_user_groups" : [ ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    client_id String Required Client identifier, unique within identity zone
    authorized_grant_types Array Optional List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Optional Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Optional (defaults to "uaa.none") Scopes allowed for the client
    resource_ids Array Optional (defaults to []) Resources the client is allowed access to
    authorities Array Optional (defaults to "uaa.none") Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Optional (defaults to []) Scopes that do not require user approval
    allowpublic Boolean Optional (defaults to false) If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    access_token_validity Number Optional time in seconds to access token expiration after it is issued
    refresh_token_validity Number Optional time in seconds to refresh token expiration after it is issued
    allowedproviders Array Optional A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String Optional A human readable name for the client
    token_salt String Optional A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    createdwith String Optional What scope the bearer token had when client was created
    approvals_deleted Boolean Optional Were the approvals deleted for the client, and an audit event sent
    required_user_groups Array Optional A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    client_secret String Required if the client allows authorization_code or client_credentials grant type A secret string used for authenticating as this client.
    secondary_client_secret String Optional An optional, secondary secret string used for authenticating as this client to support secret rotation.

    Response Fields

    Path Type Description
    client_id String Client identifier, unique within identity zone
    authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Scopes allowed for the client
    resource_ids Array Resources the client is allowed access to
    authorities Array Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Scopes that do not require user approval
    allowpublic Boolean If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    access_token_validity Number time in seconds to access token expiration after it is issued
    refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String A human readable name for the client
    token_salt String A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    createdwith String What scope the bearer token had when client was created
    approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Retrieve

    $ curl 'http://localhost/oauth/clients/B8zY45' -i -X GET \
        -H 'Authorization: Bearer a14434d572464267bebdb5f11e0d7975' \
        -H 'Accept: application/json'
    
    GET /oauth/clients/B8zY45 HTTP/1.1
    Authorization: Bearer a14434d572464267bebdb5f11e0d7975
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 517
    
    {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "B8zY45",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "wSF44i",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212140506,
      "required_user_groups" : [ ]
    }
    

    Path Parameters

    /oauth/clients/{client_id}

    Parameter Description
    client_id Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token containing clients.read, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    client_id String Client identifier, unique within identity zone
    authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Scopes allowed for the client
    resource_ids Array Resources the client is allowed access to
    authorities Array Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Scopes that do not require user approval
    allowpublic Boolean If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    access_token_validity Number time in seconds to access token expiration after it is issued
    refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String A human readable name for the client
    token_salt String A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    createdwith String What scope the bearer token had when client was created
    approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Update

    $ curl 'http://localhost/oauth/clients/BnLy1D' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 44b34095b4534e6d9257e499a1d0da17' \
        -H 'Accept: application/json' \
        -d '{
      "scope" : [ "clients.new", "clients.autoapprove" ],
      "client_id" : "BnLy1D",
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://redirect.url" ],
      "autoapprove" : [ "clients.autoapprove" ]
    }'
    
    PUT /oauth/clients/BnLy1D HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 44b34095b4534e6d9257e499a1d0da17
    Accept: application/json
    Content-Length: 228
    Host: localhost
    
    {
      "scope" : [ "clients.new", "clients.autoapprove" ],
      "client_id" : "BnLy1D",
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://redirect.url" ],
      "autoapprove" : [ "clients.autoapprove" ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 498
    
    {
      "scope" : [ "clients.new", "clients.autoapprove" ],
      "client_id" : "BnLy1D",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://redirect.url" ],
      "autoapprove" : [ "clients.autoapprove" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "zRZHZh",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212137586,
      "required_user_groups" : [ ]
    }
    

    Path Parameters

    /oauth/clients/{client_id}

    Parameter Description
    client_id Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    client_id String Required Client identifier, unique within identity zone
    authorized_grant_types Array Optional List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Optional Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Optional (defaults to "uaa.none") Scopes allowed for the client
    resource_ids Array Optional (defaults to []) Resources the client is allowed access to
    authorities Array Optional (defaults to "uaa.none") Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Optional (defaults to []) Scopes that do not require user approval
    allowpublic Boolean Optional (defaults to false) If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    access_token_validity Number Optional time in seconds to access token expiration after it is issued
    refresh_token_validity Number Optional time in seconds to refresh token expiration after it is issued
    allowedproviders Array Optional A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String Optional A human readable name for the client
    token_salt String Optional A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    createdwith String Optional What scope the bearer token had when client was created
    approvals_deleted Boolean Optional Were the approvals deleted for the client, and an audit event sent
    required_user_groups Array Optional A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.

    Response Fields

    Path Type Description
    client_id String Client identifier, unique within identity zone
    authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Scopes allowed for the client
    resource_ids Array Resources the client is allowed access to
    authorities Array Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Scopes that do not require user approval
    allowpublic Boolean If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    access_token_validity Number time in seconds to access token expiration after it is issued
    refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String A human readable name for the client
    token_salt String A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    createdwith String What scope the bearer token had when client was created
    approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Delete

    $ curl 'http://localhost/oauth/clients/hB4J6j' -i -X DELETE \
        -H 'Authorization: Bearer fdd9c7e16a0d440e8e6105cbf0906f0d' \
        -H 'Accept: application/json'
    
    DELETE /oauth/clients/hB4J6j HTTP/1.1
    Authorization: Bearer fdd9c7e16a0d440e8e6105cbf0906f0d
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 517
    
    {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "hB4J6j",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "sDpio4",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212138170,
      "required_user_groups" : [ ]
    }
    

    Path Parameters

    /oauth/clients/{client_id}

    Parameter Description
    client_id Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    client_id String Client identifier, unique within identity zone
    authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Scopes allowed for the client
    resource_ids Array Resources the client is allowed access to
    authorities Array Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Scopes that do not require user approval
    allowpublic Boolean If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    access_token_validity Number time in seconds to access token expiration after it is issued
    refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String A human readable name for the client
    token_salt String A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    createdwith String What scope the bearer token had when client was created
    approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Change Secret

    $ curl 'http://localhost/oauth/clients/lZ_nyj/secret' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 230152b42f7c49b3a03564c70ca8e00e' \
        -H 'Accept: application/json' \
        -d '{
      "clientId" : "lZ_nyj",
      "secret" : "new_secret"
    }'
    
    PUT /oauth/clients/lZ_nyj/secret HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 230152b42f7c49b3a03564c70ca8e00e
    Accept: application/json
    Content-Length: 54
    Host: localhost
    
    {
      "clientId" : "lZ_nyj",
      "secret" : "new_secret"
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 53
    
    {
      "status" : "ok",
      "message" : "secret updated"
    }
    

    Path Parameters

    /oauth/clients/{client_id}/secret

    Parameter Description
    client_id Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    clientId String Required Client identifier, unique within identity zone
    oldSecret String Optional if authenticated as an admin client. Required otherwise. A valid client secret before updating
    secret String Required The new client secret
    changeMode String Optional (defaults to "UPDATE") If change mode is set to ADD, the new secret will be added to the existing one and if the change mode is set to DELETE, the old secret will be deleted to support secret rotation. Currently only two client secrets are supported at any given time.

    List

    $ curl 'http://localhost/oauth/clients?filter=client_id+eq+%22EzAdsV%22&sortBy=client_id&sortOrder=descending&startIndex=1&count=10' -i -X GET \
        -H 'Authorization: Bearer 275e7bee8fef4e3185f1637f9c8083c7' \
        -H 'Accept: application/json'
    
    GET /oauth/clients?filter=client_id+eq+%22EzAdsV%22&sortBy=client_id&sortOrder=descending&startIndex=1&count=10 HTTP/1.1
    Authorization: Bearer 275e7bee8fef4e3185f1637f9c8083c7
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 672
    
    {
      "resources" : [ {
        "scope" : [ "clients.read", "clients.write" ],
        "client_id" : "EzAdsV",
        "resource_ids" : [ "none" ],
        "authorized_grant_types" : [ "client_credentials" ],
        "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
        "autoapprove" : [ "true" ],
        "authorities" : [ "clients.read", "clients.write" ],
        "token_salt" : "HgQq4I",
        "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
        "name" : "My Client Name",
        "lastModified" : 1683212139948
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 1,
      "totalResults" : 1,
      "schemas" : [ "http://cloudfoundry.org/schema/scim/oauth-clients-1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.read, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    filter String Optional (defaults to client_id pr) SCIM filter for querying clients
    sortBy String Optional (defaults to client_id) Field to sort results by
    sortOrder String Optional (defaults to ascending) Sort results in ascending or descending order
    startIndex Number Optional (defaults to 1) Index of the first result on which to begin the page
    count Number Optional (defaults to 100) Number of results per page

    Response Fields

    Path Type Description
    resources[].client_id String Client identifier, unique within identity zone
    resources[].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    resources[].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    resources[].scope Array Scopes allowed for the client
    resources[].resource_ids Array Resources the client is allowed access to
    resources[].authorities Array Scopes which the client is able to grant when creating a client
    resources[].autoapprove [Boolean, Array] Scopes that do not require user approval
    resources[].allowpublic Boolean If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    resources[].access_token_validity Number time in seconds to access token expiration after it is issued
    resources[].refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    resources[].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    resources[].name String A human readable name for the client
    resources[].token_salt String A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    resources[].createdwith String What scope the bearer token had when client was created
    resources[].approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    resources[].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    resources[].lastModified Number Epoch (milliseconds) of the moment the client information was last altered
    startIndex Number Index of the first result on this page
    itemsPerPage Number Number of results per page
    totalResults Number Total number of results that matched the query
    schemas Array ["urn:scim:schemas:core:1.0"]

    Batch Create

    $ curl 'http://localhost/oauth/clients/tx' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer c0927b5c77cc4959be40e2d2119aec49' \
        -H 'Accept: application/json' \
        -d '[ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "le2Jqw",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "7AXTCV",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "B6F9fE",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "CweF7y",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    } ]'
    
    POST /oauth/clients/tx HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer c0927b5c77cc4959be40e2d2119aec49
    Accept: application/json
    Content-Length: 942
    Host: localhost
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "le2Jqw",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "7AXTCV",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "B6F9fE",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "CweF7y",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    } ]
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1040
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "le2Jqw",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "7AXTCV",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212138615,
      "required_user_groups" : [ ]
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "B6F9fE",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "CweF7y",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212138632,
      "required_user_groups" : [ ]
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    [].client_id String Required Client identifier, unique within identity zone
    [].authorized_grant_types Array Optional List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Optional Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Optional (defaults to "uaa.none") Scopes allowed for the client
    [].resource_ids Array Optional (defaults to []) Resources the client is allowed access to
    [].authorities Array Optional (defaults to "uaa.none") Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Optional (defaults to []) Scopes that do not require user approval
    [].allowpublic Boolean Optional (defaults to false) If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    [].access_token_validity Number Optional time in seconds to access token expiration after it is issued
    [].refresh_token_validity Number Optional time in seconds to refresh token expiration after it is issued
    [].allowedproviders Array Optional A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String Optional A human readable name for the client
    [].token_salt String Optional A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    [].createdwith String Optional What scope the bearer token had when client was created
    [].approvals_deleted Boolean Optional Were the approvals deleted for the client, and an audit event sent
    [].required_user_groups Array Optional A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].client_secret String Required if the client allows authorization_code or client_credentials grant type A secret string used for authenticating as this client.

    Response Fields

    Path Type Description
    [].client_id String Client identifier, unique within identity zone
    [].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Scopes allowed for the client
    [].resource_ids Array Resources the client is allowed access to
    [].authorities Array Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Scopes that do not require user approval
    [].allowpublic Boolean If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    [].access_token_validity Number time in seconds to access token expiration after it is issued
    [].refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    [].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String A human readable name for the client
    [].token_salt String A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    [].createdwith String What scope the bearer token had when client was created
    [].approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    [].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Batch Update

    $ curl 'http://localhost/oauth/clients/tx' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer c0927b5c77cc4959be40e2d2119aec49' \
        -H 'Accept: application/json' \
        -d '[ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "le2Jqw",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "7AXTCV",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "B6F9fE",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "new.authority", "clients.write" ],
      "token_salt" : "CweF7y",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    } ]'
    
    PUT /oauth/clients/tx HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer c0927b5c77cc4959be40e2d2119aec49
    Accept: application/json
    Content-Length: 899
    Host: localhost
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "le2Jqw",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "7AXTCV",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "B6F9fE",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "new.authority", "clients.write" ],
      "token_salt" : "CweF7y",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    } ]
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1057
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "le2Jqw",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "7AXTCV",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212138615,
      "required_user_groups" : [ ]
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "B6F9fE",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "new.authority", "clients.write" ],
      "token_salt" : "CweF7y",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212138632,
      "required_user_groups" : [ ]
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    [].client_id String Required Client identifier, unique within identity zone
    [].authorized_grant_types Array Optional List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Optional Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Optional (defaults to "uaa.none") Scopes allowed for the client
    [].resource_ids Array Optional (defaults to []) Resources the client is allowed access to
    [].authorities Array Optional (defaults to "uaa.none") Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Optional (defaults to []) Scopes that do not require user approval
    [].allowpublic Boolean Optional (defaults to false) If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    [].access_token_validity Number Optional time in seconds to access token expiration after it is issued
    [].refresh_token_validity Number Optional time in seconds to refresh token expiration after it is issued
    [].allowedproviders Array Optional A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String Optional A human readable name for the client
    [].token_salt String Optional A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    [].createdwith String Optional What scope the bearer token had when client was created
    [].approvals_deleted Boolean Optional Were the approvals deleted for the client, and an audit event sent
    [].required_user_groups Array Optional A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.

    Response Fields

    Path Type Description
    [].client_id String Client identifier, unique within identity zone
    [].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Scopes allowed for the client
    [].resource_ids Array Resources the client is allowed access to
    [].authorities Array Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Scopes that do not require user approval
    [].allowpublic Boolean If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    [].access_token_validity Number time in seconds to access token expiration after it is issued
    [].refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    [].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String A human readable name for the client
    [].token_salt String A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    [].createdwith String What scope the bearer token had when client was created
    [].approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    [].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Batch Secret Change

    $ curl 'http://localhost/oauth/clients/tx/secret' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer c0927b5c77cc4959be40e2d2119aec49' \
        -H 'Accept: application/json' \
        -d '[ {
      "clientId" : "le2Jqw",
      "secret" : "new_secret"
    }, {
      "clientId" : "B6F9fE",
      "secret" : "new_secret"
    } ]'
    
    POST /oauth/clients/tx/secret HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer c0927b5c77cc4959be40e2d2119aec49
    Accept: application/json
    Content-Length: 114
    Host: localhost
    
    [ {
      "clientId" : "le2Jqw",
      "secret" : "new_secret"
    }, {
      "clientId" : "B6F9fE",
      "secret" : "new_secret"
    } ]
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1117
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "le2Jqw",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "7AXTCV",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212138839,
      "required_user_groups" : [ ],
      "approvals_deleted" : true
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "B6F9fE",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "new.authority", "clients.write" ],
      "token_salt" : "CweF7y",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212138840,
      "required_user_groups" : [ ],
      "approvals_deleted" : true
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    [].clientId String Required Client identifier, unique within identity zone
    [].oldSecret String Optional if authenticated as an admin client. Required otherwise. A valid client secret before updating
    [].secret String Required The new client secret
    [].changeMode String Optional (defaults to "UPDATE") If change mode is set to ADD, the new secret will be added to the existing one and if the change mode is set to DELETE, the old secret will be deleted to support secret rotation. Currently only two client secrets are supported at any given time.

    Response Fields

    Path Type Description
    [].client_id String Client identifier, unique within identity zone
    [].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Scopes allowed for the client
    [].resource_ids Array Resources the client is allowed access to
    [].authorities Array Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Scopes that do not require user approval
    [].allowpublic Boolean If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    [].access_token_validity Number time in seconds to access token expiration after it is issued
    [].refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    [].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String A human readable name for the client
    [].token_salt String A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    [].createdwith String What scope the bearer token had when client was created
    [].approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    [].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].lastModified Number Epoch (milliseconds) of the moment the client information was last altered
    [].approvals_deleted Boolean Indicates whether the approvals associated with the client were deleted as a result of this action

    Mixed Actions

    $ curl 'http://localhost/oauth/clients/tx/modify' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer c0927b5c77cc4959be40e2d2119aec49' \
        -H 'Accept: application/json' \
        -d '[ {
      "action" : "secret",
      "client_secret" : "new_secret",
      "client_id" : "le2Jqw"
    }, {
      "action" : "delete",
      "client_id" : "B6F9fE"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "fVUSY_",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "action" : "add",
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "t6ec3d",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "approvals_deleted" : false
    } ]'
    
    POST /oauth/clients/tx/modify HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer c0927b5c77cc4959be40e2d2119aec49
    Accept: application/json
    Content-Length: 663
    Host: localhost
    
    [ {
      "action" : "secret",
      "client_secret" : "new_secret",
      "client_id" : "le2Jqw"
    }, {
      "action" : "delete",
      "client_id" : "B6F9fE"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "fVUSY_",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "action" : "add",
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "t6ec3d",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "approvals_deleted" : false
    } ]
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1343
    
    [ {
      "scope" : [ ],
      "client_id" : "le2Jqw",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ ],
      "action" : "secret",
      "authorities" : [ ],
      "approvals_deleted" : false
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "B6F9fE",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "action" : "delete",
      "authorities" : [ "clients.read", "new.authority", "clients.write" ],
      "token_salt" : "CweF7y",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212138840,
      "required_user_groups" : [ ],
      "approvals_deleted" : true
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "fVUSY_",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "action" : "add",
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "t6ec3d",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "approvals_deleted" : false,
      "lastModified" : 1683212139195,
      "required_user_groups" : [ ]
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    [].client_id String Required Client identifier, unique within identity zone
    [].authorized_grant_types Array Optional List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Optional Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Optional (defaults to "uaa.none") Scopes allowed for the client
    [].resource_ids Array Optional (defaults to []) Resources the client is allowed access to
    [].authorities Array Optional (defaults to "uaa.none") Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Optional (defaults to []) Scopes that do not require user approval
    [].allowpublic Boolean Optional (defaults to false) If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    [].access_token_validity Number Optional time in seconds to access token expiration after it is issued
    [].refresh_token_validity Number Optional time in seconds to refresh token expiration after it is issued
    [].allowedproviders Array Optional A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String Optional A human readable name for the client
    [].token_salt String Optional A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    [].createdwith String Optional What scope the bearer token had when client was created
    [].approvals_deleted Boolean Optional Were the approvals deleted for the client, and an audit event sent
    [].required_user_groups Array Optional A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].client_secret String Required if the client allows authorization_code or client_credentials grant type A secret string used for authenticating as this client.
    [].action String Always required. Set to secret to change client secret, delete to delete the client or add to add the client

    Response Fields

    Path Type Description
    [].client_id String Client identifier, unique within identity zone
    [].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Scopes allowed for the client
    [].resource_ids Array Resources the client is allowed access to
    [].authorities Array Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Scopes that do not require user approval
    [].allowpublic Boolean If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    [].access_token_validity Number time in seconds to access token expiration after it is issued
    [].refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    [].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String A human readable name for the client
    [].token_salt String A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    [].createdwith String What scope the bearer token had when client was created
    [].approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    [].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].lastModified Number Epoch (milliseconds) of the moment the client information was last altered
    [].action String Set to secret to change client secret, delete to delete the client or add to add the client

    Batch Delete

    $ curl 'http://localhost/oauth/clients/tx/delete' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer c0927b5c77cc4959be40e2d2119aec49' \
        -H 'Accept: application/json' \
        -d '[ {
      "client_id" : "le2Jqw"
    }, {
      "client_id" : "fVUSY_"
    } ]'
    
    POST /oauth/clients/tx/delete HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer c0927b5c77cc4959be40e2d2119aec49
    Accept: application/json
    Content-Length: 62
    Host: localhost
    
    [ {
      "client_id" : "le2Jqw"
    }, {
      "client_id" : "fVUSY_"
    } ]
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1100
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "le2Jqw",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "7AXTCV",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1683212138839,
      "required_user_groups" : [ ],
      "approvals_deleted" : true
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "fVUSY_",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "t6ec3d",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "approvals_deleted" : true,
      "lastModified" : 1683212139195,
      "required_user_groups" : [ ]
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    [].client_id String Required Client identifier, unique within identity zone

    Response Fields

    Path Type Description
    [].client_id String Client identifier, unique within identity zone
    [].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Scopes allowed for the client
    [].resource_ids Array Resources the client is allowed access to
    [].authorities Array Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Scopes that do not require user approval
    [].allowpublic Boolean If true, allow to omit client_secret for authorization_code flow in combination with PKCE
    [].access_token_validity Number time in seconds to access token expiration after it is issued
    [].refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    [].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String A human readable name for the client
    [].token_salt String A random string used to generate the client's revokation key. Change this value to revoke all active tokens for the client
    [].createdwith String What scope the bearer token had when client was created
    [].approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    [].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].lastModified Number Epoch (milliseconds) of the moment the client information was last altered
    [].approvals_deleted Boolean Indicates whether the approvals associated with the client were deleted as a result of this action

    Metadata

    Retrieve

    $ curl 'http://localhost/oauth/clients/PZZx05rH/meta' -i -X GET \
        -H 'Authorization: Bearer c4ac12326cdc4cb6a05a5a85b9d9f24b' \
        -H 'Accept: application/json'
    
    GET /oauth/clients/PZZx05rH/meta HTTP/1.1
    Authorization: Bearer c4ac12326cdc4cb6a05a5a85b9d9f24b
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 199
    
    {
      "clientId" : "PZZx05rH",
      "showOnHomePage" : true,
      "appLaunchUrl" : "http://myloginpage.com",
      "appIcon" : "aWNvbiBmb3IgY2xpZW50IDQ=",
      "createdBy" : "e8b87b7e-bbfa-42e8-9c5d-d316d224d115"
    }
    

    Path Parameters

    /oauth/clients/{clientId}/meta

    Parameter Description
    clientId Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token

    Response Fields

    Path Type Description
    clientId String Client identifier, unique within identity zone
    showOnHomePage Boolean Flag to control visibility on home page
    appLaunchUrl String URL to which the app is linked to
    appIcon String Base64 encoded image file
    createdBy String The user guid of the resource owner who created this client
    Error Code Description
    404 Not Found - clientId doesn't exists

    List

    $ curl 'http://localhost/oauth/clients/meta' -i -X GET \
        -H 'Authorization: Bearer 748eba28f91a4b80aca1127f8be3adbd' \
        -H 'Accept: application/json'
    
    GET /oauth/clients/meta HTTP/1.1
    Authorization: Bearer 748eba28f91a4b80aca1127f8be3adbd
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2446
    
    [ {
      "clientId" : "2z55wOAZ",
      "showOnHomePage" : true,
      "appLaunchUrl" : "http://myloginpage.com",
      "appIcon" : "aWNvbiBmb3IgY2xpZW50IDQ=",
      "createdBy" : "e8b87b7e-bbfa-42e8-9c5d-d316d224d115"
    }, {
      "clientId" : "IYm1lHbG",
      "showOnHomePage" : false,
      "appLaunchUrl" : "http://client4.com/app",
      "appIcon" : "aWNvbiBmb3IgY2xpZW50IDQ="
    }, {
      "clientId" : "RPNNnxpk",
      "showOnHomePage" : true,
      "appLaunchUrl" : "http://client3.com/app",
      "appIcon" : "Y2xpZW50IDMgaWNvbg=="
    }, {
      "clientId" : "admin",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "app",
      "clientName" : "The Ultimate Oauth App",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "appspecial",
      "clientName" : "The Ultimate Oauth App",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "avUcXpYE",
      "showOnHomePage" : false,
      "appLaunchUrl" : "http://changed.app.launch/url",
      "appIcon" : "",
      "createdBy" : "e8b87b7e-bbfa-42e8-9c5d-d316d224d115"
    }, {
      "clientId" : "cf",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "client_with_bcrypt_prefix",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "client_without_openid",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "dashboard",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "identity",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "jku_test",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "jku_test_without_autoapprove",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "login",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "notifications",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_authorization_code",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_client_credentials",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_implicit_grant",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_password_grant",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_saml2_bearer",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_user_token",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "some_client_that_contains_redirect_uri_matching_request_param",
      "showOnHomePage" : false,
      "appIcon" : ""
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token

    Response Fields

    Path Type Description
    [].clientId String Client identifier, unique within identity zone
    [].clientName String Human readable display name for the client
    [].showOnHomePage Boolean Flag to control visibility on home page
    [].appLaunchUrl String URL to which the app is linked to
    [].appIcon String Base64 encoded image file
    [].createdBy String The user guid of the resource owner who created this client

    Update

    $ curl 'http://localhost/oauth/clients/avUcXpYE/meta' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 0f51deef6edc4be7809613c72ab8e83f' \
        -H 'If-Match: 0' \
        -H 'Accept: application/json' \
        -d '{"clientId":"avUcXpYE","showOnHomePage":false,"appLaunchUrl":"http://changed.app.launch/url"}'
    
    PUT /oauth/clients/avUcXpYE/meta HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 0f51deef6edc4be7809613c72ab8e83f
    If-Match: 0
    Accept: application/json
    Content-Length: 93
    Host: localhost
    
    {"clientId":"avUcXpYE","showOnHomePage":false,"appLaunchUrl":"http://changed.app.launch/url"}
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 183
    
    {
      "clientId" : "avUcXpYE",
      "showOnHomePage" : false,
      "appLaunchUrl" : "http://changed.app.launch/url",
      "appIcon" : "",
      "createdBy" : "e8b87b7e-bbfa-42e8-9c5d-d316d224d115"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.read, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone.id>.admin or uaa.admin scope against the default UAA zone.

    Response Fields

    Path Type Description
    clientId String Client identifier, unique within identity zone
    showOnHomePage Boolean Flag to control visibility on home page
    appLaunchUrl String URL to which the app is linked to
    appIcon String Base64 encoded image file
    createdBy String The user guid of the resource owner who created this client
    Error Code Description
    404 Not Found - clientId doesn't exists
    400 Bad Request

    Server Information

    The UAA provides several endpoints to describe the server as well as handle various login tasks.

    Server Information

    This endpoint has two identical endpoints

    1. /info
    2. /login

    Both return the same result and both support both JSON and HTML output. The HTML output is intended for browser user agents to display a login page.

    $ curl 'http://localhost/info?origin=oidc-provider' -i -X GET \
        -H 'Accept: application/json'
    
    GET /info?origin=oidc-provider HTTP/1.1
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Language: en
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Content-Length: 498
    
    {
      "app" : {
        "version" : "76.11.0"
      },
      "links" : {
        "uaa" : "http://localhost:8080/uaa",
        "passwd" : "/forgot_password",
        "login" : "http://localhost:8080/uaa",
        "register" : "/create_account"
      },
      "zone_name" : "uaa",
      "entityID" : "cloudfoundry-saml-login",
      "commit_id" : "git-metadata-not-found",
      "idpDefinitions" : { },
      "prompts" : {
        "username" : [ "text", "Email" ],
        "password" : [ "password", "Password" ]
      },
      "timestamp" : "2023-05-04T14:45:02+0000"
    }
    

    Request Headers

    Name Description
    Accept When set to accept application/json the server will return prompts and server info in JSON format.

    Request Parameters

    Parameter Type Constraints Description
    origin String Optional Use the configured prompts of the OpenID Connect Provider with the given origin key in the response. Fallback to zone values if no prompts are configured or origin is invalid.

    Response Fields

    Path Type Description
    app.version String The UAA version
    commit_id String The GIT sha for the UAA version
    timestamp String JSON timestamp for the commit of the UAA version
    idpDefinitions Object A list of alias/url pairs of SAML IDP providers configured. Each url is the starting point to initiate the authentication process for the SAML identity provider.
    idpDefinitions.* Array A list of alias/url pairs of SAML IDP providers configured. Each url is the starting point to initiate the authentication process for the SAML identity provider.
    links Object A list of alias/url pairs of configured action URLs for the UAA
    links.login String The link to the login host alias of the UAA
    links.uaa String The link to the uaa alias host of the UAA
    links.passwd String The link to the 'Forgot Password' functionality. Can be external or internal to the UAA
    links.register String The link to the 'Create Account' functionality. Can be external or internal to the UAA
    entityID String The UAA is always a SAML service provider. This field contains the configured entityID
    prompts Object A list of name/value pairs of configured prompts that the UAA will login a user. Format for each prompt is [type, display name] where type can be 'text' or 'password'
    prompts.username Array Information about the username prompt.
    prompts.password Array Information about the password prompt.
    prompts.passcode Array If a SAML identity provider is configured, this prompt contains a URL to where the user can initiate the SAML authentication flow.
    zone_name String The name of the zone invoked
    showLoginLinks Boolean Set to true if there are SAML or OAUTH/OIDC providers with a visible link on the login page.

    OpenID Connect Discovery

    Provide OpenID Connect metadata related to the specified server. This URI Discovery Mechanism for the Provider Configuration is defined in OpenID Discovery Configuration standard.

    OpenID Well-Known Configuration

    An OpenID Discovery Configuration Document MUST be queried using an HTTP GET request at path /.well-known/openid-configuration.

    $ curl 'http://localhost/.well-known/openid-configuration' -i -X GET \
        -H 'Accept: application/json'
    
    GET /.well-known/openid-configuration HTTP/1.1
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Content-Length: 1356
    
    {
      "issuer" : "http://localhost:8080/uaa/oauth/token",
      "authorization_endpoint" : "http://localhost/oauth/authorize",
      "token_endpoint" : "http://localhost/oauth/token",
      "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
      "token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ],
      "userinfo_endpoint" : "http://localhost/userinfo",
      "jwks_uri" : "http://localhost/token_keys",
      "end_session_endpoint" : "http://localhost/logout.do",
      "scopes_supported" : [ "openid", "profile", "email", "phone", "roles", "user_attributes" ],
      "response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ],
      "subject_types_supported" : [ "public" ],
      "id_token_signing_alg_values_supported" : [ "RS256", "HS256" ],
      "id_token_encryption_alg_values_supported" : [ "none" ],
      "claim_types_supported" : [ "normal" ],
      "claims_supported" : [ "sub", "user_name", "origin", "iss", "auth_time", "amr", "acr", "client_id", "aud", "zid", "grant_type", "user_id", "azp", "scope", "exp", "iat", "jti", "rev_sig", "cid", "given_name", "family_name", "phone_number", "email" ],
      "claims_parameter_supported" : false,
      "service_documentation" : "http://docs.cloudfoundry.org/api/uaa/",
      "ui_locales_supported" : [ "en-US" ],
      "code_challenge_methods_supported" : [ "S256", "plain" ]
    }
    

    Response Fields

    Path Type Description
    issuer String URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
    authorization_endpoint String URL of authorization endpoint.
    token_endpoint String URL of token endpoint.
    userinfo_endpoint String URL of the OP's UserInfo Endpoint.
    jwks_uri String URL of the OP's JSON Web Key Set document.
    end_session_endpoint String URL of the logout endpoint.
    scopes_supported Array JSON array containing a list of the OAuth 2.0 scope values that this server supports.
    subject_types_supported Array JSON array containing a list of the Subject Identifier types that this OP supports.
    token_endpoint_auth_methods_supported Array JSON array containing a list of Client Authentication methods supported by this Token Endpoint.
    token_endpoint_auth_signing_alg_values_supported Array JSON array containing a list of the JWS signing algorithms.
    response_types_supported Array JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
    id_token_signing_alg_values_supported Array JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT.
    id_token_encryption_alg_values_supported Array JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP.
    claim_types_supported Array JSON array containing a list of the Claim Types that the OpenID Provider supports.
    claims_supported Array JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for.
    claims_parameter_supported Boolean Boolean value specifying whether the OP supports use of the claims parameter.
    service_documentation String URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider.
    code_challenge_methods_supported Array UAA 75.5.0JSON array containing a list of PKCE code challenge methods supported by this authorization endpoint.
    ui_locales_supported Array Languages and scripts supported for the user interface.

    Passcode

    A user that has been authenticated, can request a one time authentication code, pass code, to be used during a token password grant. Password grants are often used in non browser environments, and authenticating a user with SAML, may be difficult.

    $ curl 'http://localhost/passcode' -i -X GET \
        -H 'Accept: application/json' \
        -H 'Cookie: JSESSIONID=13'
    
    GET /passcode HTTP/1.1
    Accept: application/json
    Cookie: JSESSIONID=13
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=o6dI3uqMu1KlXbX_4b531j; Path=/; Max-Age=86400; Expires=Fri, 5 May 2023 14:53:55 GMT; HttpOnly; SameSite=Lax
    Content-Language: en
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 34
    
    "-y5U9Z4mI5RLUQwzoxivUXqai546ddOm"
    

    Request Headers

    Name Description
    Cookie JSESSIONID cookie to match the server side session of the authenticated user.

    Auto Login

    Get authentication code

    Similar to /passcode, the difference with an autologin authentication code, is that the authentication of the user takes place during the generation of the temporary authentication code. The autologin authentication code can be used to log the user in with an HTTP redirect. The UAA will establish an authenticated server side session and expire the code. To generate the temporary authentication code, a POST against /autologin is required.

    $ curl 'http://localhost/autologin' -i -u 'admin:adminsecret' -X POST \
        -H 'Content-Type: application/json' \
        -H 'Accept: application/json' \
        -d '{"username":"marissa","password":"koala"}'
    
    POST /autologin HTTP/1.1
    Content-Type: application/json
    Authorization: Basic YWRtaW46YWRtaW5zZWNyZXQ=
    Accept: application/json
    Content-Length: 41
    Host: localhost
    
    {"username":"marissa","password":"koala"}
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 80
    
    {
      "code" : "mtsc5kWQ6MswaT7vbKE4vANGSleapJfN",
      "path" : "/oauth/authorize"
    }
    

    Request Headers

    Name Description
    Authorization Basic authorization header for the client making the autologin request
    Content-Type Set to application/json
    Accept Set to application/json

    Request Body

    Path Type Constraints Description
    username String Required The username for the autologin request
    password String Required The password for the autologin request

    Response Body

    Path Type Description
    code String The code used to authenticate the user.
    path String Not used. Hardcoded to /oauth/authorize

    Perform Login

    To exchange the code for an authenticated session, simply issue a redirect to /autologin using the code and client_id. If successful the user will be redirected to the home page, unless the user had tried to access a protected URL and the UAA remembers the URL that was accessed.

    $ curl 'http://localhost/autologin?code=iRi3hHF0OSIJC6wP8dNGOyrD3gXIxSyH&client_id=admin' -i -X GET
    
    GET /autologin?code=iRi3hHF0OSIJC6wP8dNGOyrD3gXIxSyH&client_id=admin HTTP/1.1
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Set-Cookie: Current-User=%7B%22userId%22%3A%229528f0e0-7fec-494c-8a2b-cc5e13b85c20%22%7D; Path=/; Max-Age=1800; Expires=Thu, 4 May 2023 15:23:56 GMT; SameSite=Strict
    Content-Language: en
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: home
    
    

    Request Parameters

    Parameter Type Constraints Description
    code String Required The code generated from the POST /autologin
    client_id String Required The client_id that generated the autologin code

    External Login Server

    The UAA provides endpoints that facilitate the use of an external login server. A server that handles the UI for browser based actions.

    Change Password Flow

    Request Reset Password Code

    This endpoint returns an onetime code that can be used to change a user's password. The actual password change can take place by invoking an API endpoint, /password_change, or by a UI flow through the /reset_password endpoint.

    $ curl 'http://localhost/password_resets?client_id=login&redirect_uri=http%3A%2F%2Fgo.to.my.app%2Fafter%2Freset' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJkMzQ5MTkyNjBkNGY0ODAwODk4MWExOGM1Njc2MTUyYyIsInN1YiI6ImxvZ2luIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiZW1haWxzLndyaXRlIiwic2NpbS51c2VyaWRzIiwicGFzc3dvcmQud3JpdGUiLCJpZHBzLndyaXRlIiwibm90aWZpY2F0aW9ucy53cml0ZSIsIm9hdXRoLmxvZ2luIiwic2NpbS53cml0ZSIsImNyaXRpY2FsX25vdGlmaWNhdGlvbnMud3JpdGUiXSwic2NvcGUiOlsib2F1dGgubG9naW4iXSwiY2xpZW50X2lkIjoibG9naW4iLCJjaWQiOiJsb2dpbiIsImF6cCI6ImxvZ2luIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiJlMGU5ODE2MyIsImlhdCI6MTY4MzIxMjE0NSwiZXhwIjoxNjgzMjU1MzQ1LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImxvZ2luIiwib2F1dGgiXX0.67iHUEPIvVoT9bAEx1wUAJ4X9u0g6SriX3Ex-BahLLw' \
        -H 'Accept: application/json' \
        -d 'user-glagk2@test.org'
    
    POST /password_resets?client_id=login&redirect_uri=http%3A%2F%2Fgo.to.my.app%2Fafter%2Freset HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJkMzQ5MTkyNjBkNGY0ODAwODk4MWExOGM1Njc2MTUyYyIsInN1YiI6ImxvZ2luIiwiYXV0aG9yaXRpZXMiOlsiY2xpZW50cy5yZWFkIiwiZW1haWxzLndyaXRlIiwic2NpbS51c2VyaWRzIiwicGFzc3dvcmQud3JpdGUiLCJpZHBzLndyaXRlIiwibm90aWZpY2F0aW9ucy53cml0ZSIsIm9hdXRoLmxvZ2luIiwic2NpbS53cml0ZSIsImNyaXRpY2FsX25vdGlmaWNhdGlvbnMud3JpdGUiXSwic2NvcGUiOlsib2F1dGgubG9naW4iXSwiY2xpZW50X2lkIjoibG9naW4iLCJjaWQiOiJsb2dpbiIsImF6cCI6ImxvZ2luIiwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiJlMGU5ODE2MyIsImlhdCI6MTY4MzIxMjE0NSwiZXhwIjoxNjgzMjU1MzQ1LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImxvZ2luIiwib2F1dGgiXX0.67iHUEPIvVoT9bAEx1wUAJ4X9u0g6SriX3Ex-BahLLw
    Accept: application/json
    Content-Length: 20
    Host: localhost
    
    user-glagk2@test.org
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 103
    
    {
      "code" : "tbXSdmPd9zZpzuUkeDYNxAd_eQzKbXZt",
      "user_id" : "5afe9d83-3c4e-40de-8702-cbde82be27e9"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with the scope oauth.login present.
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional Optional client_id
    redirect_uri String Optional Optional redirect_uri to be used if the /reset_password flow is completed.

    Request Body

    The required request body of this request is the user's username, typically an email address, in form of a JSON string.

    Response Body

    Path Type Description
    code String The code to used to invoke the /password_change endpoint with or to initiate the /reset_password flow.
    user_id String The UUID identifying the user.