Identity Provider APIs
Use Identity Provider (IdP) V3 APIs to register IdP connection and configuration.
If you are configuring SSO (single sign-on), you must use the IdP V3 APIs.
See the following notes:
-
You can get the hostname from the route available in your foundational services namespace. To get the host details, see Getting the host details.
-
The
Administrator
IM role is allowed to access the IdP V3 APIs.
IdP V3 APIs
You can register the following providers and connections by using the IdP V3 APIs:
-
OIDC provider For more information, see Registering OIDC clients by using IdP V3.
-
SAML provider For more information, see Registering SAML clients by using IdP V3. To configure SAML, use your product UI. For more information, see Configuring single sign-on using your product UI.
-
LDAP For more information, see Configuring LDAP connection by using IdP V3.
OIDC clients
Currently, only the following platforms are verified to register OIDC by using IdP V3 APIs.
Note: Service providers might change the links that are listed here. If any links is broken, check the service provider website for the new location.
- IBM Security Verify
- Note: In the IBM Security Verify application, whenever you map attributes, enable the Send all known user attributes in the ID token option. And, do not use spaces in IBM Security Verify groups.
- Google Cloud Platform
- Microsoft
- Okta
Before you begin, register yourself in your service provider application. During registration, use the following URLs:
- For application URL, use the cp-console URL.
- For redirect URL, use
https://<cp-console-url>/ibm/api/social-login/redirect/<name of the oidc>
.
After you register, you get a unique client ID, client secret, and discovery_url
endpoint.
Note: The curl commands that are used in the following sections contain different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.
- Registering the OIDC clients
- Deleting the registration of the client
- Getting the list of registered OIDC clients
- Updating the OIDC clients
Registering OIDC clients
API details - register OIDC clients - POST
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster Port
- Path
idprovider/v3/auth/idsource
- Command
POST
- Command output format
application/json
Note: By using the POST call, you can get the unique identifier (UID) as a successful response. The UID is required for the further operations or tasks. You can also get the list of UIDs of registered IdPs by using the Getting the list of registered OIDC clients by query API.
Sample curl command to register a client
curl --insecure POST 'https://cp-console.apps.vij-soc.cp.fyre.ibm.com/idprovider/v3/auth/idsource/'
--header "Authorization: Bearer $ACCESS_TOKEN"
--header 'Content-Type: application/json'
--data-raw
'{
"name": "oidc_isv",
"description": "This is a oidc config for isv",
"protocol": "oidc",
"type": "IBMVerify",
"idp_config": {
"discovery_url": "https://bedrock-iam.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
"client_id": "4ad41ddc-5f10-4d84-a24f-fb776607895e",
"client_secret": "rqJMyEgee",
"token_attribute_mappings": {
"groups": "groupIds",
"given_name": "given_name",
"family_name": "family_name",
"sub": "uid",
"email": "email"
}
}
}'
Sample response - register a client
{
"status": "success",
"message": "Identity provider {oidc_isv} is successfully registered with unique identifier NpiV6qBhsSDEjKRvJDQLl"
}
Sample error message - register a client
400 "error": "E11000 duplicate key error collection: platform-db.cloudpak_ibmid_v3 index: name_1 dup key: { : <oidc name>" }"
500 "error": "Other errors"
401 "error": "Insufficient user permission for role :Viewer"
202 OK Response
Deleting the registration of a client
API details - delete registration - DELETE
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster Port
- Path
idprovider/v3/auth/idsource/:UID
- Command
DELETE
- Command output format
application/json
Sample curl command to delete the client registration
curl --insecure DELETE 'https://cp-console.apps.vij-soc.cp.fyre.ibm.com/idprovider/v3/auth/idsource/NpiV6qBhsSDEjKRvJDQLl' --header "Authorization: Bearer $ACCESS_TOKEN"
Sample response - delete client registration
{
“status”: “success”,
“message”: “{NpiV6qBhsSDEjKRvJDQLl} is deleted”
}
Sample error message - delete client registration
400 "error": "Cannot find {oidc uid}"
401 "error": "Insufficient user permission for role :Viewer"
200: Ok Response
Getting the list of registered OIDC clients
You can get the list of registered OIDC clients by using either of the following methods:
Getting the list of registered OIDC clients by UID
API details - get OIDC clients by UID - GET
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/:UID
- Command
GET
- Command output format
application/json
Sample curl command to get the list of registered clients by UID
curl --insecure --request GET 'https://cp-console.cp.fyre.ibm.com/idprovider/v3/auth/idsource/yOLi5oHo3t-es4aJFLkC8' --header "Authorization: Bearer $ACCESS_TOKEN"
Sample response - list registered clients by UID
{
"name": "oidc_1",
"description": "This is a oidc config",
"protocol": "oidc",
"type": "IBMVerify",
"idp_config": {
"discovery_url": "https://bedrock-iam.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
"client_id": "My_Client_ID",
"client_secret": "My_Client_Secret",
"token_attribute_mappings": {
"groups": "groupIds"
}
},
"uid": "NpiV6qBhsSDEjKRvJDQLl"
}
Note: For security reasons, the values of the client_secret
is not displayed in the output when you retrieve the list of registered clients with UID.
Sample error message - list registered clients by UID
400 "error": "Cannot find {oidc uid}"
401 "error": "Insufficient user permission for role :Viewer"
200: Ok Response
Getting the list of registered OIDC clients by query
API details - get OIDC clients by query - GET
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/:UID
- Command
GET
- Command output format
application/json
Sample curl command to get the list of registered clients by query
curl --insecure --request GET 'https://cp-console.cp.fyre.ibm.com/idprovider/v3/auth/idsource?protocol=oidc' --header "Authorization: Bearer $ACCESS_TOKEN"
Sample response - list registered clients by query
{
"idp": [
{
"name": "oidc_google",
"description": "This is a oidc config for google",
"protocol": "oidc",
"type": "google",
"idp_config": {
"discovery_url": "https://accounts.google.com/.well-known/openid-configuration",
"client_id": "My_Client_ID",
"client_secret": "My_Client_Secret",
"token_attribute_mappings": {
"groups": "groupIds",
"given_name": "firstName",
"family_name": "lastName",
"sub": "uid",
"email": "email",
"uniqueSecurityName": "uniqueSecurityName"
}
},
"uid": "Uo4Y31mV7unaj5NtyfpIY"
},
{
"name": "oidc_isv",
"description": "This is a oidc config",
"protocol": "oidc",
"type": "IBMVerify",
"idp_config": {
"discovery_url": "https://bedrock-iam.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
"client_id": "My_Client_ID",
"client_secret": "My_Client_Secret",
"token_attribute_mappings": {
"groups": "groupIds",
"given_name": "given_name",
"family_name": "family_name",
"sub": "uid",
"email": "email",
"uniqueSecurityName": "uniqueSecurityName",
"preferred_username": "preferred_username",
"displayName": "displayName"
}
},
"uid": "NpiV6qBhsSDEjKRvJDQLl"
}
]
}
Note: For security reasons, the values of the client_secret
is not displayed in the output when you retrieve the list of registered clients with query.
Sample error message - list registered clients by query
400 "error": "Cannot find {oidc uid}"
401 "error": "Insufficient user permission for role :Viewer"
200: Ok Response
Updating the OIDC clients
API details - update OIDC clients - PUT
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster Port
- Path
idprovider/v3/auth/idsource/:UID
- Command
PUT
- Command output format
application/json
Sample curl command to update the client
curl --insecure PUT 'https://cp-console.cp.fyre.ibm.com/idprovider/v3/auth/idsource/NpiV6qBhsSDEjKRvJDQLl'
--header "Authorization: Bearer $ACCESS_TOKEN"
--header 'Content-Type: application/json'
--data-raw
'{
"name": "oidc_isv",
"description": "This is a oidc config for isv",
"protocol": "oidc",
"type": "IBMVerify",
"idp_config": {
"discovery_url": "https://bedrock-iam.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
"client_id": "4ad41ddc-5f10-4d84-a24f-fb776607895e",
"client_secret": "rqJMyEgee",
"token_attribute_mappings": {
"groups": "groupIds",
"given_name": "given_name",
"family_name": "family_name",
"sub": "uid",
"email": "email"
}
}
}'
Sample response - update client
{
"status": "success",
"message": "{NpiV6qBhsSDEjKRvJDQLl} is Updated."
}
Sample error message - update client
400 "error": "Document not found"
401 "error": "Insufficient user permission for role :Viewer"
200: Ok Response
SAML clients
You can register the SAML IdP by the following methods:
- SAML with SCIM dependency registration
- SAML registration without any dependency
- SAML with LDAP dependency registration
Note: You can configure only one SAML registration at an instance. The UID generated on the POST request is defaultSP
. For idp_metadata
, you need to provide the base64-encoded value of the generated IdP
metadata xml
file.
Get the base64-encoded value by using the following command:
cat idp-metadata-xml | base64
SAML with SCIM dependency registration
You can register IdP V3 with the following platforms:
Note: The curl commands that are used in the following sections contain different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.
Note: By using the POST call, you can get the unique identifier (UID) as a successful response. The UID is required for the further operations or tasks. You can also get the list of UIDs of registered IdPs by using the Getting the list of registered OIDC clients by query API.
IdP V3 registration with IBM Security Verify
The following example shows IdP V3 registration with IBM Security Verify that supports SCIM-enabled IdP with SAML. Hence, the token_attribute_mappings
and scim_attribute_mappings
can be different for the respective IdPs.
API details - registration with IBM Security Verify - POST
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource
- Command
POST
- Command output format
application/json
Sample curl command - registration with IBM Security Verify
curl --insecure POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource'
--header "Authorization: Bearer $ACCESS_TOKEN"
--header 'Content-Type: application/json'
--data-raw
'{
"name": "idp_saml_isv",
"description": "This is a saml isv config",
"protocol": "saml",
"type": "isv",
"idp_config": {
"token_attribute_mappings": {
"sub": "userID",
"given_name": "given_name",
"family_name": "family_name",
"groups": "groupIds",
"email": "email"
},
"idp_metadata": "<base64-encoded-idp-xml>"
},
"scim_config": {
"scim_base_path": "https://bedrock-iam.verify.ibm.com/v2.0/",
"grant_type": "client_credentials",
"token_url": "https://bedrock-iam.verify.ibm.com/v1.0/endpoint/default/token",
"client_id": "Your_isv_client_id",
"client_secret": "Your_isv_client_secret",
"scim_attribute_mappings": {
"user": {
"principalName": "userName",
"givenName": "name.givenName",
"middleName": "name.middleName",
"familyName": "name.familyName",
"formatted": "name.formatted"
},
"group": {
"principalName": "displayName",
"created": "meta.created",
"lastModified": "meta.lastModified"
}
}
},
"jit": "false"
}'
Sample response - registration with IBM Security Verify
{
"status": "success",
"message": "Identity provider {idp_saml_isv} is successfully registered with unique identifier defaultSP"
}
Sample error message - registration with IBM Security Verify
401 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
200 OK Response
IdP V3 registration with Okta
The following example shows IdP V3 registration with Okta.
API details - registration with Okta - POST
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/
- Command
POST
- Command output format
application/json
Mapping | Description |
---|---|
token_attribute_mappings |
A custom mapping that you can provide based on the SAML attribute mapping that is configured at Okta. You must modify the values, not the key, based on the Okta SAML attribute configuration. For more information about attributes, see step 9 in Configure CloudPak as SAML service provider (SP) at OKTA and Okta doc for SAML attributes. |
scim_attribute_mappings |
Provide the mapping attributes as shown in the curl command for OKTA registration as SAML IdP. The defined mapping is used to filter query, and to create attributes and responses to be sent. |
redirect_url |
Only applicable for the IdP "type": "okta". Must be an array. The redirect_url is used to create the OIDC client registration for the OKTA instance. For a non-IBM OIN app, the redirect_uri can be one of the following URIs based on the environment (a standard org, an EMEA org, or an Okta Preview org): https://system-admin.okta.com/admin/app/cpc/${appName}/oauth/callback https://system-admin.okta-emea.com/admin/app/cpc/${appName}/oauth/callback https://system-admin.oktapreview.com/admin/app/cpc/${appName}/oauth/callback Note: Replace the ${appName} with the variable name for your application instance. If you don't know the variable name for application instance, you can find it as part of the App
embed link from the browser by opening the embed link, or you can also check the Name attribute for the application at the /Apps API endpoint. For example, if the URL embedded link is https://dev-68798908-admin.okta.com/admin/app/dev-68798908_iamsaml_3/instance/0oa6vnyhkm86B4xha5d7/#tab-general, the ${appName} is dev-68798908_iamsaml_3 and so the redirect_uri is https://system-admin.okta.com/admin/app/cpc/dev-68798908_iamsaml_3/oauth/callback. For more information, see Okta documentation. |
Sample curl command - registration with Okta
curl --location --request POST 'https://cpconsoleroute/idprovider/v3/auth/idsource' \
--header 'Authorization: Bearer $accessToken' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "OKTASAML",
"description": "OKTASAML",
"protocol": "saml",
"type": "okta",
"idp_config": {
"token_attribute_mappings": {
"sub": "uid",
"given_name": "firstName",
"family_name": "lastName",
"groups": "groups",
"email": "emailAddress",
"first_name": "firstName",
"last_name": "lastName"
},
"idp_metadata": "Base64-encoded-metadata"
},
"jit": false,
"scim_config": {
"redirect_url": ["okta_redirect_url"],
"scim_attribute_mappings": {
"user": {
"principalName": "userName",
"name": {
"givenName": "givenName",
"familyName": "familyName"
},
"displayName": "displayName",
"emails": [
{
"value": "emails",
"type": "home"
}
],
"id": "id",
"userName": "userName"
},
"group": {
"principalName": "displayName",
"id": "displayName"
}
}
}
}'
Sample response - registration with Okta
{
"status": "success",
"message": "Identity provider {oktasaml} is successfully registered with unique identifier : defaultSP, oktaclient created with clientId: yx3a5pwtdrmn0sf8ockyf97dg55lswo7 , client secret: okta-oidcclient-secret"
}
Sample error message - registration with Okta
401 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
200 OK Response
SAML registration without any dependency
API details - registration without any dependency - POST
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/
- Command
POST
- Command output format
application/json
See the following notes:
-
You can find the SAML attribute and claim names from the IdP administration. Specify the SAML attributes and claim names as the values in the
token_attribute_mappings
attributes. -
You can also provide an optional attribute named
uniqueSecurityName
intoken_attribute_mappings
payload to map the IdP attributes. By default, theuniqueSecurityName
attribute is mapped to theSubject
in the response ofuserinfo
orintrospect
endpoint.
Sample curl command for SAML registration with w3id SAML provider
curl -k -X POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
"name": "w3id-sample-saml",
"description": "w3id-sample-saml-test",
"protocol": "saml",
"type": "default",
"idp_config": {
"token_attribute_mappings": {
"sub": "uid",
"given_name": "firstName",
"family_name": "lastName",
"groups": "blueGroups",
"email": "emailAddress"
},
"idp_metadata": "<base64-encoded-idp-xml>"
},
"jit": true
}'
Sample response - registration with w3id SAML provider
{
"status": "success",
"message": "Identity provider {w3id-sample-saml} is successfully registered with unique identifier defaultSP"
}
Sample error message - registration with w3id SAML provider
401 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
200 OK Response
SAML with LDAP dependency registration
The following example is provided for IBM W3 SAML provider and with dependency of an IBM Tivoli Directory Server LDAP. The token_attribute_mappings
might change based on the SAML provider.
API details - SAML with LDAP dependency registration - POST
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/
- Command
POST
- Command output format
application/json
Note: When LDAP is configured, the response for userinfo
or introspect
endpoints are directly collected from liberty. Therefore, the attributes that are provided in the token_attribute_mappings
payload are not available in the response of the userinfo
or introspect
endpoints.
Sample curl command - SAML with LDAP dependency registration
curl -k -X POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
"name": "saml-test",
"description": "saml bluepages with ldap",
"protocol": "saml",
"type": "default",
"idp_config": {
"token_attribute_mappings": {
"sub": "uid",
"given_name": "firstName",
"family_name": "lastName",
"groups": "blueGroups",
"email": "email"
},
"idp_metadata": "<base64-encoded-idp-xml>"
},
"ldap_config": {
"ldap_id": "<existing_ldap_id>"
},
"jit": false
}'
Sample response - SAML with LDAP dependency registration
{
"status": "success",
"message": "Identity provider {saml-test} is successfully registered with unique identifier defaultSP"
}
Sample error message - SAML with LDAP dependency registration
401 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
200 OK Response
Getting SAML registration by UID
You can get the IdP registration by the following ways:
- By name
- By list
- By query
Getting IdP V3 registration by name
The following example shows how to get the details of IdP V3 registration by name:
API details - registration by UID - GET
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/defaultSP
- Command
GET
- Command output format
application/json
Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.
Sample curl command - registration by UID
curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.com/idprovider/v3/auth/idsource/defaultSP' \
--header "Authorization: Bearer $ACCESS_TOKEN"
Sample response - registration by UID
{
"name": "w3id-sample-saml",
"description": "w3id-sample-saml-test",
"protocol": "saml",
"type": "default",
"idp_config": {
"token_attribute_mappings": {
"sub": "uid",
"given_name": "firstName",
"family_name": "lastName",
"groups": "blueGroups",
"email": "emailAddress"
},
"idp_metadata": "<base64-encoded-idp-xml>"
},
"jit": true,
"uid": "defaultSP"
}
Sample error message - registration by UID
401 "error": "Insufficient user permission for role : rolename"
404 "error": "Cannot find {defaultSP}
500 "error": "Other errors"
200 OK Response
Getting the list of IdP V3 registration
The following example shows how to get the list of IdP V3 registration:
Note: This API returns all registered IdPs of SAML or OIDC clients through IdP V3 API.
API details - list of IdP V3 registration - GET
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource
- Command
GET
- Command output format
application/json
Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.
Sample curl command - IdP V3 registration
curl -k -X GET ‘https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource' \
--header "Authorization: Bearer $ACCESS_TOKEN"
Sample response - IdP V3 registration
{
"idp": [
{
"name": "w3id-sample-saml",
"description": "w3id-sample-saml-test",
"protocol": "saml",
"type": "default",
"idp_config": {
"token_attribute_mappings": {
"sub": "uid",
"given_name": "firstName",
"family_name": "lastName",
"groups": "blueGroups",
"email": "emailAddress"
},
"idp_metadata": "<base64-encoded-idp-xml>"
},
"jit": true,
"uid": "defaultSP"
}
]
}
Sample error message - IdP V3 registration
401 "error": "Insufficient user permission for role : rolename"
500 "error": "Other errors"
200 OK Response
Getting SAML registration by query
The following example shows how to get the IdP V3 registration by query:
API details - SAML registration by query - GET
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/:UID
- Command
GET
- Command output format
application/json
Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.
Sample curl command - SAML registration by query
curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource?protocol=saml'
\
--header "Authorization: Bearer $ACCESS_TOKEN"
Sample response - SAML registration by query
{
"idp": [
{
"name": "w3id-sample-saml",
"description": "w3id-sample-saml-test",
"protocol": "saml",
"type": "default",
"idp_config": {
"token_attribute_mappings": {
"sub": "uid",
"given_name": "firstName",
"family_name": "lastName",
"groups": "blueGroups",
"email": "emailAddress"
},
"idp_metadata": "<base64-encoded-idp-xml>"
},
"jit": true,
"uid": "defaultSP"
}
]
}
Sample error message - SAML registration by query
401 "error": "Insufficient user permission for role : rolename"
500 "error": "Other errors"
200 OK Response
Updating SAML registration
To update the SAML registration, you require the IdP UID. To get the IdP UID, see Get the list of IdP V3 registration. Alternatively, you can use the UID as defaultSP
because only one SAML registration
at an instance is supported for now.
The following example shows how to update the IdP registration:
API details - Update SAML registration - PUT
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/:UID
- Command
PUT
- Command output format
application/json
Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.
Sample curl command - Update SAML registration
curl -k -X PUT 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/defaultSP' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
' {
"name": "w3id-sample-saml",
"description": "this is plain saml testing",
"protocol": "saml",
"type": "default",
"idp_config": {
"token_attribute_mappings": {
"sub": "uid",
"given_name": "firstName",
"family_name": "lastName",
"groups": "blueGroups",
"email": "emailAddress"
},
"idp_metadata": "<base64-encoded-idp-xml>"
},
"jit": true
}'
Sample response - Update SAML registration
{
"status": "success",
"message": "{defaultSP} is Updated."
}
Sample error message - Update SAML registration
401 "error": "Insufficient user permission for role : rolename"
400 "error": "schema validation error:followed by error"
500 "error": "Other errors"
200 OK Response
Deleting SAML registration
To delete the SAML registration, you require the IdP UID. To get the IdP UID, see Get the list of IdP V3 registration. Alternatively, you can use the UID as defaultSP
because only one SAML registration
at an instance is supported for now.
The following example shows how to delete the IdP registration:
API details - Delete SAML registration - DELETE
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/:UID
- Command
DELETE
- Command output format
application/json
Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.
Sample curl command - Delete SAML registration
curl -k -X DELETE 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/defaultSP' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
Sample response - Delete SAML registration
{
"status": "success",
"message": "{defaultSP} is deleted"
}
Sample error message - Delete SAML registration
400 "error": "Insufficient user permission for role : rolename"
404 "error": "Document not found"
500 "error": "Other errors"
202 OK Response
SAML metadata download by using IdP V3
You can export the SAML metadata by using IdP V3 API.
Details of downloading SAML metadata by using IdP V3 API.
Downloading the SAML metadata by using IdP V3 API
The following example shows how to export SAML metadata by using the samlmetadata
API:
API details - download SAML metadata - GET
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
/idprovider/v3/auth/idsource/
- Command
GET
- Command output format
application/xml
Sample curl command - download SAML metadata
curl -k -v -X GET 'https://<cluster_address>/idprovider/v3/auth/idsource/<SERVICE_PROVIDER_ID>' \
--header "Authorization: Bearer $ACCESS_TOKEN"
Example command - download SAML metadata
curl -k -v -X GET 'https://cp-console.apps.cp.fyre.ibm.com/idprovider/v3/auth/idsource/defaultSP' \
--header "Authorization: Bearer $ACCESS_TOKEN"
Note: If you choose to download SAML metadata API, the response code shows 200 OK
status with SAML metadata sample.
Sample response - download SAML metadata
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://cp-console.apps.tamil-bedrock-dev.cp.fyre.ibm.com/ibm/saml20/defaultSP">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDWjCCAkKgAwIBAgIRALy+U3ooWL4WotnPuKUixTswDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE
AxMRY3MtY2EtY2VydGlmaWNhdGUwHhcNMjIwNDE4MTIyODI4WhcNMjMwNDE4MTIyODI4WjAdMRsw
GQYDVQQDExJtYW5hZ2VtZW50LWluZ3Jlc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC6h0rYALFRA104/DGWLlfiuftuoxT+Ab2FzsnmkO1q8Iu/SUhLf5FFnb05BrcemrL+0OJcZEyR
ALdxliWSWPG/I/9Uj+BcVlVdQupND/RQTQHS5ECYEoLJJvHkFHVj7+/WxyN3eYmqlz9OZHKp17f1
t79HDOYPZSKVzhLhZ9MsLM/G3xIF8feRpJRoQSYUUKHB6gDXZ4Kbfui7kd/LMrQK820psA8z/Bjy
dYQ2SXXUo4BfgpUxjN+VM1dGUy0khkuUSdNKlW9pLmZdT1FH7FjWH9zBWOOHz8szr+Pr4ZavHmFL
SUP4nDMpFeH/v6+cBm48LrezWAAUzZuSTYxRQeuhAgMBAAGjgZUwgZIwDgYDVR0PAQH/BAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUzW7sLnme6JsG
DZM/SC2ZRUwS/OswPAYDVR0RBDUwM4IxY3AtY29uc29sZS5hcHBzLnRhbWlsLWJlZHJvY2stZGV2
LmNwLmZ5cmUuaWJtLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEASHgDST++rAi79e0P5TXrUF2QQ7dc
o2pgiv/xNKvwm/URzaSGZ1CYq69hXOd+SFZ0sverFFEQZhBXxKVIDGFMT2Jll189sTtQsQnodbpj
gwQxB7c4KbqI4EKU33jj9lT5CmmzHWtO5cPa7br4nOcPKp7bl2q79/aDbP7GYLMp8sGMacopq5J7
vAkL3O3De3sv2p7wg5nHB0JBA/k7Ecd/34gKpftfwZxNsBAxL+dfwOdHjK1bSlHoyo5F7gjwvLVx
dCGdw0AfSNuw0efyGEK2+bA9bc+pzGQf6vKaaSQpdL/YC6b5QLpQkpculwl+lLESFJkdEzmM2VRB
XfgckB39kg==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDWjCCAkKgAwIBAgIRALy+U3ooWL4WotnPuKUixTswDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE
AxMRY3MtY2EtY2VydGlmaWNhdGUwHhcNMjIwNDE4MTIyODI4WhcNMjMwNDE4MTIyODI4WjAdMRsw
GQYDVQQDExJtYW5hZ2VtZW50LWluZ3Jlc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC6h0rYALFRA104/DGWLlfiuftuoxT+Ab2FzsnmkO1q8Iu/SUhLf5FFnb05BrcemrL+0OJcZEyR
ALdxliWSWPG/I/9Uj+BcVlVdQupND/RQTQHS5ECYEoLJJvHkFHVj7+/WxyN3eYmqlz9OZHKp17f1
t79HDOYPZSKVzhLhZ9MsLM/G3xIF8feRpJRoQSYUUKHB6gDXZ4Kbfui7kd/LMrQK820psA8z/Bjy
dYQ2SXXUo4BfgpUxjN+VM1dGUy0khkuUSdNKlW9pLmZdT1FH7FjWH9zBWOOHz8szr+Pr4ZavHmFL
SUP4nDMpFeH/v6+cBm48LrezWAAUzZuSTYxRQeuhAgMBAAGjgZUwgZIwDgYDVR0PAQH/BAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUzW7sLnme6JsG
DZM/SC2ZRUwS/OswPAYDVR0RBDUwM4IxY3AtY29uc29sZS5hcHBzLnRhbWlsLWJlZHJvY2stZGV2
LmNwLmZ5cmUuaWJtLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEASHgDST++rAi79e0P5TXrUF2QQ7dc
o2pgiv/xNKvwm/URzaSGZ1CYq69hXOd+SFZ0sverFFEQZhBXxKVIDGFMT2Jll189sTtQsQnodbpj
gwQxB7c4KbqI4EKU33jj9lT5CmmzHWtO5cPa7br4nOcPKp7bl2q79/aDbP7GYLMp8sGMacopq5J7
vAkL3O3De3sv2p7wg5nHB0JBA/k7Ecd/34gKpftfwZxNsBAxL+dfwOdHjK1bSlHoyo5F7gjwvLVx
dCGdw0AfSNuw0efyGEK2+bA9bc+pzGQf6vKaaSQpdL/YC6b5QLpQkpculwl+lLESFJkdEzmM2VRB
XfgckB39kg==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cp-console.apps.tamil-bedrock-dev.cp.fyre.ibm.com/ibm/saml20/defaultSP/slo"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cp-console.apps.tamil-bedrock-dev.cp.fyre.ibm.com/ibm/saml20/defaultSP/acs" index="0" isDefault="true"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Configuring LDAP connection by using IdP V3 API
IMPORTANT: Creating and deleting an LDAP connection simultaneously can cause misconfiguration at the backend. Therefore, avoid creating and deleting the LDAP connection simultaneously.
Before you begin: Ensure that you are informed about the other LDAP configuration parameters that are used in the Identity Provider V3 APIs. For more information, see LDAP authentication, LDAP filters and Default LDAP filters by LDAP type. The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3 and Schema elements for LDAP connection.
Validating LDAP configuration while creating the LDAP connection using IdP V3 API
The following example shows how to validate the LDAP connection while creating an LDAP connection by using IdP V3 API:
API details - validate LDAP connection while creating - POST
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/ldap/validateConnection
- Command
POST
- Command output format
application/json
See the following notes:
-
If you are setting up multiple LDAP connections, you must individually connect to each directory.
-
In the curl command, you must use a base64-encoded password in the
"LDAP_BINDPASSWORD"
parameter. To encode the password, use the following command:echo -n <password> | base64
Following is an example output:
UGFzc3cwcmQ=
Sample curl command for validating LDAP configuration while creating an LDAP connection
curl -k -X POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/ldap/validateConnection' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
"name": "openLDAP",
"idp_config": {
"ldap_url": "ldap://9.35.210.15:389",
"ldap_basedn": "dc=ibm,dc=com",
"ldap_binddn": "cn=admin,dc=ibm,dc=com",
"ldap_bindpassword": "HNJat5opcqR="
}
}'
Sample response - validate LDAP connection while creating
{"status":"success","result":"Successfully validated LDAP configuration."}%
Validating LDAP configuration while updating the LDAP connection by using IdP V3 API
The following example shows how to validate the LDAP connection while you update an LDAP connection by using IdP V3 API:
API details - validate LDAP connection while updating - POST
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/ldap/validateConnection
- Command
POST
- Command output format
application/json
See the following notes:
-
The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3 and Schema elements for LDAP connection.
-
In the curl command, you must use a base64-encoded password in the
"LDAP_BINDPASSWORD"
parameter. To encode the password, use the following command:echo -n <password> | base64
Example output:
UGFzc3cwcmQ=
Sample curl command for validating LDAP configuration while you update an LDAP connection
curl -k -X POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/ldap/validateConnection' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
"name": "openLDAP",
"idp_config": {
"ldap_url": "ldap://9.35.210.15:389",
"ldap_basedn": "dc=ibm,dc=com",
"ldap_binddn": "cn=admin,dc=ibm,dc=com"
}
}'
Sample response - validate LDAP connection while updating
{"status":"success","result":"Successfully validated LDAP configuration."}%
Registering an LDAP connection by using IdP V3 API
See the following notes:
-
The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3 and Schema elements for LDAP connection.
-
In the curl command, you must use a base64-encoded password in the
"LDAP_BINDPASSWORD"
parameter. To encode the password, use the following command:echo -n <password> | base64
Example output:
UGFzc3cwcmQ=
The following example shows how to register an LDAP connection by using IdP V3 API:
API details - register an LDAP connection - POST
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/
- Command
POST
- Command output format
application/json
The following sample curl command is for creating a custom LDAP connection. Replace the "type"
parameter value with your LDAP type. For more information about the supported LDAP types, see Configuring LDAP connection.
You must also replace the parameter values in the "idp_config"
section based on your LDAP type. For more information about the parameter values for each LDAP type, see Default LDAP filters by LDAP type.
Sample curl command for creating a custom LDAP connection
curl -k -X POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
"name": "openldap",
"description": "",
"protocol": "ldap",
"type": "Custom",
"idp_config": {
"ldap_id": "openldap",
"ldap_realm": "REALM",
"ldap_url": "ldap://9.30.253.13:389",
"ldap_basedn": "dc=ibm,dc=com",
"ldap_binddn": "cn=admin,dc=ibm,dc=com",
"ldap_bindpassword": "UGFzc3cwcmQ=",
"ldap_type": "Custom",
"ldap_ignorecase": "false",
"ldap_userfilter": "(&(uid=%v)(objectclass=person))",
"ldap_useridmap": "*:uid",
"ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
"ldap_groupidmap": "*:cn",
"ldap_groupmemberidmap": "groupOfUniqueNames:uniqueMember",
"ldap_nestedsearch": "false",
"ldap_pagingsearch": "false"
}
}'
Getting information about all LDAP connections
The following example shows how to get the list of all the registered LDAP directories:
API details - information about all LDAP connections - GET
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource?protocol=ldap
- Command
GET
- Command output format
application/json
Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3 and Schema elements for LDAP connection.
Sample curl command to get the list of registered LDAP connections
curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/?protocol=ldap' \
--header "Authorization: Bearer $ACCESS_TOKEN"
Sample response - information about all LDAP connections
{"id":"8967e54c-7f6f-4755-a944-cf4d2a4b8a64","LDAP_ID":"openldap","LDAP_REALM":"REALM","LDAP_HOST":"corp.abc.com","LDAP_PORT":"389","LDAP_IGNORECASE":"false","LDAP_BASEDN":"dc=ibm,dc=com","LDAP_BINDDN":"cn=admin,dc=ibm,dc=com","LDAP_TYPE":"Custom","LDAP_USERFILTER":"(&(uid=%v)(objectclass=person))","LDAP_GROUPFILTER":"(&(cn=%v)(objectclass=groupOfUniqueNames))","LDAP_USERIDMAP":"*:uid","LDAP_GROUPIDMAP":"*:cn","LDAP_GROUPMEMBERIDMAP":"groupOfUniqueNames:uniquemember","LDAP_URL":"ldap://corp.abc.com:389","LDAP_PROTOCOL":"ldap"}
Getting information about LDAP connection by using UID
The following example shows how to get the registered LDAP directory by UID:
API details - LDAP information by UID - GET
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/:UID
- Command
GET
- Command output format
application/json
Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3 and Schema elements for LDAP connection.
Sample curl command to get the list of registered LDAP connections by UID
curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/:UID' \
--header "Authorization: Bearer $ACCESS_TOKEN"
Sample response - LDAP information by UID
{"id":"8967e54c-7f6f-4755-a944-cf4d2a4b8a64","LDAP_ID":"openldap","LDAP_REALM":"REALM","LDAP_HOST":"corp.abc.com","LDAP_PORT":"389","LDAP_IGNORECASE":"false","LDAP_BASEDN":"dc=ibm,dc=com","LDAP_BINDDN":"cn=admin,dc=ibm,dc=com","LDAP_TYPE":"Custom","LDAP_USERFILTER":"(&(uid=%v)(objectclass=person))","LDAP_GROUPFILTER":"(&(cn=%v)(objectclass=groupOfUniqueNames))","LDAP_USERIDMAP":"*:uid","LDAP_GROUPIDMAP":"*:cn","LDAP_GROUPMEMBERIDMAP":"groupOfUniqueNames:uniquemember","LDAP_URL":"ldap://corp.abc.com:389","LDAP_PROTOCOL":"ldap"}
Updating an LDAP connection by using IdP V3 API
See the following notes:
-
Use
UID
to update the LDAP connection. To get the UID, see Getting information about LDAP connection by using UID. -
The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3 and Schema elements for LDAP connection.
-
In the curl command, you must use a base64-encoded password in the
"LDAP_BINDPASSWORD"
parameter. To encode the password, use the following command:echo -n <password> | base64
The following is an example output:
UGFzc3cwcmQ=
The following example shows how to update an LDAP connection by using IdP V3 API:
API details - update an LDAP connection - PUT
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/:UID
- Command
PUT
- Command output format
application/json
Sample curl command to update an LDAP connection
curl -k -X PUT 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/8967e54c-7f6f-4755-a944-cf4d2a4b8a64' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
"name": "openldap",
"description": "",
"protocol": "ldap",
"type": "Custom",
"idp_config": {
"ldap_id": "openldap",
"ldap_realm": "REALM",
"ldap_url": "ldap://9.35.210.15:389",
"ldap_host": "9.35.210.15",
"ldap_port": "389",
"ldap_protocol": "ldap",
"ldap_basedn": "dc=ibm,dc=com",
"ldap_binddn": "cn=admin,dc=ibm,dc=com",
"ldap_bindpassword": "UGFzc3cwcmQ=",
"ldap_type": "Custom",
"ldap_ignorecase": "false",
"ldap_userfilter": "(&(uid=%v)(objectclass=person))",
"ldap_useridmap": "*:uid",
"ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
"ldap_groupidmap": "*:cn",
"ldap_groupmemberidmap": "groupOfUniqueNames:uniqueMember",
"ldap_nestedsearch": "false",
"ldap_pagingsearch": "false"
}
}'
Sample response - update an LDAP connection
{"status":"success","message":"{8967e54c-7f6f-4755-a944-cf4d2a4b8a64} is Updated."}
Deleting an LDAP connection by using IdP V3 API
The following example shows how to delete an LDAP connection by using IdP V3 API:
API details - delete an LDAP connection - DELETE
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/:UID
- Command
DELETE
- Command output format
application/json
Note: To get the UID, see Getting information about LDAP connection by using UID.
Sample curl command to delete an LDAP connection
curl -k -X DELETE 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/8967e54c-7f6f-4755-a944-cf4d2a4b8a64' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
Sample response - delete an LDAP connection
{"status":"success","message":"{8967e54c-7f6f-4755-a944-cf4d2a4b8a64} is deleted"}
Disabling OpenShift authentication by using IdP V3 API
The following example shows how to disable Red Hat OpenShift authentication by using IdP V3 API:
API details - disable OpenShift authentication - PUT
- API version
- 1.0.0
- API URI components
-
- Scheme
HTTPS
- Host IP
Cluster address
- Port number
Cluster port
- Path
idprovider/v3/auth/idsource/osauth
- Command
PUT
- Command output format
application/json
Sample curl command to disable Red Hat OpenShift authentication
curl -k -X PUT 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/osauth' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
"uid": "osauth",
"description": "OpenShift Authentication enablement",
"enabled": "false",
"idp_config": {
"ROKS_URL": "https://oauth-openshift.apps.cp3custom.cp.fyre.ibm.com",
"ROKS_USER_PREFIX": ""
},
"name": "OpenShift",
"protocol": "oauth",
"type": "OpenShiftAuthentication"
}'
Sample response - disable OpenShift authentication
{
"status": "success",
"message": "{osauth} is Updated."
}
Getting the host details
-
Install OC client and connect to the OpenShift Container Platform cluster. By default, OpenShift Container Platform is enabled automatically once you install foundational services.
-
Get the hostname from the route available in the namespace where the foundational services is installed.
oc get route -n <your-foundational services-namespace> cp-console -o jsonpath='{.spec.host}' && echo
Sample output:
cp-console.apps.mycluster.mydomain.com
Different schema elements for IdP V3 APIs
See the following mandatory fields and their description:
name
: Name of the IdP that you want to register.description
: Short description of the registration.protocol
: Type of protocol. Currently, OIDC, SAML, and LDAP are the only supported protocols.type
: Type of configured LDAP, OIDC, or SAML IdP. For example, Google, Microsoft, IBM ISV, and Okta for OIDC;isv
anddefault
for SAML.-
idp_config
: Contains the following subfields:- OIDC has the following fields:
discovery_url
: A well-known endpoint by OIDC provider.client_id
: A client ID that is provided by the registered application in the IdP.client_secret
: A client secret that is provided by the registered application in the IdP.
-
SAML has the following fields:
idp_metadata
: A base64-encoded value of IdP metadata XML file.-
token_attribute_mappings
: Used to map the token attributes with the IdP user attributes You need to replace only thevalues_to_be_mapped
based on your IDP configuration at the backend.-
Sample mapping:
"token_attribute_mappings": { "groups": "values_to_be_mapped", "given_name": "values_to_be_mapped", "family_name": "values_to_be_mapped", "sub": "values_to_be_mapped", "email": "values_to_be_mapped" }
The mapped values are case-sensitive.
-
- OIDC has the following fields:
Schema elements for SAML with SCIM dependency
See the following schema elements:
-
scim_config
: Used to provide SCIM configuration and SCIM attribute mapping information.-
grant_type
- Identifies the token generation flow. Theclient_credentials
value is used to issue the tokens to access the SCIM APIs. -
token_url
- Token endpoint of IdP. It is used to request the token. -
client_id
- Used for the client credentials flow. -
client_secret
- Used for the client credentials flow.
-
Example schema
"scim_config": {
"scim_base_path": "https://bedrock-iam.verify.ibm.com/v2.0/",
"grant_type": "client_credentials",
"token_url": "https://bedrock-iam.verify.ibm.com/v1.0/endpoint/default/token",
"client_id": "Your_isv_client_id",
"client_secret": "Your_isv_client_secret",
"scim_attribute_mappings": {
"user": {
"principalName": "userName",
"givenName": "name.givenName",
"middleName": "name.middleName",
"familyName": "name.familyName",
"formatted": "name.formatted"
},
"group": {
"principalName": "displayName",
"created": "meta.created",
"lastModified": "meta.lastModified"
}
}
}
Schema elements for SAML with LDAP dependency
ldap_config
is used to provide LDAP dependency information. See the following example:
"ldap_config":
{
"ldap_id": "existing-ldap-connection-name"
}
Schema elements for LDAP connection
To know more about LDAP parameters that are used in Identity Provider APIs, see LDAP authentication, LDAP filters, and Default LDAP filters by LDAP type.
-
LDAP_PAGINGSEARCH
: If theLDAP_PAGINGSEARCH
parameter is set as"false"
, it indicates that the pagination option is disabled. Set this parameter to"true"
to enable the pagination option. -
LDAP_PAGING_SIZE
: It is a numeric field that defines the page size of the LDAP type. You can set the number as per your requirement. It is an optional field. If you do not provide the value to theLDAP_PAGING_SIZE
parameter, the default page size of the LDAP server is considered as a request in the API query.For example, when the LDAP type is Microsoft Active Directory and you do not provide the
LDAP_PAGING_SIZE
value in the API, then 1000 (default page size) value is considered as a request in the API. Also, theLDAP_PAGING_SIZE
value must not exceed the default server-side page limit or the maximum configured value for the respective LDAP type.