Identity Provider APIs

Use Identity Provider(IdP) APIs to register IdP configuration and their connections.

It is a mandatory step in the following scenarios:

• If you are using foundational services version 3.12.0 or later.

• If you are configuring SSO (single sign-on).

Note:

• Currently, IBM supports SAML only as supported protocol with the V2 version. In future, IdP V2 version will be deactivated. It is recommended to configure SAML from your product UI. From foundational services version 3.19.9, you can configure SAML by using your product UI. For more information, see Configuring single sign-on using your product UI.

• You can get the hostname from the route available in ibm-common-service namespace or where the foundational services is installed. To get the host details, see Getting the host details.

• The IAM roles, CloudPakAdministrator and Administrator are allowed to access the IdP APIs. For more information about IAM roles and actions, see Role-based access control (RBAC) for clusters.

Register IdP

You can register the IdP by the following methods:

• SAML with SCIM dependency registration
• SAML registration without any dependency
• SAML with LDAP dependency registration

SAML with SCIM dependency registration

The following example shows the IdP registration with ISV (IBM Security Verify) which supports SCIM enabled IdP with SAML. Hence, the token_attribute_mappings and scim_attribute_mappings can be different for the respective IdPs.

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v2/auth/idsource/registration/

Command

POST

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V2.

The sample curl command resembles the following code:

curl -k -X POST 'https://cp-console.apps.cp.fyre.ibm.com/idprovider/v2/auth/idsource/registration' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
    "name": "idp_saml_isv",
    "description": "This is a saml isv config",
    "protocol": "saml",
    "idp_type": "isv",
    "scim": "yes",
    "scim_base_path": "https://bedrock-iam.verify.ibm.com/v2.0/",
    "token_attribute_mappings": {"uid":"userID","first_name":"given_name","last_name":"family_name", "groups": "groupIds", "email":"email"},
    "jit": "no",
    "scim_attribute_mappings":{
         "user":{
         "principalName":"userName",
         "givenName":"name.givenName",
         "middleName":"name.middleName",
         "familyName":"name.familyName",
         "formatted":"name.formatted"
         },
         "group":{
          "principalName":"displayName",
          "created":"meta.created",
          "lastModified":"meta.lastModified"
         }
    },
    "config": {
        "grant_type": "client_credentials",
        "token_url": "https://bedrock-iam.verify.ibm.com/v1.0/endpoint/default/token",
        "client_id": "c2eae9d2-900d-4102-840b-023af12e36c5",
        "client_secret":"Your_isv_client_id"
    },
    "status": "enabled"
}'

The response resembles the following code:

{"status":"Client Successfully registered."}

The error message resembles the following code:

400 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
201 OK Response

SAML registration without any dependency

The following example shows the IdP registration by using SAML without any dependency:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v2/auth/idsource/registration/

Command

POST

Command output format

application/json

Note:

• User can find the SAML attribute and claim names from the IdP administration. Specify the SAML attributes and claim names as the values in the token_attribute_mappings attributes.

• The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V2.

The following sample curl command shows the SAML registration with w3id SAML provider:

curl -k -X POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v2/auth/idsource/registration' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
    "name": "w3id-sample-saml",
    "description": "w3id-sample-saml-test",
    "protocol": "saml",
    "idp_type": "default",
    "scim": "no",
    "saml_ldap": "None",
    "jit": "yes",
    "token_attribute_mappings": {"uid": "uid","first_name": "firstName","last_name": "lastName", "groups": "blueGroups", "email": "emailAddress"},
    "status": "enabled"
}'

The response resembles the following code:

{"status":"Client Successfully registered."}

The sample registration for configuring Azure AD with auto-onboarding:

curl -k -X POST 'https://cp-console.apps.cp.fyre.ibm.com /idprovider/v2/auth/idsource/registration' \ --header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
    "name": "idp_saml_azure",
    "description": "This is a saml azure config",
    "protocol": "saml",
    "idp_type": "default",
    "jit": "yes",
    "saml_ldap": "None",
    "token_attribute_mappings": {
            "uid": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
            "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
            "groups": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "email": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    },
    "status": "enabled"
}'

The error message resembles the following code:

400 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
201 OK Response

SAML with LDAP dependency registration

The following example is provided for IBM W3 SAML Provider and with dependency of an IBM Tivoli Directory Server LDAP. The token_attribute_mappings might change based on the SAML provider.

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v2/auth/idsource/registration/

Command

POST

Command output format

application/json

Note:

• User can find the SAML attributes and claim names from the IdP administration. Specify the SAML attributes and claim names as the values in the token_attribute_mappings attributes.

• The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V2.

The sample curl command resembles the following code:

curl -k -X POST 'https://cp-console.apps.cp.fyre.ibm.com/idprovider/v2/auth/idsource/registration' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
    "name": "saml-test",
    "description": "saml bluepages with ldap",
    "protocol": "saml",
    "idp_type": "default",
    "saml_ldap":"IBM Tivoli Directory Server",
    "token_attribute_mappings": {"uid":"uid", "first_name":"firstName", "last_name":"lastName", "groups": "blueGroups","email":"email"},
    "jit": "no",
    "status": "enabled"
}'

The response resembles the following code:

{"status":"Client Successfully registered."}

The error message resembles the following code:

400 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
201 OK Response

Get IdP registration

You can get the IdP registration by the following ways:

• By name
• By list
• By query

Get IdP registration by name

The following example shows how to get the details of IdP registration by name:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v2/auth/idsource/registration/idpname

Command

GET

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V2.

The sample curl command resembles the following code:

curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.com/idprovider/v2/auth/idsource/registration/isvbedrock-test' \
--header "Authorization: Bearer $ACCESS_TOKEN"

The response resembles the following code:

{
    "name": "isvbedrock-test",
    "description": "ISV bedrock test ISV",
    "protocol": "saml",
    "idp_type": "isv",
    "scim": "yes",
    "scim_base_path": "https://bedrock-iam.verify.ibm.com/v2.0/",
    "token_attribute_mappings": {
        "uid": "userID",
        "first_name": "given_name",
        "last_name": "family_name",
        "groups": "groupIds",
        "email": "email"
    },
    "jit": "no",
    "scim_attribute_mappings": {
        "user": {
            "principalName": "userName",
            "givenName": "name.givenName",
            "middleName": "name.middleName",
            "familyName": "name.familyName",
            "formatted": "name.formatted"
        },
        "group": {
            "principalName": "displayName",
            "created": "meta.created",
            "lastModified": "meta.lastModified"
        }
    },
    "config": {
        "grant_type": "client_credentials",
        "token_url": "https://bedrock-iam.verify.ibm.com/v1.0/endpoint/default/token",
        "client_id": "c2eae9d2-900d-4102-840b-023af12e36c5"
    },
    "status": "enabled"
}

The error message resembles the following code:

403 "error": "Insufficient user permission for role : rolename"
404 "error": "Document not found"
500 "error": "Other errors"
200 OK Response

Get the list of IdP registration

The following example shows how to get the list of IdP registration:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v2/auth/idsource/registration

Command

GET

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V2.

The sample curl command resembles the following code:

curl -k -X GET 'https://cp-console.apps.cp.fyre.ibm.com/idprovider/v2/auth/idsource/registration' \
---header "Authorization: Bearer $ACCESS_TOKEN"

The response resembles the following code:

{
"idp": [
        {
            "name": "isvbedrock-test",
            "description": "ISV bedrock test ISV",
            "protocol": "saml",
            "idp_type": "isv",
            "scim": "yes",
            "scim_base_path": "https://bedrock-iam.verify.ibm.com/v2.0/",
            "token_attribute_mappings": {
                "uid": "userID",
                "first_name": "given_name",
                "last_name": "family_name",
                "groups": "groupIds",
                "email": "email"
            },
            "jit": "no",
            "scim_attribute_mappings": {
                "user": {
                    "principalName": "userName",
                    "givenName": "name.givenName",
                    "middleName": "name.middleName",
                    "familyName": "name.familyName",
                    "formatted": "name.formatted"
                },
                "group": {
                    "principalName": "displayName",
                    "created": "meta.created",
                    "lastModified": "meta.lastModified"
                }
            },
            "config": {
                "grant_type": "client_credentials",
                "token_url": "https://bedrock-iam.verify.ibm.com/v1.0/endpoint/default/token",
                "client_id": "c2eae9d2-900d-4102-840b-023af12e36c5"
            },
            "status": "enabled"
        }
    ]
}

The error message resembles the following code:

403 "error": "Insufficient user permission for role : rolename"
500 "error": "Other errors"
200 OK Response

Get IdP registration by query

The following example shows how to get the IdP registration by query:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v2/auth/idsource/registration/

Command

GET

Command output format

application/json

The sample curl command resembles the following code:

curl -k -X GET 'https://cp-console.apps.iam-test.cp.fyre.ibm.com/idprovider/v2/auth/idsource/registration?idp_type=isv' \
--header "Authorization: Bearer $ACCESS_TOKEN"

You can also alter the query based on the requirements. For example,

curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.com/idprovider/v2/auth/idsource/registration?name=isvbedrock-test' \
--header "Authorization: Bearer $ACCESS_TOKEN"

curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.com/idprovider/v2/auth/idsource/registration?protocol=saml \
--header "Authorization: Bearer $ACCESS_TOKEN"

Note: The code contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V2.

The response resembles the following code:

    "idp": [
        {
            "name": "isvbedrock-test",
            "description": "ISV bedrock test ISV",
            "protocol": "saml",
            "idp_type": "isv",
            "scim": "yes",
            "scim_base_path": "https://bedrock-iam.verify.ibm.com/v2.0/",
            "token_attribute_mappings": {
                "uid": "userID",
                "first_name": "given_name",
                "last_name": "family_name",
                "groups": "groupIds",
                "email": "email"
            },
            "jit": "no",
            "scim_attribute_mappings": {
                "user": {
                    "principalName": "userName",
                    "givenName": "name.givenName",
                    "middleName": "name.middleName",
                    "familyName": "name.familyName",
                    "formatted": "name.formatted"
                },
                "group": {
                    "principalName": "displayName",
                    "created": "meta.created",
                    "lastModified": "meta.lastModified"
                }
            },
            "config": {
                "grant_type": "client_credentials",
                "token_url": "https://bedrock-iam.verify.ibm.com/v1.0/endpoint/default/token",
                "client_id": "c2eae9d2-900d-4102-840b-023af12e36c5"
            },
            "status": "enabled"
        }
    ]
}

The error message resembles the following code:

403 "error": "Insufficient user permission for role : rolename"
500 "error": "Other errors"
200 OK Response

Updating IdP

To update the IdP registration, you require the IdP name. To get the IdP name, see Get the list of IdP registration. The following example shows how to update the IdP registration:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v2/auth/idsource/registration/

Command

PUT

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V2.

The sample curl command resembles the following code:

curl -k -X PUT 'https://cp-console.apps.sashay.cp.fyre.ibm.com/idprovider/v2/auth/idsource/registration/saml-test' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
    "name": "saml-test",
    "description": "saml bluepages no ldap",
    "protocol": "saml",
    "idp_type": "default",
    "saml_ldap":"Custom",
    "token_attribute_mappings": {"uid":"uid", "first_name":"firstName", "last_name":"lastName", "groups": "blueGroups","email":"email"},
    "jit": "no",
    "status": "enabled"
}  '

The response resembles the following code:

{"status":"Client Successfully updated."}

The error message resembles the following code:

400 "error": "Insufficient user permission for role : rolename"
400 "error": "schema constraint error: schema validation error followed by error"
500 "error": "Other errors"
202 OK Response

Deleting IdP registration

To delete the IdP registration, you require the IdP name. To get the IdP name, see Get the list of IdP registration. The following example shows how to delete the IdP registration:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v2/auth/idsource/registration/

Command

DELETE

Command output format

application/json

The sample curl command resembles the following code:

curl -k -X DELETE 'https://cp-console.apps.cp.fyre.ibm.com/idprovider/v2/auth/idsource/registration/saml-test'  \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"

The response resembles the following code:

{"status":"Client Successfully deleted.”}

The error message resembles the following code:

400 "error": "Insufficient user permission for role : rolename"
404 "error": "Document not found"
500 "error": "Other errors"
202 OK Response

IdP V3 APIs

From foundational services version 3.19.9 and later, you can register OIDC and SAML providers with the IdP V3 API. To register OIDC and SAML provider using IdP V3, see Registering the OIDC clients using IdP V3 and Registering the SAML clients using IdP V3.

It is recommended to configure the SAML from your product UI. For more information, see Configuring single sign-on using your product UI.

Registering the OIDC clients using IdP V3

Before you begin

Login to any of the following platforms by using the provided IdP links and register yourself in the application. While registering, use application url as cp-console url and redirect URL as https://<cp-console-url>/ibm/api/social-login/redirect/<name of the oidc>. Once you are registered, you can get the unique client ID, client secret and discovery_url endpoint. Currently, only these platforms are verified to register the OIDC by using the IdP V3 API.

Note: The IdP links for the listed verified platforms can be changed anytime by their service providers. If any of the listed IdP links are broken, check the IdP links on their official websites.

Registering the OIDC clients

The following example shows how to register the client by using IdP V3:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster address

Port number

Cluster Port

Path

idprovider/v3/auth/idsource

Command

POST

Command output format

application/json

Note:

• The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.
• Using the POST call, you can get the unique identifier (UID) as a successful response. The UID is required for the further operations or tasks. Alternatively, to get the list of registered IdP's UID, see Getting the list of registered OIDC clients by query.

The sample curl command to register the client:

curl --insecure POST 'https://cp-console.apps.vij-soc.cp.fyre.ibm.com/idprovider/v3/auth/idsource/'
--header "Authorization: Bearer $ACCESS_TOKEN"
--header 'Content-Type: application/json'
--data-raw
'{
    "name": "oidc_isv",
    "description": "This is a oidc config for isv",
    "protocol": "oidc",
    "type": "IBMVerify",
    "idp_config": {
        "discovery_url": "https://bedrock-iam.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
        "client_id": "4ad41ddc-5f10-4d84-a24f-fb776607895e",
        "client_secret": "rqJMyEgee",
        "token_attribute_mappings": {
            "groups": "groupIds",
            "given_name": "given_name",
            "family_name": "family_name",
            "sub": "uid",
            "email": "email"
        }
    }
}'

The response resembles the following code:

{
    "status": "success",
    "message": "Identity provider {oidc_isv} is successfully registered with unique identifier NpiV6qBhsSDEjKRvJDQLl"
}

The error message resembles the following code:

400 "error":  "E11000 duplicate key error collection: platform-db.cloudpak_ibmid_v3 index: name_1 dup key: { : <oidc name>" }"
500 "error": "Other errors"
401 "error": "Insufficient user permission for role :Viewer"
202 OK Response

Deleting the registration of the client

The following example shows how to delete the registered client by using IdP V3:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster address

Port number

Cluster Port

Path

idprovider/v3/auth/idsource/

Command

DELETE

Command output format

application/json

The sample curl command to delete the client registration:

curl --insecure DELETE 'https://cp-console.apps.vij-soc.cp.fyre.ibm.com/idprovider/v3/auth/idsource/NpiV6qBhsSDEjKRvJDQLl' --header "Authorization: Bearer $ACCESS_TOKEN"

The response resembles the following code:

{
“status”: “success”,
“message”: “{NpiV6qBhsSDEjKRvJDQLl} is deleted”
}

The error message resembles the following code:

400 "error": "Cannot find {oidc uid}"
401 "error": "Insufficient user permission for role :Viewer"
200: Ok Response

Getting the list of registered OIDC clients

You can get the list of registered OIDC clients by using either of the following methods:

• By unique identifier (UID)
• By query

Getting the list of registered OIDC clients by UID

The following example shows how to get the list of all the registered clients by UID:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource/

Command

GET

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.

The following sample curl command to get the list of registered clients by UID:

curl --insecure --request GET 'https://cp-console.cp.fyre.ibm.com/idprovider/v3/auth/idsource/yOLi5oHo3t-es4aJFLkC8' --header "Authorization: Bearer $ACCESS_TOKEN"

The response resembles the following code:

{
  "name": "oidc_1",
  "description": "This is a oidc config",
  "protocol": "oidc",
  "type": "IBMVerify",
  "idp_config": {
    "discovery_url": "https://bedrock-iam.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
    "client_id": "My_Client_ID",
    "client_secret": "My_Client_Secret",
    "token_attribute_mappings": {
      "groups": "groupIds"
    }
  },
  "uid": "NpiV6qBhsSDEjKRvJDQLl"
}

The error message resembles the following code:

400 "error": "Cannot find {oidc uid}"
401 "error": "Insufficient user permission for role :Viewer"
200: Ok Response

Getting the list of registered OIDC clients by query

The following example shows how to get the list of all the registered clients by query:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource/

Command

GET

Command output format

application/json

The following sample curl command to get the list of registered clients by query:

curl --insecure --request GET 'https://cp-console.cp.fyre.ibm.com/idprovider/v3/auth/idsource?protocol=oidc' --header "Authorization: Bearer $ACCESS_TOKEN"

The response resembles the following code:

{
    "idp": [
        {
            "name": "oidc_google",
            "description": "This is a oidc config for google",
            "protocol": "oidc",
            "type": "google",
            "idp_config": {
                "discovery_url": "https://accounts.google.com/.well-known/openid-configuration",
                "client_id": "My_Client_ID",
                "client_secret": "My_Client_Secret",
                "token_attribute_mappings": {
                    "groups": "groupIds",
                    "given_name": "firstName",
                    "family_name": "lastName",
                    "sub": "uid",
                    "email": "email",
                    "uniqueSecurityName": "uniqueSecurityName"
                }
            },
            "uid": "Uo4Y31mV7unaj5NtyfpIY"
        },
        {
            "name": "oidc_isv",
            "description": "This is a oidc config",
            "protocol": "oidc",
            "type": "IBMVerify",
            "idp_config": {
                "discovery_url": "https://bedrock-iam.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
                "client_id": "My_Client_ID",
                "client_secret": "My_Client_Secret",
                "token_attribute_mappings": {
                    "groups": "groupIds",
                    "given_name": "given_name",
                    "family_name": "family_name",
                    "sub": "uid",
                    "email": "email",
                    "uniqueSecurityName": "uniqueSecurityName",
                    "preferred_username": "preferred_username",
                    "displayName": "displayName"
                }
            },
            "uid": "NpiV6qBhsSDEjKRvJDQLl"
        }
    ]
}

The error message resembles the following code:

400 "error": "Cannot find {oidc uid}"
401 "error": "Insufficient user permission for role :Viewer"
200: Ok Response

Updating the OIDC clients

The following example shows how to update the OIDC client by using IdP V3:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster address

Port number

Cluster Port

Path

idprovider/v3/auth/idsource

Command

PUT

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.

The sample curl command to update the client:

curl --insecure PUT 'https://cp-console.cp.fyre.ibm.com/idprovider/v3/auth/idsource/NpiV6qBhsSDEjKRvJDQLl'
--header "Authorization: Bearer $ACCESS_TOKEN"
--header 'Content-Type: application/json'
--data-raw
'{
    "name": "oidc_isv",
    "description": "This is a oidc config for isv",
    "protocol": "oidc",
    "type": "IBMVerify",
    "idp_config": {
        "discovery_url": "https://bedrock-iam.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
        "client_id": "4ad41ddc-5f10-4d84-a24f-fb776607895e",
        "client_secret": "rqJMyEgee",
        "token_attribute_mappings": {
            "groups": "groupIds",
            "given_name": "given_name",
            "family_name": "family_name",
            "sub": "uid",
            "email": "email"
        }
    }
}'

The response resembles the following code:

{
    "status": "success",
    "message": "{NpiV6qBhsSDEjKRvJDQLl} is Updated."
}

The error message resembles the following code:

400 "error": "Document not found"
401 "error": "Insufficient user permission for role :Viewer"
200: Ok Response

Registering the SAML clients using IdP V3

You can register the SAML IdP by the following methods:

• SAML with SCIM dependency registration
• SAML registration without any dependency
• SAML with LDAP dependency registration

Note: You can configure only one SAML registration at an instance. The unique identifier generated on the POST request is defaultSP. For idp_metadata, you need to provide base64 encoded value of the generated identity provider metadata xml file.

Get the base64 encoded value of generated identity provider metadata xml file by using the following code:

cat idp-metadata-xml |base64

SAML with SCIM dependency registration (IdP V3 registration with IBM Security Verify and Okta)

• IdP V3 registration with IBM Security Verify (ISV)
• IdP V3 registration with Okta

IdP V3 registration with IBM Security Verify (ISV)

The following example shows the IdP V3 registration with ISV that supports SCIM enabled IdP with SAML. Hence, the token_attribute_mappings and scim_attribute_mappings can be different for the respective IdPs.

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource/registration/

Command

POST

Command output format

application/json

Note:

• The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.
• Using the POST call, you can get the unique identifier (UID) as a successful response. The UID is required for the further operations or tasks. Alternatively, to get the list of registered IdP's UID, see Getting SAML registration by query.

The sample curl command resembles the following code:

curl --insecure POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource'
--header "Authorization: Bearer $ACCESS_TOKEN"
--header 'Content-Type: application/json'
--data-raw
'{
  "name": "idp_saml_isv",
  "description": "This is a saml isv config",
  "protocol": "saml",
  "type": "isv",
  "idp_config": {
    "token_attribute_mappings": {
      "sub": "userID",
      "given_name": "given_name",
      "family_name": "family_name",
      "groups": "groupIds",
      "email": "email"
    },
    "idp_metadata": "<base64-encoded-idp-xml>"
  },
  "scim_config": {
    "scim_base_path": "https://bedrock-iam.verify.ibm.com/v2.0/",
    "grant_type": "client_credentials",
    "token_url": "https://bedrock-iam.verify.ibm.com/v1.0/endpoint/default/token",
    "client_id": "Your_isv_client_id",
    "client_secret": "Your_isv_client_secret",
    "scim_attribute_mappings": {
      "user": {
        "principalName": "userName",
        "givenName": "name.givenName",
        "middleName": "name.middleName",
        "familyName": "name.familyName",
        "formatted": "name.formatted"
      },
      "group": {
        "principalName": "displayName",
        "created": "meta.created",
        "lastModified": "meta.lastModified"
      }
    }
  },
  "jit": "false"
}'

The response resembles the following code:

{
    "status": "success",
    "message": "Identity provider {idp_saml_isv} is successfully registered with unique identifier defaultSP"
}

The error message resembles the following code:

401 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
200 OK Response

IdP V3 registration with Okta

The following example shows the IdP V3 registration with Okta.

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource/registration/

Command

POST

Command output format

application/json

Note:

• The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.

• Using the POST call, you can get the unique identifier (UID) as a successful response. The UID is required for the further operations or tasks. Alternatively, to get the list of registered IdP's UID, seeGetting SAML registration by query.

curl --location --request POST 'https://cpconsoleroute/idprovider/v3/auth/idsource' \
--header 'Authorization: Bearer $accessToken' \
--header 'Content-Type: application/json' \
--data-raw '{
            "name": "OKTASAML",
            "description": "OKTASAML",
            "protocol": "saml",
            "type": "okta",
            "idp_config": {
                "token_attribute_mappings": {
                    "sub": "uid",
                    "given_name": "firstName",
                    "family_name": "lastName",
                    "groups": "groups",
                    "email": "emailAddress",
                    "first_name": "firstName",
                    "last_name": "lastName"
                },
                "idp_metadata": "Base64-encoded-metadata"
            },
            "jit": false,
            "scim_config": {
                "redirect_url": ["okta_redirect_url"],
                "scim_attribute_mappings": {
                    "user": {
                        "principalName": "userName",
                        "name": {
                            "givenName": "givenName",
                            "familyName": "familyName"
                        },
                        "displayName": "displayName",
                        "emails": [
                            {
                                "value": "emails",
                                "type": "home"
                            }
                        ],
                        "id": "id",
                        "userName": "userName"
                    },
                    "group": {
                        "principalName": "displayName",
                        "id": "displayName"
                    }

                }
            }
        }'

The response resembles the following:

{
    "status": "success",
    "message": "Identity provider {oktasaml} is successfully registered with unique identifier : defaultSP , oktaclient created with clientId: yx3a5pwtdrmn0sf8ockyf97dg55lswo7 , client secret: okta-oidcclient-secret"
}

The error message resembles the following:

401 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
200 OK Response

token_attribute_mappings: token_attribute_mappings is a custom mapping that user can provide based on the SAML attribute mapping that is configured at Okta. User should modify the values, not the key, based on the Okta SAML attribute configuration. For more information about attributes, see Step 9 in Configure CloudPak as SAML service provider (SP) at OKTA.

For more information, see Okta doc for SAML attributes.

scim_attribute_mappings: Provide the mapping attributes as in the CURL command. The defined mapping will be used for filter query, creating attributes and the response to be sent.

redirect_url: redirect_url is only applicable for the IdP "type": "okta". The redirect_url is used to create the OIDC client registration for the OKTA instance. To get the redirect_url while using non IBM OIN App:

Based on the environment (a standard org, an EMEA org, and an Okta Preview org), the redirect_uri can be one of the following:

• https://system-admin.okta.com/admin/app/cpc/${appName}/oauth/callback
• https://system-admin.okta-emea.com/admin/app/cpc/${appName}/oauth/callback

• https://system-admin.oktapreview.com/admin/app/cpc/${appName}/oauth/callback

  Note: Replace the ${appName} with the variable name for your application instance. If you don't know the variable name for application instance, you can find it as part of the App Embed link from the browser by opening the embed link or you can also check the Name attribute for the application at the /Apps API endpoint.

  For example, if the URL embedded link is https://dev-68798908-admin.okta.com/admin/app/dev-68798908_iamsaml_3/instance/0oa6vnyhkm86B4xha5d7/#tab-general, the ${appName} will be dev-68798908_iamsaml_3 and so the redirect_uri is https://system-admin.okta.com/admin/app/cpc/dev-68798908_iamsaml_3/oauth/callback. For more information, see Okta documentation.

SAML registration without any dependency

The following example shows the IdP V3 registration by using SAML without any dependency:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource/registration/

Command

POST

Command output format

application/json

Note:

• User can find the SAML attribute and claim names from the IdP administration. Specify the SAML attributes and claim names as the values in the token_attribute_mappings attributes.

• The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.

• You can also provide an optional attribute called uniqueSecurityName in token_attribute_mappings payload to map the IdP attributes. By default, uniqueSecurityName attribute is mapped to the Subject in the response of userinfo/introspect endpoint.

The following sample curl command shows the SAML registration with w3id SAML provider:

curl -k -X POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/ idprovider/v3/auth/idsource' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
  "name": "w3id-sample-saml",
  "description": "w3id-sample-saml-test",
  "protocol": "saml",
  "type": "default",
  "idp_config": {
    "token_attribute_mappings": {
      "sub": "uid",
      "given_name": "firstName",
      "family_name": "lastName",
      "groups": "blueGroups",
      "email": "emailAddress"
    },
    "idp_metadata": "<base64-encoded-idp-xml>"
  },
  "jit": true
}'

The response resembles the following code:

{
    "status": "success",
    "message": "Identity provider {w3id-sample-saml} is successfully registered with unique identifier defaultSP"
}

The error message resembles the following code:

401 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
200 OK Response

SAML with LDAP dependency registration

The following example is provided for IBM W3 SAML Provider and with dependency of an IBM Tivoli Directory Server LDAP. The token_attribute_mappings might change based on the SAML provider.

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource/registration/

Command

POST

Command output format

application/json

Note:

• When the LDAP is configured, the response for userinfo/introspect endpoints are directly collected from the liberty. Therefore, the attributes provided in the token_attribute_mappings payload are not available in the response of userinfo/introspect endpoints.

• The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.

The sample curl command resembles the following code:

curl -k -X POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
'{
  "name": "saml-test",
  "description": "saml bluepages with ldap",
  "protocol": "saml",
  "type": "default",
  "idp_config": {
    "token_attribute_mappings": {
      "sub": "uid",
      "given_name": "firstName",
      "family_name": "lastName",
      "groups": "blueGroups",
      "email": "email"
    },
    "idp_metadata": "<base64-encoded-idp-xml>"
  },
  "ldap_config": {
    "ldap_id": "<existing_ldap_id>"
  },
  "jit": false
}'

The response resembles the following code:

{
    "status": "success",
    "message": "Identity provider {saml-test} is successfully registered with unique identifier defaultSP"
}

The error message resembles the following code:

401 "error": "Insufficient user permission for role : rolename"
400 "error": "schema error:schema validation error followed by error"
400 "error": "duplicate : Idp with protocol=saml is already created"
500 "error": "Other errors"
200 OK Response

Getting SAML registration by UID

You can get the IdP registration by the following ways:

• By name
• By list
• By query

Getting IdP V3 registration by name

The following example shows how to get the details of IdP V3 registration by name:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource/defaultSP

Command

GET

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.

The sample curl command resembles the following code:

curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.com/idprovider/v3/auth/idsource/defaultSP' \
--header "Authorization: Bearer $ACCESS_TOKEN"

The response resembles the following code:

{
    "name": "w3id-sample-saml",
    "description": "w3id-sample-saml-test",
    "protocol": "saml",
    "type": "default",
    "idp_config": {
        "token_attribute_mappings": {
            "sub": "uid",
            "given_name": "firstName",
            "family_name": "lastName",
            "groups": "blueGroups",
            "email": "emailAddress"
        },
        "idp_metadata": "<base64-encoded-idp-xml>"
    },
    "jit": true,
    "uid": "defaultSP"
}

The error message resembles the following code:

401 "error": "Insufficient user permission for role : rolename"
404 "error": "Cannot find {defaultSP}
500 "error": "Other errors"
200 OK Response

Getting the list of IdP V3 registration

The following example shows how to get the list of IdP V3 registration:

Note: This API returns all registered IdPs of SAML or OIDC clients through IdP V3 API.

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource

Command

GET

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.

The sample curl command resembles the following code:

curl -k -X GET ‘https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource' \
--header "Authorization: Bearer $ACCESS_TOKEN"

The response resembles the following code:

{
    "idp": [
        {
            "name": "w3id-sample-saml",
            "description": "w3id-sample-saml-test",
            "protocol": "saml",
            "type": "default",
            "idp_config": {
                "token_attribute_mappings": {
                    "sub": "uid",
                    "given_name": "firstName",
                    "family_name": "lastName",
                    "groups": "blueGroups",
                    "email": "emailAddress"
                },
                "idp_metadata": "<base64-encoded-idp-xml>"
            },
            "jit": true,
            "uid": "defaultSP"
        }
    ]
}

The error message resembles the following code:

401 "error": "Insufficient user permission for role : rolename"
500 "error": "Other errors"
200 OK Response

Getting SAML registration by query

The following example shows how to get the IdP V3 registration by query:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource

Command

GET

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.

The sample curl command resembles the following code:

curl -k -X GET 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource?protocol=saml'
\
--header "Authorization: Bearer $ACCESS_TOKEN"

The response resembles the following code:

{
    "idp": [
        {
            "name": "w3id-sample-saml",
            "description": "w3id-sample-saml-test",
            "protocol": "saml",
            "type": "default",
            "idp_config": {
                "token_attribute_mappings": {
                    "sub": "uid",
                    "given_name": "firstName",
                    "family_name": "lastName",
                    "groups": "blueGroups",
                    "email": "emailAddress"
                },
                "idp_metadata": "<base64-encoded-idp-xml>"
            },
            "jit": true,
            "uid": "defaultSP"
        }
    ]
}

The error message resembles the following code:

401 "error": "Insufficient user permission for role : rolename"
500 "error": "Other errors"
200 OK Response

Updating SAML registration

To update the SAML registration, you require the IdP UID. To get the IdP UID, see Get the list of IdP V3 registration. Alternatively, you can use the UID as defaultSP because only one SAML registration at an instance is supported for now. The following example shows how to update the IdP registration:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource

Command

PUT

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.

The sample curl command resembles the following code:

curl -k -X PUT 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/ idprovider/v3/auth/idsource/defaultSP' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"
--data-raw
' {
  "name": "w3id-sample-saml",
  "description": "this is plain saml testing",
  "protocol": "saml",
  "type": "default",
  "idp_config": {
    "token_attribute_mappings": {
      "sub": "uid",
      "given_name": "firstName",
      "family_name": "lastName",
      "groups": "blueGroups",
      "email": "emailAddress"
    },
    "idp_metadata": "<base64-encoded-idp-xml>"
  },
  "jit": true
}'

The response resembles the following code:

{
    "status": "success",
    "message": "{defaultSP} is Updated."
}

The error message resembles the following code:

401 "error": "Insufficient user permission for role : rolename"
400 "error": "schema validation error:followed by error"
500 "error": "Other errors"
200 OK Response

Deleting SAML registration

To delete the SAML registration, you require the IdP UID. To get the IdP UID, see Get the list of IdP V3 registration. Alternatively, you can use the UID as defaultSP because only one SAML registration at an instance is supported for now. The following example shows how to delete the IdP registration:

API version

1.0.0

API URI components

Scheme

HTTPS

Host IP

Cluster Master Host

Port number

Cluster Master API Port

Path

idprovider/v3/auth/idsource

Command

DELETE

Command output format

application/json

Note: The curl command contains different schema elements. To understand the use of these schema elements, see Different schema elements for IdP V3.

The sample curl command resembles the following code:

curl -k -X DELETE 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/defaultSP' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN"

The response resembles the following code:

{
    "status": "success",
    "message": "{defaultSP} is deleted"
}

The error message resembles the following code:

400 "error": "Insufficient user permission for role : rolename"
404 "error": "Document not found"
500 "error": "Other errors"
202 OK Response

Getting the host details

1. Install OC (OpenShift Container) client and connect to the OCP (OpenShift Container Platform) cluster. For more information, see Getting started with the OpenShift CLI.

2. Get the hostname from the route available in ibm-common-service namespace or where the foundational services is installed.

oc get route -n ibm-common-services cp-console -o jsonpath='{.spec.host}' && echo

The sample output:

cp-console.apps.mycluster.mydomain.com

Different schema elements for IdP V2

• name: It gives the name of the IdP that you want to register. It is a mandatory field.

• description: It provides a short description for the registration. It is a mandatory field.

• type: It shows the type of the configured OIDC IdP. For example, Google, Microsoft, IBM ISV and Okta. It is a mandatory field.

• idp_type: It shows the type of the configured IdP. It is a mandatory field. Set the idp_type as default when you want to use the SAML with LDAP dependency. If the idp_type is default, the saml_ldap valid attribute is mandatory (which can be none or valid LDAP type). Currently, the supported values for the idp_type are isv or default.

• saml_ldap: It specifies the type of LDAP that you want to bind with the SAML that is available in your cluster as the IdP configuration. The following are the accepted values for the saml_ldap elements:

  • IBM Tivoli Directory Server
  • IBM Lotus Domino
  • IBM SecureWay Directory Server
  • Novell EDirectory
  • Sun Java System Directory Server
  • Netscape Directory Server
  • Microsoft Active Directory
  • Custom
  • None

The values of the saml_ldap elements are case-sensitive.

• scim: It is an optional field. The value of the scim element is yes. If your IdP supports the SCIM protocol, the IAM can interact with your backend SCIM server with the entries like scim_base_path , scim_attribute_mappings, and config. These entries are mandatory if the scim is set to yes.

• scim_base_path: It is the SCIM server endpoint of the IdP. It is required for uniquely identifying the service instance. It is a Mandatory field if the SCIM is set to yes.

• config elements: It is a mandatory field if the scim is set to yes.

  • grant_type - It identifies the token generation flow. The client_credentials is used to issue the tokens to access the SCIM APIs.

  • token_url - It is the token endpoint of the IdP. It is used to request the token.

  • client_id - It is used for the client credentials flow.

  • client_secret - It is used for the client credentials flow.

• scim_attribute_mappings - It is used to map the SCIM provider with the SCIM attributes of foundational services. You need to replace only the values_to_be_mapped based on your backend SCIM IdP configuration. It is a mandatory field if the scim is set to yes. The mapped values are case-sensitive.

For example,

"scim_attribute_mappings": {
    "user": {
    "principalName": “values_to_be_mapped”,
        "givenName": "values_to_be_mapped",
        "middleName": "values_to_be_mapped",
        "familyName": "values_to_be_mapped",
        "formatted": "values_to_be_mapped"
        },
        "group": {
            "principalName": "values_to_be_mapped",
            "created": "values_to_be_mapped",
            "lastModified": "values_to_be_mapped"
            }
        }

Tested values for ISV SCIM:

"scim_attribute_mappings": {
    "user": {
        "principalName": "userName",
        "givenName": "name.givenName",
        "middleName": "name.middleName",
        "familyName": "name.familyName",
        "formatted": "name.formatted"
        },
        "group": {
            "principalName": "displayName",
            "created": "meta.created",
            "lastModified": "meta.lastModified"
            }
     }

• jit: It is an optional field. It is true only if you are using the SAML without any LDAP and SCIM dependency. Otherwise, The value of jit is false.

• token_attribute_mappings: It is an optional field. Use the default mapping if the token_attribute_mappings values are not provided as the following:

"token_attribute_mappings": {
        "uid": "values_to_be_mapped",
        "first_name": "values_to_be_mapped",
        "last_name": "values_to_be_mapped",
        "groups": "values_to_be_mapped",
        "email": "values_to_be_mapped"
        }

The mapping is the IAM token claims. The mapping value is the identity provider (for example, ISV) user attribute name. If the names match, it is optional to list out the mapping, such as given_name, family_name, and email. The mapping shows what user attribute values to use when foundational services IAM generates ID token. The values are stored in the local database. IBM supports OIDC standard claims, such as given_name, family_name, email and sub, and additional claim groups in the mapping. You need to replace only the values_to_be_mapped based on the SAML configuration. The mapped values are case-sensitive.

• status - Its default value is enabled.

Different schema elements for IdP V3

• name: It gives the name of the IdP that you want to register. It is a mandatory field.

• description: It provides a short description for the registration. It is a mandatory field.

• protocol: It is the type of protocol. As of now, OIDC and SAML are the only supported protocols. It is a mandatory field.

• type: It shows the type of the configured OIDC or SAML IdP. For example, Google, Microsoft, IBM ISV and Okta for OIDC; isv and default for SAML. It is a mandatory field.

• idp_config: It is a mandatory field that contains the following sud-fields:

  For OIDC:

  • discovery_url: It is a well-known endpoint by OIDC provider.
  • client_id: It is a client ID that is provided by the registered application in the IdP.
  • client_secret: It is a client secret that is provided by the registered application in the IdP.

  For SAML:

• idp_metadata: It is a base64 encoded value of IdP metadata XML file.

• token_attribute_mappings: It is used to map the token attributes with the IdP user attributes. You need to replace only the values_to_be_mapped based on your IDP configuration at the backend.

"token_attribute_mappings": {
        "groups": "values_to_be_mapped",
        "given_name": "values_to_be_mapped",
        "family_name": "values_to_be_mapped",
        "sub": "values_to_be_mapped",
        "email": "values_to_be_mapped"
        }

The mapped values are case-sensitive.

For SAML with SCIM dependency:

• scim_config: It is used to provide SCIM configuration and SCIM attribute mappings information.

  • grant_type - It identifies the token generation flow. The client_credentials is used to issue the tokens to access the SCIM APIs.

  • token_url - It is the token endpoint of the IdP. It is used to request the token.

  • client_id - It is used for the client credentials flow.

  • client_secret - It is used for the client credentials flow.

For example,

    "scim_config": {
      "scim_base_path": "https://bedrock-iam.verify.ibm.com/v2.0/",
      "grant_type": "client_credentials",
      "token_url": "https://bedrock-iam.verify.ibm.com/v1.0/endpoint/default/token",
      "client_id": "Your_isv_client_id",
      "client_secret": "Your_isv_client_secret",
      "scim_attribute_mappings": {
        "user": {
          "principalName": "userName",
          "givenName": "name.givenName",
          "middleName": "name.middleName",
          "familyName": "name.familyName",
          "formatted": "name.formatted"
        },
        "group": {
          "principalName": "displayName",
          "created": "meta.created",
          "lastModified": "meta.lastModified"
        }
      }
    }

For SAML with LDAP dependency:

• ldap_config: It is used to provide LDAP dependency information.

For example,

"ldap_config":
{
  "ldap_id": "existing-ldap-connection-name"
}