Table of Contents

Introduction

SSO Management API is a REST API for managing SSO Server. With Management API it is possible to automate management tasks that previously were only possible with the web browser based Management Console.

Access to API

To operate REST API an OAuth2 access token is needed. To get the access token an OAuth2 Resource Server configured as Ubisecure agent needs to be activated and configured in the Ubisecure SSO server.

...

Authorization: Bearer {YOUR_SECURE_TOKEN}

Please check OAuth 2.0 API - SSO page for more information about OAuth API.
Please check SSO Management API Configuration Guide for information how to configure and start using SSO API.

...

Sites
Applications
- Update application metadata
Groups
Authentication Policies
- PolicyItem
Links between objects
Users
Mappings
Keys - see 8907526072 for API calls and SSO key rotation for further details

URI format

...

Impersonate user by an application, see Configuring impersonation with Management API - SSO

Mappings

Please read page Management UI Mappings - SSO.

Three kind of mappings:

Type outbound user mapping
- nameIDFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Type persistent ID mapping
- nameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Type transient ID mapping
- nameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Policy function is defined with nameIDFormat attribute when policy is created.

Note
NOTE: Policy function can not be changed after creation.

...

PUT /outboundMappingPolicy/Example/persistentIDPolicy1 nameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Note! At most one outbound mapping policy is allowed per application

Refresh token policy

Create refresh token policy

...

Panel

border	true

Status

colour	Blue
title	PUT

/credential/{site}/{name}

Path parameters

Parameter	Type	Required	Description
`site`	string	yes	The site where the key is stored. Server keys should be located in `System/ServerKeyContainer` site.
`name`	string	yes	The name of the key.

Query parameters

Content type: application/x-www-form-urlencoded

Parameter	Type	Required	Description
`kty`	string	yes	The type of the key. For example `RSA.`
`kid`	string	no	The key identifier as defined by RFC 7517 JSON Web Key specification.
`enabled`	boolean	no	Denotes whether the key is enabled or not. Defaults to `false`.
`use`	string	no	The usage of the key as defined by RFC 7517 JSON Web Key specification. Valid values are `enc` - for encryption `sig` - for signing If this parameter is not set the key can be used for both signing and encryption.
`notBefore`	datetime	no	The date and time as specified by ISO 8601 after which the key is valid. If left out the key is valid immediately. When performing an update, leaving this field empty will clear any previously set date and time.
`notOnOrAfter`	datetime	no	The date and time as specified by ISO 8601 after which the key is not valid. If left out the key will be valid forever. When performing an update, leaving this field empty will clear any previously set date and time.
`description`	string	no	A human-readable description of the key.

Responses

Tip

title	HTTP 200 success

Expand

title	Successfully created or updated a key

Accept: application/json

Field	Type	Description
`type`	string	The type of the object. Currently this is always set to `credential.`
`id`	string	The unique id of the key.
`attributes.name`	string	The name of the key.
`attributes.kty`	string	The type of the key. For example `RSA`
`attributes.kid`	string	The key identifier as defined by RFC 7517 JSON Web Key specification
`attributes.use`	string	The usage of the key as defined by RFC 7517 JSON Web Key specification. Valid values are `enc` - for encryption `sig` - for signing
`attributes.enabled`	boolean	Denotes whether the key is enabled or not.
`attributes.notBefore`	datetime	The epoch timestamp after which the key is valid.
`attributes.notOnOrAfter`	datetime	The epoch timestamp after which the key is not valid.
`attributes.description`	string array	A human-readable description of the key.

...

Panel

Status

colour	Green
title	GET

/credential/{site}/{name}

Path parameters

Parameter	Type	Required	Description
`site`	string	yes	The site where the key is stored. Server keys should be located in `System/ServerKeyContainer` site.
`name`	string	yes	The name of the key.

Responses

Tip

title	HTTP 200 success

Expand

title	Successfully retrieved a key

Accept: application/json

Field	Type	Description
`type`	string	The type of the object. Currently this is always set to `credential.`
`id`	string	The unique id of the key.
`attributes.name`	string	The name of the key.
`attributes.kty`	string	The type of the key. For example `RSA`
`attributes.kid`	string	The key identifier as defined by RFC 7517 JSON Web Key specification
`attributes.use`	string	The usage of the key as defined by RFC 7517 JSON Web Key specification. Valid values are `enc` - for encryption `sig` - for signing
`attributes.enabled`	boolean	Denotes whether the key is enabled or not.
`attributes.notBefore`	datetime	The epoch timestamp after which the key is valid.
`attributes.notOnOrAfter`	datetime	The epoch timestamp after which the key is not valid.
`attributes.description`	string array	A human-readable description of the key.

...

Panel

Status

colour	Red
title	DELETE

/credential/{site}/{name}

Path parameters

Parameter	Type	Required	Description
`site`	string	yes	The site where the key is stored. Server keys should be located in `System/ServerKeyContainer` site.
`name`	string	yes	The name of the key to delete.

Responses

Tip

title	HTTP 204 success

No content is returned.

...

Panel

Status

colour	Blue
title	PUT

/server/$link/credential/{site}/{name}

Path parameters

Parameter	Type	Required	Description
`site`	string	yes	The site where the key is stored. Server keys should be located in `System/ServerKeyContainer` site.
`name`	string	yes	The name of the key.

Responses

Tip

title	HTTP 200 success

Expand

title	Successfully associated a key

Accept: application/json

Field	Type	Description
`type`	string	The type of the object. Currently this is always set to `server.`
`id`	string	The id of the object to which the associated is created.
`objects[0].type`	string	The type of the associated object. Currently this is always set to `credential`.
`objects[0].id`	string	The id of the association.
`objects[0].link`	string	Currently this is always set to `credential`.

...

Panel

Status

colour	Green
title	GET

/server/$link/credential/{site}/{name}

Path parameters

Parameter	Type	Required	Description
`site`	string	yes	The site where the key is stored. Server keys should be located in `System/ServerKeyContainer` site.
`name`	string	yes	The name of the key.

Responses

Tip

title	HTTP 200 success

Expand

title	Successfully retrieved a key association

Accept: application/json

Field	Type	Description
`type`	string	The type of the object. Currently this is always set to `server.`
`id`	string	The id of the object to which the associated is created.
`objects[0].type`	string	The type of the associated object. Currently this is always set to `credential`.
`objects[0].id`	string	The id of the association.
`objects[0].link`	string	Currently this is always set to `credential`.

...

Panel

Status

colour	Red
title	DELETE

/server/$link/credential/{site}/{name}

Path parameters

Parameter	Type	Required	Description
`site`	string	yes	The site where the key is stored. Server keys should be located in `System/ServerKeyContainer` site.
`name`	string	yes	The name of the key.

Responses

Tip

title	HTTP 200 success

Expand

title	Successfully deleted key association

Accept: application/json

Field	Type	Description
`type`	string	The type of the object. Currently this is always set to `server.`
`id`	string	The id of the object from which the associated was removed.

...

Panel

Status

colour	Green
title	GET

/credential/{site}/{name}/$attribute/csr

Path parameters

Parameter	Type	Required	Description
`site`	string	yes	The site where the key is stored. Server keys should be located in `System/ServerKeyContainer` site.
`name`	string	yes	The name of the key.

Responses

Tip

title	HTTP 200 success

Expand

title	Successfully obtained certificate signing request

Content-Type: application/pkcs10

-----BEGIN CERTIFICATE REQUEST-----
... redacted ...
-----END CERTIFICATE REQUEST-----

...

Panel

Status

colour	Blue
title	PUT

/credential/{site}/{name}/$attribute/csr

Path parameters

Parameter	Type	Required	Description
`site`	string	yes	The site where the key is stored. Server keys should be located in `System/ServerKeyContainer` site.
`name`	string	yes	The name of the key.

Request body

Signed certificate in PEM format.

...

Versions Compared

Old Version 4

New Version Current

Key

Introduction

Access to API

URI format

Mappings

Refresh token policy

Path parameters

Query parameters

Responses

Path parameters

Responses

Path parameters

Responses

Path parameters

Responses

Path parameters

Responses

Path parameters

Responses

Path parameters

Responses

Path parameters

Request body

Page Comparison

Versions Compared

Old Version 4

New Version Current

Key

Introduction

Access to API

URI format

Mappings

Refresh token policy

Path parameters

Query parameters

Responses

Path parameters

Responses

Path parameters

Responses

Path parameters

Responses

Path parameters

Responses

Path parameters

Responses

Path parameters

Responses

Path parameters

Request body