Introduction
The SSO Management API is a REST API for managing the SSO Server. With the Management API it is possible to automate management tasks that previously could only be performed through the web-browser-based Management Console.
Access to API
To operate the REST API an OAuth2 access token is needed. To obtain the access token, an OAuth2 Resource Server configured as a Ubisecure agent must be activated and configured in the Ubisecure SSO server.
...
Authorization: Bearer {YOUR_SECURE_TOKEN}
See the OAuth 2.0 API - SSO page for more information about the OAuth API.
See the SSO Management API Configuration Guide for information on how to configure and start using the SSO API.
...
- Sites
- Applications
- Update application metadata
- Groups
- Authentication Policies
- Links between objects
- Users
- Mappings
- Keys - see page 8907526072 for the key API calls, and SSO key rotation for further details
URI format
...
For more information on how the attributes and links are connected, there are three sub-pages explaining them in more detail.
You can also see an overview of the schema on our example site https://manage.example.ubidemo.com/sso-api-sample/schema/models
...
DELETE /user/Example/user1
Note that the references from the user to methods, outbound mapping policies, and applications impersonating the user are removed at the same time.
To let an application impersonate a user, see Configuring impersonation with Management API - SSO.
Mappings
See the page Management UI Mappings - SSO.
There are three kinds of mappings:
- Type: outbound user mapping
  - nameIDFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- Type: persistent ID mapping
  - nameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- Type: transient ID mapping
  - nameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
The policy function is defined with the nameIDFormat attribute when the policy is created.
Note: The policy function cannot be changed after creation.
...
PUT /outboundMappingPolicy/Example/persistentIDPolicy1
nameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Note: At most one outbound mapping policy is allowed per application.
Refresh token policy
Create refresh token policy
...
/credential/{site}/{name}
Path parameters
Parameter | Type | Required | Description
---|---|---|---
site | string | yes | The site where the key is stored. Server keys should be located in the System/ServerKeyContainer site.
name | string | yes | The name of the key.
Query parameters
Content type: application/x-www-form-urlencoded
Parameter | Type | Required | Description
---|---|---|---
kty | string | yes | The type of the key. For example RSA.
kid | string | no | The key identifier as defined by the RFC 7517 JSON Web Key specification.
enabled | boolean | no | Denotes whether the key is enabled or not. Defaults to false.
use | string | no | The usage of the key as defined by the RFC 7517 JSON Web Key specification. Valid values are enc (for encryption) and sig (for signing). If this parameter is not set the key can be used for both signing and encryption.
notBefore | datetime | no | The date and time, as specified by ISO 8601, after which the key is valid. If left out the key is valid immediately. When performing an update, leaving this field empty will clear any previously set date and time.
notOnOrAfter | datetime | no | The date and time, as specified by ISO 8601, on or after which the key is not valid. If left out the key will be valid forever. When performing an update, leaving this field empty will clear any previously set date and time.
description | string | no | A human-readable description of the key.
Responses
Successfully created or updated a key
Accept: application/json
Field | Type | Description
---|---|---
type | string | The type of the object. Currently this is always set to credential.
id | string | The unique id of the key.
attributes.name | string | The name of the key.
attributes.kty | string | The type of the key. For example RSA.
attributes.kid | string | The key identifier as defined by the RFC 7517 JSON Web Key specification.
attributes.use | string | The usage of the key as defined by the RFC 7517 JSON Web Key specification. Valid values are enc (for encryption) and sig (for signing).
attributes.enabled | boolean | Denotes whether the key is enabled or not.
attributes.notBefore | datetime | The epoch timestamp after which the key is valid.
attributes.notOnOrAfter | datetime | The epoch timestamp on or after which the key is not valid.
attributes.description | string array | A human-readable description of the key.
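As an added example (not Ubisecure's own client code), the following Python builds the form-encoded body for the key request above and decides whether a returned credential is usable at a given moment, which is the check a key-rotation job needs before it disables the old key. It assumes the response epoch timestamps are in seconds and uses a constructed sample response shaped like the field table; the request method itself is not assumed, only the path and body are built.

```python
# Added example, not Ubisecure's own client code. It assumes the response epoch
# timestamps are in seconds; the sample response at the bottom is constructed to
# match the field table above and is not a real server reply.
import json
from datetime import timezone
from urllib.parse import urlencode


def build_key_request(site, name, kty, use=None, enabled=False,
                      not_before=None, not_on_or_after=None, description=None):
    """Return (path, form body) for the /credential/{site}/{name} request.
    Timestamps go out as ISO 8601 in UTC, as the page requires; the response
    reports them back as epoch values, so the two must not be mixed up."""
    if use is not None and use not in ("enc", "sig"):
        raise ValueError("use must be 'enc' (encryption) or 'sig' (signing)")
    params = {"kty": kty, "enabled": "true" if enabled else "false"}
    if use is not None:
        params["use"] = use
    for field, value in (("notBefore", not_before), ("notOnOrAfter", not_on_or_after)):
        if value is not None:
            params[field] = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if description:
        params["description"] = description
    return f"/credential/{site}/{name}", urlencode(params)


def key_is_usable(credential, at):
    """True if the credential (parsed JSON response) is enabled and `at` falls
    inside its validity window [notBefore, notOnOrAfter)."""
    attrs = credential["attributes"]
    if not attrs.get("enabled", False):
        return False
    ts = at.timestamp()
    not_before, not_on_or_after = attrs.get("notBefore"), attrs.get("notOnOrAfter")
    if not_before is not None and ts < not_before:
        return False
    if not_on_or_after is not None and ts >= not_on_or_after:
        return False
    return True


# Constructed sample response: an enabled RSA signing key valid for 2024 (UTC).
SAMPLE_RESPONSE = json.loads(
    '{"type": "credential", "id": "example-key-id", "attributes": {"name": '
    '"signing-2024", "kty": "RSA", "use": "sig", "enabled": true, '
    '"notBefore": 1704067200, "notOnOrAfter": 1735689600}}')
```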
...
/credential/{site}/{name}
Path parameters
Parameter | Type | Required | Description
---|---|---|---
site | string | yes | The site where the key is stored. Server keys should be located in the System/ServerKeyContainer site.
name | string | yes | The name of the key.
Responses
Successfully retrieved a key
Accept: application/json
Field | Type | Description
---|---|---
type | string | The type of the object. Currently this is always set to credential.
id | string | The unique id of the key.
attributes.name | string | The name of the key.
attributes.kty | string | The type of the key. For example RSA.
attributes.kid | string | The key identifier as defined by the RFC 7517 JSON Web Key specification.
attributes.use | string | The usage of the key as defined by the RFC 7517 JSON Web Key specification. Valid values are enc (for encryption) and sig (for signing).
attributes.enabled | boolean | Denotes whether the key is enabled or not.
attributes.notBefore | datetime | The epoch timestamp after which the key is valid.
attributes.notOnOrAfter | datetime | The epoch timestamp on or after which the key is not valid.
attributes.description | string array | A human-readable description of the key.
...
/credential/{site}/{name}
Path parameters
Parameter | Type | Required | Description
---|---|---|---
site | string | yes | The site where the key is stored. Server keys should be located in the System/ServerKeyContainer site.
name | string | yes | The name of the key to delete.
Responses
No content is returned.
...
/server/$link/credential/{site}/{name}
Path parameters
Parameter | Type | Required | Description
---|---|---|---
site | string | yes | The site where the key is stored. Server keys should be located in the System/ServerKeyContainer site.
name | string | yes | The name of the key.
Responses
Successfully associated a key
Accept: application/json
Field | Type | Description
---|---|---
type | string | The type of the object. Currently this is always set to server.
id | string | The id of the object to which the association is created.
objects[0].type | string | The type of the associated object. Currently this is always set to credential.
objects[0].id | string | The id of the association.
objects[0].link | string | Currently this is always set to credential.
...
/server/$link/credential/{site}/{name}
Path parameters
Parameter | Type | Required | Description
---|---|---|---
site | string | yes | The site where the key is stored. Server keys should be located in the System/ServerKeyContainer site.
name | string | yes | The name of the key.
Responses
Successfully retrieved a key association
Accept: application/json
Field | Type | Description
---|---|---
type | string | The type of the object. Currently this is always set to server.
id | string | The id of the object to which the association is created.
objects[0].type | string | The type of the associated object. Currently this is always set to credential.
objects[0].id | string | The id of the association.
objects[0].link | string | Currently this is always set to credential.
...
/server/$link/credential/{site}/{name}
Path parameters
Parameter | Type | Required | Description
---|---|---|---
site | string | yes | The site where the key is stored. Server keys should be located in the System/ServerKeyContainer site.
name | string | yes | The name of the key.
Responses
Successfully deleted key association
Accept: application/json
Field | Type | Description
---|---|---
type | string | The type of the object. Currently this is always set to server.
id | string | The id of the object from which the association was removed.
...
/credential/{site}/{name}/$attribute/csr
Path parameters
Parameter | Type | Required | Description
---|---|---|---
site | string | yes | The site where the key is stored. Server keys should be located in the System/ServerKeyContainer site.
name | string | yes | The name of the key.
Responses
Successfully obtained certificate signing request
Content-Type: application/pkcs10
-----BEGIN CERTIFICATE REQUEST-----
... redacted ...
-----END CERTIFICATE REQUEST-----
...
/credential/{site}/{name}/$attribute/csr
Path parameters
Parameter | Type | Required | Description
---|---|---|---
site | string | yes | The site where the key is stored. Server keys should be located in the System/ServerKeyContainer site.
name | string | yes | The name of the key.
Request body
Signed certificate in PEM format.
...