6 Manage Token Issuer Trust Configurations
Before using the REST API to view and manage token issuer trust configurations, you need to understand how to access the REST resources and other important concepts.
For more information, see "About the REST API".
For more information about token issuer trust management, see "Defining Trusted Issuers and a Trusted DN List for Signing Certificates" in Administering Web Services.
This chapter includes the following sections:
- View and Manage Token Issuer Trust Configurations Using REST Resources
- POST Domain Trusted Issuers and Distinguished Name Lists Method
- POST Document Trusted Issuers and Distinguished Name Lists Method
- GET Specified Document Trusted Issuer and Distinguished Name Lists Method
- POST Token Attribute Rule Distinguished Name Method (Domain Context)
- POST Token Attribute Rule Distinguished Name Method (Document Context)
6.1 View and Manage Token Issuer Trust Configurations Using REST Resources
You can view and manage token issuer trust configurations using a set of representational state transfer (REST) resources, as summarized below.
Section | Method | Resource Path |
---|---|---|
POST TrustDocument Name Method | POST | /idaas/webservice/admin/v1/trustdocument |
POST Domain Trusted Issuers and Distinguished Name Lists Method | POST | /idaas/webservice/admin/v1/trust/issuers |
POST Document Trusted Issuers and Distinguished Name Lists Method | POST | /idaas/webservice/admin/v1/trust/issuers/{documentName} |
GET All Trusted Issuer and Distinguished Name Lists Method | GET | /idaas/webservice/admin/v1/trust/issuers |
GET Specified Document Trusted Issuer and Distinguished Name Lists Method | GET | /idaas/webservice/admin/v1/trust/issuers/{documentName} |
POST Token Attribute Rule Distinguished Name Method (Domain Context) | POST | /idaas/webservice/admin/v1/trust/token |
POST Token Attribute Rule Distinguished Name Method (Document Context) | POST | /idaas/webservice/admin/v1/trust/token/{documentName} |
GET All Token Attribute Rules Method | GET | /idaas/webservice/admin/v1/trust/token |
GET Specified Document Token Attribute Rules Method | GET | /idaas/webservice/admin/v1/trust/token/{documentName} |
Import TrustDocument Name Configurations Method | POST | /idaas/webservice/admin/v1/trustdocument/import |
Export TrustDocument Name Configurations Method | GET | /idaas/webservice/admin/v1/trustdocument/export |
Import Federation Metadata Document Method | | |
Export Federation Metadata Document Method | | |
Revoke Federation Metadata Document Method | | |
One Paas — One Token Trust | POST | /idaas/webservice/admin/v1/trust/token |
Enabling and Disabling Token Issuer Trust | POST | /idaas/webservice/admin/v1/trust/issuers |
Import JWK Document Trust Configurations | PUT | /idaas/webservice/admin/v1/federation/jwk/import |
Revoke JWK Trust Configurations | PUT | /idaas/webservice/admin/v1/federation/jwk/revoke |
 | PUT | /idaas/webservice/admin/v1/federation/discoverymetadata/import |
 | PUT | /idaas/webservice/admin/v1/federation/discoverymetadata/revoke |
6.2 POST TrustDocument Name Method
Use the POST method to create a trusted issuer document.
REST Request
POST /idaas/webservice/admin/v1/trustdocument
Parameters
The following table summarizes the POST request parameters.
Name | Description | Type |
---|---|---|
displayName | Display name for the document. | Query |
documentName | Name of the document. | Query |
Response Body
Media types for the request or response body: application/json
The response body returns the status of the import operation, including:
Attribute | Description |
---|---|
 | If |
 | If |
Result | Details of the operation results. |
STATUS | Status of operation. For example, |
cURL Example
The following example shows how to create a trusted issuer document by submitting a POST request on the REST resource using cURL.
curl -i -X POST -u username:password http://myhost:7001/idaas/webservice/admin/v1/trustdocument?"documentName=myTrustDocument&displayName=myTrustDocument"
Example of Response Header
The following shows an example of the response header. For more about the HTTP status codes, see "HTTP Status Codes for HTTP Methods".
HTTP/1.1 200 OK
Example of Response Body
The following shows an example of the response body in JSON format.
{
  "STATUS": "Succeeded",
  "Result": "New Token Issuer Trust document named \"myTrustDocument\" created."
}
6.3 POST Domain Trusted Issuers and Distinguished Name Lists Method
Use the POST method to create trusted issuers and distinguished name (DN) lists for signing certificates in a domain context (that is, it applies to the entire domain).
REST Request
POST /idaas/webservice/admin/v1/trust/issuers
Request Body
Media types for the request body: application/json
The request body contains the details of the add request:
Attribute | Description | Required |
---|---|---|
dn | List of DN values to be added to the trusted issuer. For each DN, use a string that conforms to RFC 2253, as described at the following URL: | Yes |
issuer | Groups information about a trusted issuer. | Yes |
-name | Name of the trusted issuer. For example, | Yes |
jwt-trusted-issuers | Groups information about JSON Web Token (JWT) trusted issuers. | No |
saml-hok-trusted-dns | Groups information about SAML holder-of-key trusted issuers. | No |
saml-sv-trusted-dns | Groups information about SAML sender vouches trusted issuers. | No |
saml-trusted-dns | Groups the trusted issuers and DN lists. | Yes |
Response Body
Media types for the response body: application/json
The response body returns the status of the import operation, including:
Attribute | Description |
---|---|
 | If |
 | If |
STATUS | Status of operation. For example, |
cURL Example
The following example shows how to create trusted issuers and DN lists by submitting a POST request on the REST resource using cURL.
curl -i -X POST -u username:password --data @createtrust.json -H Content-Type:application/json http://myhost:7001/idaas/webservice/admin/v1/trust/issuers
Example of Request Body
The following shows an example of the request body in JSON format.
{
  "saml-trusted-dns": {
    "saml-hok-trusted-dns": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "wls1" ] }
      ]
    },
    "saml-sv-trusted-dns": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "wls2" ] }
      ]
    },
    "jwt-trusted-issuers": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "CN=orakey, OU=Orakey,O=Oracle, C=US" ] }
      ]
    }
  }
}
Example of Response Header
The following shows an example of the response header.
HTTP/1.1 200 OK
Example of Response Body
The following shows an example of the response body in JSON format.
{ "STATUS": "Succeeded" }
6.4 POST Document Trusted Issuers and Distinguished Name Lists Method
Use the POST method to create trusted issuers and distinguished name (DN) lists for signing certificates in a document context (that is, it applies to a specified document). The trusted issuers will be stored in the specified trusted issuers document.
REST Request
POST /idaas/webservice/admin/v1/trust/issuers/{documentName}
Parameters
The following table summarizes the POST request parameters.
Name | Description | Type |
---|---|---|
documentName | Name of trusted issuer document. For information about creating a trusted issuer document, see "POST TrustDocument Name Method". | Query |
Request Body
Media types for the request body: application/json
The request body contains the details of the add request:
Attribute | Description | Required |
---|---|---|
dn | List of DN values to be added to the trusted issuer. For each DN, use a string that conforms to RFC 2253, as described at the following URL: | Yes |
issuer | Groups information about a trusted issuer. | Yes |
-name | Name of the trusted issuer. For example, | Yes |
jwt-trusted-issuers | Groups information about JSON Web Token (JWT) trusted issuers. | No |
saml-hok-trusted-dns | Groups information about SAML holder-of-key trusted issuers. | No |
saml-sv-trusted-dns | Groups information about SAML sender vouches trusted issuers. | No |
saml-trusted-dns | Groups the trusted issuers and DN lists. | Yes |
Response Body
Media types for the response body: application/json
The response body returns the status of the import operation, including:
Attribute | Description |
---|---|
 | If |
 | If |
STATUS | Status of operation. For example, |
cURL Example
The following example shows how to create trusted issuers and DN lists by submitting a POST request on the REST resource using cURL.
curl -i -X POST -u username:password --data @createtrust.json -H Content-Type:application/json http://myhost:7001/idaas/webservice/admin/v1/trust/issuers/mydocument
Example of Request Body
The following shows an example of the request body in JSON format.
{
  "saml-trusted-dns": {
    "saml-hok-trusted-dns": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "wls1" ] }
      ]
    },
    "saml-sv-trusted-dns": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "wls2" ] }
      ]
    },
    "jwt-trusted-issuers": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "CN=orakey, OU=Orakey,O=Oracle, C=US" ] }
      ]
    }
  }
}
Example of Response Header
The following shows an example of the response header.
HTTP/1.1 200 OK
Example of Response Body
The following shows an example of the response body in JSON format.
{ "STATUS": "Succeeded" }
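The domain-context (6.3) and document-context (6.4) requests take the same body. The following added example (not Oracle's code) builds that body from a short spec, checks each dn entry against RFC 2253 syntax, flags empty or duplicate lists, and prepares the Basic-auth POST that the cURL examples perform. The short keys saml-hok, saml-sv and jwt, the spec format and the host URL are this example's own assumptions.

```python
"""Build and sanity-check the trusted-issuer / DN-list request body for
POST /idaas/webservice/admin/v1/trust/issuers[/{documentName}].

Added example, not Oracle's code. The body shape (saml-trusted-dns,
saml-hok-trusted-dns, saml-sv-trusted-dns, jwt-trusted-issuers, issuer,
-name, dn) follows the request examples in this chapter. The RFC 2253
check is syntax only: it cannot tell whether a DN belongs to a
certificate you actually intend to trust.
"""
import base64
import json
import urllib.request

# Short token-type keys used by this script (an assumption of the example)
# mapped to the attribute names the REST API expects.
SECTION_KEYS = {
    "saml-hok": "saml-hok-trusted-dns",
    "saml-sv": "saml-sv-trusted-dns",
    "jwt": "jwt-trusted-issuers",
}


def build_trusted_issuers(spec):
    """spec: {"saml-hok": {"www.oracle.com": ["wls1"]}, "jwt": {...}, ...}
    Returns the JSON-ready dict for the trust/issuers POST."""
    sections = {}
    for short, issuers in spec.items():
        key = SECTION_KEYS[short]  # KeyError on an unknown token type
        sections[key] = {
            "issuer": [{"-name": name, "dn": list(dns)} for name, dns in issuers.items()]
        }
    return {"saml-trusted-dns": sections}


def parse_rfc2253_dn(dn):
    """Split an RFC 2253 string DN into (type, value) pairs.

    Handles backslash escapes (e.g. "O=Acme\\, Inc") and '+' multi-valued
    RDNs; whitespace around separators is trimmed, as in the chapter's own
    "CN=orakey, OU=Orakey,O=Oracle, C=US". Raises ValueError when a part
    is not an attribute=value pair."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]  # keep the escaped character literally
            i += 2
            continue
        if ch in ",+":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError("not an RFC 2253 RDN: %r" % part)
        t, v = (s.strip() for s in part.split("=", 1))
        if not t or not v:
            raise ValueError("empty attribute type or value in %r" % part)
        pairs.append((t, v))
    return pairs


def check_request_body(body):
    """Return human-readable findings for a built request body (empty if clean)."""
    findings = []
    for section, content in body.get("saml-trusted-dns", {}).items():
        for issuer in content.get("issuer", []):
            name, dns = issuer.get("-name", ""), issuer.get("dn", [])
            if not name:
                findings.append("%s: issuer without -name" % section)
            if not dns:
                findings.append("%s/%s: empty dn list (trusts nothing)" % (section, name))
            if len(set(dns)) != len(dns):
                findings.append("%s/%s: duplicate dn entries" % (section, name))
            for dn in dns:
                try:
                    parse_rfc2253_dn(dn)
                except ValueError as exc:
                    findings.append("%s/%s: %s" % (section, name, exc))
    return findings


def prepare_post(body, url, username, password):
    """Build (but do not send) the urllib equivalent of the chapter's cURL
    call; pass the result to urllib.request.urlopen() to send it."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
    )


if __name__ == "__main__":
    spec = {"saml-hok": {"www.oracle.com": ["wls1"]},
            "jwt": {"www.oracle.com": ["CN=orakey, OU=Orakey,O=Oracle, C=US"]}}
    body = build_trusted_issuers(spec)
    print(json.dumps(body, indent=2))
    for finding in check_request_body(body):
        print("WARNING:", finding)  # "wls1" is an alias, not a DN, so it is reported
```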
6.5 GET All Trusted Issuer and Distinguished Name Lists Method
Use the GET method to view a trusted issuer and its distinguished name (DN) lists for all domain documents.
REST Request
GET /idaas/webservice/admin/v1/trust/issuers
Response Body
Media types for the request or response body: application/json
The response body contains information about the trusted issuer and DN lists, including:
Attribute | Description |
---|---|
dn | List of DN values to be added to the trusted issuer. |
issuer | Groups information about a trusted issuer. |
-name | Name of the trusted issuer. |
jwt-trusted-issuers | Groups information about JSON Web Token (JWT) trusted issuers. |
saml-hok-trusted-dns | Groups information about SAML holder-of-key trusted issuers. |
saml-sv-trusted-dns | Groups information about SAML sender vouches trusted issuers. |
saml-trusted-dns | Groups the DN lists. |
cURL Example
The following example shows how to view a trusted issuer and its DN lists by submitting a GET request on the REST resource using cURL.
curl -i -X GET -u username:password http://myhost:7001/idaas/platform/admin/v1/trust/issuers
Example of Response Header
The following shows an example of the response header.
HTTP/1.1 200 OK
Example of Response Body
The following shows an example of the response body in JSON format.
{
  "saml-trusted-dns": {
    "saml-hok-trusted-dns": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "wls1" ] }
      ]
    },
    "saml-sv-trusted-dns": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "wls2" ] }
      ]
    },
    "jwt-trusted-issuers": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "CN=orakey, OU=Orakey,O=Oracle, C=US" ] }
      ]
    }
  }
}
6.6 GET Specified Document Trusted Issuer and Distinguished Name Lists Method
Use the GET method to view a trusted issuer and its distinguished name (DN) lists based on the document name provided.
REST Request
GET /idaas/webservice/admin/v1/trust/issuers/{documentName}
Parameters
The following table summarizes the GET request parameters.
Name | Description | Type |
---|---|---|
documentName | Name of document for which you want to view issuer and DN lists. | Path |
Response Body
Media types for the request or response body: application/json
The response body contains information about the trusted issuer and DN lists, including:
Attribute | Description |
---|---|
dn | List of DN values to be added to the trusted issuer. |
issuer | Groups information about a trusted issuer. |
-name | Name of the trusted issuer. |
jwt-trusted-issuers | Groups information about JSON Web Token (JWT) trusted issuers. |
saml-hok-trusted-dns | Groups information about SAML holder-of-key trusted issuers. |
saml-sv-trusted-dns | Groups information about SAML sender vouches trusted issuers. |
saml-trusted-dns | Groups the DN lists. |
cURL Example
The following example shows how to view a trusted issuer and its DN lists by submitting a GET request on the REST resource using cURL.
curl -i -X GET -u username:password http://myhost:7001/idaas/platform/admin/v1/trust/issuers/mydocument
Example of Response Header
The following shows an example of the response header.
HTTP/1.1 200 OK
Example of Response Body
The following shows an example of the response body in JSON format.
{
  "saml-trusted-dns": {
    "saml-hok-trusted-dns": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "wls1" ] }
      ]
    },
    "saml-sv-trusted-dns": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "wls2" ] }
      ]
    },
    "jwt-trusted-issuers": {
      "issuer": [
        { "-name": "www.oracle.com", "dn": [ "CN=orakey, OU=Orakey,O=Oracle, C=US" ] }
      ]
    }
  }
}
6.7 POST Token Attribute Rule Distinguished Name Method (Domain Context)
Use the POST method to create a token attribute rule for a trusted distinguished name (DN) for a domain context (that is, it applies to the entire domain). This operation can be performed by the REST service or client. Only token attribute mapping is supported on the client side.
REST Request
POST /idaas/webservice/admin/v1/trust/token
Request Body
Media types for the request body: application/json
The request body contains the details of the add request:
Attribute | Description |
---|---|
attribute | Groups the constraints filter and mapping attributes for trusted users. Note: This attribute is not required on the client side. |
-dn | On the service side, set this value to a trusted DN for which you are configuring an attribute rule. Use a string that conforms to RFC 2253, as described at the following URL: On the client side, set this value to a URL of the domain hosting the targeted services using the following format: |
filter | Defines the constraint values for trusted users and attributes. Note: This attribute is not applicable on the client side. |
mapping | Defines the mapping attributes for trusted users. |
-name | Name of the attribute rule. Note: This attribute is not applicable on the client side. |
name-id | Defines the users that are accepted for the trusted DN. |
token-attribute-rule | Groups information about a single token attribute rule. |
token-attribute-rules | Groups information about all token attribute rules. |
user-attribute | Defines the user attribute that the trusted DN can assert. Note: This attribute is not applicable on the client side. |
user-mapping-attribute | Defines the user mapping attribute that the trusted DN can assert. |
value | Defines values for the constraint filter attribute. This value can be a full name or name pattern with a wildcard character (*), such as Note: This attribute is not applicable on the client side. |
Response Body
Media types for the response body: application/json
The response body returns the status of the import operation, including:
Attribute | Description |
---|---|
 | If |
 | If |
STATUS | Status of operation. For example, |
cURL Example
The following example shows how to create a token attribute rule for a trusted DN by submitting a POST request on the REST resource using cURL.
curl -i -X POST -u username:password --data @createrule.json http://myhost:7001/idaas/webservice/admin/v1/trust/token
Example of Request Body - Service Side
The following shows an example of the request body in JSON format for creating a token attribute rule for a trusted DN on the service side.
{
  "token-attribute-rules": {
    "token-attribute-rule": [
      {
        "-dn": "cn=orcladmin,o=oracle",
        "name-id": {
          "filter": { "value": [ "filter1" ] },
          "mapping": { "user-attribute": "val3", "user-mapping-attribute": "val4" }
        },
        "attributes": [
          {
            "-name": "tenant1",
            "attribute": {
              "filter": { "value": [ "filter1", "filter2" ] },
              "mapping": { "user-attribute": "val1", "user-mapping-attribute": "val2" }
            }
          }
        ]
      }
    ]
  }
}
Example of Request Body - Client Side
The following shows an example of the request body in JSON format for creating a token attribute rule on the client side.
{
  "token-attribute-rules": {
    "token-attribute-rule": [
      {
        "-dn": "https://example.com/",
        "name-id": { "mapping": { "user-mapping-attribute": "mail" } }
      },
      {
        "-dn": "https://example.com/mysvcInstance1-acme/",
        "name-id": { "mapping": { "user-mapping-attribute": "uid" } }
      }
    ]
  }
}
Example of Response Header
The following shows an example of the response header.
HTTP/1.1 200 OK
Example of Response Body
The following shows an example of the response body in JSON format.
{ "STATUS": "Succeeded" }
6.8 POST Token Attribute Rule Distinguished Name Method (Document Context)
Use the POST method to create a token attribute rule for a trusted distinguished name (DN) for a document context (that is, it applies to a specified document). This operation can be performed by the REST service or client. Only token attribute mapping is supported on the client side.
REST Request
POST /idaas/webservice/admin/v1/trust/token/{documentName}
Parameters
The following table summarizes the POST request parameters.
Name | Description | Type |
---|---|---|
documentName | Name of document for which you want to create a token attribute rule. | Path |
Request Body
Media types for the request body: application/json
The request body contains the details of the add request:
Attribute | Description |
---|---|
attribute | Groups the constraints filter and mapping attributes for trusted users. Note: This attribute is not required on the client side. |
-dn | On the service side, set this value to a trusted DN for which you are configuring an attribute rule. Use a string that conforms to RFC 2253, as described at the following URL: On the client side, set this value to a URL of the domain hosting the targeted services using the following format: |
filter | Defines the constraint values for trusted users and attributes. Note: This attribute is not applicable on the client side. |
mapping | Defines the mapping attributes for trusted users. |
-name | Name of the attribute rule. Note: This attribute is not applicable on the client side. |
name-id | Defines the users that are accepted for the trusted DN. |
token-attribute-rule | Groups information about a single token attribute rule. |
token-attribute-rules | Groups information about all token attribute rules. |
user-attribute | Defines the user attribute that the trusted DN can assert. Note: This attribute is not applicable on the client side. |
user-mapping-attribute | Defines the user mapping attribute that the trusted DN can assert. |
value | Defines values for the constraint filter attribute. This value can be a full name or name pattern with a wildcard character (*), such as Note: This attribute is not applicable on the client side. |
Response Body
Media types for the response body: application/json
The response body returns the status of the import operation, including:
Attribute | Description |
---|---|
 | If |
 | If |
STATUS | Status of operation. For example, |
cURL Example
The following example shows how to create a token attribute rule for a trusted DN by submitting a POST request on the REST resource using cURL.
curl -i -X POST -u username:password --data @createrule.json http://myhost:7001/idaas/webservice/admin/v1/trust/token/mydocument
Example of Request Body - Service Side
The following shows an example of the request body in JSON format for creating a token attribute rule for a trusted DN on the service side.
{
  "token-attribute-rules": {
    "token-attribute-rule": [
      {
        "-dn": "cn=orcladmin,o=oracle",
        "name-id": {
          "filter": { "value": [ "filter1" ] },
          "mapping": { "user-attribute": "val3", "user-mapping-attribute": "val4" }
        },
        "attributes": [
          {
            "-name": "tenant1",
            "attribute": {
              "filter": { "value": [ "filter1", "filter2" ] },
              "mapping": { "user-attribute": "val1", "user-mapping-attribute": "val2" }
            }
          }
        ]
      }
    ]
  }
}
Example of Request Body - Client Side
The following shows an example of the request body in JSON format for creating a token attribute rule on the client side.
{
  "token-attribute-rules": {
    "token-attribute-rule": [
      {
        "-dn": "https://example.com/",
        "name-id": { "mapping": { "user-mapping-attribute": "mail" } }
      },
      {
        "-dn": "https://example.com/mysvcInstance1-acme/",
        "name-id": { "mapping": { "user-mapping-attribute": "uid" } }
      }
    ]
  }
}
Example of Response Header
The following shows an example of the response header.
HTTP/1.1 200 OK
Example of Response Body
The following shows an example of the response body in JSON format.
{ "STATUS": "Succeeded" }
6.9 GET All Token Attribute Rules Method
Use the GET method to view all token attribute rules for a domain context (applies to entire domain). This operation can be performed by the REST service or client. Only token attribute mapping is supported on the client side.
REST Request
GET /idaas/webservice/admin/v1/trust/token
Response Body
Media types for the request or response body: application/json
The response body contains information about all token attribute rules, including:
Attribute | Description |
---|---|
attribute | Groups the constraints filter and mapping attributes for trusted users. Note: This attribute is not required on the client side. |
-dn | On the service side, trusted DN for which you are configuring an attribute rule. The string conforms to RFC 2253, as described at the following URL: On the client side, URL specified using the following format: |
filter | Defines the filter values for trusted users and attributes. You can enter a complete name or a name pattern with a wildcard character (*), such as |
mapping | Defines the mapping attributes for trusted users. Note: This attribute is not applicable on the client side. |
-name | Name of the attribute rule. Note: This attribute is not applicable on the client side. |
name-id | Defines the users that are accepted for the trusted DN. |
token-attribute-rule | Groups information about a single token attribute rule. |
token-attribute-rules | Groups information about all token attribute rules. |
user-attribute | Defines the user attribute that the trusted DN can assert. Note: This attribute is not applicable on the client side. |
user-mapping-attribute | Defines the user mapping attribute that the trusted DN can assert. |
value | Defines values for the constraint filter attribute. This value can be a full name or name pattern with a wildcard character (*), such as |
cURL Example
The following example shows how to view all token attribute rules by submitting a GET request on the REST resource using cURL.
curl -i -X GET -u username:password http://myhost:7001/idaas/platform/admin/v1/trust/token
Example of Response Header
The following shows an example of the response header.
HTTP/1.1 200 OK
Example of Response Body—Service Side
The following shows an example of the response body in JSON format for viewing a token attribute rule on the service side.
{
  "token-attribute-rules": {
    "token-attribute-rule": [
      {
        "-dn": "cn=orcladmin,o=oracle",
        "attributes": [
          {
            "-name": "tenant1",
            "attribute": {
              "filter": { "value": [ "filter1", "filter2" ] },
              "mapping": { "user-attribute": "val1", "user-mapping-attribute": "val2" }
            }
          }
        ],
        "name-id": {
          "filter": { "value": [ "filter1" ] },
          "mapping": { "user-attribute": "val3", "user-mapping-attribute": "val4" }
        }
      }
    ]
  }
}
Example of Response Body - Client Side
The following shows an example of the response body in JSON format for viewing a token attribute rule on the client side.
{
  "token-attribute-rules": {
    "token-attribute-rule": [
      {
        "-dn": "https://example.com/",
        "name-id": { "mapping": { "user-mapping-attribute": "mail" } }
      },
      {
        "-dn": "https://example.com/mysvcInstance1-acme/",
        "name-id": { "mapping": { "user-mapping-attribute": "uid" } }
      }
    ]
  }
}
6.10 GET Specified Document Token Attribute Rules Method
Use the GET method to view token attribute rules for a specified document. This operation can be performed by the REST service or client. Only token attribute mapping is supported on the client side.
REST Request
GET /idaas/webservice/admin/v1/trust/token/{documentName}
Parameters
The following table summarizes the GET request parameters.
Name | Description | Type |
---|---|---|
documentName | Name of document for which you want to view token attribute rules. | Path |
Response Body
Media types for the request or response body: application/json
The response body contains information about all token attribute rules for the document, including:
Attribute | Description |
---|---|
attribute | Groups the constraints filter and mapping attributes for trusted users. Note: This attribute is not required on the client side. |
-dn | On the service side, trusted DN for which you are configuring an attribute rule. The string conforms to RFC 2253, as described at the following URL: On the client side, URL specified using the following format: |
filter | Defines the filter values for trusted users and attributes. You can enter a complete name or a name pattern with a wildcard character (*), such as |
mapping | Defines the mapping attributes for trusted users. Note: This attribute is not applicable on the client side. |
-name | Name of the attribute rule. Note: This attribute is not applicable on the client side. |
name-id | Defines the users that are accepted for the trusted DN. |
token-attribute-rule | Groups information about a single token attribute rule. |
token-attribute-rules | Groups information about all token attribute rules. |
user-attribute | Defines the user attribute that the trusted DN can assert. Note: This attribute is not applicable on the client side. |
user-mapping-attribute | Defines the user mapping attribute that the trusted DN can assert. |
value | Defines values for the constraint filter attribute. This value can be a full name or name pattern with a wildcard character (*), such as |
cURL Example
The following example shows how to view all token attribute rules by submitting a GET request on the REST resource using cURL.
curl -i -X GET -u username:password http://myhost:7001/idaas/platform/admin/v1/trust/token/mydocument
Example of Response Header
The following shows an example of the response header.
HTTP/1.1 200 OK
Example of Response Body—Service Side
The following shows an example of the response body in JSON format for viewing a token attribute rule on the service side.
{
  "token-attribute-rules": {
    "token-attribute-rule": [
      {
        "-dn": "cn=orcladmin,o=oracle",
        "attributes": [
          {
            "-name": "tenant1",
            "attribute": {
              "filter": { "value": [ "filter1", "filter2" ] },
              "mapping": { "user-attribute": "val1", "user-mapping-attribute": "val2" }
            }
          }
        ],
        "name-id": {
          "filter": { "value": [ "filter1" ] },
          "mapping": { "user-attribute": "val3", "user-mapping-attribute": "val4" }
        }
      }
    ]
  }
}
Example of Response Body - Client Side
The following shows an example of the response body in JSON format for viewing a token attribute rule on the client side.
{
  "token-attribute-rules": {
    "token-attribute-rule": [
      {
        "-dn": "https://example.com/",
        "name-id": { "mapping": { "user-mapping-attribute": "mail" } }
      },
      {
        "-dn": "https://example.com/mysvcInstance1-acme/",
        "name-id": { "mapping": { "user-mapping-attribute": "uid" } }
      }
    ]
  }
}
6.11 Import TrustDocument Name Configurations Method
Use the POST method to import trusted issuer configurations, including issuer names, distinguished name (DN) lists, and token attribute rules.
REST Request
POST /idaas/webservice/admin/v1/trustdocument/import
Request Body
Media types for the request body: application/xml and application/json
The request body contains the details of the import request. You must create a trusted issuers document, as described in "POST TrustDocument Name Method", and pass it using the oratrust:name element.
Request body in xml format:
<?xml version="1.0" encoding="UTF-8"?>
<ns0:TokenIssuerTrust xmlns:ns0="http://xmlns.oracle.com/wsm/security/trust" ns0:name="owsm" ns0:displayName="owsm">
  <ns0:Issuers>
    <ns0:Issuer ns0:name="www.oracle.com" ns0:tokentype="saml.sv" ns0:enabled="true">
      <ns0:TrustedKeys>
        <ns0:KeyIdentifier ns0:keytype="x509certificate" ns0:valuetype="dn" ns0:enabled="true">alice2</ns0:KeyIdentifier>
      </ns0:TrustedKeys>
    </ns0:Issuer>
    <ns0:Issuer ns0:name="www.example.com" ns0:tokentype="saml.hok" ns0:enabled="true">
      <ns0:TrustedKeys>
        <ns0:KeyIdentifier ns0:keytype="x509certificate" ns0:valuetype="dn" ns0:enabled="true">bob</ns0:KeyIdentifier>
      </ns0:TrustedKeys>
    </ns0:Issuer>
    <ns0:Issuer ns0:name="https://identity.oraclecloud.com/" ns0:tokentype="jwt" ns0:enabled="true">
      <ns0:TrustedKeys>
        <ns0:KeyIdentifier ns0:keytype="publickey" ns0:valuetype="kid" ns0:enabled="true">orakey_jwk</ns0:KeyIdentifier>
        <ns0:KeyIdentifier ns0:keytype="publickey" ns0:valuetype="kid" ns0:enabled="true">orakey</ns0:KeyIdentifier>
        <ns0:Keys ns0:type="jwk" ns0:trust="idcs.jwk.jwt"></ns0:Keys>
      </ns0:TrustedKeys>
      <ns0:TrustedRP>
        <ns0:RP ns0:type="literal">client</ns0:RP>
      </ns0:TrustedRP>
      <ns0:DiscoveryInfo>
        <ns0:DiscoveryURL>https://www.example.com/.well-known/openid-configuration</ns0:DiscoveryURL>
        <ns0:IdcsClientCsfKey>idcs-orakey</ns0:IdcsClientCsfKey>
      </ns0:DiscoveryInfo>
    </ns0:Issuer>
    <ns0:Issuer ns0:name="https://accounts.example.com" ns0:tokentype="jwt" ns0:enabled="true">
      <ns0:TrustedKeys>
        <ns0:KeyIdentifier ns0:keytype="publickey" ns0:valuetype="kid" ns0:enabled="true">3b0fc11962ad16e49d55a26816c5ad0d3f6b8a83</ns0:KeyIdentifier>
        <ns0:KeyIdentifier ns0:keytype="publickey" ns0:valuetype="kid" ns0:enabled="true">19e8b40cf03c4cf1ec545f01ec8c51a6f46ab455</ns0:KeyIdentifier>
        <ns0:mdURL>https://www.exampleapis.com/oauth2/v3/certs</ns0:mdURL>
        <ns0:Keys ns0:type="jwk" ns0:trust="jwk.jwt" ns0:refreshInterval="2000"></ns0:Keys>
      </ns0:TrustedKeys>
      <ns0:TrustedRP>
        <ns0:RP ns0:type="literal">client</ns0:RP>
      </ns0:TrustedRP>
    </ns0:Issuer>
  </ns0:Issuers>
  <ns0:TokenAttributeRules>
    <ns0:TokenAttributeRule ns0:issuer="https://accounts.example.com">
      <ns0:NameId ns0:name="name-id">
        <ns0:Filter>
          <ns0:value>filter1</ns0:value>
          <ns0:value>filter2</ns0:value>
        </ns0:Filter>
        <ns0:Mapping>
          <ns0:user-attribute>val3</ns0:user-attribute>
          <ns0:user-mapping-attribute>val4</ns0:user-mapping-attribute>
        </ns0:Mapping>
      </ns0:NameId>
      <ns0:Proxy>
        <ns0:ProxyHost>www-proxy.us.oracle.com</ns0:ProxyHost>
        <ns0:ProxyPort>80</ns0:ProxyPort>
      </ns0:Proxy>
    </ns0:TokenAttributeRule>
    <ns0:TokenAttributeRule ns0:identifier="cn=user,o=oracle" ns0:issuer="https://identity.oraclecloud.com/">
      <ns0:NameId ns0:name="name-id">
        <ns0:Filter>
          <ns0:value>filter1</ns0:value>
          <ns0:value>filter2</ns0:value>
        </ns0:Filter>
        <ns0:Mapping>
          <ns0:user-attribute>val3</ns0:user-attribute>
          <ns0:user-mapping-attribute>val4</ns0:user-mapping-attribute>
        </ns0:Mapping>
      </ns0:NameId>
      <ns0:Attributes>
        <ns0:Attribute ns0:name="user.tenant.name">
          <ns0:Filter>
            <ns0:value>filter1</ns0:value>
            <ns0:value>filter2</ns0:value>
          </ns0:Filter>
          <ns0:Mapping>
            <ns0:user-attribute>val1</ns0:user-attribute>
            <ns0:user-mapping-attribute>val2</ns0:user-mapping-attribute>
          </ns0:Mapping>
        </ns0:Attribute>
      </ns0:Attributes>
      <ns0:VirtualUser ns0:enabled="true">
        <ns0:DefaultRoles>
          <ns0:Role>defRole1</ns0:Role>
          <ns0:Role>defRole2</ns0:Role>
        </ns0:DefaultRoles>
        <ns0:TokenRoleAttributes>
          <ns0:AttributeName>displayname</ns0:AttributeName>
        </ns0:TokenRoleAttributes>
        <ns0:TokenRoleMapping>
          <ns0:RoleMapping>
            <ns0:TokenRole>TestUser</ns0:TokenRole>
            <ns0:MappingRole>manager</ns0:MappingRole>
            <ns0:MappingRole>executer</ns0:MappingRole>
          </ns0:RoleMapping>
        </ns0:TokenRoleMapping>
      </ns0:VirtualUser>
    </ns0:TokenAttributeRule>
  </ns0:TokenAttributeRules>
</ns0:TokenIssuerTrust>
Request body in JSON format:
{
  "name": "test",
  "displayname": "test",
  "issuers": [
    {
      "issuer": "www.oracle.com",
      "enabled": "true",
      "tokentype": "saml.sv",
      "trustedkeys": {
        "keyidentifiers": [
          { "keytype": "x509certificate", "valuetype": "dn", "enabled": "true", "value": "alice2" }
        ]
      }
    },
    {
      "issuer": "www.example.com",
      "enabled": "true",
      "tokentype": "saml.hok",
      "trustedkeys": {
        "keyidentifiers": [
          { "keytype": "x509certificate", "valuetype": "dn", "enabled": "true", "value": "bob" }
        ]
      }
    },
    {
      "issuer": "https://identity.oraclecloud.com/",
      "enabled": "true",
      "tokentype": "jwt",
      "trustedkeys": {
        "trust": "idcs.jwk.jwt",
        "keyidentifiers": [
          { "keytype": "publickey", "valuetype": "kid", "enabled": "true", "value": "orakey_jwk" },
          { "keytype": "publickey", "valuetype": "kid", "enabled": "true", "value": "orakey" }
        ]
      },
      "relyingparty": [
        { "type": "literal", "value": "client" }
      ],
      "discovery": {
        "discovery_uri": "https://www.example.com/.well-known/openid-configuration",
        "idcs-client-csf-key": "idcs-orakey"
      }
    },
    {
      "issuer": "https://accounts.example.com",
      "enabled": "true",
      "tokentype": "jwt",
      "trustedkeys": {
        "jwk_uri": "https://www.exampleapis.com/oauth2/v3/certs",
        "trust": "jwk.jwt",
        "refreshinterval": "2000",
        "keyidentifiers": [
          { "keytype": "publickey", "valuetype": "kid", "enabled": "true", "value": "3b0fc11962ad16e49d55a26816c5ad0d3f6b8a83" },
          { "keytype": "publickey", "valuetype": "kid", "enabled": "true", "value": "19e8b40cf03c4cf1ec545f01ec8c51a6f46ab455" }
        ]
      },
      "relyingparty": [
        { "type": "literal", "value": "client" }
      ]
    }
  ],
  "token-attribute-rules": {
    "token-attribute-rule": [
      {
        "issuer": "https://accounts.example.com",
        "name-id": {
          "filter": { "value": [ "filter1", "filter2" ] },
          "mapping": { "user-mapping-attribute": "val4", "user-attribute": "val3" }
        },
        "proxy": { "host": "www-proxy.us.oracle.com", "port": "80" }
      },
      {
        "-dn": "cn=user,o=oracle",
        "issuer": "https://identity.oraclecloud.com/",
        "name-id": {
          "filter": { "value": [ "filter1", "filter2" ] },
          "mapping": { "user-mapping-attribute": "val4", "user-attribute": "val3" }
        },
        "attributes": [
          {
            "-name": "user.tenant.name",
            "attribute": {
              "filter": { "value": [ "filter1", "filter2" ] },
              "mapping": { "user-mapping-attribute": "val2", "user-attribute": "val1" }
            }
          }
        ],
        "virtual-user": {
          "enabled": "true",
          "default-roles": { "role": [ "defRole1", "defRole2" ] },
          "token-role-attributes": { "attribute-name": [ "displayname" ] },
          "token-role-mapping": {
            "role-mapping": [
              { "token-role": "TestUser", "mapping-role": [ "manager", "executer" ] }
            ]
          }
        }
      }
    ]
  }
}
Response Body
Media types for the response body: application/json
The response body returns the status of the import operation, including:
Element | Description |
---|---|
 | If |
 | If |
Result | Details of the operation results. |
STATUS | Status of operation. For example, Succeeded. |
cURL Example
The following example shows how to import a trusted issuer document by submitting a POST request on the REST resource using cURL.
curl -i -X POST -u username:password --data @import.xml -H Content-Type:application/xml -H Accept:application/json http://myhost:7001/idaas/platform/admin/v1/trustdocument/import
6.12 Export TrustDocument Name Configurations Method
Use the GET method to export trusted issuer configurations, including issuer names, distinguished name (DN) lists, and token attribute rules.
REST Request
GET /idaas/webservice/admin/v1/trustdocument/export
Request Body
Media types for the request body: application/xml and application/json
The request body contains the details of the export request. You must create a trusted issuers document, as described in "POST TrustDocument Name Method", and pass it using the oratrust:name element.
Request body in JSON format:
{ "name": "owsm", "displayname": "owsm", "issuers": [ { "issuer": "https://identity.oraclecloud.com/", "enabled": "true", "tokentype": "jwt", "trustedkeys": { "trust": "idcs.jwk.jwt" , "refreshinterval" : "2000" }, "discovery": { "base_uri":"https://identity.c9dev0.oc9qadev.com/", "idcs-client-csf-key": "idcs-orakey", "idcs-client-tenant":"owsm" } }, { "issuer": "https://identity.oraclecloud.com/", "tenant": "owsm", "enabled": "true", "tokentype": "jwt", "trustedkeys": { "trust": "idcs.jwk.jwt", "refreshinterval" : "2000", "keyidentifiers": [ { "keytype": "publickey", "valuetype": "kid", "enabled": "true", "value": "SIGNING_KEY" } ] }, "discovery": { "discovery_uri":"https://owsm.identity.c9dev0.oc9qadev.com/.well-known/openid-configuration", "idcs-client-csf-key": "idcs-orakey", "idcs-client-tenant":"owsm"} } ] , "token-attribute-rules": { "token-attribute-rule": [ { "issuer": "https://identity.oraclecloud.com/", "tenant": "owsm", "name-id": { "filter": { "value": [ "filter1", "filter2" ] }, "mapping": { "user-mapping-attribute": "val4", "user-attribute": "val3" } } } ] } }
Note:
- The base_uri is defined as https://identity.c9dev0.oc9qadev.com/
- The idcs-client-csf-key is the CSF key of the client that has the cross-tenant role.
- The idcs-client-tenant is the tenant of that client.
Response Body
Media types for the response body: application/xml and application/json
The response body returns the status of the export operation, including:
Element | Description |
---|---|
 | If |
 | If |
Result | Details of the operation results. |
STATUS | Status of operation. For example, Succeeded. |
6.13 Import Global Discovery Configuration
Use the POST method to configure discovery settings globally instead of configuring them for each tenant. At runtime, these global settings are used to fetch the JWK keys for tenants.
REST Request
POST /idaas/webservice/admin/v1/trustdocument/import
Request Body
Media types for the request body: application/xml and application/json
The request body contains the details of the import request. You must create a trusted issuers document, as described in "POST TrustDocument Name Method", and pass it using the oratrust:name element.
Request body in JSON format:
{ "name": "owsm", "displayname": "owsm", "issuers": [ { "issuer": "https://identity.oraclecloud.com/", "enabled": "true", "tokentype": "jwt", "trustedkeys": { "trust": "idcs.jwk.jwt", "refreshinterval" : "2000" }, "discovery": { "base_uri": "https://identity.c9dev0.oc9qadev.com/", "idcs-client-csf-key": "idcs-orakey", "idcs-client-tenant":"owsm" } } ] }
Note:
- The base_uri is defined as https://identity.c9dev0.oc9qadev.com/
- The idcs-client-csf-key is the CSF key of the client that has the cross-tenant role.
- The idcs-client-tenant is the tenant of that client.
Response Body
Media types for the response body: application/xml and application/json
The response body returns the status of the import operation, including:
Element | Description |
---|---|
 | If |
 | If |
Result | Details of the operation results. |
STATUS | Status of operation. For example, Succeeded. |
6.14 GET TrustDocument Method
Use the GET method to view configuration details for the trusted issuer document.
REST Request
GET /idaas/webservice/admin/v1/trustdocument
Parameters
The following table summarizes the GET request parameters.
Name | Description | Type |
---|---|---|
documentName | Name of the document. | Query |
Response Body
Media types for the request or response body: application/json
The response body returns the status of the view operation, including:
Attribute | Description |
---|---|
 | If |
 | If |
Result | Details of the operation results. |
STATUS | Status of operation. For example, Succeeded. |
cURL Example
The following example shows how to view a trusted issuer document by submitting a GET request on the REST resource using cURL.
curl -i -X GET -u username:password http://myhost:7001/idaas/platform/admin/v1/trustdocument?"documentName=myTrustDocument"
Example of Response Header
The following shows an example of the response header.
HTTP/1.1 200 OK
Example of Response Body
The following shows an example of the response body in JSON format.
{ "STATUS":"Succeeded", "Result":"List of token issuer trust documents in the Repository:\nDetails of the document matching your request:\nName : myTrustDocument\tDisplay Name : myTrustDocument\tStatus : DOCUMENT_STATUS_COMMITED \nList of trusted issuers for this type:\tNone\nList of Token Attribute Rules\tNone" }
6.15 DELETE Trust Document Method
Use the Delete method to delete a trusted issuer document.
REST Request
DELETE /idaas/webservice/admin/v1/trustdocument
Parameters
The following table summarizes the DELETE request parameters.
Name | Description | Type |
---|---|---|
displayName | Display name for the document. | Query |
documentName | Name of the trusted issuer document. | Query |
Response Body
Media types for the request or response body: application/json
The response body returns the status of the delete operation, including:
Attribute | Description |
---|---|
 | If |
 | If |
Result | Details of the operation results. |
STATUS | Status of operation. For example, Succeeded. |
cURL Example
The following example shows how to delete a SAML issuer trust document by submitting a DELETE request on the REST resource using cURL.
curl -i -X DELETE -u username:password http://myhost:7001/idaas/webservice/admin/v1/trustdocument?"documentName=myTrustDocument&displayName=myTrustDocument"
Example of Response Header
The following shows an example of the response header. For more about the HTTP status codes, see "HTTP Status Codes for HTTP Methods".
HTTP/1.1 200 OK
Example of Response Body
The following shows an example of the response body in JSON format.
{ "STATUS": "Succeeded", "Result": "Token Issuer Trust document named \"myTrustDocument\" deleted from the repository." }
6.16 Import Federation Metadata Document Method
Use the POST method to import the signing certificate (federation metadata document) and configure the WS-Trust for the Relying Party (RP-STS) in OWSM.
REST Request
POST /idaas/webservice/admin/v1/federation/import
Request Body
Method: POST
Content Type: multipart/form-data
Parameters
The following table summarizes the POST request parameters.
Name | Description | Required? |
---|---|---|
name-id-attribute | The name of the attribute to assert in case the name ID maps to a non-standard attribute. | Optional |
user-attribute | The name of the local user attribute that the value of the corresponding token attribute maps to. | Optional |
user-mapping-attribute | The name of the local user attribute to be mapped. | Optional |
filter | List of filter values to be set for the attribute. Each value can be an exact value. | Optional |
metadata-file | Location of the federation metadata file. This can be a web URL or a file system path. Example: | Required |
Response Body
Content Type: application/json
The response body returns the status of the import operation:
Attribute | Description |
---|---|
 | If |
Result | Details of the operation results. |
STATUS | Status of operation. For example, Succeeded. |
6.17 Export Federation Metadata Document Method
Use the POST method to generate the signed or unsigned federation document for the Identity Provider STS (IP-STS) or Service Provider (SP).
REST Request
POST /idaas/webservice/admin/v1/federation/export
Request Body
Method: POST
Content Type: application/json
Parameters
The following table summarizes the export request parameters.
Name | Description | Required? |
---|---|---|
 | Type of metadata document to create. For example, IDP (Identity Provider) or SP (Service Provider). | Required |
 | Name of the issuer. For IDP, you must specify the host name. For SP, you must specify the service URL, for example: https://localhost:7001/JaxWsWssStsIssuedBearerTokenWithADFSWssUNOverSsl/JaxWsWssStsIssuedBearerTokenWithADFSWssUNOverSslService | Required |
 | Specify whether to sign the metadata document. | Optional |
sign-keys | List of aliases or CSF keys (in case of KSS). The certificate is exported and used in the metadata document. It is required when creating IDP metadata. If this parameter is not provided, the sign key is not included. If the value is empty ("sign-keys": [ ]), the domain-configured sign key is used. | Optional |
encryption-keys | List of aliases or CSF keys (in case of KSS). The certificate is exported and used in the metadata document. It is required when creating SP metadata. If this parameter is not provided, the encryption key is not included. If the value is empty ("encryption-keys": [ ]), the domain-configured encryption key is used. | Optional |
Response Body
Content Type: application/xml
6.18 Revoke Federation Metadata Document Method
Use the POST method to revoke a federation metadata document: it removes the signing certificates from OWSM and the WS-Trust configuration that was imported from the document.
REST Request
POST /idaas/webservice/admin/v1/federation/revoke
Request Body
Method: POST
Content Type: multipart/form-data
Parameters
The following table summarizes the revoke request parameters.
Name | Description | Required? |
---|---|---|
metadata-file | Location of the federation metadata file. This can be a web URL or a file system path. Example: | Required |
Response Body
Content Type: application/json
The response body returns the status of the revoke operation, including:
Attribute | Description |
---|---|
 | It provides the contents of the error message, if |
Result | Details of the operation results. |
STATUS | Status of operation. For example, Succeeded. |
6.19 POST Virtual User for a DN
Use the POST method to create virtual users for a DN.
REST Request
POST /idaas/webservice/admin/v1/trust/token
Request Body
Media types for the request body: application/json
The request body contains the details of the add request:
Attribute | Description | Required |
---|---|---|
virtual-user | List of virtual user properties. | Yes |
token-role-attributes | List of token role attributes applicable for a virtual user. | No |
token-role-mapping | Mapping values for token-role-attributes. | No |
issuer | Name of the issuer. | No |
Example of Request Body
The following shows an example of the request body in JSON format.
{ "token-attribute-rules": { "token-attribute-rule": [ { "issuer": "https://accounts.example.com", "name-id": { "filter": { "value": [ "filter1", "filter2" ] }, "mapping": { "user-mapping-attribute": "val4", "user-attribute": "val3" } }, "proxy" : { "host": "www-proxy.us.oracle.com", "port" : "80" } }, { "-dn": "cn=user,o=oracle", "issuer": "https://identity.oraclecloud.com/", "name-id": { "filter": { "value": [ "filter1", "filter2" ] }, "mapping": { "user-mapping-attribute": "val4", "user-attribute": "val3" } }, "attributes": [ { "-name": "user.tenant.name", "attribute": { "filter": { "value": [ "filter1", "filter2" ] }, "mapping": { "user-mapping-attribute": "val2", "user-attribute": "val1" } } } ], "virtual-user": { "enabled": "true", "default-roles": { "role": [ "defRole1", "defRole2" ] }, "token-role-attributes": { "attribute-name": [ "displayname" ] }, "token-role-mapping": { "role-mapping": [ { "token-role": "TestUser", "mapping-role": [ "manager", "executer" ] } ] } } } ] } }
Response Body
Media types for the response body: application/json
The response body returns the status of the add operation, including:
Attribute | Description |
---|---|
 | If |
 | If |
STATUS | Status of operation. For example, Succeeded. |
Example of Response Header
The following shows an example of the response header.
HTTP/1.1 200 OK
Example of Response Body
The following shows an example of the response body in JSON format.
{ "STATUS": "Succeeded" }
6.20 Get Virtual User for a DN
Use the GET method to view the virtual users for a DN configured in a token issuer trust document.
REST Request
GET /idaas/webservice/admin/v1/trust/token
Request Body
Media types for the request body: application/json
The request body contains the details of the view request:
Attribute | Description | Required |
---|---|---|
virtual-user | List of virtual user properties. | Yes |
token-role-attributes | List of token role attributes applicable for a virtual user. | No |
token-role-mapping | Mapping values for token-role-attributes. | No |
issuer | Name of the issuer. | No |
Response Body
Media types for the response body: application/json
The response body returns the information for the specified virtual user.
Example of Response Body
The following shows an example of the response body in JSON format.
{ "token-attribute-rules": { "token-attribute-rule": [ { "issuer": "https://accounts.example.com", "name-id": { "filter": { "value": [ "filter1", "filter2" ] }, "mapping": { "user-mapping-attribute": "val4", "user-attribute": "val3" } }, "proxy" : { "host": "www-proxy.us.oracle.com", "port" : "80" } }, { "-dn": "cn=user,o=oracle", "issuer": "https://identity.oraclecloud.com/", "name-id": { "filter": { "value": [ "filter1", "filter2" ] }, "mapping": { "user-mapping-attribute": "val4", "user-attribute": "val3" } }, "attributes": [ { "-name": "user.tenant.name", "attribute": { "filter": { "value": [ "filter1", "filter2" ] }, "mapping": { "user-mapping-attribute": "val2", "user-attribute": "val1" } } } ], "virtual-user": { "enabled": "true", "default-roles": { "role": [ "defRole1", "defRole2" ] }, "token-role-attributes": { "attribute-name": [ "displayname" ] }, "token-role-mapping": { "role-mapping": [ { "token-role": "TestUser", "mapping-role": [ "manager", "executer" ] } ] } } } ] } }
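The virtual-user block in the 6.19 and 6.20 bodies is the part of a token attribute rule that decides which local roles a caller gets without a matching local account. The following is an added example, not code from the Oracle documentation, that resolves those roles for a set of token claims. The semantics it implements (a rule carrying "-dn" applies only to that DN, default-roles are always granted when the virtual user is enabled, the claims named in token-role-attributes carry token roles, and token-role-mapping translates each token role into local roles with unmapped token roles granting nothing) are an assumption read off the structure shown above; the RULES list is constructed in the shape of the 6.19 request body.

```python
"""Resolve the roles a virtual user receives under a token-attribute-rule.

Added example, not code from the Oracle documentation. The semantics are an
assumption read off the virtual-user structure shown in 6.19 and 6.20:
  - a rule applies to its "issuer"; a rule that also carries "-dn" applies
    only to that DN;
  - default-roles.role are granted whenever virtual-user.enabled is "true";
  - token-role-attributes.attribute-name names the token claims whose values
    are treated as token roles;
  - token-role-mapping.role-mapping translates each token role into local
    roles; a token role with no mapping grants nothing.
"""
from typing import Dict, List, Optional, Set

# Constructed rules with the same shape as the 6.19 request body.
RULES: List[Dict] = [
    {
        "issuer": "https://accounts.example.com",
        "name-id": {"filter": {"value": ["filter1", "filter2"]},
                    "mapping": {"user-mapping-attribute": "val4", "user-attribute": "val3"}},
    },
    {
        "-dn": "cn=user,o=oracle",
        "issuer": "https://identity.oraclecloud.com/",
        "virtual-user": {
            "enabled": "true",
            "default-roles": {"role": ["defRole1", "defRole2"]},
            "token-role-attributes": {"attribute-name": ["displayname"]},
            "token-role-mapping": {
                "role-mapping": [
                    {"token-role": "TestUser", "mapping-role": ["manager", "executer"]}
                ]
            },
        },
    },
]


def select_rule(rules: List[Dict], issuer: str, dn: Optional[str] = None) -> Optional[Dict]:
    """First rule for the issuer whose "-dn" (if any) matches the given DN."""
    for rule in rules:
        if rule.get("issuer") != issuer:
            continue
        if "-dn" in rule and rule["-dn"].lower() != (dn or "").lower():
            continue
        return rule
    return None


def _as_list(value) -> List[str]:
    """A claim may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def resolve_roles(rule: Optional[Dict], token_claims: Dict) -> Set[str]:
    """Local roles granted to the virtual user for these token claims."""
    if rule is None:
        return set()
    vu = rule.get("virtual-user", {})
    if str(vu.get("enabled", "false")).lower() != "true":
        return set()  # no virtual user for this rule: nothing is granted
    roles = set(vu.get("default-roles", {}).get("role", []))
    mapping: Dict[str, Set[str]] = {}
    for rm in vu.get("token-role-mapping", {}).get("role-mapping", []):
        mapping.setdefault(rm["token-role"], set()).update(rm.get("mapping-role", []))
    for attr in vu.get("token-role-attributes", {}).get("attribute-name", []):
        for token_role in _as_list(token_claims.get(attr)):
            roles |= mapping.get(token_role, set())  # unmapped token roles are dropped
    return roles


if __name__ == "__main__":
    rule = select_rule(RULES, "https://identity.oraclecloud.com/", "cn=user,o=oracle")
    print(sorted(resolve_roles(rule, {"displayname": "TestUser"})))
```

Running the block prints the roles for a token whose displayname claim is TestUser: the two default roles plus manager and executer. A token with an unmapped displayname still receives the default roles, which is why default-roles deserve the same review as the mapping itself.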
6.21 Create Tags for Trusted Issuer
Use the POST method to create tags for a trusted issuer.
REST Request POST Method
curl -i -X POST -u username:password --data @createtokentags.json -H Content-Type:application/json http://myhost:7001/idaas/webservice/admin/v1/trust/token
Media types for the request body: JSON
Example:
{ "token-attribute-rules": { "token-attribute-rule": [ { "issuer": "https://www.example.com", "one-token-trust": { "enabled": "true", "service-instance": [ { "app-name": "App1", "refreshinterval": "444", "tags": { "tag": [ { "key": "color", "value": "blue" }, { "key": "env", "value": "prod" } ] } }, { "app-name": "App2", "refreshinterval": "555" } ] } } ] } }
6.22 Enabling and Disabling Token Issuer Trust
Use the POST and PUT methods to enable and disable token issuer trust.
REST Request POST Method
curl -i -X POST -u username:password --data @createtrust.json -H Content-Type:application/json http://myhost:7001/idaas/webservice/admin/v1/trust/issuers
Media types for the request body: JSON
Example:
{ "saml-trusted-dns": { "saml-hok-trusted-dns": { "issuer": [ { "-name": "www.oracle.com", "dn": [ "CN=Alice" ], "disabled-dn": [ "CN=Bob" ] } ] }, "saml-sv-trusted-dns": { "issuer": [ { "-name": "www.oracle.com", "enabled": "true", "dn": [ ] } ] }, "jwt-trusted-issuers": { "issuer": [ { "-name": "www.oracle.com", "enabled": "false", "dn": [ "CN=orakey, OU=Orakey,O=Oracle, C=US", "CN=Alice" ] } ] } } }
REST Request PUT Method
curl -i -X PUT -u username:password --data @updatetrust.json -H Content-Type:application/json http://myhost:7001/idaas/webservice/admin/v1/trust/issuers
Media types for the request body: JSON
Example:
{ "saml-trusted-dns": { "saml-hok-trusted-dns": { "issuer": [ { "-name": "www.oracle.com", "disabled-dn": [ "CN=Alice" ] } ] }, "saml-sv-trusted-dns": { "issuer": [ { "-name": "www.oracle.com", "enabled": "false" } ] } } }
Response Body
Media types for the response body: application/json
{ "saml-trusted-dns": { "saml-hok-trusted-dns": { "issuer": [ { "-name": "www.oracle.com", "enabled": "true", "dn": [ ], "disabled-dn": [ "CN=Alice", "CN=Bob" ] } ] }, "saml-sv-trusted-dns": { "issuer": [ { "-name": "www.oracle.com", "enabled": "false", "dn": [ ], "disabled-dn": [ ] } ] }, "jwt-trusted-issuers": { "issuer": [ { "-name": "www.oracle.com", "enabled": true, "dn": [ "CN=orakey, OU=Orakey,O=Oracle, C=US", "CN=Alice" ], "disabled-dn": [ ] } ] } } }
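The response body above combines three switches that together decide whether a token validates: the per-issuer enabled flag, the dn list, and the disabled-dn list. The following is an added example, not code from the Oracle documentation, that reads a document in that shape and reports the DNs each issuer actually trusts after all three are applied. It assumes that a disabled issuer trusts nothing regardless of its DN lists, that a DN in disabled-dn is not trusted even if it also appears in dn, and that a missing enabled flag means enabled (the PUT example omits it); RESPONSE_DOC is constructed from the 6.22 response body.

```python
"""Report the effective trust state of a trust/issuers document.

Added example, not code from the Oracle documentation. It reads the JSON
shape shown in 6.22 (saml-hok-trusted-dns, saml-sv-trusted-dns,
jwt-trusted-issuers) with these assumed semantics:
  - an issuer with "enabled" false trusts nothing, whatever its DN lists say;
  - a DN listed in "disabled-dn" is not trusted even if it also appears in "dn";
  - a missing "enabled" means enabled (the PUT example above omits it).
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed document, following the 6.22 response body.
RESPONSE_DOC: Dict = json.loads("""
{ "saml-trusted-dns": {
    "saml-hok-trusted-dns": { "issuer": [ { "-name": "www.oracle.com", "enabled": "true",
        "dn": [ ], "disabled-dn": [ "CN=Alice", "CN=Bob" ] } ] },
    "saml-sv-trusted-dns": { "issuer": [ { "-name": "www.oracle.com", "enabled": "false",
        "dn": [ ], "disabled-dn": [ ] } ] },
    "jwt-trusted-issuers": { "issuer": [ { "-name": "www.oracle.com", "enabled": true,
        "dn": [ "CN=orakey, OU=Orakey,O=Oracle, C=US", "CN=Alice" ], "disabled-dn": [ ] } ] } } }
""")


def _is_enabled(issuer: Dict) -> bool:
    # The page shows both "true" (string) and true (boolean); accept either.
    flag = issuer.get("enabled", True)
    return flag is True or str(flag).lower() == "true"


def effective_trust(doc: Dict) -> Dict[Tuple[str, str], Set[str]]:
    """Map (token type section, issuer name) to the DNs actually trusted."""
    result: Dict[Tuple[str, str], Set[str]] = {}
    for section_name, section in doc.get("saml-trusted-dns", {}).items():
        for issuer in section.get("issuer", []):
            key = (section_name, issuer["-name"])
            if not _is_enabled(issuer):
                result[key] = set()
                continue
            disabled = set(issuer.get("disabled-dn", []))
            result[key] = {dn for dn in issuer.get("dn", []) if dn not in disabled}
    return result


def review(doc: Dict) -> List[str]:
    """Findings a reviewer would want before committing the document."""
    findings: List[str] = []
    trust = effective_trust(doc)
    for section_name, section in doc.get("saml-trusted-dns", {}).items():
        for issuer in section.get("issuer", []):
            where = f"{section_name}/{issuer['-name']}"
            if not _is_enabled(issuer):
                findings.append(f"{where}: issuer disabled, no token from it will validate")
                continue
            if not trust[(section_name, issuer["-name"])]:
                disabled = ", ".join(issuer.get("disabled-dn", [])) or "none"
                findings.append(f"{where}: enabled but trusts no DN (disabled DNs: {disabled})")
    return findings


if __name__ == "__main__":
    for line in review(RESPONSE_DOC):
        print(line)
```

For the document above, only the jwt-trusted-issuers entry ends up trusting any DN; the holder-of-key issuer is enabled but every DN it knows is disabled, and the sender-vouches issuer is switched off entirely. Both cases are reported, since an enabled issuer that trusts nothing usually means a PUT removed more than intended.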
6.23 Import TrustDocument Name Configurations Method
Use the POST method to import trusted issuer configurations, including issuer names, distinguished name (DN) lists, and token attribute rules.
REST Request
POST /idaas/webservice/admin/v1/trustdocument/import
Request Body
Media types for the request body: application/xml and application/json
The request body contains the details of the import request. You must create a trusted issuers document, as described in "POST TrustDocument Name Method", and pass it using the oratrust:name element.
Request body in xml format:
<?xml version="1.0" encoding="UTF-8"?> <ns0:TokenIssuerTrust xmlns:ns0="http://xmlns.oracle.com/wsm/security/trust" ns0:name="owsm" ns0:displayName="owsm"> <ns0:Issuers> <ns0:Issuer ns0:name="www.oracle.com" ns0:tokentype="saml.sv" ns0:enabled="true"> <ns0:TrustedKeys> <ns0:KeyIdentifier ns0:keytype="x509certificate" ns0:valuetype="dn" ns0:enabled="true">alice2</ns0:KeyIdentifier> </ns0:TrustedKeys> </ns0:Issuer> <ns0:Issuer ns0:name="www.example.com" ns0:tokentype="saml.hok" ns0:enabled="true"> <ns0:TrustedKeys> <ns0:KeyIdentifier ns0:keytype="x509certificate" ns0:valuetype="dn" ns0:enabled="true">bob</ns0:KeyIdentifier> </ns0:TrustedKeys> </ns0:Issuer> <ns0:Issuer ns0:name="https://identity.oraclecloud.com/" ns0:tokentype="jwt" ns0:enabled="true"> <ns0:TrustedKeys> <ns0:KeyIdentifier ns0:keytype="publickey" ns0:valuetype="kid" ns0:enabled="true">orakey_jwk</ns0:KeyIdentifier> <ns0:KeyIdentifier ns0:keytype="publickey" ns0:valuetype="kid" ns0:enabled="true">orakey</ns0:KeyIdentifier> <ns0:Keys ns0:type="jwk" ns0:trust="idcs.jwk.jwt"></ns0:Keys> </ns0:TrustedKeys> <ns0:TrustedRP> <ns0:RP ns0:type="literal">client</ns0:RP> </ns0:TrustedRP> <ns0:DiscoveryInfo> <ns0:DiscoveryURL>https://www.example.com/.well-known/openid-configuration</ns0:DiscoveryURL> <ns0:IdcsClientCsfKey>idcs-orakey</ns0:IdcsClientCsfKey> </ns0:DiscoveryInfo> </ns0:Issuer> <ns0:Issuer ns0:name="https://accounts.example.com" ns0:tokentype="jwt" ns0:enabled="true"> <ns0:TrustedKeys> <ns0:KeyIdentifier ns0:keytype="publickey" ns0:valuetype="kid" ns0:enabled="true">3b0fc11962ad16e49d55a26816c5ad0d3f6b8a83</ns0:KeyIdentifier> <ns0:KeyIdentifier ns0:keytype="publickey" ns0:valuetype="kid" ns0:enabled="true">19e8b40cf03c4cf1ec545f01ec8c51a6f46ab455</ns0:KeyIdentifier> <ns0:mdURL>https://www.exampleapis.com/oauth2/v3/certs</ns0:mdURL> <ns0:Keys ns0:type="jwk" ns0:trust="jwk.jwt" ns0:refreshInterval="2000"></ns0:Keys> </ns0:TrustedKeys> <ns0:TrustedRP> <ns0:RP ns0:type="literal">client</ns0:RP> 
</ns0:TrustedRP> </ns0:Issuer> </ns0:Issuers> <ns0:TokenAttributeRules> <ns0:TokenAttributeRule ns0:issuer="https://accounts.example.com"> <ns0:NameId ns0:name="name-id"> <ns0:Filter> <ns0:value>filter1</ns0:value> <ns0:value>filter2</ns0:value> </ns0:Filter> <ns0:Mapping> <ns0:user-attribute>val3</ns0:user-attribute> <ns0:user-mapping-attribute>val4</ns0:user-mapping-attribute> </ns0:Mapping> </ns0:NameId> <ns0:Proxy> <ns0:ProxyHost>www-proxy.us.oracle.com</ns0:ProxyHost> <ns0:ProxyPort>80</ns0:ProxyPort> </ns0:Proxy> </ns0:TokenAttributeRule> <ns0:TokenAttributeRule ns0:identifier="cn=user,o=oracle" ns0:issuer="https://identity.oraclecloud.com/"> <ns0:NameId ns0:name="name-id"> <ns0:Filter> <ns0:value>filter1</ns0:value> <ns0:value>filter2</ns0:value> </ns0:Filter> <ns0:Mapping> <ns0:user-attribute>val3</ns0:user-attribute> <ns0:user-mapping-attribute>val4</ns0:user-mapping-attribute> </ns0:Mapping> </ns0:NameId> <ns0:Attributes> <ns0:Attribute ns0:name="user.tenant.name"> <ns0:Filter> <ns0:value>filter1</ns0:value> <ns0:value>filter2</ns0:value> </ns0:Filter> <ns0:Mapping> <ns0:user-attribute>val1</ns0:user-attribute> <ns0:user-mapping-attribute>val2</ns0:user-mapping-attribute> </ns0:Mapping> </ns0:Attribute> </ns0:Attributes> <ns0:VirtualUser ns0:enabled="true"> <ns0:DefaultRoles> <ns0:Role>defRole1</ns0:Role> <ns0:Role>defRole2</ns0:Role> </ns0:DefaultRoles> <ns0:TokenRoleAttributes> <ns0:AttributeName>displayname</ns0:AttributeName> </ns0:TokenRoleAttributes> <ns0:TokenRoleMapping> <ns0:RoleMapping> <ns0:TokenRole>TestUser</ns0:TokenRole> <ns0:MappingRole>manager</ns0:MappingRole> <ns0:MappingRole>executer</ns0:MappingRole> </ns0:RoleMapping> </ns0:TokenRoleMapping> </ns0:VirtualUser> </ns0:TokenAttributeRule> </ns0:TokenAttributeRules> </ns0:TokenIssuerTrust>
Request body in JSON format:
{ "name": "test", "displayname": "test", "issuers": [ { "issuer": "www.oracle.com", "enabled": "true", "tokentype": "saml.sv", "trustedkeys": { "keyidentifiers": [ { "keytype": "x509certificate", "valuetype": "dn", "enabled": "true", "value": "alice2" } ] } }, { "issuer": "www.example.com", "enabled": "true", "tokentype": "saml.hok", "trustedkeys": { "keyidentifiers": [ { "keytype": "x509certificate", "valuetype": "dn", "enabled": "true", "value": "bob" } ] } }, { "issuer": "https://identity.oraclecloud.com/", "enabled": "true", "tokentype": "jwt", "trustedkeys": { "trust": "idcs.jwk.jwt", "keyidentifiers": [ { "keytype": "publickey", "valuetype": "kid", "enabled": "true", "value": "orakey_jwk" }, { "keytype": "publickey", "valuetype": "kid", "enabled": "true", "value": "orakey" } ] }, "relyingparty": [ { "type": "literal", "value": "client" } ], "discovery": { "discovery_uri": "https://www.example.com/.well-known/openid-configuration", "idcs-client-csf-key": "idcs-orakey" } }, { "issuer": "https://accounts.example.com", "enabled": "true", "tokentype": "jwt", "trustedkeys": { "jwk_uri": "https://www.exampleapis.com/oauth2/v3/certs", "trust": "jwk.jwt", "refreshinterval": "2000", "keyidentifiers": [ { "keytype": "publickey", "valuetype": "kid", "enabled": "true", "value": "3b0fc11962ad16e49d55a26816c5ad0d3f6b8a83" }, { "keytype": "publickey", "valuetype": "kid", "enabled": "true", "value": "19e8b40cf03c4cf1ec545f01ec8c51a6f46ab455" } ] }, "relyingparty": [ { "type": "literal", "value": "client" } ] } ], "token-attribute-rules": { "token-attribute-rule": [ { "issuer": "https://accounts.example.com", "name-id": { "filter": { "value": [ "filter1", "filter2" ] }, "mapping": { "user-mapping-attribute": "val4", "user-attribute": "val3" } }, "proxy" : { "host": "www-proxy.us.oracle.com", "port" : "80" } }, { "-dn": "cn=user,o=oracle", "issuer": "https://identity.oraclecloud.com/", "name-id": { "filter": { "value": [ "filter1", "filter2" ] }, "mapping": { 
"user-mapping-attribute": "val4", "user-attribute": "val3" } }, "attributes": [ { "-name": "user.tenant.name", "attribute": { "filter": { "value": [ "filter1", "filter2" ] }, "mapping": { "user-mapping-attribute": "val2", "user-attribute": "val1" } } } ], "virtual-user": { "enabled": "true", "default-roles": { "role": [ "defRole1", "defRole2" ] }, "token-role-attributes": { "attribute-name": [ "displayname" ] }, "token-role-mapping": { "role-mapping": [ { "token-role": "TestUser", "mapping-role": [ "manager", "executer" ] } ] } } } ] } }
Response Body
Media types for the response body: application/json
The response body returns the status of the import operation, including:
Element | Description |
---|---|
 | If |
 | If |
Result | Details of the operation results. |
STATUS | Status of operation. For example, Succeeded. |
cURL Example
The following example shows how to import a trusted issuer document by submitting a POST request on the REST resource using cURL.
curl -i -X POST -u username:password --data @import.xml -H Content-Type:application/xml -H Accept:application/json http://myhost:7001/idaas/platform/admin/v1/trustdocument/import
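The import accepts whatever document you hand it, so the checks that matter happen before the POST. The following is an added example, not code from the Oracle documentation, that lints the JSON import body shown in 6.11 and 6.23 (including the discovery block of 6.13) for entries that are inert or weaken trust: an enabled issuer that ends up trusting no key, a jwk_uri, discovery_uri or base_uri served over plain http, a refreshinterval that is not a positive integer, and a duplicated issuer/tokentype pair. The checks and thresholds are this example's choices, not documented import-time validation; DOC is constructed from the 6.23 body with one URL downgraded and one key identifier disabled so that findings appear.

```python
"""Pre-import checks for a trusted issuer document in the JSON import format.

Added example, not code from the Oracle documentation. It walks the "issuers"
list of the request body shown in 6.11/6.23 (and the discovery block of 6.13)
and flags entries that are inert or weaken trust. The checks and their
thresholds are this example's choices, not documented import-time validation:
  - an enabled issuer with no enabled keyidentifier, no jwk_uri and no
    discovery block trusts no key at all;
  - jwk_uri, discovery_uri and base_uri must use https, or the key set and
    discovery document can be replaced in transit;
  - refreshinterval must be a positive integer (milliseconds, per 6.24);
  - a repeated (issuer, tokentype) pair makes it unclear which entry wins.
"""
import json
from typing import Dict, List
from urllib.parse import urlparse

# Constructed document trimmed from the 6.23 JSON body, with one jwk_uri
# downgraded to http and one key identifier disabled to trigger findings.
DOC: Dict = json.loads("""
{ "name": "test", "displayname": "test", "issuers": [
  { "issuer": "www.oracle.com", "enabled": "true", "tokentype": "saml.sv",
    "trustedkeys": { "keyidentifiers": [ { "keytype": "x509certificate", "valuetype": "dn",
                                           "enabled": "true", "value": "alice2" } ] } },
  { "issuer": "https://accounts.example.com", "enabled": "true", "tokentype": "jwt",
    "trustedkeys": { "jwk_uri": "http://www.exampleapis.com/oauth2/v3/certs", "trust": "jwk.jwt",
                     "refreshinterval": "2000", "keyidentifiers": [ ] } },
  { "issuer": "www.example.com", "enabled": "true", "tokentype": "saml.hok",
    "trustedkeys": { "keyidentifiers": [ { "keytype": "x509certificate", "valuetype": "dn",
                                           "enabled": "false", "value": "bob" } ] } }
] }
""")


def _truthy(value) -> bool:
    return value is True or str(value).lower() == "true"


def _check_https(field: str, url: str, where: str, findings: List[str]) -> None:
    if urlparse(url).scheme != "https":
        findings.append(f"{where}: {field} {url!r} is not https")


def lint_trust_document(doc: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    seen = set()
    for entry in doc.get("issuers", []):
        pair = (entry.get("issuer"), entry.get("tokentype"))
        where = f"{pair[0]} ({pair[1]})"
        if pair in seen:
            findings.append(f"{where}: duplicate issuer/tokentype entry")
        seen.add(pair)
        if not _truthy(entry.get("enabled", "true")):
            continue  # disabled entries are inert by design
        keys = entry.get("trustedkeys", {})
        discovery = entry.get("discovery", {})
        active = [k for k in keys.get("keyidentifiers", []) if _truthy(k.get("enabled", "true"))]
        if not active and "jwk_uri" not in keys and not discovery:
            findings.append(f"{where}: enabled but trusts no key")
        if "jwk_uri" in keys:
            _check_https("jwk_uri", keys["jwk_uri"], where, findings)
        for field in ("discovery_uri", "base_uri"):
            if field in discovery:
                _check_https(field, discovery[field], where, findings)
        interval = keys.get("refreshinterval")
        if interval is not None and not (str(interval).isdigit() and int(interval) > 0):
            findings.append(f"{where}: refreshinterval {interval!r} is not a positive integer")
    return findings


if __name__ == "__main__":
    for line in lint_trust_document(DOC):
        print(line)
```

Run against DOC, the linter reports the http jwk_uri on accounts.example.com and the saml.hok issuer whose only key identifier is disabled; the saml.sv entry passes. Feeding the same function the real import.xml body (converted to JSON) before the cURL call above is the intended use.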
6.24 Import JWK Document Trust Configurations
Use the PUT method to import trust configurations from the JWK document of a trusted issuer.
REST Request
PUT /idaas/webservice/admin/v1/federation/jwk/import
Request Body
Media types for the request body: multipart/form-data
The request body contains the input parameters of the import request.
Input Parameter | Description | Data Type |
---|---|---|
issuer | Name of the JWK issuer, for example www.example.com. | String |
 | The type of trust. It can be | String |
name-id-attribute | The name of the attribute to assert in case name-id maps to a non-standard attribute. | String |
user-attribute | The name of the local user attribute that the value of the attribute corresponds to. | String |
user-mapping-attribute | The name of the local user attribute to map to. | String |
filter | Comma-separated list of filter values to be set for the attribute. Each value can be an exact value. | Comma-separated string |
metadata-file | Path of the JWK document. It can be a local file, a file path on the server, or a web URL. For example, /home/example.jwk or http://www.example.com/common/discovery/v2.0/keys | File/file path/web URL |
refreshInterval | Time interval in milliseconds after which the JWK keys are checked for updates. | String |
trust-document-name | Token issuer trust document in which to configure trust. If not provided, the domain-configured document is used. | String |
Response Body
The response body returns the status of the import operation. Media types for the response body: application/json
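Before importing a JWK document for an issuer, it is worth comparing its contents with the key identifiers the trust document pins for that issuer (the keyidentifiers of valuetype kid in 6.23). The following is an added example, not code from the Oracle documentation, that reports which pinned kids the document cannot serve and which document keys are not pinned. JWK_DOCUMENT is constructed for the example (its kids reuse the values from the 6.23 body, with key material omitted); treating a key with no use member as a signing key, and accepting only RSA and EC keys, are this example's assumptions.

```python
"""Cross-check a JWK document against the kids pinned for an issuer.

Added example, not code from the Oracle documentation. 6.24 imports a JWK
document for an issuer, while the trust document (6.23) may pin specific
"kid" values through keyidentifiers of valuetype "kid". Before importing,
this helper reports which pinned kids the document cannot serve and which
document keys are not pinned. The JWK set below is constructed for the
example; its kids reuse the values from the 6.23 body. Treating a key with
no "use" as a signing key, and accepting only RSA and EC keys, are this
example's assumptions.
"""
import json
from typing import Dict, List

JWK_DOCUMENT: Dict = json.loads("""
{ "keys": [
  { "kty": "RSA", "use": "sig", "kid": "3b0fc11962ad16e49d55a26816c5ad0d3f6b8a83",
    "alg": "RS256", "n": "MODULUS-OMITTED-IN-SAMPLE", "e": "AQAB" },
  { "kty": "RSA", "use": "enc", "kid": "19e8b40cf03c4cf1ec545f01ec8c51a6f46ab455",
    "alg": "RSA-OAEP", "n": "MODULUS-OMITTED-IN-SAMPLE", "e": "AQAB" },
  { "kty": "oct", "k": "SYMMETRIC-KEY-OMITTED-IN-SAMPLE" }
] }
""")

# kids pinned through keyidentifiers in the 6.23 request body
PINNED_KIDS: List[str] = [
    "3b0fc11962ad16e49d55a26816c5ad0d3f6b8a83",
    "19e8b40cf03c4cf1ec545f01ec8c51a6f46ab455",
]


def signing_kids(jwks: Dict) -> List[str]:
    """kids of keys usable for signature verification."""
    usable: List[str] = []
    for key in jwks.get("keys", []):
        if key.get("kty") not in ("RSA", "EC"):
            continue  # symmetric ("oct") keys must never be trusted for verification
        if "kid" not in key:
            continue  # cannot be matched by a keyidentifier of valuetype "kid"
        if key.get("use", "sig") != "sig":
            continue  # encryption keys do not verify tokens
        usable.append(key["kid"])
    return usable


def cross_check(jwks: Dict, pinned_kids: List[str]) -> Dict[str, object]:
    """Compare the document's signing keys with the pinned kids."""
    usable = signing_kids(jwks)
    return {
        "missing": [kid for kid in pinned_kids if kid not in usable],   # pinned, but not servable
        "unpinned": [kid for kid in usable if kid not in pinned_kids],  # present, but not pinned
        "ignored": len(jwks.get("keys", [])) - len(usable),             # keys skipped above
    }


if __name__ == "__main__":
    print(cross_check(JWK_DOCUMENT, PINNED_KIDS))
```

For the sample document the second pinned kid is reported as missing because the document publishes it as an encryption key, and the symmetric key is counted as ignored. A non-empty missing list means tokens signed with that kid will not verify after the import even though the trust document names it.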
6.25 Revoke JWK Trust Configurations
Use the PUT method to revoke the JWK configurations of a trusted issuer.
REST Request
PUT /idaas/webservice/admin/v1/federation/jwk/revoke
Request Body
Media types for the request body: multipart/form-data
The request body contains the input parameters of the request.
Input Parameter | Description | Data Type |
---|---|---|
issuer | Name of the JWK issuer, for example www.example.com. | String |
 | The type of trust. It can be | String |
trust-document-name | Token issuer trust document in which to revoke trust. If not provided, the domain-configured document is used. | String |
Response Body
The response body returns the status of the revoke operation. Media types for the response body: application/json
6.26 Import WSM Discovery Metadata Trust Configurations
Use the PUT method to import trust configurations from the WSM discovery metadata of a trusted issuer.
REST Request
PUT /idaas/webservice/admin/v1/federation/discoverymetadata/import
Request Body
Media types for the request body: multipart/form-data
The request body contains the input parameters of the import request.
Input Parameter | Description | Data Type |
---|---|---|
 | The type of trust. It can be or | String |
issuer | OpenID discovery metadata provider. | String |
idcs-client-csf-key | Optional. CSF key containing the IDCS-registered client ID and secret used to fetch the JWK document. | String |
jwk-access-token | Optional. Access token for the IDCS-registered client used to fetch the JWK document. | String |
name-id-attribute | Optional. The name of the attribute to assert in case name-id maps to a non-standard attribute. | String |
filter | Optional. Comma-separated list of filter values to be set for the attribute. Each value can be an exact value. | Comma-separated string |
user-attribute | Optional. The name of the local user attribute that the value of the attribute corresponds to. | String |
user-mapping-attribute | Optional. The name of the local user attribute to map to. | String |
metadata-file | Optional. Path of the JWK document. It can be a local file, a path on the server, or a web URL. | File/file path/web URL |
refreshInterval | Optional. The time interval after which keys are refreshed. | String |
trust-document-name | Optional. Name of the trust document. | String |
Response Body
The response body returns the status of the import operation. Media types for the response body: application/json
6.27 Revoke WSM Discovery Metadata Trust Configurations
Use the PUT method to revoke the WSM discovery metadata configurations of a trusted issuer.
REST Request
PUT /idaas/webservice/admin/v1/federation/discoverymetadata/revoke
Request Body
Media types for the request body: multipart/form-data
The request body contains the input parameters of the revoke request.
Input Parameter | Description | Data Type |
---|---|---|
issuer | OpenID discovery metadata provider. | String |
 | The type of trust. It can be | String |
metadata-file | Optional. Metadata file, used when issuer is not provided. This can be a system path or a file. | File/file path/web URL |
trust-document-name | Optional. Name of the trust document. | String |
Response Body
The response body returns the status of the revoke operation. Media types for the response body: application/json
See Also:
- Import TrustDocument Name Configurations Method in REST API for Managing Credentials and Keystores with Oracle Web Services Manager.