Responses from the REST API use the codes listed below. When method executions fail, a descriptive error message is displayed.
Table 1: HTTP response codes
|
200 |
Success. |
|
204 |
Success. No content returned. |
|
401 |
Unauthorized. To use the One Identity Manager REST API, you first have to authenticate it against the application server. |
|
404 |
Not found. The requested entity is not found. |
|
405 |
Method not allowed. The HTTP request method that was specified is not the correct method for the request. |
|
500 |
Internal server error. The error message is returned in the property error string of the response.
{
"responseStatus": {
"message": "Sample text"},
"errorString": "Sample text",
"exceptions": [{
"number": 810017,
"message": "Sample text"}
]
}
Due to security, the detailed error message will not be returned to the caller. More information can be retrieved from the application server log on the application server. |
One Identity Manager uses different authentication modules for logging into the REST API. Authentication modules identify the system users to be used and load the user interface and database resource editing permissions depending on their permission group memberships.
NOTE:
-
After initial schema installation, only the System user and Component Authenticator authentication modules and the role-based authentication modules are enabled in One Identity Manager.
-
Authentication modules are defined in the modules and are not available until One Identity Manager modules are installed.
-
To access the REST API from external applications you can use the OAuth 2.0/OpenID Connect and OAuth 2.0/OpenID Connect (rolebased) authentication modules. For more detailed information, see the One Identity Manager Authorization and Authentication Guide.
-
To access the REST API in the application server, users need the program function Enables access to the REST API in the application server (AppServer_API).
Related topics
The authentication string is formatted as follows:
Module=<name>;<property1>=<value1>;<property2>=<value2>,…
Example:
Module=DialogUser;User=<user name>;Password=<password>
The initial data is one part of the authentication string (parameter-value pair without module ID). Initial data from the authentication string is pre-allocated by default for each authentication instance. Some authentication modules are not requiring any parameter besides specifying the authentication module.
For more information about authentication modules, see the One Identity Manager Authorization and Authentication Guide.
The list of supported, respectively activated authentication modules can be retrieved using the URL <BaseURL>/appserver/authmodules.
Table 2: List authentication modules request
|
Get |
<BaseURL>/appserver/authmodules |
None |
Response schema:
{
"passwordBased": Boolean,
}
Example:
https://<Hostname>/AppServer/appserver/authmodules
Response:
[{
"id": "RoleBasedManualADS",
"caption": "Active Directory user account (manual input/role based)",
"passwordBased": false,
"isDefault": false
},
{
"id": "RoleBasedADSAccount",
"caption": "Active Directory user account (role based)",
"passwordBased": false,
"isDefault": false
},
{
"id": "DialogUser",
"caption": "System user",
"passwordBased": false,
"isDefault": true
},
{
"id": "RoleBasedPerson",
"caption": "Identity (role based)",
"passwordBased": false,
"isDefault": false
},
{
"id": "OAuthRoleBased",
"caption": "OAuth 2.0 (role based)",
"passwordBased": false,
"isDefault": false
},
{
"id": "OAuth",
"caption": "OAuth 2.0",
"passwordBased": false,
"isDefault": false
},
{
"id": "ADSAccount",
"caption": "Active Directory user account",
"passwordBased": false,
"isDefault": false
},
{
"id": "DynamicPerson",
"caption": "Identity (dynamic)",
"passwordBased": false,
"isDefault": false
}]
