Chat now with support
Chat mit Support

One Identity Safeguard for Privileged Sessions 8.0 LTS - REST API Reference Guide

Introduction Using the SPS REST API Basic settings User management and access control Managing SPS General connection settings HTTP connections Citrix ICA connections MSSQL connections RDP connections SSH connections Telnet connections VNC connections Search, retrieve, download, and index sessions Reporting Health and maintenance Advanced authentication and authorization Completing the Welcome Wizard using REST Enable and configure analytics using REST REST API examples

Using the SPS REST API

The following sections give you a general overview of how the SPS REST API works.

Authenticate to the SPS REST API

Prerequisites
  • The REST server must permit password authentication to the SPS web interface. If only certificate-based authentication is permitted, see Authenticate to the SPS REST API using X.509 certificate.

    To check the permitted authentication method, query the /api/authentication/login_methods endpoint.

    For more information, see Listing SPS login methods.

  • You can access the REST server on the same IP address and port that you use to access the SPS web interface. Note that management (administrator) access must be enabled on the interface. For details on configuring management access, see Configuring user and administrator login addresses in the Administration Guide.

  • For the user to have full access over the SPS REST API, they must have the REST server privilege. The user privileges on the web UI and REST API are synchronized. For example, if the user has the ICA Control / Connections privilege then they can access this page on the web UI and also the /api/configuration/ica/connections endpoint on the REST API.For details, see Modifying group privileges in the Administration Guide.

  • Note that the system time of SPS and the client must be synchronized. The authentication cookie is valid for twenty minutes, and both SPS and most REST clients validate this. As a result, if the system time of SPS and the client is significantly different from each other, the authentication seems to be successful, but you will not be able to actually access SPS. (If the session_id is missing from the cookies file, check the system clocks.)

  • Make sure that user credentials are encoded in UTF-8.

The authentication procedure:
  1. To authenticate on the SPS REST server, send a GET request over HTTPS using the basic HTTP authentication method, including your username and password to the /api/authentication resource.

  2. If the authentication is successful, the server returns the 200 status code, and a meta object in the response body. Also, the HTTP headers of the response include an HTTP cookie named session_id. This cookie is used to identify the client in every subsequent HTTP request.

  3. For every subsequent request, include the session_id header with the value of the received session ID. For example:

    session_id 087658d7e30cdc2552b015dd761b6f7ccb25bbd5

    NOTE: On Microsoft Windows platforms, to include the session ID, use the SessionVariable option in PowerShell. For example:

    $cred = Get-Credential 
    Invoke-WebRequest -skipcertificatecheck -Uri 
    "<SPS IP or hostname>/api/authentication?login_method=us"
    -Credential $cred -SessionVariable sessionid
    					
    Invoke-WebRequest -skipcertificatecheck -Uri "https://<example.com>/api/endpoints" -websession $sessionid

  4. The authenticated session times out after 20 minutes of inactivity.

    Note that the system time of SPS and the client must be synchronized. The authentication cookie is valid for twenty minutes, and both SPS and most REST clients validate this. As a result, if the system time of SPS and the client is significantly different from each other, the authentication seems to be successful, but you will not be able to actually access SPS. (If the session_id is missing from the cookies file, check the system clocks.)

URL
GET https://<IP-address-of-SPS>/api/authentication
Headers

Header name

Description

Required

Values

Authorization

Contains the username and password of the user

Required

The string Basic followed by the username:password encoded using the RFC2045-MIME. For example, Basic YWRtaW46YQ==

Sample request
Example: Authenticate to the SPS REST server using curl

The following command authenticates on SPS using the curl HTTP client. The --insecure option used in the example is used to bypass verifying the certificate of SPS. (Alternatively, you can use the --cacert option or the CURL_CA_BUNDLE environment variable to specify the Certificate Authority to verify the certificate of SPS. For more information, see the curl man page).

When using the REST API in production environments, make sure to download the CA certificate of SPS from Basic Settings > Management > SSL certificate > CA X.509 certificate. Validate the certificate of SPS using this CA certificate, or with the CA certificate you used to sign the Server X.509 certificate of SPS.

curl --basic --user <username>:<password> --cookie-jar cookies.txt --insecure https://<SPS-IP-address>/api/authentication

The cookie containing the session ID is also received (you can display it for example with the tail -l cookies command).

localhost  FALSE  /  FALSE  1395325830  session_id  600dc0ffeec0ffeec0ffeec0ffeec0ffeec0ffee

The following command retrieves the configuration of SPS, using the session ID received during the authentication.

curl --cookie cookies.txt --insecure https://<IP-address-of-SPS>/api/configuration
Response

The following is a sample response received if the authentication is successful.

For more information on the meta object, see Message format.

{
  "meta": {
     "href": "/api",
     "next": "/api",
     "transaction": "/api/transaction"
  }
}
Authenticate with SPS login methods

You can use different login methods (local, LDAP, RADIUS, or X.509) to authenticate to SPS. To determine which login methods are available to you on SPS, use the Listing SPS login methods endpoint to list them.

URL
https://<IP-address-of-SPS>/api/authentication?login_method=<name-of-the-login-method>&type=<password|x509>

Query parameters related to the /authentication endpoint:

  • ?type=<password|x509>

    Where each value indicates the means of authentication to SPS:

    • password - You have to send the username and password in a Basic Authorization header.

    • x509 - You have to identify yourself with a client certificate

  • ?login_method=<name-of-the-login-method>

    A unique identifier for the login method. For example, x509_with_ldap_groups_name.

Example: Authenticating with password

The following command authenticates the user to SPS with local login.

curl --user <username>:<password> https://<IP-address-of-SPS>/api/authentication?login_method=example_login_method&type=password
Example: Authenticating with a x509 certificate

The following command authenticates the user to SPS with a x509 certificate.

curl --key <private-key.pem> --cert <x509-certificate.pem> https://<IP-address-of-SPS>/api/authentication?login_method=example_login_method&type=x509
Response

In all four examples, the following sample response is received if the authentication is successful.

{
"meta": {
    "href": "/api/authentication",
    "next": "/api",
    "remaining_seconds": 600,
    "transaction": "/api/transaction"
}
 

The HTTP response code is 302 Moved Temporarily. An HTTP response with this status code provides a redirect URL in the header field Location.

For more information on the meta object, see Message format.

Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code

Description

Notes

200

OK

Successful authentication

400

InvalidAuthenticationRequest

Unable to authenticate: no valid credentials found.

401

AuthenticationFailure

Authenticating the user with the given credentials has failed.

405

MethodNotAllowed

You tried using an unsupported HTTP method. Use the GET method for authentication.

Authenticate to the SPS REST API using API keys

In addition to the cookie-based authentication methods (Authenticate to the SPS REST API or Authenticate to the SPS REST API using X.509 certificate), you can use API keys to authenticate to the SPS REST API. This appliance access method is most suitable for scripts, so that saving passwords to text files can be avoided.

API keys are associated with a user entry. When an HTTP request is made to the REST API, which has the Authorization: apikey <token_value> header, the request will run with the same privileges, as it had been made by the authenticated user using HTTP cookies. The user’s privileges are determined by the groups to which the user belongs at the time of the request.

API tokens are random base64-encoded data, and SPS only displays the cleartext value once, right after its creation. The tokens are kept in the configuration in a cryptographically secure way and are subject to system backup and cluster replication.

API keys replace the authentication step entirely, therefore the API key access of a user remains available after the user password is changed or when their login credentials are revoked.

Authenticated users can create their own API key. Administrators who have read privilege to Users & Access control can list the API keys of all users. (The token value is not displayed.) Administrators with write privilege to Users & Access Control can remove API keys of any user.

Limitations:
  • Currently it is not possible to open or commit transactions when using API keys, therefore API keys cannot be used for changing SPS configuration or any other operation, which requires a transaction commit.

  • Currently it is not possible to view and manage API keys from the UI.

  • API keys can only be used with login methods, where api_key_access is set to enabled (Configuring SPS login methods).

  • The local admin user is not allowed to have an API key.

  • Groups obtained directly from a SAML2 Identity Provider are not available for API key access.

  • API keys do not have an expiry time; the user or the administrator must remove the token in order to prevent the future use of the token. Removing an API key cannot be undone.

To enable API key access for a login method, see Configuring SPS login methods.

Sample request using an API key

curl -H "Authorization: apikey <token_value>" https://<IP-address-of- 
SPS>/api/health_status 

Listing and removing API keys as an administrator

Privileged administrators have write access to Users & Access Control and can remove API keys of users.

NOTE: It is not possible to create API keys for other than the current user.

Users are identified by the combination of the following two pieces of information:

URL
https://<IP-address-of-SPS>/api/configuration/aaa/local_database/api_keys
HTTP operations

HTTP operations on the /api/configuration/aaa/local_database/api_keys endpoint include:

HTTP method

Description

Notes

GET

List API keys of all users

The API key value is not displayed.

DELETE

Remove an API key of a user

The key is removed after the administrator commits the transaction (Commit a transaction)

Sample request for listing API keys
GET /api/aaa/local_database/api_keys
Sample Response

The following is a sample response received when listing all API keys.

For more information on the meta object, see Message format.

 
                "items": [ 
 
                { 
 
                "body": { 
 
                "login_method": "f46acbd3-69c4-4562-8ed6-3212cc8750a8", 
 
                "name": "my_api_key", 
 
                "username": "exampleuser" 
 
                }, 
 
                "key": "575bbc51-c2a8-414b-8b7a-173da8d3cc9b", 
 
                "meta": { 
 
                "href": "/api/configuration/aaa/local_database/api_keys/575bbc51-c2a8-414b-8b7a-173da8d3cc9b" 
 
                } 
 
                }, 
 
                { 
 
                "body": { 
 
                "login_method": "f46acbd3-69c4-4562-8ed6-3212cc8750a8", 
 
                "name": "my_other_api_key", 
 
                "username": "exampleuser" 
 
                }, 
 
                "key": "f61f378e-bf15-4761-b507-5fe81cbf55de", 
 
                "meta": { 
 
                "href": "/api/configuration/aaa/local_database/api_keys/f61f378e-bf15-4761-b507-5fe81cbf55de" 
 
                } 
 
                } 
 
                ] 
 
            } 
Element

Type

Description
login_method

string

The identifier of the login method of the user.

name

string

A user-defined descriptive name for an API key.

username

string

User identifier.

key

string

The identifier of the API key.

Sample request for removing an API key
DELETE /api/aaa/local_database/api_keys/<key-of-API-key>

After removing an API key, commit your changes (Commit a transaction).

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen