Contains the local users of SPS. You can use local users and groups to control the privileges of SPS local and LDAP users — who can view and configure what.
NOTE: The admin user is available by default and has all possible privileges. It is not possible to delete this user.
Local users cannot be managed when LDAP authentication is used. When LDAP authentication is enabled, the accounts of local users is disabled, but they are not deleted,
When using RADIUS authentication together with local users, the users are authenticated to the RADIUS server, only their group memberships must be managed locally on SPS.
For details, see Login settings.
URL
GET https://<IP-address-of-SPS>/api/configuration/aaa/local_database/users
Cookies
| session_id |
Contains the authentication token of the user |
Required |
The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.
NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format). |
Sample request
The following command lists the local users.
curl --cookie cookies.txt https://<IP-address-of-SPS>/api/configuration/aaa/local_database/users
The following command displays the parameters of a specific user.
curl --cookie cookies.txt https://<IP-address-of-SPS>/api/configuration/aaa/local_database/users/<ID-of-the-user>
Response
The following is a sample response received when querying the list of users.
For more information on the meta object, see Message format.
{
"items": [
{
"key": "103640099357f3b14f0529a",
"meta": {
"href": "/api/configuration/aaa/local_database/users/103640099357f3b14f0529a"
}
},
{
"key": "46785097158061f46c63d0",
"meta": {
"href": "/api/configuration/aaa/local_database/users/46785097158061f46c63d0"
}
}
],
"meta": {
"first": "/api/configuration/aaa/local_database/groups",
"href": "/api/configuration/aaa/local_database/users",
"last": "/api/configuration/aaa/local_database/users",
"next": null,
"parent": "/api/configuration/aaa/local_database",
"previous": "/api/configuration/aaa/local_database/groups",
"transaction": "/api/transaction"
}
}
The following is a sample response received when querying a specific user.
{
"body": {
"name": "testuser",
"password": {
"key": "8f84d7d1-9de1-429a-a7a7-c33a61cc7419",
"meta": {
"href": "/api/configuration/passwords/8f84d7d1-9de1-429a-a7a7-c33a61cc7419"
}
},
"password_created": 1476796261
},
"key": "46785097158061f46c63d0",
"meta": {
"first": "/api/configuration/aaa/local_database/users/103640099357f3b14f0529a",
"href": "/api/configuration/aaa/local_database/users/46785097158061f46c63d0",
"last": "/api/configuration/aaa/local_database/users/46785097158061f46c63d0",
"next": null,
"parent": "/api/configuration/aaa/local_database/users",
"previous": "/api/configuration/aaa/local_database/users/103640099357f3b14f0529a",
"transaction": "/api/transaction"
}
| body |
|
Top level element (JSON object) |
Contains the properties of the user. |
|
name |
string |
The username of the user account. |
|
password |
reference |
A reference to a password object. To create or update passwords, see Passwords stored on SPS. |
|
password_created |
integer |
The date when the password of the account was changed in UNIX timestamp format (for example, 1476796261). |
| key |
|
string |
Top level element, contains the ID of the user. |
Status and error codes
The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.
| 400 |
SemanticError |
You tried to reuse a password object. You can use a password object for only one purpose, that is, you cannot reference a password object twice. |
| 401 |
Unauthenticated |
The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved. |
| 403 |
Unauthorized |
The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved. |
| 404 |
NotFound |
The requested object does not exist. |
| 409 |
NoTransaction |
No open Transaction is available. You must open a transaction first (for details, see Open a transaction). |
Configure LDAP AD and LDAP POSIX servers for authentication, authorization, and accounting (AAA).
URL
POST https://<IP-address-of-SPS>/api/configuration/aaa/ldap_servers
Cookies
| session_id |
Contains the authentication token of the user |
Required |
The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.
NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format). |
Operations
Operations with the /aaa/ldap_servers endpoint include:
| Creating a new LDAP server |
POST |
/api/configuration/aaa/ldap_servers |
|
|
Retrieving a LDAP server |
GET |
|
Sample request
The following command creates a new LDAP server.
curl --cookie cookies.txt https://<IP-address-of-SPS>/api/configuration/aaa/ldap_servers
The following is a sample request.
{
"name": "ldap-server-name",
"schema": {
"selection": "posix",
"username_attribute": "uid",
"membership_check": {
"enabled": true,
"member_uid_attribute": "memberUid"
},
"memberof_check": {
"enabled": true,
"memberof_user_attribute": "memberOf",
"memberof_group_objectclass": "groupOfNames"
},
"user_dn_in_groups": [
{
"object_class": "groupOfNames",
"attribute": "member"
},
{
"object_class": "groupOfUniqueNames",
"attribute": "uniqueMember"
}
]
},
"servers": [
{
"host": {
"selection": "ip",
"value": "10.110.0.1"
},
"port": 389
}
],
"user_base_dn": "ou=People,dc=example",
"group_base_dn": "ou=Groups,dc=example",
"bind_dn": null,
"bind_password": null,
"encryption": {
"selection": "disabled"
}
}
Response
The following is a sample response received when you retrieve LDAP server information.
For more information on the meta object, see Message format.
{
"items": [
{
"body": {
"bind_dn": null,
"bind_password": null,
"encryption": {
"selection": "disabled"
},
"group_base_dn": "ou=Groups,dc=example",
"name": "ldap-server-name",
"schema": {
"memberof_check": {
"enabled": true,
"memberof_group_objectclass": "groupOfNames",
"memberof_user_attribute": "memberOf"
},
"membership_check": {
"enabled": true,
"member_uid_attribute": "memberUid"
},
"selection": "posix",
"user_dn_in_groups": [
{
"attribute": "member",
"object_class": "groupOfNames"
},
{
"attribute": "uniqueMember",
"object_class": "groupOfUniqueNames"
}
],
"username_attribute": "uid"
},
"servers": [
{
"host": {
"selection": "ip",
"value": "10.110.0.1"
},
"port": 389
}
],
"user_base_dn": "ou=People,dc=example"
},
"key": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"meta": {
"href": "/api/configuration/aaa/ldap_servers/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
}
]
}
Elements of the response message body include:
| bind_dn |
string |
The Distinguished Name that SPS should use to bind to the LDAP directory.
Must be used if the value of the selection element is set to ldap. |
NOTE: SPS accepts both pre Windows 2000-style and Windows 2003-style account names, or User Principal Names (UPNs). For example, administrator@example.com is also accepted. |
| bind_password |
null | string |
References the password SPS uses to authenticate on the server. You can configure passwords at the /api/configuration/passwords/ endpoint.
Must be used if the value of the selection element is set to ldap.
To modify or add a password, use the value of the returned key as the value of the password element, and remove any child elements (including the key). |
NOTE: SPS accepts passwords that are not longer than 150 characters and supports the following characters:
|
| encryption |
union |
Configuration settings for encrypting the communication between SPS and the LDAP server. |
The displayed value type depends on the encryption.selection parameter. |
| encryption.selection |
enum |
Defines the type of encryption SPS uses to communicate with the LDAP server. Possible values are:
-
disabled
The communication is not encrypted.
-
ssl
TLS/SSL encryption. To use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example ldap.example.com) as the server address, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.
-
starttls
Opportunistic TLS. |
-
Example if the value is disabled {
"selection": "disabled"
}
-
Example if the value is ssl or starttls: {
"selection": "ssl | starttls",
"trust_store": null|<trust-store-ref>,
"client_authentication": null|<x509-ref>
} |
|
group_base_dn |
string |
Name of the DN to be used as the base of queries regarding groups.
NOTE: You must fill in this field. It is OK to use the same value for user_base_dn and group_base_dn.
However, note that specifying a sufficiently narrow base for the LDAP subtrees where users and groups are stored can speed up LDAP operations. |
Example: "ou=users,ou=example" |
|
name |
string |
Top level element, the name of the object. This name is also displayed on the SPS web interface. It cannot contain whitespace. |
|
|
schema |
union |
AD and POSIX specific LDAP configuration. |
-
Example with LDAP AD server, where the schema selection is ad: {
"selection": "ad",
"membership_check": ...,
"memberof_check": ...,
"user_dn_in_groups": …
}
-
Example with LDAP POSIX server, where the schema selection is posix: {
"selection": "posix",
"membership_check": ...,
"memberof_check": ...,
"user_dn_in_groups": ...,
"username_attribute": …
} |
|
schema.memberof_check |
object |
The Enable checking for group DNs in user objects setting allows checking a configurable attribute in the user object. This attribute contains a list of group DNs the user is additionally a member of. This user attribute is usually memberOf.
|
-
Example with LDAP AD server, if memberof_check and memberof_user_attribute are enabled: "schema": {
"memberof_check": {
"enabled": true,
"memberof_user_attribute": "memberOf"
}
-
Example with LDAP POSIX server, if memberof_check is enabled: "schema": {
"memberof_check": {
"enabled": true,
"memberof_group_objectclass": "groupOfNames",
"memberof_user_attribute": "memberOf"
}
-
To disable memberof_check for both LDAP AD and LDAP POSIX servers, set the enabled parameter to false. "schema": {
"memberof_check": {
"enabled": false
} |
|
schema.memberof_check.enabled |
boolean |
To enable memberof_check, set it to true.
|
|
|
schema.memberof_check.memberof_group_objectclass |
string |
The attribute holding the members of the LDAP group. |
This field is case-sensitive.
Default value: groupOfNames |
|
schema.memberof_check.memberof_user_attribute |
string |
Must be used if the memberof_check is set to true. The name of the user attribute (for example, memberOf) that contains the group DNs.
|
This attribute is the same for both LDAP AD and LDAP POSIX schema. |
|
schema.membership_check |
object |
|
-
Example with LDAP AD server, if membership_check and nested_groups are enabled: "membership_check": {
"enabled": true,
"nested_groups": true | false"
}
-
Example with LDAP POSIX server, if membership_check and member_uid_attribute are enabled: "membership_check": {
"enabled": true,
"member_uid_attribute": null | "memberUid"
}
-
To disable membership_check for both LDAP AD and LDAP POSIX servers, set the enabled parameter to false. "membership_check": {
"enabled": false
} |
|
schema.membership_check.enabled |
boolean |
POSIX: Enables POSIX primary and supplementary group membership checking.
AD: Enables Active Directory specific non-primary group membership checking.
|
|
|
schema.membership_check.member_uid_attribute |
string |
Must be used if the value of the selection element is set to posix.
The POSIX group membership attribute name is the name of the attribute in a posixGroup group object, which lists the plain usernames that are members of the group. These groups are usually referred to as supplementary groups of the referred user. Can be null.
|
Default value: memberUid |
|
schema.selection |
string |
Configures which LDAP schema to use: AD or POSIX. Possible values are:
-
ad: Microsoft Active Directory server. For details and examples, see Configuring LDAP servers.
-
posix: The server uses the POSIX LDAP scheme.
Must be used with the member_uid_attribute and username_attribute elements. For details and examples, see Configuring LDAP servers.
|
Default value: ad, posix |
|
schema.user_dn_in_groups |
array |
Add object_class / attribute pairs. SPS will search for the user DN in the group's attribute defined here. If it finds the user DN there, SPS considers the user the member of that group. |
Example: "user_dn_in_groups": [
{
"attribute": "member",
"object_class": "groupOfNames"
},
{
"attribute": "uniqueMember",
"object_class": "groupOfUniqueNames"
}
]
The array can return empty: "user_dn_in_groups": []
user_dn_in_groups can serve as additional validation. At least one out of membership_check, memberof_check or user_dn_in_groups must be filled for validation. |
|
schema.user_dn_in_groups.attribute |
string |
Name of the group attribute which contains the user DN. |
Default value: member |
|
schema.user_dn_in_groups.object_class |
string |
Consider groups of this objectClass. |
Possible values: groupOfNames, groupOfUniqueNames |
|
schema.username_attribute |
string |
The login attribute that uniquely identifies a single user record. |
Default value: uid |
|
servers |
array |
Contains the addresses and ports of the LDAP servers. |
The displayed value type depends on the servers.host.selection parameter.
Possible values are: ip, fqdn
-
Example if the host selection is ip: "servers": [
{
"host":{
"selection": "ip",
"value": "1.2.3.4"
},
"port": 123
}
],
-
Example, if the host selection is fqdn: "servers": [
{
"host": {
"selection": "fqdn",
"value": "my.example"
},
"port": 123
}
],
|
|
servers.host |
object |
Contains the address of the LDAP server. |
|
|
servers.host.selection |
string |
Defines the address type (IP or domain name). |
Possible values are:
|
|
servers.host.value |
string |
The address of the LDAP server. |
|
|
servers.port |
int |
The port of the LDAP server. |
|
|
user_base_dn |
string |
Name of the DN to be used as the base of queries regarding users.
Must be used if the value of the selection element is set to ldap.
NOTE: You must fill in this field. It is OK to use the same value for user_base_dn and group_base_dn.
However, note that specifying a sufficiently narrow base for the LDAP subtrees where users and groups are stored can speed up LDAP operations. |
For example: "ou=groups,ou=example" |
Configure LDAP servers
To configure an LDAP server, you have to:
-
Open a transaction.
For more information, see Open a transaction.
-
Create the JSON object for the new LDAP server configuration.
POST the JSON object to the https://<IP-address-of-SPS>/api/configuration/aaa/ldap_servers endpoint. You can find a detailed description of the available parameters listed in Element .
-
Commit your changes.
For more information, see Commit a transaction.
HTTP response codes
For more information and a complete list of standard HTTP response codes, see Application level error codes.
Use the /aaa/login_methods endpoint to configure multiple login methods for SPS. Possible login methods are the following:
URL
https://<IP-address-of-SPS>/api/configuration/aaa/login_methods |
Cookies
| session_id |
Contains the authentication token of the user |
Required |
The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.
NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format). |
HTTP operations
HTTP operations with the /aaa/login_methods endpoint include:
|
POST |
/api/configuration/aaa/login_methods |
Configuring the local login method |
NOTE: Changing your password is possible only with Local login. |
|
|
|
Configuring the X.509 login method |
Before you can configure the X.509 login method, you must upload your X.509 certificate to a trust store at the /api/configuration/trust_stores endpoint. |
|
|
|
Configuring the password-based LDAP login method (AD or POSIX) |
Before you can configure the LDAP login method, you must create a new LDAP server at the /api/configuration/aaa/ldap_servers endpoint. |
|
|
|
Configuring the RADIUS login method |
|
|
|
|
Configuring the SAML2 login method |
|
|
PUT |
/api/configuration/aaa/login_methods/@order |
Reordering login methods |
By default, the Local login method button appears as the first login method on the SPS web interface. To reorder the login method buttons, use the /@order endpoint. |
Sample request
The following command creates a new login method.
curl --cookie cookies.txt https://<IP-address-of-SPS>/api/configuration/aaa/login_methods |
The following parameters are applicable to all login methods - Local, LDAP, X509, and RADIUS.
| type |
enum |
The login method type used for authentication. |
Possible values are:
- local
Use a local user database for authentication.
- x509
Use a X.509 certificate for authentication.
- ldap
Use an LDAP server (AD or POSIX) for authentication.
- radius
Use a RADIUS server for authentication.
- saml2
Use SAML2 for authentication |
| name |
string |
A unique identifier of the login method. |
|
| title |
string |
The title that appears above the login method button on the SPS web interface. This can be customized. |
In the case of X.509 login method, there is only one button. |
| active |
boolean |
Indicates whether the login method is enabled or not. |
|
|
api_key_access |
string |
Indicates whether API key authentication is enabled or not. |
Possible values are:
|
Example: Sample request for configuring Local login
{ |
"type": "local", |
"name": "inactive-local", |
"title": "Local login", |
"active": false, |
"api_key_access": "disabled", |
"cracklib_enabled": true, |
"expiration_days": 30, |
"remember_previous_passwords": 10, |
"minimum_password_strength": "good", |
"minimum_password_length": 1 |
} |
Elements of the request message body include:
| cracklib_enabled |
boolean |
Password setting. Must be used if the value of the selection element is set to local.
Set to true to test the strength of user passwords with simple dictionary attacks before they are committed.
Set to false if a RADIUS server or X.509 certificate is used for authentication. |
NOTE: The strength of a password is determined by its length and complexity: the variety of numbers, letters, capital letters, and special characters used.
To run simple dictionary-based attacks to find weak passwords, enable Cracklib (eg. dictionary) protection. |
| expiration_days |
integer |
Password setting. Configures the number of days the user passwords are considered valid. Expired passwords must be changed upon login. |
Set to 0 if a RADIUS server or X.509 certificate is used for authentication.
The 0 value means the passwords do not expire. The highest value you can configure is 365.
Must be used if the value of the selection element is set to local. |
| remember_previous_passwords |
integer |
Password setting. Configures the number of previous passwords to retain to prevent password reuse. |
Set to 0 if a RADIUS server or X.509 certificate is used for authentication.
The 0 value means passwords can be reused.
Must be used if the value of the selection element is set to local. |
| minimum_password_strength |
string |
Password setting. Configures the required password strength for new passwords. |
Set to disabled if a RADIUS server or X.509 certificate is used for authentication.
Possible values are:
-
disabled
Any password is accepted.
-
good
Weak passwords are not accepted.
-
strong
Only strong passwords are accepted.
Must be used if the value of the selection element is set to local. |
| minimum_password_length |
number |
The minimum number of characters the password must consist of. |
|
Example: Sample request for configuring LDAP login
{ |
"type": "ldap", |
"name": "ldap", |
"title": "LDAP login", |
"active": true, |
"api_key_access": "disabled", |
"ldap_server": "5ed1b422-395a-4d5e-abf0-b43cd6c752f8" |
} |
Elements of the request message body include:
| ldap_server |
string |
The identifier of the previously created LDAP server. |
|
Example: Sample request for configuring X509 login
{ |
"type": "x509", |
"name": "x509", |
"title": "X509 login", |
"active": true, |
"api_key_access": "disabled", |
"trust_store": "5ed1b422-395a-4d5e-abf0-b43cd6c752f8", |
"username_attribute": "commonName", |
"groups": { |
"type": "local" |
} |
} |
Elements of the request message body include:
| trust_store |
string |
The identifier of the X509 certificate that was previously uploaded into Trust stores. |
Trust stores serve as local certificate storages where users can store the certificate chains of trusted Certificate Authorities (CAs). |
| username_attribute |
enum |
The login attribute that uniquely identifies a single user record. You can choose which type of username you want to use. |
Possible values are:
-
commonName
-
emailAddress
-
userId
-
userPrincipalName |
| groups |
object |
The location of your group from which you will authorize access. |
|
| groups.type |
enum |
The type of the group. |
Possibe values are:
If the group type is ldap, the identifier of the previously created LDAP server (the value of the ldap_server field) will appear. |
Example: Sample request for configuring SAML2 login
{ |
"type": "saml2", |
"name": "saml_idp", |
"title": "SAML IdP", |
"active": true, |
"api_key_access": "disabled", |
"groups": { |
"type": "local" |
}, |
"idp_metadata": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor entityID=\"http:\/\/www.okta.com\/exk4qxi1pzvjH2zBZ5d7\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAXjzrIibMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Rldi00NzkyNDAyMRwwGgYJKoZIhvcNAQkB\nFg1pbmZvQG9rdGEuY29tMB4XDTIxMDQyMTA5MDMzM1oXDTMxMDQyMTA5MDQzM1owgZMxCzAJBgNV\nBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYD\nVQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLZGV2LTQ3OTI0MDIxHDAa\nBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCV8kFXnxvMmTBlOPGk0qUsO12vqUKdRXvbYke0xzpdsgk1xyGMDxLms6zdrlisgTFvP+N0CO4n\nYoZ\/gFbsIlQN7YCvV0P7Tm4vbCdL08GpFJllmougTQvXMCGmPZyuAA8aEKDbITD5vDjLRMiAzuP6\nt8WNocRzsBZCLoN0AEdCkjGArNzg9XeNef\/89YEvKtJKRyFk2uxjn7vakYwekjgXNRKTAYvtvwDt\n10qNc1fEhZ+H8h6zqACQH+AehJRIY1atYscQm1XhsDXu2s9Vz8W5M6WtflQD6rxKIB8q64scpk8F\nPcuv327sjdTL2BjmzWjOekdjr9WUkxJJ1hZXGHHbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAG42\nISgPo0uypP5rc451JQVfSiY9+Bg+UoekGZKksm9NA1XHJKAd7+OAuZe9OeTXKaB6KtImphl95xe1\nVyvKPwZhNo91QoP6SMwUwES8A45j2\/2vi87Y2\/V5nEAahNy3Kcvl8v8MghIZja1F\/rZu3ha51sl5\n\/k6G7CG3mi1MknC0\/kNSw+FrVcAuJOqnJEUDvWBcoJ4NCVcGddmqHpLuESHswnMH03HRPgVI1b8M\nLnPrgvZfEEQV\/dIIDR9AOl9dmKG\/7HpL+gL8L5J1r3PSFN0kPTlXbZFIiUfAPKJuSxm4WgMWdCiT\nCT1H\/87qV0GjNmdMBU9IFlHBYi4eLzv5VZo=<\/ds:X509Certificate><\/ds:X509Data><\/ds:KeyInfo><\/md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress<\/md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https:\/\/dev-4792402.okta.com\/app\/dev-4792402_ztsscb2_1\/exk4qxi1pzvjH2zBZ5d7\/sso\/saml\"\/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https:\/\/dev-4792402.okta.com\/app\/dev-4792402_ztsscb2_1\/exk4qxi1pzvjH2zBZ5d7\/sso\/saml\"\/><\/md:IDPSSODescriptor><\/md:EntityDescriptor>" |
} |
Elements of the request message body include:
|
groups |
object |
The location of your group from which you will authorize access. |
|
|
groups.type |
enum |
The type of the group. |
Possibe values are:
If the group type is ldap, the identifier of the previously created LDAP server (the value of the ldap_server field) will appear. |
|
idp_metadata |
|
Metadata XML of the Identity Provider. |
You must upload the metadata XML file contents as a properly escaped JSON string. |
Example: Configuring X.509 login with LDAP groups
To configure an X.509 login with LDAP groups
-
-
Open a transaction.
For more information, see Open a transaction.
-
Create a new LDAP server at the /api/configuration/aaa/ldap_servers endpoint.
{
"name": "ldap_server",
"schema": {
"selection": "posix",
"username_attribute": "uid",
"membership_check": {
"enabled": true,
"member_uid_attribute": "memberUid"
},
"memberof_check": {
"enabled": true,
"memberof_user_attribute": "memberOf",
"memberof_group_objectclass": "groupOfNames"
},
"user_dn_in_groups": [
{
"object_class": "groupOfNames",
"attribute": "member"
},
{
"object_class": "groupOfUniqueNames",
"attribute": "uniqueMember"
}
]
},
"servers": [
{
"host": {
"selection": "ip",
"value": "1.2.3.4"
},
"port": 389
}
],
"user_base_dn": "ou=People,dc=example",
"group_base_dn": "ou=Groups,dc=example",
"bind_dn": null,
"bind_password": null,
"encryption": {
"selection": "disabled"
}
}
-
Upload a X509 certificate at the /api/configuration/trust_stores endpoint.
{
"name": "X509_Trust_Store",
"authorities": [
"-----BEGIN CERTIFICATE-----\nMIIDZzCCAk+gAwIBAgIUMlI5+EgTDAh2zqRDGYrzFRyozI8wDQYJKoZIhvcNAQEL\nBQAwQzELMAkGA1UEBhMCSFUxETAPBgNVBAgMCEJ1ZGFwZXN0MSEwHwYDVQQKDBhJ\nbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTQwODEyMTIzNjQ4WhcNMzQwNjE4\nMTIzNjQ4WjBDMQswCQYDVQQGEwJIVTERMA8GA1UECAwIQnVkYXBlc3QxITAfBgNV\nBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBALffJBDD6A/ZGBTgFbyLXHulU+hGnMW3DoPo2q4HY1/FfbkS\nrzmK+Fiz+3EwJCWi+EwK9mqve/nh6YRRw/VaAVQ7CkA7f7to+I7gP647Bq1wk0lh\nBVEJNlN0jfYYSumGxzPotw/fon1MkXuMbLc0Pr/vFX3NQC7/STAV5dZFcdboXDA7\nZZ3rzBIr93ThObsGj01MRO6wrS3rfE7Px9D7C2u9YSkP3OQ1Sfm/jqyLNaT6xt4i\nhrLnfYEc8mClnrlvILi+q/D6mIUSjb4IGvergAyl4jgPjO02UcvBzOIA9tDlBJBi\nQxZx+T620ubmEwOl9Q0G8RAWKz7szrBcXEjXhYUCAwEAAaNTMFEwHQYDVR0OBBYE\nFCDfEeq5Hsm8jMrG110iNpt5cikTMB8GA1UdIwQYMBaAFCDfEeq5Hsm8jMrG110i\nNpt5cikTMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAK3iizM4\nCx69YD+4CWOUswULrCJA38C+nDYONLbNkact8JKXqCn/MaZTII+dZoV9RjjX4AzA\nPTQkZT+RoVeCZyt+qWHMdjq6koabXwQmXNozUtaxEZTrnoUDEWtNIbjV/gNtRcSG\nsU7i9L2YnwDzTw0cR/pu1Hykq8fwqNqjQGYnmXtJspMkKAtVe1CrtnPLiC6JBr0g\n5GZF58sHx5+gO0RkqdzJgRAGnImdfAahqfHmKRFmxoxWLyylRyqDgQ+KqcaDvZI+\ni36M+NQHVrDX4jo4CFoXhFlSOepvtDOpmzoWhugwDNMPuU1IEY7//CJBXQnjp+uf\nLO6PsNmMKDGi9Dk=\n-----END CERTIFICATE-----\n"
],
"crl_urls": [
"http://crl.it/sec"
],
"revocation_check": "full"
}
-
Create a new LDAP login method at the /api/configuration/aaa/login_methods endpoint.
{
"type": "x509",
"name": "x509",
"title": "X509 login",
"active": true,
"api_key_access": "disabled",
"trust_store": "5ed1b422-395a-4d5e-abf0-b43cd6c752f8",
"username_attribute": "commonName",
"groups": {
"type": "ldap",
"ldap_server": "5ed1b422-395a-4d5e-abf0-b43cd6c752f8"
}
}
-
-
Commit your changes.
For more information, see Commit a transaction.
-
-
Commit your changes.
For more information, see Commit a transaction.
Example: Configuring RADIUS login with local groups
To configure a RADIUS login with local groups
-
-
Open a transaction.
For more information, see Open a transaction.
-
Create a new secret for your RADIUS server at the /api/configuration/passwords/ endpoint. For example, any.secret.
-
Create a new RADIUS login method at the /api/configuration/aaa/login_methods endpoint.
{
"type": "radius",
"name": "radius",
"title": "Radius login",
"active": true,
"api_key_access": "disabled",
"servers": [
{
"address": {
"selection": "ip",
"value": "4.5.6.7"
},
"port": 1812,
"shared_secret": "<'key' from the response of the penultimate creation>"
},
{
"address": {
"selection": "fqdn",
"value": "radius.example"
},
"port": 18120,
"shared_secret": "<'key' from the response of the last creation>"
}
],
"authentication_protocol": "pap",
"groups": {
"type": "local"
}
}
-
-
Commit your changes.
For more information, see Commit a transaction.
Example: Configuring RADIUS login with LDAP groups (AD or POSIX)
To configure a RADIUS login with LDAP groups
-
-
Open a transaction.
For more information, see Open a transaction.
-
Create a new LDAP server at the /api/configuration/aaa/ldap_servers endpoint.
-
Create a new secret for your RADIUS server at the /api/configuration/passwords/ endpoint. For example, any.secret.
-
Create a new LDAP server login method at the /api/configuration/aaa/login_methods endpoint.
{
"type": "radius",
"name": "radius",
"title": "Radius login",
"active": true,
"api_key_access": "disabled"
"servers": [
{
"address": {
"selection": "fqdn",
"value": "radius.balabit"
},
"port": 18120,
"shared_secret": "<'key' from the response of the last creation>"
}
],
"authentication_protocol": "pap",
"groups": {
"type": "ldap",
"ldap_server": "<'key' from the response of the penultimate creation>"
}
}
-
-
Commit your changes.
For more information, see Commit a transaction.
Example: Configuring SAML2 login
To configure a SAML2 login
-
-
Open a transaction.
For more information, see Open a transaction.
-
Download the metadata XML of your Identity Provider.
-
Create a new SAML2 login method at the /api/configuration/aaa/login_methods endpoint.
-
-
Commit your changes.
For more information, see Commit a transaction.
Response
For more information on the meta object, see Message format.
HTTP response codes
For more information and a complete list of standard HTTP response codes, see Application level error codes.
Configure the Security Assertion Markup Language 2.0 (SAML2) Service Provider settings to control federated user access to SPS.
URL
https://<IP-address-of-SPS>/api/configuration/aaa/saml2 |
Cookies
| session_id |
Contains the authentication token of the user |
Required |
The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For more information on authentication, see Authenticate to the SPS REST API.
NOTE: This session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format). |
HTTP operations
HTTP operations with the /aaa/saml2 endpoint include:
|
GET |
/api/configuration/aaa/saml2 |
Listing the SAML2 Service Provider settings. |
|
|
PUT |
/api/configuration/aaa/saml2 |
Configuring the SAML2 Service Provider settings. |
|
Sample request
Listing the SAML2 Service Provider settings.
curl -X GET -b "${COOKIE_PATH}" https://<IP-address-of-SPS>/api/configuration/aaa/saml2 |
Sample response
The following is a sample response received if the request was successful.
{ |
"key": "saml2", |
"body": { |
"acs_addresses": [ |
"hostname", |
"hostname.example.com", |
"192.168.1.101" |
], |
"entity_id": "https://hostname.example.com/sts/saml2/170953689162bf25866552c", |
"x509_identity": { |
"key": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", |
"meta": { |
"href": "/api/configuration/x509/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" |
} |
} |
} |
} |
|
Elements of the response message body include:
|
key |
string |
The identifier of the SAML2 login method. |
|
|
body.acs_addresses |
array |
A list of Assertion Consumer Service (ACS) addresses. |
|
|
body.entity_id |
string |
The entity ID of the SPS as Service Provider. |
|
|
body.x509_identity |
object |
X.509 identity of the Service Provider to sign the authentication requests. |
|
|
body.x509_identity.key |
string |
The identifier of the X.509 identity under /api/configuration/x509. |
|
|
body.x509_identity.meta.href |
string (relative path) |
Link to the X.509 identity (only the path part of the URL). |
|
For more information on the meta object, see Message format.
Sample request
Configuring the SAML2 Service Provider settings.
curl -X PUT -b "${COOKIE_PATH}" https://<IP-address-of-SPS>/api/configuration/aaa/saml2 |
To configure the SAML2 Service Provider settings
-
Download the SP metadata XML from /sts/saml2/sp-metadata.xml. This XML file contains the SP's entity ID. You are not required to authenticate to download this XML file.
-
-
Open a transaction.
For more information, see Open a transaction.
-
Create a X.509 identity at the /api/configuration/x509 endpoint.
{ |
"certificate": <-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE----->, |
"private_key": <-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY----->, |
"issuer_chain": [] |
} |
-
Return to the /api/configuration/aaa/saml2 endpoint and add the newly created X.509 identity to the SAML2 entity ID and the listed ACS addresses to complete the configuration.
{ |
"entity_id": "https://minimal.balabit/sts/saml2/other-random-string", |
"x509_identity": "<XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>", |
"acs_addresses": ["minimal.balabit", "192.168.1.101"] |
} |
|
-
-
Commit your changes.
For more information, see Commit a transaction.
HTTP response codes
For more information and a complete list of standard HTTP response codes, see Application level error codes.
