Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.7.0 - REST API Reference Guide

Introduction Using the Safeguard for Privileged Sessions REST API Basic settings User management and access control Managing Safeguard for Privileged Sessions General connection settings HTTP connections Citrix ICA connections RDP connections SSH connections Telnet connections VNC connections Search, download, and index sessions Reporting Advanced authentication and authorization Completing the Welcome Wizard using REST Enable and configure analytics using REST About us Third-party contributions

Using the Safeguard for Privileged Sessions REST API

The following sections give you a general overview of how the Safeguard for Privileged Sessions REST API works.

Authenticate to the Safeguard for Privileged Sessions REST API

Prerequisites:

  • The REST server must permit password authentication to the Safeguard for Privileged Sessions web interface. If only certificate-based authentication is permitted, see Authenticate to the Safeguard for Privileged Sessions REST API using X.509 certificate.

    To check the permitted authentication method, query the /api/authentication/types endpoint.

    • If the types field of the response includes the x509 object, certificate-based authentication is permitted.

    • If it includes only the basic object, password authentication is permitted.

    • If it includes both fields, then certificate-based authentication is permitted for the users, but the admin user can authenticate with password as well. Note that in this case, Safeguard for Privileged Sessions assumes that the admin user will authenticate with a password, and expects password-authentication on the /api/authentication endpoint. To authenticate with a certificate, use the /api/authentication?type=x509 endpoint.

  • You can access the REST server on the same IP address and port that you use to access the Safeguard for Privileged Sessions web interface. Note that management (administrator) access must be enabled on the interface. For details on configuring management access, see "Configuring user and administrator login addresses" in the Administration Guide.

  • The user accessing the Safeguard for Privileged Sessions REST API must have the REST server privilege. For details, see "Modifying group privileges" in the Administration Guide. Note that the built-in api usergroup does not have this privilege by default, it is used to access the SOAP RPC API of Safeguard for Privileged Sessions.

  • Note that the system time of Safeguard for Privileged Sessions and the client must be synchronized. The authentication cookie is valid for twenty minutes, and both Safeguard for Privileged Sessions and most REST clients validate this. As a result, if the system time of Safeguard for Privileged Sessions and the client is significantly different from each other, the authentication seems to be successful, but you will not be able to actually access Safeguard for Privileged Sessions. (If the session_id is missing from the cookies file, check the system clocks.)

  • Make sure that user credentials are encoded in UTF-8.

The authentication procedure:

  1. To authenticate on the Safeguard for Privileged Sessions REST server, send a GET request over HTTPS using the basic HTTP authentication method, including your username and password to the /api/authentication resource.

  2. If the authentication is successful, the server returns the 200 status code, and a meta object in the response body. Also, the HTTP headers of the response include an HTTP cookie named session_id. This cookie is used to identify the client in every subsequent HTTP request.

  3. For every subsequent request, include the session_id header with the value of the received session ID. For example:

    session_id 087658d7e30cdc2552b015dd761b6f7ccb25bbd5

  4. The authenticated session times out after 20 minutes of inactivity.

    Note that the system time of Safeguard for Privileged Sessions and the client must be synchronized. The authentication cookie is valid for twenty minutes, and both Safeguard for Privileged Sessions and most REST clients validate this. As a result, if the system time of Safeguard for Privileged Sessions and the client is significantly different from each other, the authentication seems to be successful, but you will not be able to actually access Safeguard for Privileged Sessions. (If the session_id is missing from the cookies file, check the system clocks.)

URL
GET https://<IP-address-of-Safeguard for Privileged Sessions>/api/authentication
Headers
Header name Description Required Values
Authorization Contains the username and password of the user Required The string Basic followed by the username:password encoded using the RFC2045-MIME. For example, Basic YWRtaW46YQ==
Sample request
Example: Authenticate to the Safeguard for Privileged Sessions REST server using curl

The following command authenticates on Safeguard for Privileged Sessions using the curl HTTP client. The --insecure option used in the example is used to bypass verifying the certificate of Safeguard for Privileged Sessions. (Alternatively, you can use the --cacert option or the CURL_CA_BUNDLE environment variable to specify the Certificate Authority to verify the certificate of Safeguard for Privileged Sessions. For details, see the curl man page).

When using the REST API in production environments, make sure to download the CA certificate of Safeguard for Privileged Sessions from Basic Settings > Management > SSL certificate > CA X.509 certificate, and validate the certificate of Safeguard for Privileged Sessions using this CA certificate, or with the CA certificate you used to sign the Server X.509 certificate of Safeguard for Privileged Sessions.

curl --basic --user <username>:<password> --cookie-jar cookies --insecure https://<Safeguard for Privileged Sessions-IP-address>/api/authentication

The cookie containing the session ID is also received (you can display it for example with the tail -l cookies command).

localhost  FALSE  /  FALSE  1395325830  session_id  600dc0ffeec0ffeec0ffeec0ffeec0ffeec0ffee

The following command retrieves the configuration of Safeguard for Privileged Sessions, using the session ID received during the authentication.

curl --cookie cookies --insecure https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration
Response

The following is a sample response received if the authentication is successful. For details of the meta object, see Introduction.

{
  "meta": {
     "href": "/api",
     "next": "/api",
     "transaction": "/api/transaction"
  }
}
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Using the Safeguard for Privileged Sessions REST API.

Code Description Notes
200 OK Successful authentication
400 InvalidAuthenticationRequest Unable to authenticate: no valid credentials found.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
401 AuthenticationFailure Authenticating the user with the given credentials has failed.
405 UnsupportedMethod You tried using an unsupported HTTP method. Use the GET method for authentication.

Authenticate to the Safeguard for Privileged Sessions REST API using X.509 certificate

Prerequisites:

  • The REST server must permit certificate authentication to the Safeguard for Privileged Sessions web interface. If only password-based authentication is permitted, see Authenticate to the Safeguard for Privileged Sessions REST API.

    To check the permitted authentication method, query the /api/authentication/types endpoint.

    • If the types field of the response includes the x509 object, certificate-based authentication is permitted.

    • If it includes only the basic object, password authentication is permitted.

    • If it includes both fields, then certificate-based authentication is permitted for the users, but the admin user can authenticate with password as well. Note that in this case, Safeguard for Privileged Sessions assumes that the admin user will authenticate with a password, and expects password-authentication on the /api/authentication endpoint. To authenticate with a certificate, use the /api/authentication?type=x509 endpoint.

  • You can access the REST server on the same IP address and port that you use to access the Safeguard for Privileged Sessions web interface. Note that management (administrator) access must be enabled on the interface. For details on configuring management access, see "Configuring user and administrator login addresses" in the Administration Guide.

  • The user accessing the Safeguard for Privileged Sessions REST API must have the REST server privilege. For details, see "Modifying group privileges" in the Administration Guide. Note that the built-in api usergroup does not have this privilege by default, it is used to access the SOAP RPC API of Safeguard for Privileged Sessions.

  • Note that the system time of Safeguard for Privileged Sessions and the client must be synchronized. The authentication cookie is valid for twenty minutes, and both Safeguard for Privileged Sessions and most REST clients validate this. As a result, if the system time of Safeguard for Privileged Sessions and the client is significantly different from each other, the authentication seems to be successful, but you will not be able to actually access Safeguard for Privileged Sessions. (If the session_id is missing from the cookies file, check the system clocks.)

  • Make sure that user credentials are encoded in UTF-8.

The authentication procedure:

  1. To authenticate on the Safeguard for Privileged Sessions REST server, send an HTTPS GET request, including your certificate to the /api/authentication?type=x509 resource. The certificate must be signed by the Trusted CA certificate that is configured on the AAA > Settings > X.509 > AUTHENTICATION CA field of the Safeguard for Privileged Sessions web interface, or the /api/configuration/aaa/settings resource.

  2. If the authentication is successful, the server responds with an HTTP 302 redirect to the /api/ resource, and also , sets an HTTP cookie named session_id. This cookie is used to identify the client in every subsequent HTTP request. The response body also includes a meta object.

  3. For every subsequent request, include the session_id header with the value of the received session ID. For example:

    session_id 087658d7e30cdc2552b015dd761b6f7ccb25bbd5

  4. The authenticated session times out after 20 minutes of inactivity.

    Note that the system time of Safeguard for Privileged Sessions and the client must be synchronized. The authentication cookie is valid for twenty minutes, and both Safeguard for Privileged Sessions and most REST clients validate this. As a result, if the system time of Safeguard for Privileged Sessions and the client is significantly different from each other, the authentication seems to be successful, but you will not be able to actually access Safeguard for Privileged Sessions. (If the session_id is missing from the cookies file, check the system clocks.)

URL
GET https:<IP-address-of-Safeguard for Privileged Sessions>/api/authentication
Headers
Header name Description Required Values
Authorization Contains the username and password of the user Required The string Basic followed by the username:password encoded using the RFC2045-MIME. For example, Basic YWRtaW46YQ==
Sample request
Example: Authenticate to the Safeguard for Privileged Sessions REST server using curl

The following command authenticates on Safeguard for Privileged Sessions using the curl HTTP client. The --insecure option used in the example is used to bypass verifying the certificate of Safeguard for Privileged Sessions. (Alternatively, you can use the --cacert option or the CURL_CA_BUNDLE environment variable to specify the Certificate Authority to verify the certificate of Safeguard for Privileged Sessions. For details, see the curl man page).

When using the REST API in production environments, make sure to download the CA certificate of Safeguard for Privileged Sessions from Basic Settings > Management > SSL certificate > CA X.509 certificate, and validate the certificate of Safeguard for Privileged Sessions using this CA certificate, or with the CA certificate you used to sign the Server X.509 certificate of Safeguard for Privileged Sessions.

curl --basic --user <username>:<password> --cookie-jar cookies --insecure https://<Safeguard for Privileged Sessions-IP-address>/api/authentication

The cookie containing the session ID is also received (you can display it for example with the tail -l cookies command).

localhost  FALSE  /  FALSE  1395325830  session_id  600dc0ffeec0ffeec0ffeec0ffeec0ffeec0ffee

The following command retrieves the configuration of Safeguard for Privileged Sessions, using the session ID received during the authentication.

curl --cookie cookies --insecure https://<IP-address-of-Safeguard for Privileged Sessions>/api/configuration
Response

The following is a sample response received if the authentication is successful. For details of the meta object, see Introduction.

{
  "meta": {
     "href": "/api",
     "next": "/api",
     "transaction": "/api/transaction"
  }
}
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Using the Safeguard for Privileged Sessions REST API.

Code Description Notes
302 OK Successful authentication. If the authentication is successful, the server returns the 302 status code, and a meta object in the response body. Also, the HTTP headers of the response include an HTTP cookie named session_id. This cookie is used to identify the client in every subsequent HTTP request. The Location header in the response is /api/.
400 InvalidAuthenticationRequest Unable to authenticate: no valid credentials found. Safeguard for Privileged Sessions returns this message if password fallback is enabled for the admin user, but the admin tries to authenticate with a certificate on the /api/authentication endpoint. To authenticate with a certificate, use the /api/authentication?type=x509 endpoint.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
401 AuthenticationFailure Authenticating the user with the given credentials has failed.
405 UnsupportedMethod You tried using an unsupported HTTP method. Use the GET method for authentication.

Retrieve user information

You can check the endpoints and methods that a particular user is authorized to access.

Prerequisites:

  • The user must be logged in.

URL
GET https:<IP-address-of-Safeguard for Privileged Sessions>/api/user_info
Headers
Header name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the Safeguard for Privileged Sessions REST API.

Note that this session ID refers to the connection between the REST client and the Safeguard for Privileged Sessions REST API. It is not related to the sessions that Safeguard for Privileged Sessions records (and which also have a session ID, but in a different format).
Sample request

The following command retrieves user information from Safeguard for Privileged Sessions about the logged in user, using the session ID received during the authentication.

curl --cookie cookies https://<IP-address-of-Safeguard for Privileged Sessions>/api/user_info

Response

The following is a sample response received if the request to retrieve user information is successful. For details of the meta object, see Introduction.

{
  "user": {  
    "name": "admin",
  }
  "endpoints": [
    {
      "methods": [
        "DELETE",
        "GET",
        "POST",
        "PUT" 
      ],
      "url": "/api"
    },
    {
      "...": "..."
    }
  ],
  "meta": {
    "href": "/api/user_info",
    "...": "..."
  }
}
Element Type Description
user Top-level element, contains the details of the user whose access rights information has been retrieved.
name string The username of the logged-in user whose information has been retrieved.
endpoints Top-level element, contains the details of the endpoints that the user is authorized to access.
methods string The methods that user is authorized to use.
url string The resource that the user is authorized to access.
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Using the Safeguard for Privileged Sessions REST API.

Code Description Notes
200 OK User information has been retrieved successfully.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
401 AuthenticationFailure Authenticating the user with the given credentials has failed.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating