Identity Manager 9.2.1 - API Development Guide

Authentication (primary)

You can use the imx/login/<API project name> API method for primary authentication on the API project.

To do this, use the POST HTTP method to send a query containing the following:

{ "Module": "RoleBasedPerson", "User": "<user name>", "Password": "<password>" }

TIP: See the SDK for examples.

Security mechanisms

The API Server uses a security mechanism to prevent cross-site request forgery (XSRF) attacks. This randomly generates a token (XSRF-TOKEN) and sends it to the client in a cookie at login. The client must then transmit the value of this token in an HTTP header (X-XSRF-TOKEN) in each request sent to the server. If this header is missing, the request is terminated with error code 400.

NOTE: If an API request breaks off with an error and indicates an incorrect CSRF protection cookie, check if your browser accepts the cookies sent by the server.

TIP: You can change the name and path of the cookie and the name of the HTTP header in the Administration Portal. To do this, use the Name of the cookie containing the CSRF protection token issued by the server (XsrfProtectionCookieName) and Path for the CSRF protection cookie (XsrfProtectionCookiePath) configuration keys.

You can also disable CSRF protection in the Administration Portal (Globally disable CSRF protection tokens (XsrfProtectionDisabled) configuration key). One Identity does not recommend doing this.

For more information about editing configuration keys, see the One Identity Manager Web Application Configuration Guide.

Logging out

You can use the imx/logout/<API project name> API method to log out of the API project.

To do this, use the POST HTTP method to send a query without content.
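The login, XSRF token and logout steps described above, as an added Python sketch of a client (not code from One Identity or its SDK). The ApiSession class and its method names are hypothetical; the cookie and header names are the defaults named in this guide, and the base URL and project name are supplied by the caller.

```python
import json
import urllib.request
from http.cookies import SimpleCookie

XSRF_COOKIE = "XSRF-TOKEN"    # default cookie name (XsrfProtectionCookieName can change it)
XSRF_HEADER = "X-XSRF-TOKEN"  # header the API Server expects on each request


class ApiSession:
    """Hypothetical helper: keeps API Server cookies and mirrors the token into the header."""

    def __init__(self, base_url, project):
        self.base = base_url.rstrip("/")
        self.project = project
        self.cookies = {}

    def absorb(self, set_cookie_headers):
        """Store the cookies carried by a response's Set-Cookie header lines."""
        for header in set_cookie_headers or []:
            jar = SimpleCookie()
            jar.load(header)
            self.cookies.update({name: m.value for name, m in jar.items()})

    def post_request(self, path, payload=None):
        """Build a POST with the stored cookies and, once issued, the XSRF header."""
        data = json.dumps(payload).encode() if payload is not None else b""
        req = urllib.request.Request(f"{self.base}/{path}", data=data, method="POST")
        if payload is not None:
            req.add_header("Content-Type", "application/json")
        if self.cookies:
            req.add_header("Cookie", "; ".join(f"{k}={v}" for k, v in self.cookies.items()))
        if XSRF_COOKIE in self.cookies:
            req.add_header(XSRF_HEADER, self.cookies[XSRF_COOKIE])
        return req

    def login_request(self, user, password):
        body = {"Module": "RoleBasedPerson", "User": user, "Password": password}
        return self.post_request(f"imx/login/{self.project}", body)

    def logout_request(self):
        if XSRF_COOKIE not in self.cookies:  # fail early instead of receiving error 400
            raise RuntimeError("no XSRF token cookie stored; log in first")
        return self.post_request(f"imx/logout/{self.project}")  # POST without content

    def send(self, req):
        """Send a built request and remember any cookies the server sets."""
        with urllib.request.urlopen(req) as resp:
            self.absorb(resp.headers.get_all("Set-Cookie"))
            return resp.status, resp.read()
```

Call send(login_request(...)) first so that the token cookie issued at login is stored before any other request is built.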

Session status and security tokens

The status of a session is saved in a cookie. This cookie contains an encrypted security token which is used to restore a login to the API Server if the API Server was restarted in the meantime. The security token is cryptographically signed by the certificate selected on installation.

NOTE: If the API Server's current user restarts the browser, the cookie and its session information are reset.

Detailed information about this topic

Querying session status

You can use the imx/sessions/<API project name> API method to query the status of the session. The response contains the following information:

  • Permitted authentication module and associated parameters of the respective API project.

  • Type of secondary login
