diff --git a/v3/src/markdown/identity-api-v3-os-federation-ext.md b/v3/src/markdown/identity-api-v3-os-federation-ext.md index 636656cf..48ecc1fd 100644 --- a/v3/src/markdown/identity-api-v3-os-federation-ext.md +++ b/v3/src/markdown/identity-api-v3-os-federation-ext.md @@ -5,6 +5,13 @@ Provide the ability for users to manage Identity Providers (IdPs) and establish a set of rules to map federation protocol attributes to Identity API attributes. This extension requires v3.0+ of the Identity API. +What's New in Version 1.1 +------------------------- + +These features are not yet considered stable (expected September 4th, 2014). + +- Introduced a mechanism to exchange an Identity Token for a SAML assertion. + Definitions ----------- 
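Review bot: the new "What's New in Version 1.1" block states a bare date, "expected September 4th, 2014", without saying what is expected then; spell out that the 1.1 features are expected to be considered stable as of that date (or release), otherwise a reader cannot tell whether to build against them yet. The single bullet, "Introduced a mechanism to exchange an Identity Token for a SAML assertion", would also be more useful if it named the call it refers to, e.g. "via `POST /auth/OS-FEDERATION/saml2`", so the entry links to the section that documents it.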
@@ -992,3 +999,138 @@ Example of an OS-FEDERATION token: "issued_at": "2014-08-06T12:43:43.367288Z" } } + +Generating Assertions +--------------------- + +### Generate a SAML assertion: `POST /auth/OS-FEDERATION/saml2` + +*New in version 1.1* + +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/saml2` + +A user may generate a SAML assertion document based on the scoped token that is +used in the request. + +Request Parameters: + +To generate a SAML assertion, a user must provides a scoped token ID and +region ID in the request body. + +Example request: + + { + "auth": { + "identity": { + "methods": [ + "token" + ], + "token": { + "id": "--token_id--" + } + }, + "scope": { + "region": { + "id": "--region_id--" + } + } + } + } + +The response will be a full SAML assertion. Note that for readability the +certificate has been truncated. + +Response: + + Headers: + Content-Type: text/xml + + + + + https://www.acme.com + + + + + + + https://www.acme.com + + + + + + + + + + + + + + vzR9Hfp8d16576tEDeq/zhpmLoo= + + + + + AzID5hhJeJlG2llUDvZswNUrlrPtR7S37QYH2W+Un1n8c6kTC + Xr/lihEKPcA2PZt86eBntFBVDWTRlh/W3yUgGOqQBJMFOVbhK + M/CbLHbBUVT5TcxIqvsNvIFdjIGNkf1W0SBqRKZOJ6tzxCcLo + 9dXqAyAUkqDpX5+AyltwrdCPNmncUM4dtRPjI05CL1rRaGeyX + 3kkqOL8p0vjm0fazU5tCAJLbYuYgU1LivPSahWNcpvRSlCI4e + Pn2oiVDyrcc4et12inPMTc2lGIWWWWJyHOPSiXRSkEAIwQVjf + Qm5cpli44Pv8FCrdGWpEE0yXsPBvDkM9jIzwCYGG2fKaLBag== + + + + + MIIEATCCAumgAwIBAgIBBTANBgkqhkiG9w0BAQ0FADCBgzELM + + + + + + + saml01@acme.com + + + + + + + + https://saml.acme.com + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified + + + + + + 060D00000000SHZ + + + + 00DD0000000F7L5 + + + + + http://www.acme.com/security/saml/saml20-gen.jsp + + + + + + +For more information about how a SAML assertion is structured, refer to the +[specification](http://saml.xml.org/saml-specifications).
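Review bot: the relationship link for this resource points at `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/saml2` although the section is marked *New in version 1.1*; either use the 1.1 relationship URL or say why the 1.0 one is kept. The request description also leaves open what a caller needs to know: the prose says the assertion is generated "based on the scoped token that is used in the request", yet the body carries its own token (`"methods": ["token"]`, `"token": {"id": "--token_id--"}`) together with `"scope": {"region": {"id": "--region_id--"}}`, so state which token is consumed (the one in the body or the `X-Auth-Token` header), what scope it must already hold, and what the region ID selects in the resulting assertion; "a user must provides a scoped token ID" should read "must provide". On the response side, document the status code and the error returned for an unscoped token or an unknown region, and, since the sample assertion carries a digest, a signature value and a (truncated) certificate, say whose signing certificate that is, so a relying party knows which certificate to trust rather than accepting the one embedded in the assertion it is validating.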