openstack
/
keystone
Code Issues Proposed changes

Migrate OS-FEDERATION from specs repo 

This commit migrates OS-FEDERATION docs from the spec repo to keystone server
repo under api-ref/source/v3-ext/ directory.

Change-Id: I2423030bd0849c051d22f63bf60b6a5f41f72574
This commit is contained in:
Samuel de Medeiros Queiroz 2016-07-14 15:04:55 -03:00 committed by Steve Martinelli
parent 852bda4eae
commit 53b5b99785
36 changed files with 1646 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

839
api-ref/source/v3-ext/federation.inc Normal file
View File

@ -0,0 +1,839 @@
.. -*- rst -*-
===================
OS-FEDERATION API
===================
Provide the ability for users to manage Identity Providers (IdPs) and establish
a set of rules to map federation protocol attributes to Identity API
attributes. Requires v3.0+ of the Identity API.
What's New in Version 1.3
=========================
Corresponding to Identity API v3.5 release.
- Added Identity Provider specific websso routes.
What's New in Version 1.2
=========================
Corresponding to Identity API v3.4 release.
- Add websso routes.
What's New in Version 1.1
=========================
Corresponding to Identity API v3.3 release. These features are considered
stable as of September 4th, 2014.
- Deprecate list projects and domains in favour of core functionality available
in Identity API v3.3.
- Introduced a mechanism to exchange an Identity Token for a SAML assertion.
- Introduced a mechanism to retrieve Identity Provider Metadata.
Definitions
===========
- *Trusted Identity Provider*: An identity provider set up within the Identity
API that is trusted to provide authenticated user information.
- *Service Provider*: A system entity that provides services to principals or
other system entities, in this case, the OpenStack Identity API is the
Service Provider.
- *Attribute Mapping*: The user information passed by a federation protocol for
an already authenticated identity are called ``attributes``. Those
``attributes`` may not align directly with the Identity API concepts. To help
overcome such mismatches, a mapping can be done either on the sending side
(third party identity provider), on the consuming side (Identity API
service), or both.
- *Protocol*: A protocol capable of performing federated identity authentication.
For example, the OpenID Connect or SAML 2.0 protocols.
API Resources
=============
Identity Providers
------------------
::
/OS-FEDERATION/identity_providers
An Identity Provider (IdP) is a third party service that is trusted by the
Identity API to authenticate identities.
Optional attributes:
- ``description`` (string)
Describes the identity provider.
If a value is not specified by the client, the service will default this
value to ``null``.
- ``enabled`` (boolean)
Indicates whether this identity provider should accept federated
authentication requests.
If a value is not specified by the client, the service will default this to
``false``.
- ``remote_ids`` (list)
Valid remote IdP entity values from Identity Providers. If a value is not
specified by the client, the list will be empty.
Protocols
---------
::
/OS-FEDERATION/identity_providers/{idp_id}/protocols
A protocol entry contains information that dictates which mapping rules to use
for a given incoming request. An IdP may have multiple supported protocols.
Required attributes:
- ``mapping_id`` (string)
Indicates which mapping should be used to process federated authentication
requests.
Mappings
--------
::
/OS-FEDERATION/mappings
A ``mapping`` is a set of rules to map federation protocol attributes to
Identity API objects. An Identity Provider can have a single ``mapping``
specified per protocol. A mapping is simply a list of ``rules``.
Required attributes:
- ``rules`` (list of objects)
Each object contains a rule for mapping attributes to Identity API concepts.
A rule contains a ``remote`` attribute description and the destination
``local`` attribute.
- ``local`` (list of objects)
References a local Identity API resource, such as a ``group`` or ``user`` to
which the remote attributes will be mapped.
Each object has one of two structures, as follows.
To map a remote attribute value directly to a local attribute, identify the
local resource type and attribute:
::
{
"user": {
"name": "{0}"
}
}
If the ``user`` attribute is missing when processing an assertion, server
tries to directly map ``REMOTE_USER`` environment variable. If this variable
is also unavailable the server returns an HTTP ``401 Unauthorized`` error.
If the ``user`` has domain specified, the user is treated as existing in the
backend, hence the server will fetch user details (id, name, roles, groups).
If, however, the user does not exist in the backend, the server will
respond with an appropriate HTTP error code.
If no domain is specified in the local rule, user is deemed ephemeral
and becomes a member of service domain named ``Federated``.
An example of user object mapping to an existing user:
::
{
"user": {
"name": "username"
"domain": {
"name": "domain_name"
}
}
}
For attribute type and value mapping, identify the local resource type,
attribute, and value:
::
{
"group": {
"id": "89678b"
}
}
This assigns authorization attributes, by way of role assignments on the
specified group, to ephemeral users.
::
{
"group_ids": "{0}"
}
It is also possible to map multiple groups by providing a list of group ids.
Those group ids can also be white/blacklisted.
- ``remote`` (list of objects)
At least one object must be included.
If more than one object is included, the local attribute is applied only if
all remote attributes match.
The value identified by ``type`` is always passed through unless a constraint
is specified using either ``any_one_of`` or ``not_one_of``.
- ``type`` (string)
This represents an assertion type keyword.
- ``any_one_of`` (list of strings)
This is mutually exclusive with ``not_any_of``.
The rule is matched only if any of the specified strings appear in the
remote attribute ``type``.
- ``not_any_of`` (list of strings)
This is mutually exclusive with ``any_one_of``.
The rule is not matched if any of the specified strings appear in the
remote attribute ``type``.
- ``regex`` (boolean)
If ``true``, then each string will be evaluated as a `regular expression
<http://docs.python.org/2/library/re.html>`__ search against the remote
attribute ``type``.
The ``blacklist`` and ``whitelist`` rules are always used in conjuction with
``type``.
- ``blacklist`` (list of strings)
This is mutually exclusive with ``whitelist``.
The rule works as a filter, removing any specified strings that are
listed there from the remote attribute ``type``.
- ``whitelist`` (list of strings)
This is mutually exclusive with ``blacklist``.
The rule works as a filter, allowing only the specified strings in
the remote attribute ``type`` to be passed ahead.
Service Providers
-----------------
::
/OS-FEDERATION/service_providers
A service provider is a third party service that is trusted by the Identity
Service.
Required attributes:
- ``auth_url`` (string)
Specifies the protected URL where tokens can be retrieved once the user is
authenticated.
- ``sp_url`` (string)
Specifies the URL at the remote peer where assertion should be sent.
Optional attributes:
- ``description`` (string)
Describes the service provider
If a value is not specified by the client, the service may default this value
to ``null``.
- ``enabled`` (boolean)
Indicates whether bursting into this service provider is enabled by cloud
administrators. If set to ``false`` the SP will not appear in the catalog and
requests to generate an assertion will result in a 403 error.
If a value is not specified by the client, the service will default this to
``false``.
- ``relay_state_prefix`` (string)
Indicates the relay state prefix, used in the ECP wrapped SAML messages, by the
Service Provider.
If a value is not specified by the client, the service will default this value
to ``ss:mem:``.
.. TODO(samueldmq): This is the Identity Provider API, move it to its own file.
Register an Identity Provider
=============================
.. rest_method:: PUT /OS-FEDERATION/identity_providers/{idp_id}
Normal response codes: 201
Error response codes: 409
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-register-request.json
:language: javascript
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-register-response.json
:language: javascript
List identity providers
=======================
.. rest_method:: GET /OS-FEDERATION/identity_providers
Normal response codes: 200
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-list-response.json
:language: javascript
Get Identity provider
=====================
.. rest_method:: GET /OS-FEDERATION/identity_providers/{idp_id}
Normal response codes: 200
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-get-response.json
:language: javascript
Delete identity provider
========================
.. rest_method:: DELETE /OS-FEDERATION/identity_providers/{idp_id}
When an identity provider is deleted, any tokens generated by that identity
provider will be revoked.
Normal response codes: 204
Update identity provider
========================
.. rest_method:: PATCH /OS-FEDERATION/identity_providers/{idp_id}
When an identity provider is disabled, any tokens generated by that identity
provider will be revoked.
Normal response codes: 200
Error response codes: 409
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-update-request.json
:language: javascript
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-update-response.json
:language: javascript
Add a protocol and attribute mapping to an identity provider
============================================================
.. rest_method:: PUT /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Normal response codes: 201
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-add-protocol-request.json
:language: javascript
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-add-protocol-response.json
:language: javascript
List all protocol and attribute mappings of an identity provider
================================================================
.. rest_method:: GET /OS-FEDERATION/identity_providers/{idp_id}/protocols
Normal response codes: 200
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-list-protocol-response.json
:language: javascript
Get a protocol and attribute mapping for an identity provider
=============================================================
.. rest_method:: GET /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Normal response codes: 200
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-get-protocol-response.json
:language: javascript
Update the attribute mapping for an identity provider and protocol
==================================================================
.. rest_method:: PATCH /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Normal response codes: 200
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-update-protocol-request.json
:language: javascript
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/idp-update-protocol-response.json
:language: javascript
Delete a protocol and attribute mapping from an identity provider
=================================================================
.. rest_method:: DELETE /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Normal response codes: 204
.. TODO(samueldmq): This is the Mapping API, move it to its own file.
Create a mapping
================
.. rest_method:: PUT /OS-FEDERATION/mappings/{mapping_id}
Normal response codes: 201
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/mapping-create-request.json
:language: javascript
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/mapping-create-response.json
:language: javascript
Get a mapping
=============
.. rest_method:: GET /OS-FEDERATION/mappings/{mapping_id}
Normal response codes: 200
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/mapping-get-response.json
:language: javascript
Update a mapping
================
.. rest_method:: PATCH /OS-FEDERATION/mappings/{mapping_id}
Normal response codes: 200
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/mapping-update-request.json
:language: javascript
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/mapping-update-response.json
:language: javascript
List all mappings
=================
.. rest_method:: GET /OS-FEDERATION/mappings
Normal response codes: 200
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/mapping-list-response.json
:language: javascript
Delete a mapping
================
.. rest_method:: DELETE /OS-FEDERATION/mappings/{mapping_id}
Normal response codes: 204
.. TODO(samueldmq): This is the Service Provider API, move it to its own file.
Register a Service Provider
===========================
.. rest_method:: PUT /OS-FEDERATION/service_providers/{sp_id}
Normal response codes: 201
Error response codes: 400 Bad Request when registering a service provider with
invalid URLs for either `auth_url` or `sp_url`.
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/sp-register-request.json
:language: javascript
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/sp-register-response.json
:language: javascript
Listing Service Providers
=========================
.. rest_method:: GET /OS-FEDERATION/service_providers
Normal response codes: 200
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/sp-list-response.json
:language: javascript
Get Service Provider
====================
.. rest_method:: GET /OS-FEDERATION/service_providers/{sp_id}
Normal response codes: 200
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/sp-get-response.json
:language: javascript
Delete Service Provider
=======================
.. rest_method:: DELETE /OS-FEDERATION/service_providers/{sp_id}
Normal response codes: 204
Update Service Provider
=======================
.. rest_method:: PATCH /OS-FEDERATION/service_providers/{sp_id}
Normal response codes: 200
Error response codes: 400 Bad Request when updating a service provider with
invalid URLs for either `auth_url` or `sp_url`.
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/sp-update-request.json
:language: javascript
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/sp-update-response.json
:language: javascript
.. TODO(samueldmq): This is the Listing Projects and Domains API, move it to its
own file.
.. **Deprecated in v1.1**. This section is deprecated as the functionality is
available in the core Identity API.
List projects a federated user can access
=========================================
.. rest_method:: GET /OS-FEDERATION/projects
Normal response codes: 200
**Deprecated in v1.1**. Use core ``GET /auth/projects``. This call has the same
response format.
Returns a collection of projects to which the federated user has authorization
to access. To access this resource, an unscoped token is used, the user can
then select a project and request a scoped token. Note that only enabled
projects will be returned.
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/project-list-response.json
:language: javascript
List domains a federated user can access
========================================
.. rest_method:: GET /OS-FEDERATION/domains
Normal response codes: 200
**Deprecated in v1.1**. Use core ``GET /auth/domains``. This call has the same
response format.
Returns a collection of domains to which the federated user has authorization
to access. To access this resource, an unscoped token is used, the user can
then select a domain and request a scoped token. Note that only enabled domains
will be returned.
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/domain-list-response.json
:language: javascript
.. TODO(samueldmq): This is the Federation Authentication API, move it to its
own file.
Request an unscoped OS-FEDERATION token
=======================================
.. rest_method:: GET /OS-FEDERATION/identity_providers/{identity_provider}/protocols/{protocol}/auth
A federated ephemeral user may request an unscoped token, which can be used to
get a scoped token.
If the user is mapped directly (mapped to an existing user), a standard,
unscoped token will be issued.
Due to the fact that this part of authentication is strictly connected with the
SAML2 authentication workflow, a client should not send any data, as the
content may be lost when a client is being redirected between Service Provider
and Identity Provider. Both HTTP methods - GET and POST should be allowed as
Web Single Sign-On (WebSSO) and Enhanced Client Proxy (ECP) mechanisms have
different authentication workflows and use different HTTP methods while
accessing protected endpoints.
The returned token will contain information about the groups to which the
federated user belongs.
Example Identity API token response: `Various OpenStack token responses
<identity-api-v3.md#authentication-responses>`__
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/unscoped-token-response.json
:language: javascript
Request a scoped OS-FEDERATION token
====================================
.. rest_method:: POST /auth/tokens
A federated user may request a scoped token, by using the unscoped token. A
project or domain may be specified by either id or name. An id is sufficient to
uniquely identify a project or domain.
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/scoped-token-request.json
:language: javascript
Similarly to the returned unscoped token, the returned scoped token will have
an ``OS-FEDERATION`` section added to the ``user`` portion of the token.
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/scoped-token-response.json
:language: javascript
Web Single Sign On authentication (New in version 1.2)
======================================================
.. rest_method:: GET /auth/OS-FEDERATION/websso/{protocol}?origin=https%3A//horizon.example.com
For Web Single Sign On (WebSSO) authentication, users are expected to enter
another URL endpoint. Upon successful authentication, instead of issuing a
standard unscoped token, keystone will issue JavaScript code that redirects
the web browser to the originating Horizon. An unscoped federated token will
be included in the form being sent.
Web Single Sign On authentication (New in version 1.3)
======================================================
.. rest_method:: GET /auth/OS-FEDERATION/identity_providers/{idp_id}/protocol/{protocol_id}/websso?origin=https%3A//horizon.example.com
In contrast to the above route, this route begins a Web Single Sign On request
that is specific to the supplied Identity Provider and Protocol. Keystone will
issue JavaScript that handles redirections in the same way as the other route.
An unscoped federated token will be included in the form being sent.
.. TODO(samueldmq): This is the Generating Assertions API, move it to its own
file.
.. *New in version 1.1*
Generate a SAML assertion
=========================
.. rest_method:: POST /auth/OS-FEDERATION/saml2
A user may generate a SAML assertion document based on the scoped token that is
used in the request.
Request Parameters:
To generate a SAML assertion, a user must provides a scoped token ID and
Service Provider ID in the request body.
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/saml-assertion-request.json
:language: javascript
The response will be a full SAML assertion. Note that for readability the
certificate has been truncated. Server will also set two HTTP headers:
``X-sp-url`` and ``X-auth-url``. The former is the URL where assertion should
be sent, whereas the latter remote URL where token will be issued once the
client is finally authenticated.
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/saml-assertion-response.xml
:language: xml
For more information about how a SAML assertion is structured, refer to the
`specification <http://saml.xml.org/saml-specifications>`__.
Generate an ECP wrapped SAML assertion
======================================
.. rest_method:: POST /auth/OS-FEDERATION/saml2/ecp
A user may generate a SAML assertion document to work with the
*Enhanced Client or Proxy* (ECP) profile based on the scoped token that is
used in the request.
Request Parameters:
To generate an ECP wrapped SAML assertion, a user must provides a scoped token
ID and Service Provider ID in the request body.
Request Example
---------------
.. literalinclude:: ./samples/OS-FEDERATION/ecp-saml-assertion-request.json
:language: javascript
The response will be an ECP wrapped SAML assertion. Note that for readability
the certificate has been truncated. Server will also set two HTTP headers:
``X-sp-url`` and ``X-auth-url``. The former is the URL where assertion should
be sent, whereas the latter remote URL where token will be issued once the
client is finally authenticated.
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/ecp-saml-assertion-response.xml
:language: xml
Retrieve Metadata properties
============================
.. rest_method:: GET /OS-FEDERATION/saml2/metadata
A user may retrieve Metadata about an Identity Service acting as an Identity
Provider.
The response will be a full document with Metadata properties. Note that for
readability, this example certificate has been truncated.
Response Example
----------------
.. literalinclude:: ./samples/OS-FEDERATION/metadata-response.xml
:language: xml
For more information about how a SAML assertion is structured, refer to the
`specification <http://saml.xml.org/saml-specifications>`__.

2
api-ref/source/v3-ext/index.rst
View File

@ -11,6 +11,7 @@ This page describes these Identity API v3 extensions:
* `OS-TRUST API`_
* `OS-REVOKE API`_
* `OS-EP-FILTER API`_
* `OS-FEDERATION API`_
.. rest_expand_all::
@ -19,3 +20,4 @@ This page describes these Identity API v3 extensions:
.. include:: trust.inc
.. include:: revoke.inc
.. include:: ep-filter.inc
.. include:: federation.inc

18
api-ref/source/v3-ext/samples/OS-FEDERATION/domain-list-response.json Normal file
View File

@ -0,0 +1,18 @@
{
"domains": [
{
"description": "desc of domain",
"enabled": true,
"id": "37ef61",
"links": {
"self": "http://identity:35357/v3/domains/37ef61"
},
"name": "my domain"
}
],
"links": {
"self": "http://identity:35357/v3/OS-FEDERATION/domains",
"previous": null,
"next": null
}
}

17
api-ref/source/v3-ext/samples/OS-FEDERATION/ecp-saml-assertion-request.json Normal file
View File

@ -0,0 +1,17 @@
{
"auth": {
"identity": {
"methods": [
"token"
],
"token": {
"id": "--token_id--"
}
},
"scope": {
"service_provider": {
"id": "--sp_id--"
}
}
}
}

82
api-ref/source/v3-ext/samples/OS-FEDERATION/ecp-saml-assertion-response.xml Normal file
View File

@ -0,0 +1,82 @@
Headers:
Content-Type: text/xml
X-sp-url: http://beta.example.com/Shibboleth.sso/POST/ECP
X-auth-url: http://beta.example.com:5000/v3/OS-FEDERATION/identity_providers/beta/protocols/auth
<?xml version='1.0' encoding='UTF-8'?>
<ns0:Envelope
xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
xmlns:ns2="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xmldsig="http://www.w3.org/2000/09/xmldsig#"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns0:Header>
<ns1:RelayState ns0:actor="http://schemas.xmlsoap.org/soap/actor/next" ns0:mustUnderstand="1">ss:mem:1ddfe8b0f58341a5a840d2e8717b0737</ns1:RelayState>
</ns0:Header>
<ns0:Body>
<ns2:Response Destination="http://beta.example.com/Shibboleth.sso/POST/ECP" ID="8c21de08d2f2435c9acf13e72c982846" IssueInstant="2015-03-25T14:43:21Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://keystone.idp/v3/OS-FEDERATION/saml2/idp</saml:Issuer>
<ns2:Status>
<ns2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</ns2:Status>
<saml:Assertion ID="a5f02efb0bff4044b294b4583c7dfc5d" IssueInstant="2015-03-25T14:43:21Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://keystone.idp/v3/OS-FEDERATION/saml2/idp</saml:Issuer>
<xmldsig:Signature>
<xmldsig:SignedInfo>
<xmldsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<xmldsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<xmldsig:Reference URI="#a5f02efb0bff4044b294b4583c7dfc5d">
<xmldsig:Transforms>
<xmldsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<xmldsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</xmldsig:Transforms>
<xmldsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<xmldsig:DigestValue>0KH2CxdkfzU+6eiRhTC+mbObUKI=</xmldsig:DigestValue>
</xmldsig:Reference>
</xmldsig:SignedInfo>
<xmldsig:SignatureValue>m2jh5gDvX/1k+4uKtbb08CHp2b9UWsLwjtMijs9C9gZV2dIJKiF9SJBWE4C79qT4
uktgeB0RQiFrgxOGfpp1gyQunmNyZcipcetOk4PebH4/z+po/59w8oGp89fPfdRj
WhWA0fWP32Pr5eslRQjbHnSRTFMp3ycBZHsCCsTWdhyiWC6aERsspHeeGjkzxRAZ
HxJ8oLMj/TWBJ2iaUDUT6cxa1svmtumoC3GPPOreuGELXTL5MtKotTVqYN6lZP8B
Ueaji11oRI1HE9XMuPu0iYlSo1i3JyejciSFgplgdHsebpM29PMo8oz2TCybY39p
kmuD4y9XX3lRBcpJRxku7w==</xmldsig:SignatureValue>
<xmldsig:KeyInfo>
<xmldsig:X509Data>
<xmldsig:X509Certificate>...</xmldsig:X509Certificate>
</xmldsig:X509Data>
</xmldsig:KeyInfo>
</xmldsig:Signature>
<saml:Subject>
<saml:NameID>admin</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2015-03-25T15:43:21.172385Z" Recipient="http://beta.example.com/Shibboleth.sso/POST/ECP" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:AuthnStatement AuthnInstant="2015-03-25T14:43:21Z" SessionIndex="9790eb729858456f8a33b7a11f0a637e" SessionNotOnOrAfter="2015-03-25T15:43:21.172385Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
<saml:AuthenticatingAuthority>http://keystone.idp/v3/OS-FEDERATION/saml2/idp</saml:AuthenticatingAuthority>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="openstack_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="openstack_user_domain" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Default</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="openstack_roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="openstack_project" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="openstack_project_domain" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Default</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</ns2:Response>
</ns0:Body>
</ns0:Envelope>

5
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-add-protocol-request.json Normal file
View File

@ -0,0 +1,5 @@
{
"protocol": {
"mapping_id": "xyz234"
}
}

10
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-add-protocol-response.json Normal file
View File

@ -0,0 +1,10 @@
{
"protocol": {
"id": "saml2",
"links": {
"identity_provider": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME",
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols/saml2"
},
"mapping_id": "xyz234"
}
}

10
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-get-protocol-response.json Normal file
View File

@ -0,0 +1,10 @@
{
"protocol": {
"id": "saml2",
"links": {
"identity_provider": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME",
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols/saml2"
},
"mapping_id": "xyz234"
}
}

12
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-get-response.json Normal file
View File

@ -0,0 +1,12 @@
{
"identity_provider": {
"description": "Stores ACME identities",
"remote_ids": ["acme_id_1", "acme_id_2"],
"enabled": false,
"id": "ACME",
"links": {
"protocols": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols",
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME"
}
}
}

17
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-list-protocol-response.json Normal file
View File

@ -0,0 +1,17 @@
{
"links": {
"next": null,
"previous": null,
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols"
},
"protocols": [
{
"id": "saml2",
"links": {
"identity_provider": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME",
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols/saml2"
},
"mapping_id": "xyz234"
}
]
}

29
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-list-response.json Normal file
View File

@ -0,0 +1,29 @@
{
"identity_providers": [
{
"description": "Stores ACME identities",
"remote_ids": ["acme_id_1", "acme_id_2"],
"enabled": true,
"id": "ACME",
"links": {
"protocols": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols",
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME"
}
},
{
"description": "Stores contractor identities",
"remote_ids": ["sore_id_1", "store_id_2"],
"enabled": false,
"id": "ACME-contractors",
"links": {
"protocols": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME-contractors/protocols",
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME-contractors"
}
}
],
"links": {
"next": null,
"previous": null,
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers"
}
}

7
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-register-request.json Normal file
View File

@ -0,0 +1,7 @@
{
"identity_provider": {
"description": "Stores ACME identities.",
"remote_ids": ["acme_id_1", "acme_id_2"],
"enabled": true
}
}

12
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-register-response.json Normal file
View File

@ -0,0 +1,12 @@
{
"identity_provider": {
"description": "Stores ACME identities",
"remote_ids": ["acme_id_1", "acme_id_2"],
"enabled": true,
"id": "ACME",
"links": {
"protocols": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols",
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME"
}
}
}

5
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-update-protocol-request.json Normal file
View File

@ -0,0 +1,5 @@
{
"protocol": {
"mapping_id": "xyz234"
}
}

10
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-update-protocol-response.json Normal file
View File

@ -0,0 +1,10 @@
{
"protocol": {
"id": "saml2",
"links": {
"identity_provider": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME",
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols/saml2"
},
"mapping_id": "xyz234"
}
}

6
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-update-request.json Normal file
View File

@ -0,0 +1,6 @@
{
"identity_provider": {
"remote_ids": ["beta_id_1", "beta_id_2"],
"enabled": true
}
}

12
api-ref/source/v3-ext/samples/OS-FEDERATION/idp-update-response.json Normal file
View File

@ -0,0 +1,12 @@
{
"identity_provider": {
"description": "Beta dev idp",
"remote_ids": ["beta_id_1", "beta_id_2"],
"enabled": true,
"id": "ACME",
"links": {
"protocols": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols",
"self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME"
}
}
}

32
api-ref/source/v3-ext/samples/OS-FEDERATION/mapping-create-request.json Normal file
View File

@ -0,0 +1,32 @@
{
"mapping": {
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
}
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"not_any_of": [
"Contractor",
"Guest"
]
}
]
}
]
}
}

36
api-ref/source/v3-ext/samples/OS-FEDERATION/mapping-create-response.json Normal file
View File

@ -0,0 +1,36 @@
{
"mapping": {
"id": "ACME",
"links": {
"self": "http://identity:35357/v3/OS-FEDERATION/mappings/ACME"
},
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
}
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"not_any_of": [
"Contractor",
"Guest"
]
}
]
}
]
}
}

36
api-ref/source/v3-ext/samples/OS-FEDERATION/mapping-get-response.json Normal file
View File

@ -0,0 +1,36 @@
{
"mapping": {
"id": "ACME",
"links": {
"self": "http://identity:35357/v3/OS-FEDERATION/mappings/ACME"
},
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
}
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"not_any_of": [
"Contractor",
"Guest"
]
}
]
}
]
}
}

43
api-ref/source/v3-ext/samples/OS-FEDERATION/mapping-list-response.json Normal file
View File

@ -0,0 +1,43 @@
{
"links": {
"next": null,
"previous": null,
"self": "http://identity:35357/v3/OS-FEDERATION/mappings"
},
"mappings": [
{
"id": "ACME",
"links": {
"self": "http://identity:35357/v3/OS-FEDERATION/mappings/ACME"
},
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
}
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"any_one_of": [
"Contractor",
"SubContractor"
]
}
]
}
]
}
]
}

32
api-ref/source/v3-ext/samples/OS-FEDERATION/mapping-update-request.json Normal file
View File

@ -0,0 +1,32 @@
{
"mapping": {
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
}
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"any_one_of": [
"Contractor",
"SubContractor"
]
}
]
}
]
}
}

36
api-ref/source/v3-ext/samples/OS-FEDERATION/mapping-update-response.json Normal file
View File

@ -0,0 +1,36 @@
{
"mapping": {
"id": "ACME",
"links": {
"self": "http://identity:35357/v3/OS-FEDERATION/mappings/ACME"
},
"rules": [
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "0cd5e9"
}
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "orgPersonType",
"any_one_of": [
"Contractor",
"SubContractor"
]
}
]
}
]
}
}

29
api-ref/source/v3-ext/samples/OS-FEDERATION/metadata-response.xml Normal file
View File

@ -0,0 +1,29 @@
Headers:
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ns1="http://www.w3.org/2000/09/xmldsig#" entityID="k2k.com/v3/OS-FEDERATION/idp"
validUntil="2014-08-19T21:24:17.411289Z">
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ns0:KeyDescriptor use="signing">
<ns1:KeyInfo>
<ns1:X509Data>
<ns1:X509Certificate>MIIDpTCCAo0CAREwDQYJKoZIhvcNAQEFBQAwgZ</ns1:X509Certificate>
</ns1:X509Data>
</ns1:KeyInfo>
</ns0:KeyDescriptor>
</ns0:IDPSSODescriptor>
<ns0:Organization>
<ns0:OrganizationName xml:lang="en">openstack</ns0:OrganizationName>
<ns0:OrganizationDisplayName xml:lang="en">openstack</ns0:OrganizationDisplayName>
<ns0:OrganizationURL xml:lang="en">openstack</ns0:OrganizationURL>
</ns0:Organization>
<ns0:ContactPerson contactType="technical">
<ns0:Company>openstack</ns0:Company>
<ns0:GivenName>first</ns0:GivenName>
<ns0:SurName>lastname</ns0:SurName>
<ns0:EmailAddress>admin@example.com</ns0:EmailAddress>
<ns0:TelephoneNumber>555-555-5555</ns0:TelephoneNumber>
</ns0:ContactPerson>
</ns0:EntityDescriptor>

27
api-ref/source/v3-ext/samples/OS-FEDERATION/project-list-response.json Normal file
View File

@ -0,0 +1,27 @@
{
"projects": [
{
"domain_id": "37ef61",
"enabled": true,
"id": "12d706",
"links": {
"self": "http://identity:35357/v3/projects/12d706"
},
"name": "a project name"
},
{
"domain_id": "37ef61",
"enabled": true,
"id": "9ca0eb",
"links": {
"self": "http://identity:35357/v3/projects/9ca0eb"
},
"name": "another project"
}
],
"links": {
"self": "http://identity:35357/v3/OS-FEDERATION/projects",
"previous": null,
"next": null
}
}

17
api-ref/source/v3-ext/samples/OS-FEDERATION/saml-assertion-request.json Normal file
View File

@ -0,0 +1,17 @@
{
"auth": {
"identity": {
"methods": [
"token"
],
"token": {
"id": "--token_id--"
}
},
"scope": {
"service_provider": {
"id": "--sp_id--"
}
}
}
}

69
api-ref/source/v3-ext/samples/OS-FEDERATION/saml-assertion-response.xml Normal file
View File

@ -0,0 +1,69 @@
Headers:
Content-Type: text/xml
X-sp-url: http://beta.example.com/Shibboleth.sso/POST/ECP
X-auth-url: http://beta.example.com:5000/v3/OS-FEDERATION/identity_providers/beta/protocols/auth
<?xml version="1.0" encoding="UTF-8"?>
<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xmldsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://beta.example.com/Shibboleth.sso/POST/ECP" ID="818dee98a5d44a238ae3038d26cbebb6" IssueInstant="2015-05-27T13:23:48Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://keystone.idp/v3/OS-FEDERATION/saml2/idp</saml:Issuer>
<ns0:Status>
<ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</ns0:Status>
<saml:Assertion ID="68237000470e47a690bdd513bb264460" IssueInstant="2015-05-27T13:23:47Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://keystone.idp/v3/OS-FEDERATION/saml2/idp</saml:Issuer>
<xmldsig:Signature>
<xmldsig:SignedInfo>
<xmldsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<xmldsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<xmldsig:Reference URI="#68237000470e47a690bdd513bb264460">
<xmldsig:Transforms>
<xmldsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<xmldsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</xmldsig:Transforms>
<xmldsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<xmldsig:DigestValue>IgfoWcCoBpmv64ianaK/qj63QQQ=</xmldsig:DigestValue>
</xmldsig:Reference>
</xmldsig:SignedInfo>
<xmldsig:SignatureValue>H6GvkAcDW0BSoBaktpVTxUFtvUAcFMXRqYXLFvmse5DeOSnByvGOgW/yJMjIqzwG
LjCqJXYMePIkEUYb4kqbbkN1wNFuxKtmACcC3T3/7rAavrIz3I4cT6mCipN9qFlE
tzR0mD2IZhExuTzyMaON8krTWWoddx8LIYEfQ03O4eSYObi5fHmGJRGs9D5De0aK
XkIeKo7HRAjZsU5fAMGlEKfazemTZMBbnpUD//oFsxf1yFcFTOyiAHddAaG7Rqv3
4SYjYo4dRKAI/yQuA+MVmHDcJUE+KVqVoJZJSVJe+Lz+X1ReRlEgvP0mhaM0yY+R
w7FozqQyKSKJW9abmxJTFQ==</xmldsig:SignatureValue>
<xmldsig:KeyInfo>
<xmldsig:X509Data>
<xmldsig:X509Certificate>...</xmldsig:X509Certificate>
</xmldsig:X509Data>
</xmldsig:KeyInfo>
</xmldsig:Signature>
<saml:Subject>
<saml:NameID>admin</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2015-05-27T14:23:47.711682Z" Recipient="http://beta.example.com/Shibboleth.sso/POST/ECP/">
</saml:SubjectConfirmation>
</saml:Subject>
<saml:AuthnStatement AuthnInstant="2015-05-27T13:23:47Z" SessionIndex="cd839a3ff0fc4a4aab52e55fae8094a2" SessionNotOnOrAfter="2015-05-27T14:23:47.711682Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
<saml:AuthenticatingAuthority>http://keystone.idp/v3/OS-FEDERATION/saml2/idp</saml:AuthenticatingAuthority>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="openstack_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="openstack_user_domain" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Default</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="openstack_roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="openstack_project" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="openstack_project_domain" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Default</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</ns0:Response>

17
api-ref/source/v3-ext/samples/OS-FEDERATION/scoped-token-request.json Normal file
View File

@ -0,0 +1,17 @@
{
"auth": {
"identity": {
"methods": [
"token"
],
"token": {
"id": "--federated-token-id--"
}
},
"scope": {
"project": {
"id": "263fd9"
}
}
}
}

71
api-ref/source/v3-ext/samples/OS-FEDERATION/scoped-token-response.json Normal file
View File

@ -0,0 +1,71 @@
{
"token": {
"methods": [
"token"
],
"roles": [
{
"id": "36a8989f52b24872a7f0c59828ab2a26",
"name": "admin"
}
],
"expires_at": "2014-08-06T13:43:43.367202Z",
"project": {
"domain": {
"id": "1789d1",
"links": {
"self": "http://identity:35357/v3/domains/1789d1"
},
"name": "example.com"
},
"id": "263fd9",
"links": {
"self": "http://identity:35357/v3/projects/263fd9"
},
"name": "project-x"
},
"catalog": [
{
"endpoints": [
{
"id": "39dc322ce86c4111b4f06c2eeae0841b",
"interface": "public",
"region": "RegionOne",
"url": "http://localhost:5000"
},
{
"id": "ec642f27474842e78bf059f6c48f4e99",
"interface": "internal",
"region": "RegionOne",
"url": "http://localhost:5000"
},
{
"id": "c609fc430175452290b62a4242e8a7e8",
"interface": "admin",
"region": "RegionOne",
"url": "http://localhost:35357"
}
],
"id": "266c2aa381ea46df81bb05ddb02bd14a",
"name": "keystone",
"type": "identity"
}
],
"user": {
"domain": {
"id": "Federated"
},
"id": "username%40example.com",
"name": "username@example.com",
"OS-FEDERATION": {
"identity_provider": "ACME",
"protocol": "SAML",
"groups": [
{"id": "abc123"},
{"id": "bcd234"}
]
}
},
"issued_at": "2014-08-06T12:43:43.367288Z"
}
}

13
api-ref/source/v3-ext/samples/OS-FEDERATION/sp-get-response.json Normal file
View File

@ -0,0 +1,13 @@
{
"service_provider": {
"auth_url": "https://example.com:5000/v3/OS-FEDERATION/identity_providers/acme/protocols/saml2/auth",
"description": "Remote Service Provider",
"enabled": true,
"id": "ACME",
"links": {
"self": "https://identity:35357/v3/OS-FEDERATION/service_providers/ACME"
},
"relay_state_prefix": "ss:mem:",
"sp_url": "https://example.com:5000/Shibboleth.sso/SAML2/ECP"
}
}

31
api-ref/source/v3-ext/samples/OS-FEDERATION/sp-list-response.json Normal file
View File

@ -0,0 +1,31 @@
{
"links": {
"next": null,
"previous": null,
"self": "http://identity:35357/v3/OS-FEDERATION/service_providers"
},
"service_providers": [
{
"auth_url": "https://example.com:5000/v3/OS-FEDERATION/identity_providers/acme/protocols/saml2/auth",
"description": "Stores ACME identities",
"enabled": true,
"id": "ACME",
"links": {
"self": "http://identity:35357/v3/OS-FEDERATION/service_providers/ACME"
},
"relay_state_prefix": "ss:mem:",
"sp_url": "https://example.com:5000/Shibboleth.sso/SAML2/ECP"
},
{
"auth_url": "https://other.example.com:5000/v3/OS-FEDERATION/identity_providers/acme/protocols/saml2/auth",
"description": "Stores contractor identities",
"enabled": false,
"id": "ACME-contractors",
"links": {
"self": "http://identity:35357/v3/OS-FEDERATION/service_providers/ACME-contractors"
},
"relay_state_prefix": "ss:mem:",
"sp_url": "https://other.example.com:5000/Shibboleth.sso/SAML2/ECP"
}
]
}

8
api-ref/source/v3-ext/samples/OS-FEDERATION/sp-register-request.json Normal file
View File

@ -0,0 +1,8 @@
{
"service_provider": {
"auth_url": "https://example.com:5000/v3/OS-FEDERATION/identity_providers/acme/protocols/saml2/auth",
"description": "Remote Service Provider",
"enabled": true,
"sp_url": "https://example.com:5000/Shibboleth.sso/SAML2/ECP"
}
}

13
api-ref/source/v3-ext/samples/OS-FEDERATION/sp-register-response.json Normal file
View File

@ -0,0 +1,13 @@
{
"service_provider": {
"auth_url": "https://example.com:5000/v3/OS-FEDERATION/identity_providers/acme/protocols/saml2/auth",
"description": "Remote Service Provider",
"enabled": true,
"id": "ACME",
"links": {
"self": "https://identity:35357/v3/OS-FEDERATION/service_providers/ACME"
},
"relay_state_prefix": "ss:mem:",
"sp_url": "https://example.com:5000/Shibboleth.sso/SAML2/ECP"
}
}

8
api-ref/source/v3-ext/samples/OS-FEDERATION/sp-update-request.json Normal file
View File

@ -0,0 +1,8 @@
{
"service_provider": {
"auth_url": "https://new.example.com:5000/v3/OS-FEDERATION/identity_providers/protocol/saml2/auth",
"enabled": true,
"relay_state_prefix": "ss:temp:",
"sp_auth": "https://new.example.com:5000/Shibboleth.sso/SAML2/ECP"
}
}

13
api-ref/source/v3-ext/samples/OS-FEDERATION/sp-update-response.json Normal file
View File

@ -0,0 +1,13 @@
{
"service_provider": {
"auth_url": "https://new.example.com:5000/v3/OS-FEDERATION/identity_providers/protocol/saml2/auth",
"description": "Remote Service Provider",
"enabled": true,
"id": "ACME",
"links": {
"self": "https://identity:35357/v3/OS-FEDERATION/service_providers/ACME"
},
"relay_state_prefix": "ss:temp:",
"sp_url": "https://new.example.com:5000/Shibboleth.sso/SAML2/ECP"
}
}

22
api-ref/source/v3-ext/samples/OS-FEDERATION/unscoped-token-response.json Normal file
View File

@ -0,0 +1,22 @@
{
"token": {
"methods": [
"mapped"
],
"user": {
"domain": {
"id": "Federated"
},
"id": "username%40example.com",
"name": "username@example.com",
"OS-FEDERATION": {
"identity_provider": "ACME",
"protocol": "SAML",
"groups": [
{"id": "abc123"},
{"id": "bcd234"}
]
}
}
}
}