Obtaining an Unscoped Token (IdP Initiated)

Function

This API is used to obtain an unscoped token in IdP-initiated federated identity authentication mode.

An unscoped token cannot be used for authentication. If a federated user needs to use a token for authentication, obtain the scoped token based on section Obtaining a Scoped Token.

URI

POST /v3.0/OS-FEDERATION/tokens

Request Parameters

  • Parameters in the request header

    Parameter

    Mandatory

    Type

    Description

    X-Idp-Id

    Yes

    String

    ID of an identity provider.

    Content-Type

    Yes

    String

    The client must transfer the SAMLResponse parameter to the server by using the form data submitted by the browser. Therefore, the value of this parameter must be:

    application/x-www-form-urlencoded

  • Parameters in the request body

    Parameter

    Mandatory

    Type

    Description

    SAMLResponse

    Yes

    String

    Response body returned when IdP authentication is successful.

    Note

    This API can only be called on the CLI side. The client needs to obtain SAMLResponse in IdP-initiated federated identity authentication mode and obtain an unscoped token by using the form data submitted by the browser.

  • Example request

    curl -i -k -H 'Accept:application/json' -H 'x-Idp-Id:test_local_idp' -H 'Content-Type:application/x-www-form-urlencoded' -X POST -d 'SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBl4WXZ1OGNmYmRzWk1ZeWlLKy96anpEbm1rT2FrVVBrUmlSWEpLYUt5NzJtUmtoRFBCNjgwVQpzalU3R2hKNHE4ZG48L3hlbmM6Q2lwaGVyVmFsdWU%2BPC94ZW5jOkNpcGhlckRhdGE%2BPC94ZW5jOkVuY3J5cHRlZERhdGE%2BPC9zYW1sMjpFbmNyeXB0ZWRBc3NlcnRpb24%2BPC9zYW1sMnA6UmVzcG9uc2U%2B' https://sample.domain.com/v3.0/OS-FEDERATION/tokens
    

Response Parameters

  • Parameters in the response body

    Response Item

    Parameter

    Type

    Description

    X-Subject-Token

    header

    String

    Signed unscoped token.

    token

    body

    Object

    Information of the unscoped token obtained in federated identity authentication mode, including methods and user information.

  • Example response

    {
        "token": {
            "expires_at": "2018-03-13T03:00:01.168000Z",
            "methods": ["mapped"],
            "issued_at": "2018-03-12T03:00:01.168000Z",
            "user": {
                "OS-FEDERATION": {
                    "identity_provider": {
                        "id": "test_local_idp"
                    },
                    "protocol": {
                        "id": "saml"
                    },
                    "groups": [{
                        "name": "admin",
                        "id": "45a8c8f1894444e9a016af065e152b91"
                    }]
                },
                "domain": {
                    "name": "hansheng",
                    "id": "c0e20cc993a24ad4aa3251661ef37c87"
                },
                "name": "FederationUser",
                "id": "QNSzD0bycqUXE4hiRNfyFcWfoOs8z6gT"
            }
        }
    }
    

Status Code

Status Code

Description

201

The request is successful, and a token is returned.

400

The server failed to process the request.

401

Authentication failed.

403

Access denied.

405

The method specified in the request is not allowed for the requested resource.

413

The request entity is too large.

500

Internal server error.

503

Service unavailable.