This section guides you through using the Identity Application Management API to create, update and delete a service provider, and through the other operations you can use to work with it. See Calling Admin Services to enable the admin service. The following operations are available:
...
The service contract of this admin service can be found at https://<IS_HOST>:<IS_PORT>/services/IdentityApplicationManagementService?wsdl. Replace the tag <IS_HOST>:<IS_PORT> with the relevant host and port number, for example: https://localhost:9443/services/IdentityApplicationManagementService?wsdl
createApplication
Permission Level: /permission/admin/manage
...
Parameter | Type | Description
---|---|---
applicationID | Integer | Unique application id for the service provider. This parameter is optional; if you do not specify it, the Identity Server assigns a unique application id.
applicationName | String | The desired service provider name. Adding a service provider creates an internal application role for the given name as Internal/<applicationName>. Thus, creating another service provider with the same name is not possible and throws an IdentityApplicationManagementException.
description | String | Some text describing the service provider
The format of the create request should be as follows.
Request:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://model.common.application.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:createApplication>
         <!--Optional:-->
         <xsd:serviceProvider>
            <!--Optional:-->
            <xsd1:applicationName>?</xsd1:applicationName>
            <!--Optional:-->
            <xsd1:description>?</xsd1:description>
         </xsd:serviceProvider>
      </xsd:createApplication>
   </soapenv:Body>
</soapenv:Envelope>
```
Request with Application Id:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://model.common.application.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:createApplication>
         <!--Optional:-->
         <xsd:serviceProvider>
            <!--Optional:-->
            <xsd1:applicationID>?</xsd1:applicationID>
            <!--Optional:-->
            <xsd1:applicationName>?</xsd1:applicationName>
            <!--Optional:-->
            <xsd1:description>?</xsd1:description>
         </xsd:serviceProvider>
      </xsd:createApplication>
   </soapenv:Body>
</soapenv:Envelope>
```
Response:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:createApplicationResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:createApplicationResponse>
   </soapenv:Body>
</soapenv:Envelope>
```
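A small client for the createApplication call, added here as an example and not WSO2's own code: it builds the envelope shown above with an XML library (so the caller-supplied name is escaped rather than pasted into a string), posts it over verified TLS with HTTP basic auth, and tells an empty createApplicationResponse apart from a SOAP fault such as the IdentityApplicationManagementException raised for a duplicate name. The host, port, credentials, CA file and the `SOAPAction` header value are assumptions.

```python
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XSD_NS = "http://org.apache.axis2/xsd"
XSD1_NS = "http://model.common.application.identity.carbon.wso2.org/xsd"
for prefix, uri in (("soapenv", SOAP_NS), ("xsd", XSD_NS), ("xsd1", XSD1_NS)):
    ET.register_namespace(prefix, uri)  # keep the prefixes used in the samples above

def build_create_request(name, description="", app_id=None):
    """Serialise a createApplication envelope; ElementTree escapes name/description, so 'a<b' stays text."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{XSD_NS}}}createApplication")
    sp = ET.SubElement(op, f"{{{XSD_NS}}}serviceProvider")
    if app_id is not None:  # optional: the server assigns an id when it is omitted
        ET.SubElement(sp, f"{{{XSD1_NS}}}applicationID").text = str(app_id)
    ET.SubElement(sp, f"{{{XSD1_NS}}}applicationName").text = name
    ET.SubElement(sp, f"{{{XSD1_NS}}}description").text = description
    return ET.tostring(env, encoding="utf-8")

def parse_create_response(xml_bytes):
    """(True, '') for the empty createApplicationResponse; (False, faultstring) for a SOAP fault."""
    root = ET.fromstring(xml_bytes)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:  # e.g. IdentityApplicationManagementException for a duplicate name
        return False, fault.findtext("faultstring") or "unknown SOAP fault"
    if root.find(f".//{{{XSD_NS}}}createApplicationResponse") is None:
        return False, "reply carries no createApplicationResponse element"
    return True, ""

def create_application(envelope, host, port, user, password, cafile):
    """POST over TLS; cafile must trust the server certificate, do not disable verification."""
    url = f"https://{host}:{port}/services/IdentityApplicationManagementService"
    ctx = ssl.create_default_context(cafile=cafile)
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=envelope, method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": "urn:createApplication",  # assumed Axis2 action name
        "Authorization": f"Basic {creds}"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return parse_create_response(resp.read())
    except urllib.error.HTTPError as err:  # Axis2 reports SOAP faults with HTTP 500
        return parse_create_response(err.read())
```

The replies handled by `parse_create_response` come from the server over TLS; for XML from less trusted sources, parse with defusedxml instead of the stdlib parser.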
updateApplication
Permission Level: /permission/admin/manage
After creating the service provider, it can be configured and updated with the following configurations:
- Claim configuration
- Role/Permission configuration
- Inbound and Outbound authentication configuration
- Inbound and Outbound provisioning configuration
The service provider is updated based on its application id. If you did not supply an application id when creating the service provider, retrieve it from the Identity Server first; the getApplication service method returns it.
The format of the update request should be as follows.
Request:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://model.common.application.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:updateApplication>
         <!--Optional:-->
         <xsd:serviceProvider>
            <!--Optional:-->
            <xsd1:applicationID>?</xsd1:applicationID>
            <!--Optional:-->
            <xsd1:applicationName>?</xsd1:applicationName>
            <!--Optional:-->
            <xsd1:claimConfig>
            </xsd1:claimConfig>
            <!--Optional:-->
            <xsd1:description>?</xsd1:description>
            <!--Optional:-->
            <xsd1:inboundAuthenticationConfig>...</xsd1:inboundAuthenticationConfig>
            <!--Optional:-->
            <xsd1:inboundProvisioningConfig>...</xsd1:inboundProvisioningConfig>
            <!--Optional:-->
            <xsd1:localAndOutBoundAuthenticationConfig>...</xsd1:localAndOutBoundAuthenticationConfig>
            <!--Optional:-->
            <xsd1:outboundProvisioningConfig>...</xsd1:outboundProvisioningConfig>
            <!--Optional:-->
            <xsd1:owner>...</xsd1:owner>
            <!--Optional:-->
            <xsd1:permissionAndRoleConfig>...</xsd1:permissionAndRoleConfig>
            <!--Zero or more repetitions:-->
            <xsd1:requestPathAuthenticatorConfigs>...</xsd1:requestPathAuthenticatorConfigs>
            <!--Optional:-->
            <xsd1:saasApp>?</xsd1:saasApp>
         </xsd:serviceProvider>
      </xsd:updateApplication>
   </soapenv:Body>
</soapenv:Envelope>
```

Sample update requests (expand panels in the original): For SAML; For OAuth.
Response:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:updateApplicationResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
      </ns:updateApplicationResponse>
   </soapenv:Body>
</soapenv:Envelope>
```
Input parameters
Service provider level parameters
Parameter | Type | Description |
---|---|---|
applicationID | Integer | Application ID of the service provider. This is mandatory when updating the SP |
applicationName | String | Service provider name |
claimConfig | ClaimConfig | Claims related configurations |
description | String | Description of the SP |
inboundAuthenticationConfig | InboundAuthenticationConfig | Inbound authentication related configurations |
inboundProvisioningConfig | InboundProvisioningConfig | Inbound provisioning related configurations |
localAndOutBoundAuthenticationConfig | LocalAndOutboundAuthenticationConfig | Local and outbound authentication configurations |
outboundProvisioningConfig | OutboundProvisioningConfig | Outbound provisioning related configurations |
owner | User | Application owner |
permissionAndRoleConfig | PermissionsAndRoleConfig | Permission and role related configurations |
requestPathAuthenticatorConfigs | RequestPathAuthenticatorConfig | Request path authenticator related configurations |
saasApp | Boolean (optional) | Determines whether the service provider is a SaaS application: true - enable SaaS application; false - disable SaaS application. If no value is passed, the service provider is marked as SaaS disabled by default, so the web application is not shared among tenants and only users in the current tenant (the one you are logged in to when creating the service provider) are allowed to log into the web application. If SaaS is enabled, the web application is shared among tenants and users from any tenant are allowed to log into the web application. |
Claim configuration level parameters
The <claimConfig> element defines all claim configuration level inputs. This element can have zero or more <claimMappings> elements that specify the claims referred to by this service provider. A <claimMappings> element includes two elements, <localClaim> and <remoteClaim>, each represented by a claimId and a claimURI. The <localClaim> denotes a standard claim that is local to the WSO2 Identity Server, and the <remoteClaim> denotes a remote claim value that maps to the local claim under the same claim mapping. Remote claims are specifically used in identity federation scenarios to map claims received from the federated Identity Provider to local claims.
Parameter | Type | Description |
---|---|---|
alwaysSendMappedLocalSubjectId | Boolean | Specifies whether the subject attribute returned to the service provider is taken from the locally mapped user or from the federated user. |
localClaimDialect | Boolean | Specifies whether this service provider uses the local claim dialect or a custom claim dialect: true - local claim dialect; false - custom claim dialect. With a custom claim dialect, each claim mapping must map the local claim to a remote claim; otherwise, the local claim URI and the remote claim URI must be the same (i.e. a URI defined under a dialect local to the WSO2 Identity Server). |
claimMappings.localClaim.claimId, claimMappings.remoteClaim.claimId | Integer | Integer value that identifies the claim. Applies to both localClaim and remoteClaim elements. |
claimMappings.localClaim.claimUri, claimMappings.remoteClaim.claimUri | String | URI specific to the claim. Applies to both localClaim and remoteClaim elements. When defined under localClaim, this is a URI defined under the dialect specific to the claim. When defined under remoteClaim, this is a remote claim URI that maps to the local claim defined under the same parent claimMappings element. If only the local claim dialect is used, the claimURI in remoteClaim must be the same as the claimURI in localClaim, since there are no explicit local to remote claim mappings. |
claimMappings.requested | Boolean | Marks a mapped claim as a requested claim, which ensures that the service provider definitely sends this claim to the Identity Server: true - mark as requested; false - mark as not requested. |
roleClaimURI | String | The role claim URI identifies the claim that equates to the role of the user. This is linked to the permissions that you can apply for specific user roles. This is a remote claim URI mapped via claim mappings. |
userClaimURI | String | The user claim URI is also referred to as the Subject claim URI in the management console. It is the claim used to uniquely identify a user, for example by mapping it to the user's email or ID attribute. |
claimConfig Request Element:

```xml
<xsd1:claimConfig>
   <!--Optional:-->
   <xsd1:alwaysSendMappedLocalSubjectId>?</xsd1:alwaysSendMappedLocalSubjectId>
   <!--Zero or more repetitions:-->
   <xsd1:claimMappings>
      <!--Optional:-->
      <xsd1:defaultValue>?</xsd1:defaultValue>
      <!--Optional:-->
      <xsd1:localClaim>
         <!--Optional:-->
         <xsd1:claimId>?</xsd1:claimId>
         <!--Optional:-->
         <xsd1:claimUri>?</xsd1:claimUri>
      </xsd1:localClaim>
      <!--Optional:-->
      <xsd1:mandatory>?</xsd1:mandatory>
      <!--Optional:-->
      <xsd1:remoteClaim>
         <!--Optional:-->
         <xsd1:claimId>?</xsd1:claimId>
         <!--Optional:-->
         <xsd1:claimUri>?</xsd1:claimUri>
      </xsd1:remoteClaim>
      <!--Optional:-->
      <xsd1:requested>?</xsd1:requested>
   </xsd1:claimMappings>
   <!--Zero or more repetitions:-->
   <xsd1:idpClaims>
      <!--Optional:-->
      <xsd1:claimId>?</xsd1:claimId>
      <!--Optional:-->
      <xsd1:claimUri>?</xsd1:claimUri>
   </xsd1:idpClaims>
   <!--Optional:-->
   <xsd1:localClaimDialect>?</xsd1:localClaimDialect>
   <!--Optional:-->
   <xsd1:roleClaimURI>?</xsd1:roleClaimURI>
   <!--Optional:-->
   <xsd1:userClaimURI>?</xsd1:userClaimURI>
</xsd1:claimConfig>
```
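The dialect rule and the roleClaimURI/userClaimURI constraint from the table above are easy to get wrong by hand, so here is an added example (not WSO2's own code) that checks a set of claim mappings against those rules and only then assembles the <claimConfig> element in the order the request expects. The `ClaimMapping` type and the sample claim URIs are constructed for this example.

```python
from dataclasses import dataclass
import xml.etree.ElementTree as ET

XSD1_NS = "http://model.common.application.identity.carbon.wso2.org/xsd"
ET.register_namespace("xsd1", XSD1_NS)

@dataclass
class ClaimMapping:  # constructed helper type, not part of the admin service API
    local_uri: str          # claim URI local to the Identity Server
    remote_uri: str = ""    # remote claim URI; "" means "same as local" (local dialect)
    requested: bool = False
    mandatory: bool = False

def validate_claim_config(mappings, local_claim_dialect, role_claim_uri, user_claim_uri):
    """Apply the rules from the parameter table; returns a list of problems (empty means valid)."""
    problems, remote_uris = [], set()
    for m in mappings:
        remote = m.remote_uri or m.local_uri
        if local_claim_dialect and remote != m.local_uri:
            problems.append(f"local dialect in use but {m.local_uri} maps to {remote}")
        if not local_claim_dialect and not m.remote_uri:
            problems.append(f"custom dialect in use but {m.local_uri} has no remote claim")
        remote_uris.add(remote)
    for label, uri in (("roleClaimURI", role_claim_uri), ("userClaimURI", user_claim_uri)):
        if uri and uri not in remote_uris:  # both must be remote URIs mapped under claimMappings
            problems.append(f"{label} {uri} is not mapped under claimMappings")
    return problems

def build_claim_config(mappings, local_claim_dialect, role_claim_uri="", user_claim_uri="",
                       always_send_mapped_local_subject_id=False):
    """Serialise <claimConfig>; raises ValueError instead of sending an inconsistent config."""
    problems = validate_claim_config(mappings, local_claim_dialect, role_claim_uri, user_claim_uri)
    if problems:
        raise ValueError("; ".join(problems))
    cfg = ET.Element(f"{{{XSD1_NS}}}claimConfig")
    ET.SubElement(cfg, f"{{{XSD1_NS}}}alwaysSendMappedLocalSubjectId").text = str(always_send_mapped_local_subject_id).lower()
    for m in mappings:  # child order follows the claimConfig request element above
        cm = ET.SubElement(cfg, f"{{{XSD1_NS}}}claimMappings")
        local = ET.SubElement(cm, f"{{{XSD1_NS}}}localClaim")
        ET.SubElement(local, f"{{{XSD1_NS}}}claimUri").text = m.local_uri
        ET.SubElement(cm, f"{{{XSD1_NS}}}mandatory").text = str(m.mandatory).lower()
        remote = ET.SubElement(cm, f"{{{XSD1_NS}}}remoteClaim")
        ET.SubElement(remote, f"{{{XSD1_NS}}}claimUri").text = m.remote_uri or m.local_uri
        ET.SubElement(cm, f"{{{XSD1_NS}}}requested").text = str(m.requested).lower()
    ET.SubElement(cfg, f"{{{XSD1_NS}}}localClaimDialect").text = str(local_claim_dialect).lower()
    if role_claim_uri:
        ET.SubElement(cfg, f"{{{XSD1_NS}}}roleClaimURI").text = role_claim_uri
    if user_claim_uri:
        ET.SubElement(cfg, f"{{{XSD1_NS}}}userClaimURI").text = user_claim_uri
    return ET.tostring(cfg, encoding="unicode")
```

The returned string is the body of the <xsd1:claimConfig> element of an updateApplication request; claimId values are left to the server, as they are optional in the request.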
Permissions and roles configuration parameters
The <permissionAndRoleConfig> element defines all permission and role configuration level inputs. Under this element, specific permissions can be specified via zero or more <permissions> blocks.
...