An Identity Provider (IdP) is responsible for issuing identification information for users looking to interact with a system. We can add and configure such identity providers and link them with the Identity Server through the Identity Provider Management Service API.
This is exposed as a web service and the following operations are available.
The service contract of this admin service can be found at https://<IS_HOST>:<IS_PORT>/services/IdentityProviderMgtService?wsdl. Replace the tag <IS_HOST>:<IS_PORT> with the relevant host and port number, for example: https://localhost:9443/services/IdentityProviderMgtService?wsdl.
addIdp
To add an Identity Provider, supply the basic Identity Provider information and, optionally, configure claims, roles, federated authenticators, just-in-time provisioning information, and outbound provisioning connectors, as seen in the request below.
Permission Level: /permission/admin/manage
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org" xmlns:xsd="http://model.common.application.identity.carbon.wso2.org/xsd">
  <soapenv:Header/>
  <soapenv:Body>
    <mgt:addIdP>
      <!--Optional:-->
      <mgt:identityProvider>
        <xsd:alias>https://localhost:9443/oauth2/token/</xsd:alias>
        <xsd:certificate>BASE64 encoded String goes here</xsd:certificate>
        <xsd:displayName>Sample IdP</xsd:displayName>
        <xsd:enable>true</xsd:enable>
        <xsd:federationHub>false</xsd:federationHub>
        <xsd:homeRealmId>-</xsd:homeRealmId>
        <xsd:identityProviderDescription>Sample Description</xsd:identityProviderDescription>
        <xsd:identityProviderName>TestIdP</xsd:identityProviderName>
        <xsd:primary>true</xsd:primary>
        <xsd:provisioningRole>-</xsd:provisioningRole>
      </mgt:identityProvider>
    </mgt:addIdP>
  </soapenv:Body>
</soapenv:Envelope>
Response:
None
In addition to the basic details for the IdP, the addIdp request body can also carry claim configuration, role configuration, federated authenticators, just-in-time provisioning information, and outbound provisioning connector details. The properties for each of those configurations are listed below. Even without them, an IdP can be added now and updated later.
Claim configuration
<xsd:claimConfig>
  <xsd:localClaimDialect>true</xsd:localClaimDialect>
  <xsd:roleClaimURI>http://wso2.org/claims/role</xsd:roleClaimURI>
  <xsd:userClaimURI>http://wso2.org/claims/organization</xsd:userClaimURI>
</xsd:claimConfig>
When configuring advanced claims for a custom claim dialect, the following parameters can be added to the <claimMappings> element. A sample <claimMappings> element configured with advanced claim configuration is similar to the following:
<xsd:claimConfig>
  <xsd:localClaimDialect>true</xsd:localClaimDialect>
  <xsd:roleClaimURI>http://wso2.org/claims/role</xsd:roleClaimURI>
  <xsd:userClaimURI>http://wso2.org/claims/organization</xsd:userClaimURI>
  <xsd:claimMappings>
    <xsd:defaultValue>defaultVal</xsd:defaultValue>
    <xsd:localClaim>
      <xsd:claimUri>http://wso2.org/claims/title</xsd:claimUri>
    </xsd:localClaim>
    <xsd:remoteClaim>
      <xsd:claimUri>Role</xsd:claimUri>
    </xsd:remoteClaim>
    <xsd:requested>true</xsd:requested>
  </xsd:claimMappings>
  <xsd:claimMappings>
    <xsd:defaultValue>defaultVal</xsd:defaultValue>
    <xsd:localClaim>
      <xsd:claimUri>http://wso2.org/claims/emailaddress</xsd:claimUri>
    </xsd:localClaim>
    <xsd:remoteClaim>
      <xsd:claimUri>EmailID</xsd:claimUri>
    </xsd:remoteClaim>
    <xsd:requested>true</xsd:requested>
  </xsd:claimMappings>
</xsd:claimConfig>
Just-in-time (JiT) provisioning
With Just-in-Time provisioning, you can create users on the fly without having to create user accounts in advance. To configure JiT provisioning, add the following snippet to the addIdp request body.
<xsd:justInTimeProvisioningConfig>
  <xsd:provisioningEnabled>true</xsd:provisioningEnabled>
  <xsd:provisioningUserStore>PRIMARY</xsd:provisioningUserStore>
  <xsd:userStoreClaimUri>?</xsd:userStoreClaimUri>
</xsd:justInTimeProvisioningConfig>
Role configuration
<permissionAndRoleConfig xmlns="http://model.common.application.identity.carbon.wso2.org/xsd">
  <idpRoles>IDPRole</idpRoles>
  <roleMappings>
    <localRole>
      <localRoleName>Role1</localRoleName>
    </localRole>
    <remoteRole>IDPRole</remoteRole>
  </roleMappings>
</permissionAndRoleConfig>
Federated authenticator
The <federatedAuthenticatorConfigs> parameter can be used to configure zero or more federated authenticators. For sample federated authenticator configurations, see Federated Authenticator Configuration Samples.
Outbound provisioning connector
The <provisioningConnectorConfigs> parameter can be used to configure zero or more outbound provisioning connectors. For sample outbound provisioning connector configurations, see Outbound Provisioning Connectors Configuration Samples.
Parameter | Type | Description |
---|---|---|
enabled | boolean | Set 'true' to enable the provisioning connector. |
name | String | Name of the connector. |
provisioningProperties | Property | Zero or more properties related to the connector. Attributes of the property are similar to properties mentioned in Federated Authenticators Configuration. Contains: confidential, defaultValue, description, displayName, name, required, type, value. |
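As an added example (not code from the WSO2 documentation or product), the following Python script assembles the addIdP envelope described in this section, covering the basic details plus claim mappings, just-in-time provisioning and role mappings, and posts it with HTTP Basic authentication over a verified TLS connection. It assumes that the children of claimConfig belong to the model namespace (the namespace the server itself uses for them in its responses), that the SOAPAction header for the operation is urn:addIdP, and that the admin user, password and CA bundle path are placeholders to be replaced; the function names are the author's own.

```python
"""Build and send an addIdP request to IdentityProviderMgtService (added example)."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MGT_NS = "http://mgt.idp.carbon.wso2.org"
MODEL_NS = "http://model.common.application.identity.carbon.wso2.org/xsd"
for _prefix, _uri in (("soapenv", SOAP_NS), ("mgt", MGT_NS), ("xsd", MODEL_NS)):
    ET.register_namespace(_prefix, _uri)


def _el(parent, ns, tag, text=None):
    """Append a namespaced child element, optionally with text content."""
    el = ET.SubElement(parent, f"{{{ns}}}{tag}")
    if text is not None:
        el.text = text
    return el


def build_add_idp_envelope(name, alias, cert_der=None, claim_mappings=(),
                           role_mappings=(), jit_user_store=None):
    """Return the addIdP SOAP envelope as UTF-8 bytes.

    claim_mappings: (local claim URI, remote claim name) pairs
    role_mappings:  (local role name, remote role name) pairs
    jit_user_store: user store to provision into, or None to leave JIT off
    Assumption: every child of identityProvider, claimConfig included, is in MODEL_NS.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    _el(env, SOAP_NS, "Header")
    body = _el(env, SOAP_NS, "Body")
    idp = _el(_el(body, MGT_NS, "addIdP"), MGT_NS, "identityProvider")

    # Element order follows the server's own IdentityProvider serialization.
    _el(idp, MODEL_NS, "alias", alias)
    if cert_der is not None:
        # Register the IdP's signing certificate so its signed assertions can be verified.
        _el(idp, MODEL_NS, "certificate", base64.b64encode(cert_der).decode("ascii"))
    cc = _el(idp, MODEL_NS, "claimConfig")
    _el(cc, MODEL_NS, "localClaimDialect", "true")
    _el(cc, MODEL_NS, "roleClaimURI", "http://wso2.org/claims/role")
    for local_uri, remote_name in claim_mappings:
        m = _el(cc, MODEL_NS, "claimMappings")
        _el(_el(m, MODEL_NS, "localClaim"), MODEL_NS, "claimUri", local_uri)
        _el(_el(m, MODEL_NS, "remoteClaim"), MODEL_NS, "claimUri", remote_name)
        _el(m, MODEL_NS, "requested", "true")
    _el(idp, MODEL_NS, "enable", "true")
    _el(idp, MODEL_NS, "federationHub", "false")
    _el(idp, MODEL_NS, "identityProviderName", name)
    jit = _el(idp, MODEL_NS, "justInTimeProvisioningConfig")
    _el(jit, MODEL_NS, "provisioningEnabled", "true" if jit_user_store else "false")
    if jit_user_store:
        _el(jit, MODEL_NS, "provisioningUserStore", jit_user_store)
    if role_mappings:
        perm = _el(idp, MODEL_NS, "permissionAndRoleConfig")
        for _local, remote in role_mappings:
            _el(perm, MODEL_NS, "idpRoles", remote)
        for local, remote in role_mappings:
            rm = _el(perm, MODEL_NS, "roleMappings")
            _el(_el(rm, MODEL_NS, "localRole"), MODEL_NS, "localRoleName", local)
            _el(rm, MODEL_NS, "remoteRole", remote)
    _el(idp, MODEL_NS, "primary", "false")
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def summarize_envelope(envelope):
    """Parse an envelope back into the fields an operator reviews before sending."""
    root = ET.fromstring(envelope)
    idp = root.find(f"{{{SOAP_NS}}}Body/{{{MGT_NS}}}addIdP/{{{MGT_NS}}}identityProvider")
    m = f"{{{MODEL_NS}}}"
    return {
        "name": idp.findtext(f"{m}identityProviderName"),
        "has_certificate": idp.find(f"{m}certificate") is not None,
        "claims": [(c.findtext(f"{m}localClaim/{m}claimUri"), c.findtext(f"{m}remoteClaim/{m}claimUri"))
                   for c in idp.findall(f"{m}claimConfig/{m}claimMappings")],
        "jit_enabled": idp.findtext(f"{m}justInTimeProvisioningConfig/{m}provisioningEnabled") == "true",
        "roles": [(r.findtext(f"{m}localRole/{m}localRoleName"), r.findtext(f"{m}remoteRole"))
                  for r in idp.findall(f"{m}permissionAndRoleConfig/{m}roleMappings")],
    }


def post_add_idp(envelope, url, username, password, ca_file):
    """POST the envelope over TLS; trust is pinned to the given CA bundle, never disabled."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    req = urllib.request.Request(url, data=envelope, method="POST", headers={
        "Content-Type": "text/xml;charset=UTF-8",
        "SOAPAction": "urn:addIdP",          # assumption: Axis2 action for the addIdP operation
        "Authorization": f"Basic {token}",
    })
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    envelope = build_add_idp_envelope(
        "TestIdP", "https://localhost:9443/oauth2/token/",
        claim_mappings=[("http://wso2.org/claims/emailaddress", "EmailID")],
        role_mappings=[("Role1", "IDPRole")], jit_user_store="PRIMARY")
    print(envelope.decode())
    # post_add_idp(envelope, "https://localhost:9443/services/IdentityProviderMgtService",
    #              "admin", "<admin-password>", "/path/to/ca-bundle.pem")   # placeholders
```

The envelope is built with a namespace-aware serializer rather than string concatenation so that IdP names or claim URIs containing XML metacharacters are escaped instead of corrupting the request, and the transport helper keeps certificate verification on because this endpoint accepts administrator credentials.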
deleteIdp
To delete an identity provider, call the deleteIdp() operation. The IdP name should be included in the request.
Permission Level: /permission/admin/manage
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <mgt:deleteIdP>
      <!--Optional:-->
      <mgt:idPName>TestIDP</mgt:idPName>
    </mgt:deleteIdP>
  </soapenv:Body>
</soapenv:Envelope>
Response:
None
getAllFederatedAuthenticators
The getAllFederatedAuthenticators() operation returns a detailed list of available federated authenticators in WSO2 Identity Server.
Permission Level: /permission/admin/manage
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <mgt:getAllFederatedAuthenticators/>
  </soapenv:Body>
</soapenv:Envelope>
Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getAllFederatedAuthenticatorsResponse xmlns:ns="http://mgt.idp.carbon.wso2.org" xmlns:ax2392="http://model.common.application.identity.carbon.wso2.org/xsd" xmlns:ax2390="http://common.application.identity.carbon.wso2.org/xsd">
      <ns:return xsi:type="ax2392:FederatedAuthenticatorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:displayName>facebook</ax2392:displayName>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>FacebookAuthenticator</ax2392:name>
        <ax2392:valid>true</ax2392:valid>
      </ns:return>
      <ns:return xsi:type="ax2392:FederatedAuthenticatorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:displayName>openidconnect</ax2392:displayName>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>OpenIDConnectAuthenticator</ax2392:name>
        <ax2392:valid>true</ax2392:valid>
      </ns:return>
      <ns:return xsi:type="ax2392:FederatedAuthenticatorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:displayName>microsoft(hotmail, msn, live)</ax2392:displayName>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>MicrosoftWindowsLive</ax2392:name>
        <ax2392:properties xsi:type="ax2392:Property">
          <ax2392:confidential>true</ax2392:confidential>
          <ax2392:defaultValue xsi:nil="true"/>
          <ax2392:description>Enter Microsoft Live client secret value</ax2392:description>
          <ax2392:displayName>Client Secret</ax2392:displayName>
          <ax2392:name>ClientSecret</ax2392:name>
          <ax2392:required>true</ax2392:required>
          <ax2392:type xsi:nil="true"/>
          <ax2392:value xsi:nil="true"/>
        </ax2392:properties>
        <ax2392:properties xsi:type="ax2392:Property">
          <ax2392:confidential>false</ax2392:confidential>
          <ax2392:defaultValue xsi:nil="true"/>
          <ax2392:description>Enter value corresponding to callback url.</ax2392:description>
          <ax2392:displayName>Callback Url</ax2392:displayName>
          <ax2392:name>windows-live-callback-url</ax2392:name>
          <ax2392:required>true</ax2392:required>
          <ax2392:type xsi:nil="true"/>
          <ax2392:value xsi:nil="true"/>
        </ax2392:properties>
        <ax2392:properties xsi:type="ax2392:Property">
          <ax2392:confidential>false</ax2392:confidential>
          <ax2392:defaultValue xsi:nil="true"/>
          <ax2392:description>Enter Microsoft Live client identifier value</ax2392:description>
          <ax2392:displayName>Client Id</ax2392:displayName>
          <ax2392:name>ClientId</ax2392:name>
          <ax2392:required>true</ax2392:required>
          <ax2392:type xsi:nil="true"/>
          <ax2392:value xsi:nil="true"/>
        </ax2392:properties>
        <ax2392:valid>true</ax2392:valid>
      </ns:return>
      <ns:return xsi:type="ax2392:FederatedAuthenticatorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:displayName>openid</ax2392:displayName>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>OpenIDAuthenticator</ax2392:name>
        <ax2392:valid>true</ax2392:valid>
      </ns:return>
      <ns:return xsi:type="ax2392:FederatedAuthenticatorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:displayName>google</ax2392:displayName>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>GoogleOpenIDAuthenticator</ax2392:name>
        <ax2392:valid>true</ax2392:valid>
      </ns:return>
      <ns:return xsi:type="ax2392:FederatedAuthenticatorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:displayName>yahoo</ax2392:displayName>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>YahooOpenIDAuthenticator</ax2392:name>
        <ax2392:valid>true</ax2392:valid>
      </ns:return>
      <ns:return xsi:type="ax2392:FederatedAuthenticatorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:displayName>samlsso</ax2392:displayName>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>SAMLSSOAuthenticator</ax2392:name>
        <ax2392:valid>true</ax2392:valid>
      </ns:return>
    </ns:getAllFederatedAuthenticatorsResponse>
  </soapenv:Body>
</soapenv:Envelope>
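Added example, not part of the WSO2 documentation or code: before sending a federatedAuthenticatorConfigs block, a client can read this catalog to learn which properties each authenticator declares as required and which it marks confidential. The script below parses a trimmed, constructed copy of the response above (the SAMLSSOAuthenticator and MicrosoftWindowsLive entries) and checks a planned property set against it, returning the missing required names, the unrecognised names, and a redacted view of the values that is safe to put in a change ticket or log. The function names are the author's own.

```python
"""Validate a planned authenticator configuration against getAllFederatedAuthenticators."""
import xml.etree.ElementTree as ET

MODEL_NS = "http://model.common.application.identity.carbon.wso2.org/xsd"
MGT_NS = "http://mgt.idp.carbon.wso2.org"

# Constructed sample: a trimmed copy of two entries from the response on this page.
CATALOG_XML = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getAllFederatedAuthenticatorsResponse xmlns:ns="http://mgt.idp.carbon.wso2.org"
    xmlns:ax2392="http://model.common.application.identity.carbon.wso2.org/xsd">
  <ns:return xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ax2392:FederatedAuthenticatorConfig">
    <ax2392:displayName>samlsso</ax2392:displayName>
    <ax2392:enabled>false</ax2392:enabled>
    <ax2392:name>SAMLSSOAuthenticator</ax2392:name>
    <ax2392:valid>true</ax2392:valid>
  </ns:return>
  <ns:return xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ax2392:FederatedAuthenticatorConfig">
    <ax2392:displayName>microsoft(hotmail, msn, live)</ax2392:displayName>
    <ax2392:enabled>false</ax2392:enabled>
    <ax2392:name>MicrosoftWindowsLive</ax2392:name>
    <ax2392:properties xsi:type="ax2392:Property">
      <ax2392:confidential>true</ax2392:confidential>
      <ax2392:name>ClientSecret</ax2392:name>
      <ax2392:required>true</ax2392:required>
    </ax2392:properties>
    <ax2392:properties xsi:type="ax2392:Property">
      <ax2392:confidential>false</ax2392:confidential>
      <ax2392:name>windows-live-callback-url</ax2392:name>
      <ax2392:required>true</ax2392:required>
    </ax2392:properties>
    <ax2392:properties xsi:type="ax2392:Property">
      <ax2392:confidential>false</ax2392:confidential>
      <ax2392:name>ClientId</ax2392:name>
      <ax2392:required>true</ax2392:required>
    </ax2392:properties>
    <ax2392:valid>true</ax2392:valid>
  </ns:return>
</ns:getAllFederatedAuthenticatorsResponse>
</soapenv:Body>
</soapenv:Envelope>"""


def _text(el, tag):
    """Text of a direct child in the model namespace, or None if absent."""
    child = el.find(f"{{{MODEL_NS}}}{tag}")
    return child.text if child is not None else None


def parse_authenticator_catalog(xml_bytes):
    """Map authenticator name -> {"known", "required", "confidential"} property-name sets."""
    root = ET.fromstring(xml_bytes)
    catalog = {}
    for entry in root.iter(f"{{{MGT_NS}}}return"):
        spec = {"known": set(), "required": set(), "confidential": set()}
        # Only direct <properties> children: the entry's own <name> must not be confused
        # with the <name> inside each property.
        for prop in entry.findall(f"{{{MODEL_NS}}}properties"):
            pname = _text(prop, "name")
            spec["known"].add(pname)
            if _text(prop, "required") == "true":
                spec["required"].add(pname)
            if _text(prop, "confidential") == "true":
                spec["confidential"].add(pname)
        catalog[_text(entry, "name")] = spec
    return catalog


def check_authenticator_properties(catalog, authenticator, props):
    """Return (missing_required, unknown_names, loggable_view) for a planned property map.

    loggable_view has confidential values replaced; only the SOAP request should
    ever carry the real secret.
    """
    if authenticator not in catalog:
        raise KeyError(f"authenticator {authenticator!r} is not in the catalog")
    spec = catalog[authenticator]
    missing = spec["required"] - set(props)
    unknown = set(props) - spec["known"]
    loggable = {k: ("<redacted>" if k in spec["confidential"] else v) for k, v in props.items()}
    return missing, unknown, loggable


if __name__ == "__main__":
    cat = parse_authenticator_catalog(CATALOG_XML)
    planned = {"ClientId": "app-1", "ClientSecret": "constructed-secret", "Typo": "x"}
    print(check_authenticator_properties(cat, "MicrosoftWindowsLive", planned))
```

Because the catalog flags ClientSecret as confidential and required, the check both refuses a configuration that omits it and keeps it out of anything that is printed, which is the distinction the confidential attribute exists for.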
getAllIdPs
Use the getAllIdPs() operation to obtain a detailed list of Identity Providers registered in WSO2 Identity Server.
Permission Level: /permission/admin/login
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <mgt:getAllIdPs/>
  </soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getAllIdPsResponse xmlns:ns="http://mgt.idp.carbon.wso2.org" xmlns:ax2392="http://model.common.application.identity.carbon.wso2.org/xsd" xmlns:ax2390="http://common.application.identity.carbon.wso2.org/xsd">
      <ns:return xsi:type="ax2392:IdentityProvider" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:alias xsi:nil="true"/>
        <ax2392:certificate xsi:nil="true"/>
        <ax2392:claimConfig xsi:type="ax2392:ClaimConfig">
          <ax2392:alwaysSendMappedLocalSubjectId>false</ax2392:alwaysSendMappedLocalSubjectId>
          <ax2392:localClaimDialect>true</ax2392:localClaimDialect>
          <ax2392:roleClaimURI xsi:nil="true"/>
          <ax2392:userClaimURI xsi:nil="true"/>
        </ax2392:claimConfig>
        <ax2392:defaultAuthenticatorConfig xsi:nil="true"/>
        <ax2392:defaultProvisioningConnectorConfig xsi:nil="true"/>
        <ax2392:displayName xsi:nil="true"/>
        <ax2392:enable>true</ax2392:enable>
        <ax2392:federationHub>false</ax2392:federationHub>
        <ax2392:homeRealmId xsi:nil="true"/>
        <ax2392:identityProviderDescription xsi:nil="true"/>
        <ax2392:identityProviderName>TestIdP</ax2392:identityProviderName>
        <ax2392:justInTimeProvisioningConfig xsi:nil="true"/>
        <ax2392:permissionAndRoleConfig xsi:nil="true"/>
        <ax2392:primary>false</ax2392:primary>
        <ax2392:provisioningRole xsi:nil="true"/>
      </ns:return>
    </ns:getAllIdPsResponse>
  </soapenv:Body>
</soapenv:Envelope>
getAllLocalClaimURIs
Use the getAllLocalClaimUris() operation to obtain a list of local claim URIs available in IS.
Permission Level: /permission/admin/manage
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <mgt:getAllLocalClaimUris/>
  </soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getAllLocalClaimUrisResponse xmlns:ns="http://mgt.idp.carbon.wso2.org" xmlns:ax2392="http://model.common.application.identity.carbon.wso2.org/xsd" xmlns:ax2390="http://common.application.identity.carbon.wso2.org/xsd">
      <ns:return>http://wso2.org/claims/otherphone</ns:return>
      <ns:return>http://wso2.org/claims/dob</ns:return>
      <ns:return>http://wso2.org/claims/primaryChallengeQuestion</ns:return>
      <ns:return>http://wso2.org/claims/role</ns:return>
      <ns:return>http://wso2.org/claims/challengeQuestion1</ns:return>
      <ns:return>http://wso2.org/claims/telephone</ns:return>
      <ns:return>http://wso2.org/claims/mobile</ns:return>
      <ns:return>http://wso2.org/claims/country</ns:return>
      <ns:return>http://wso2.org/claims/challengeQuestionUris</ns:return>
      <ns:return>http://wso2.org/claims/postalcode</ns:return>
      <ns:return>http://wso2.org/claims/challengeQuestion2</ns:return>
      <ns:return>http://wso2.org/claims/identity/accountLocked</ns:return>
      <ns:return>http://wso2.org/claims/nickname</ns:return>
      <ns:return>http://wso2.org/claims/streetaddress</ns:return>
      <ns:return>http://wso2.org/claims/url</ns:return>
      <ns:return>http://wso2.org/claims/givenname</ns:return>
      <ns:return>http://wso2.org/claims/emailaddress</ns:return>
      <ns:return>http://wso2.org/claims/oneTimePassword</ns:return>
      <ns:return>http://wso2.org/claims/region</ns:return>
      <ns:return>http://wso2.org/claims/gender</ns:return>
      <ns:return>http://wso2.org/claims/fullname</ns:return>
      <ns:return>http://wso2.org/claims/passwordTimestamp</ns:return>
      <ns:return>http://wso2.org/claims/title</ns:return>
      <ns:return>http://wso2.org/claims/locality</ns:return>
      <ns:return>http://wso2.org/claims/stateorprovince</ns:return>
      <ns:return>http://wso2.org/claims/im</ns:return>
      <ns:return>http://wso2.org/claims/organization</ns:return>
      <ns:return>http://wso2.org/claims/lastname</ns:return>
    </ns:getAllLocalClaimUrisResponse>
  </soapenv:Body>
</soapenv:Envelope>
getAllProvisioningConnectors
Use the getAllProvisioningConnectors() operation to obtain a detailed list of Outbound Provisioning Connectors available in WSO2 Identity Server.
Permission Level: /permission/admin/manage
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <mgt:getAllProvisioningConnectors/>
  </soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getAllProvisioningConnectorsResponse xmlns:ns="http://mgt.idp.carbon.wso2.org" xmlns:ax2392="http://model.common.application.identity.carbon.wso2.org/xsd" xmlns:ax2390="http://common.application.identity.carbon.wso2.org/xsd">
      <ns:return xsi:type="ax2392:ProvisioningConnectorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:blocking>false</ax2392:blocking>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>googleapps</ax2392:name>
        <ax2392:valid>false</ax2392:valid>
      </ns:return>
      <ns:return xsi:type="ax2392:ProvisioningConnectorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:blocking>false</ax2392:blocking>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>salesforce</ax2392:name>
        <ax2392:valid>false</ax2392:valid>
      </ns:return>
      <ns:return xsi:type="ax2392:ProvisioningConnectorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:blocking>false</ax2392:blocking>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>scim</ax2392:name>
        <ax2392:valid>false</ax2392:valid>
      </ns:return>
      <ns:return xsi:type="ax2392:ProvisioningConnectorConfig" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:blocking>false</ax2392:blocking>
        <ax2392:enabled>false</ax2392:enabled>
        <ax2392:name>spml</ax2392:name>
        <ax2392:valid>false</ax2392:valid>
      </ns:return>
    </ns:getAllProvisioningConnectorsResponse>
  </soapenv:Body>
</soapenv:Envelope>
getEnabledAllIdPs
Use the getEnabledAllIdPs() operation to obtain a detailed list of IdPs which are enabled in WSO2 Identity Server.
Permission Level: /permission/admin/manage
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <mgt:getEnabledAllIdPs/>
  </soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getEnabledAllIdPsResponse xmlns:ns="http://mgt.idp.carbon.wso2.org" xmlns:ax2392="http://model.common.application.identity.carbon.wso2.org/xsd" xmlns:ax2390="http://common.application.identity.carbon.wso2.org/xsd">
      <ns:return xsi:type="ax2392:IdentityProvider" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:alias xsi:nil="true"/>
        <ax2392:certificate xsi:nil="true"/>
        <ax2392:claimConfig xsi:nil="true"/>
        <ax2392:defaultAuthenticatorConfig xsi:nil="true"/>
        <ax2392:defaultProvisioningConnectorConfig xsi:nil="true"/>
        <ax2392:displayName xsi:nil="true"/>
        <ax2392:enable>true</ax2392:enable>
        <ax2392:federationHub>false</ax2392:federationHub>
        <ax2392:homeRealmId xsi:nil="true"/>
        <ax2392:identityProviderDescription xsi:nil="true"/>
        <ax2392:identityProviderName>TestIdP</ax2392:identityProviderName>
        <ax2392:justInTimeProvisioningConfig xsi:nil="true"/>
        <ax2392:permissionAndRoleConfig xsi:nil="true"/>
        <ax2392:primary>false</ax2392:primary>
        <ax2392:provisioningRole xsi:nil="true"/>
      </ns:return>
    </ns:getEnabledAllIdPsResponse>
  </soapenv:Body>
</soapenv:Envelope>
getIdPByName
Use the getIdPByName operation to retrieve an identity provider by including the IdP name in the request.
Permission Level: /permission/admin/manage
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <mgt:getIdPByName>
      <!--Optional:-->
      <mgt:idPName>TestIdP</mgt:idPName>
    </mgt:getIdPByName>
  </soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getIdPByNameResponse xmlns:ns="http://mgt.idp.carbon.wso2.org">
      <ns:return xsi:type="ax2392:IdentityProvider" xmlns:ax2392="http://model.common.application.identity.carbon.wso2.org/xsd" xmlns:ax2390="http://common.application.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:alias>https://localhost:9443/oauth2/token/</ax2392:alias>
        <ax2392:certificate xsi:nil="true"/>
        <ax2392:claimConfig xsi:type="ax2392:ClaimConfig">
          <ax2392:alwaysSendMappedLocalSubjectId>false</ax2392:alwaysSendMappedLocalSubjectId>
          <ax2392:localClaimDialect>true</ax2392:localClaimDialect>
          <ax2392:roleClaimURI>http://wso2.org/claims/role</ax2392:roleClaimURI>
          <ax2392:userClaimURI>http://wso2.org/claims/organization</ax2392:userClaimURI>
        </ax2392:claimConfig>
        <ax2392:defaultAuthenticatorConfig xsi:nil="true"/>
        <ax2392:defaultProvisioningConnectorConfig xsi:nil="true"/>
        <ax2392:displayName xsi:nil="true"/>
        <ax2392:enable>true</ax2392:enable>
        <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
          <ax2392:displayName>yahoo</ax2392:displayName>
          <ax2392:enabled>false</ax2392:enabled>
          <ax2392:name>YahooOpenIDAuthenticator</ax2392:name>
          <ax2392:valid>true</ax2392:valid>
        </ax2392:federatedAuthenticatorConfigs>
        <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
          <ax2392:displayName>openid</ax2392:displayName>
          <ax2392:enabled>false</ax2392:enabled>
          <ax2392:name>OpenIDAuthenticator</ax2392:name>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>commonAuthQueryParams</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value xsi:nil="true"/>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>IsUserIdInClaims</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>false</ax2392:value>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>RealmId</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value xsi:nil="true"/>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>OpenIdUrl</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/openid/</ax2392:value>
          </ax2392:properties>
          <ax2392:valid>true</ax2392:valid>
        </ax2392:federatedAuthenticatorConfigs>
        <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
          <ax2392:displayName>passivests</ax2392:displayName>
          <ax2392:enabled>false</ax2392:enabled>
          <ax2392:name>PassiveSTSAuthenticator</ax2392:name>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>commonAuthQueryParams</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value xsi:nil="true"/>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>IsUserIdInClaims</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>false</ax2392:value>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>RealmId</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value xsi:nil="true"/>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>PassiveSTSUrl</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/passivests/</ax2392:value>
          </ax2392:properties>
          <ax2392:valid>true</ax2392:valid>
        </ax2392:federatedAuthenticatorConfigs>
        <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
          <ax2392:displayName>google</ax2392:displayName>
          <ax2392:enabled>false</ax2392:enabled>
          <ax2392:name>GoogleOpenIDAuthenticator</ax2392:name>
          <ax2392:valid>true</ax2392:valid>
        </ax2392:federatedAuthenticatorConfigs>
        <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
          <ax2392:displayName>microsoft(hotmail,</ax2392:displayName>
          <ax2392:enabled>false</ax2392:enabled>
          <ax2392:name>MicrosoftWindowsLive</ax2392:name>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>ClientSecret</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value/>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>windows-live-callback-url</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value/>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>ClientId</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value/>
          </ax2392:properties>
          <ax2392:valid>true</ax2392:valid>
        </ax2392:federatedAuthenticatorConfigs>
        <ax2392:federationHub>false</ax2392:federationHub>
        <ax2392:homeRealmId xsi:nil="true"/>
        <ax2392:identityProviderDescription xsi:nil="true"/>
        <ax2392:identityProviderName>TestIdP</ax2392:identityProviderName>
        <ax2392:justInTimeProvisioningConfig xsi:type="ax2392:JustInTimeProvisioningConfig">
          <ax2392:provisioningEnabled>false</ax2392:provisioningEnabled>
          <ax2392:provisioningUserStore xsi:nil="true"/>
          <ax2392:userStoreClaimUri xsi:nil="true"/>
        </ax2392:justInTimeProvisioningConfig>
        <ax2392:permissionAndRoleConfig xsi:type="ax2392:PermissionsAndRoleConfig">
          <ax2392:idpRoles>IDPRole1</ax2392:idpRoles>
          <ax2392:roleMappings xsi:type="ax2392:RoleMapping">
            <ax2392:localRole xsi:type="ax2392:LocalRole">
              <ax2392:localRoleName>Role1</ax2392:localRoleName>
              <ax2392:userStoreId xsi:nil="true"/>
            </ax2392:localRole>
            <ax2392:remoteRole>IDPRole1</ax2392:remoteRole>
          </ax2392:roleMappings>
        </ax2392:permissionAndRoleConfig>
        <ax2392:primary>false</ax2392:primary>
        <ax2392:provisioningRole>IDPRole1, IDPRole2</ax2392:provisioningRole>
      </ns:return>
    </ns:getIdPByNameResponse>
  </soapenv:Body>
</soapenv:Envelope>
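Added example, not code from the WSO2 documentation or product: the IdentityProvider structure returned by getIdPByName (and, one per return element, by getAllIdPs and getEnabledAllIdPs) is what a periodic review of federation trust should read. The script below parses a constructed, trimmed variant of the response above, in which the SAML and Microsoft authenticators have been switched on and JIT provisioning enabled so that the audit has something to report, and lists the conditions an operator would want to look at: an enabled IdP without a registered certificate, an enabled authenticator whose confidential property is empty, JIT provisioning into a user store, and remote roles mapped onto privileged local roles. The default privileged role set, the function names and the sample values are the author's assumptions.

```python
"""Audit IdentityProvider entries from getIdPByName / getAllIdPs responses (added example)."""
import xml.etree.ElementTree as ET

MODEL_NS = "http://model.common.application.identity.carbon.wso2.org/xsd"
MGT_NS = "http://mgt.idp.carbon.wso2.org"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: a trimmed getIdPByName response with findings to report.
SAMPLE_RESPONSE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getIdPByNameResponse xmlns:ns="http://mgt.idp.carbon.wso2.org">
  <ns:return xmlns:ax2392="http://model.common.application.identity.carbon.wso2.org/xsd"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ax2392:IdentityProvider">
    <ax2392:alias>https://localhost:9443/oauth2/token/</ax2392:alias>
    <ax2392:certificate xsi:nil="true"/>
    <ax2392:enable>true</ax2392:enable>
    <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
      <ax2392:enabled>true</ax2392:enabled>
      <ax2392:name>SAMLSSOAuthenticator</ax2392:name>
    </ax2392:federatedAuthenticatorConfigs>
    <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
      <ax2392:enabled>true</ax2392:enabled>
      <ax2392:name>MicrosoftWindowsLive</ax2392:name>
      <ax2392:properties xsi:type="ax2392:Property">
        <ax2392:confidential>true</ax2392:confidential>
        <ax2392:name>ClientSecret</ax2392:name>
        <ax2392:value/>
      </ax2392:properties>
    </ax2392:federatedAuthenticatorConfigs>
    <ax2392:identityProviderName>TestIdP</ax2392:identityProviderName>
    <ax2392:justInTimeProvisioningConfig xsi:type="ax2392:JustInTimeProvisioningConfig">
      <ax2392:provisioningEnabled>true</ax2392:provisioningEnabled>
      <ax2392:provisioningUserStore>PRIMARY</ax2392:provisioningUserStore>
    </ax2392:justInTimeProvisioningConfig>
    <ax2392:permissionAndRoleConfig xsi:type="ax2392:PermissionsAndRoleConfig">
      <ax2392:roleMappings xsi:type="ax2392:RoleMapping">
        <ax2392:localRole xsi:type="ax2392:LocalRole">
          <ax2392:localRoleName>admin</ax2392:localRoleName>
        </ax2392:localRole>
        <ax2392:remoteRole>IDPRole1</ax2392:remoteRole>
      </ax2392:roleMappings>
    </ax2392:permissionAndRoleConfig>
  </ns:return>
</ns:getIdPByNameResponse>
</soapenv:Body>
</soapenv:Envelope>"""


def _text(el, tag):
    """Text of a direct child; None when the child is absent or carries xsi:nil="true"."""
    if el is None:
        return None
    child = el.find(f"{{{MODEL_NS}}}{tag}")
    if child is None or child.get(f"{{{XSI_NS}}}nil") == "true":
        return None
    return child.text


def parse_idps(xml_bytes):
    """Return one dict per <ns:return> IdentityProvider element in a response."""
    root = ET.fromstring(xml_bytes)
    idps = []
    for ret in root.iter(f"{{{MGT_NS}}}return"):
        auths = []
        for fa in ret.findall(f"{{{MODEL_NS}}}federatedAuthenticatorConfigs"):
            auths.append({
                "name": _text(fa, "name"),
                "enabled": _text(fa, "enabled") == "true",
                # Confidential properties whose value is nil or empty.
                "empty_secrets": [_text(p, "name") for p in fa.findall(f"{{{MODEL_NS}}}properties")
                                  if _text(p, "confidential") == "true" and not _text(p, "value")],
            })
        jit = ret.find(f"{{{MODEL_NS}}}justInTimeProvisioningConfig")
        perm = ret.find(f"{{{MODEL_NS}}}permissionAndRoleConfig")
        mappings = []
        for rm in ([] if perm is None else perm.findall(f"{{{MODEL_NS}}}roleMappings")):
            local = rm.find(f"{{{MODEL_NS}}}localRole")
            mappings.append((_text(rm, "remoteRole"), _text(local, "localRoleName")))
        idps.append({
            "name": _text(ret, "identityProviderName"),
            "enabled": _text(ret, "enable") == "true",
            "has_certificate": bool(_text(ret, "certificate")),
            "authenticators": auths,
            "jit_enabled": _text(jit, "provisioningEnabled") == "true",
            "jit_user_store": _text(jit, "provisioningUserStore"),
            "role_mappings": mappings,
        })
    return idps


def audit_idp(idp, privileged_local_roles=frozenset({"admin"})):
    """Return review findings for one parsed IdP (privileged role set is an assumption)."""
    findings = []
    if not idp["enabled"]:
        return findings  # a disabled IdP cannot be used to log in
    enabled_auths = [a for a in idp["authenticators"] if a["enabled"]]
    if enabled_auths and not idp["has_certificate"]:
        findings.append("no IdP certificate registered although authenticators are enabled; "
                        "signed assertions from this IdP cannot be validated")
    for a in enabled_auths:
        for prop in a["empty_secrets"]:
            findings.append(f"{a['name']}: confidential property {prop} is empty")
    if idp["jit_enabled"]:
        findings.append(f"JIT provisioning creates local accounts in {idp['jit_user_store']} on first login")
    for remote, local in idp["role_mappings"]:
        if local in privileged_local_roles:
            findings.append(f"remote role {remote} is mapped to privileged local role {local}")
    return findings


if __name__ == "__main__":
    for entry in parse_idps(SAMPLE_RESPONSE):
        print(entry["name"], *audit_idp(entry), sep="\n  ")
```

The parser treats xsi:nil="true" and an empty element the same way, because the server uses both forms (compare the nil certificate with the empty ClientSecret value in the response above), and only enabled authenticators contribute findings so that dormant entries in the default catalog do not drown out the ones that matter.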
getResidentIdP
Permission Level: /permission/admin/manage
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <mgt:getResidentIdP/>
  </soapenv:Body>
</soapenv:Envelope>
Response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getResidentIdPResponse xmlns:ns="http://mgt.idp.carbon.wso2.org">
      <ns:return xsi:type="ax2392:IdentityProvider" xmlns:ax2392="http://model.common.application.identity.carbon.wso2.org/xsd" xmlns:ax2390="http://common.application.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2392:alias xsi:nil="true"/>
        <ax2392:certificate>...</ax2392:certificate>
        <ax2392:claimConfig xsi:type="ax2392:ClaimConfig">
          <ax2392:alwaysSendMappedLocalSubjectId>false</ax2392:alwaysSendMappedLocalSubjectId>
          <ax2392:localClaimDialect>false</ax2392:localClaimDialect>
          <ax2392:roleClaimURI xsi:nil="true"/>
          <ax2392:userClaimURI xsi:nil="true"/>
        </ax2392:claimConfig>
        <ax2392:defaultAuthenticatorConfig xsi:nil="true"/>
        <ax2392:defaultProvisioningConnectorConfig xsi:nil="true"/>
        <ax2392:displayName xsi:nil="true"/>
        <ax2392:enable>true</ax2392:enable>
        <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
          <ax2392:displayName xsi:nil="true"/>
          <ax2392:enabled>false</ax2392:enabled>
          <ax2392:name>openidconnect</ax2392:name>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>OAUTH2TokenUrl</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/oauth2/token</ax2392:value>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>UserInfoUrl</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/oauth2/userinfo</ax2392:value>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>OAuth2AuthzUrl</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/oauth2/authz</ax2392:value>
          </ax2392:properties>
          <ax2392:valid>true</ax2392:valid>
        </ax2392:federatedAuthenticatorConfigs>
        <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
          <ax2392:displayName xsi:nil="true"/>
          <ax2392:enabled>true</ax2392:enabled>
          <ax2392:name>samlsso</ax2392:name>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>LogoutReqUrl</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/samlsso</ax2392:value>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>IdPEntityId</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>localhost</ax2392:value>
          </ax2392:properties>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>SSOUrl</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/samlsso</ax2392:value>
          </ax2392:properties>
          <ax2392:valid>true</ax2392:valid>
        </ax2392:federatedAuthenticatorConfigs>
        <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
          <ax2392:displayName xsi:nil="true"/>
          <ax2392:enabled>false</ax2392:enabled>
          <ax2392:name>openid</ax2392:name>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>OpenIdUrl</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/openid</ax2392:value>
          </ax2392:properties>
          <ax2392:valid>true</ax2392:valid>
        </ax2392:federatedAuthenticatorConfigs>
        <ax2392:federatedAuthenticatorConfigs xsi:type="ax2392:FederatedAuthenticatorConfig">
          <ax2392:displayName xsi:nil="true"/>
          <ax2392:enabled>false</ax2392:enabled>
          <ax2392:name>passivests</ax2392:name>
          <ax2392:properties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>PassiveSTSUrl</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/services/wso2carbon-sts</ax2392:value>
          </ax2392:properties>
          <ax2392:valid>true</ax2392:valid>
        </ax2392:federatedAuthenticatorConfigs>
        <ax2392:federationHub>false</ax2392:federationHub>
        <ax2392:homeRealmId>localhost</ax2392:homeRealmId>
        <ax2392:identityProviderDescription xsi:nil="true"/>
        <ax2392:identityProviderName>LOCAL</ax2392:identityProviderName>
        <ax2392:justInTimeProvisioningConfig xsi:type="ax2392:JustInTimeProvisioningConfig">
          <ax2392:provisioningEnabled>false</ax2392:provisioningEnabled>
          <ax2392:provisioningUserStore xsi:nil="true"/>
          <ax2392:userStoreClaimUri xsi:nil="true"/>
        </ax2392:justInTimeProvisioningConfig>
        <ax2392:permissionAndRoleConfig xsi:type="ax2392:PermissionsAndRoleConfig"/>
        <ax2392:primary>false</ax2392:primary>
        <ax2392:provisioningConnectorConfigs xsi:type="ax2392:ProvisioningConnectorConfig">
          <ax2392:blocking>false</ax2392:blocking>
          <ax2392:enabled>false</ax2392:enabled>
          <ax2392:name>scim</ax2392:name>
          <ax2392:provisioningProperties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>scimUserEndpoint</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/wso2/scim/Users</ax2392:value>
          </ax2392:provisioningProperties>
          <ax2392:provisioningProperties xsi:type="ax2392:Property">
            <ax2392:confidential>false</ax2392:confidential>
            <ax2392:defaultValue xsi:nil="true"/>
            <ax2392:description xsi:nil="true"/>
            <ax2392:displayName xsi:nil="true"/>
            <ax2392:name>scimGroupEndpoint</ax2392:name>
            <ax2392:required>false</ax2392:required>
            <ax2392:type xsi:nil="true"/>
            <ax2392:value>https://localhost:9443/wso2/scim/Groups</ax2392:value>
          </ax2392:provisioningProperties>
          <ax2392:valid>false</ax2392:valid>
        </ax2392:provisioningConnectorConfigs>
        <ax2392:provisioningRole xsi:nil="true"/>
      </ns:return>
    </ns:getResidentIdPResponse>
  </soapenv:Body>
</soapenv:Envelope>
updateIdP
The updateIdP() operation can be used to update an existing identity provider. The <oldIdPName> element identifies the identity provider to update and is mandatory in the updateIdP request; the <!--Optional:--> comments in the template below are generated from the WSDL and do not reflect this. All the other parameters in the updateIdP request are the same as the parameters in the addIdP request. The request carries the complete identity provider definition, not only the fields being changed, so retrieve the current definition first (this service's getIdPByName operation returns it) and send it back with the modifications applied. Two fields deserve particular care: <xsd:certificate> is the certificate the Identity Server uses to validate assertions and tokens signed by that identity provider, so replacing it changes who is trusted, and <xsd:identityProviderName> renames the identity provider when it differs from <oldIdPName>.
Permission Level: /permission/admin/manage
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org" xmlns:xsd="http://model.common.application.identity.carbon.wso2.org/xsd"> <soapenv:Header/> <soapenv:Body> <mgt:updateIdP> <!--Optional:--> <mgt:oldIdPName>?</mgt:oldIdPName> <!--Optional:--> <mgt:identityProvider> <!--Optional:--> <xsd:alias>?</xsd:alias> <!--Optional:--> <xsd:certificate>?</xsd:certificate> <!--Optional:--> <xsd:claimConfig>...</xsd:claimConfig> <!--Optional:--> <xsd:defaultAuthenticatorConfig>...</xsd:defaultAuthenticatorConfig> <!--Optional:--> <xsd:defaultProvisioningConnectorConfig>... </xsd:defaultProvisioningConnectorConfig> <!--Optional:--> <xsd:displayName>?</xsd:displayName> <!--Optional:--> <xsd:enable>?</xsd:enable> <!--Zero or more repetitions:--> <xsd:federatedAuthenticatorConfigs>...</xsd:federatedAuthenticatorConfigs> <!--Optional:--> <xsd:federationHub>?</xsd:federationHub> <!--Optional:--> <xsd:homeRealmId>?</xsd:homeRealmId> <!--Optional:--> <xsd:identityProviderDescription>?</xsd:identityProviderDescription> <!--Optional:--> <xsd:identityProviderName>?</xsd:identityProviderName> <!--Optional:--> <xsd:justInTimeProvisioningConfig>...</xsd:justInTimeProvisioningConfig> <!--Optional:--> <xsd:permissionAndRoleConfig>...</xsd:permissionAndRoleConfig> <!--Optional:--> <xsd:primary>?</xsd:primary> <!--Zero or more repetitions:--> <xsd:provisioningConnectorConfigs>...</xsd:provisioningConnectorConfigs> <!--Optional:--> <xsd:provisioningRole>?</xsd:provisioningRole> </mgt:identityProvider> </mgt:updateIdP> </soapenv:Body> </soapenv:Envelope>
Response
None
updateResidentIdP
The updateResidentIdP() operation can be used to alter certain parameters of the resident identity provider. These parameters are:
- Home Realm Identifier
- SAML2 Web SSO Configuration Entity ID
Permission Level: /permission/admin/manage
The following request shows how to update the above parameters. The home realm identifier is carried in <xsd:homeRealmId>; the SAML2 Web SSO entity ID is carried inside the SAML2 Web SSO entry of <xsd:federatedAuthenticatorConfigs>, as returned by getResidentIdP.
Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.idp.carbon.wso2.org" xmlns:xsd="http://model.common.application.identity.carbon.wso2.org/xsd"> <soapenv:Header/> <soapenv:Body> <mgt:updateResidentIdP> <!--Optional:--> <mgt:identityProvider> <!--Optional:--> <xsd:alias>?</xsd:alias> <!--Optional:--> <xsd:certificate>?</xsd:certificate> <!--Optional:--> <xsd:claimConfig>...</xsd:claimConfig> <!--Optional:--> <xsd:defaultAuthenticatorConfig>...</xsd:defaultAuthenticatorConfig> <!--Optional:--> <xsd:defaultProvisioningConnectorConfig>... </xsd:defaultProvisioningConnectorConfig> <xsd:displayName>?</xsd:displayName> <!--Optional:--> <xsd:enable>?</xsd:enable> <!--Zero or more repetitions:--> <xsd:federatedAuthenticatorConfigs>...</xsd:federatedAuthenticatorConfigs> <!--Optional:--> <xsd:federationHub>?</xsd:federationHub> <!--Optional:--> <xsd:homeRealmId>?</xsd:homeRealmId> <!--Optional:--> <xsd:identityProviderDescription>?</xsd:identityProviderDescription> <!--Optional:--> <xsd:identityProviderName>?</xsd:identityProviderName> <!--Optional:--> <xsd:justInTimeProvisioningConfig>...</xsd:justInTimeProvisioningConfig> <!--Optional:--> <xsd:permissionAndRoleConfig>...</xsd:permissionAndRoleConfig> <!--Optional:--> <xsd:primary>?</xsd:primary> <!--Zero or more repetitions:--> <xsd:provisioningConnectorConfigs>...</xsd:provisioningConnectorConfigs> <!--Optional:--> <xsd:provisioningRole>?</xsd:provisioningRole> </mgt:identityProvider> </mgt:updateResidentIdP> </soapenv:Body> </soapenv:Envelope>
Response
None
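The following Python script is an added example, not code from the WSO2 page or product. It builds the updateIdP and updateResidentIdP envelopes described above with ElementTree (so that values such as certificates and display names are escaped correctly and emitted in the order the templates use), posts them to the IdentityProviderMgtService endpoint from the WSDL URL, and reports a SOAP Fault instead of silently treating an HTTP 500 as success. It assumes HTTP Basic authentication with an administrative account, the Axis2 SOAPAction convention "urn:<operation>", and a CA file for the server certificate (cafile); the sample fault reply is constructed, not captured from a server.

```python
"""Build, send and check updateIdP / updateResidentIdP calls to IdentityProviderMgtService.

Added example, not WSO2 code. Assumptions: HTTP Basic auth with an admin account, the
SOAPAction "urn:<operation>" convention, and a CA file that signs the server certificate.
"""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MGT_NS = "http://mgt.idp.carbon.wso2.org"
XSD_NS = "http://model.common.application.identity.carbon.wso2.org/xsd"

# Simple (non-nested) identityProvider fields, in the order the request templates list them.
IDP_FIELDS = ("alias", "certificate", "displayName", "enable", "federationHub",
              "homeRealmId", "identityProviderDescription", "identityProviderName",
              "primary", "provisioningRole")


def build_envelope(operation: str, idp: Dict[str, str],
                   old_idp_name: Optional[str] = None) -> bytes:
    """Serialise a SOAP 1.1 envelope for updateIdP (needs old_idp_name) or updateResidentIdP."""
    if operation not in ("updateIdP", "updateResidentIdP"):
        raise ValueError(f"unsupported operation {operation!r}")
    if operation == "updateIdP" and not old_idp_name:
        raise ValueError("updateIdP requires oldIdPName to identify the IdP being updated")
    unknown = sorted(set(idp) - set(IDP_FIELDS))
    if unknown:
        raise ValueError(f"unsupported identityProvider fields: {unknown}")
    for prefix, uri in (("soapenv", SOAP_NS), ("mgt", MGT_NS), ("xsd", XSD_NS)):
        ET.register_namespace(prefix, uri)  # keep the prefixes used on the page
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{MGT_NS}}}{operation}")
    if operation == "updateIdP":
        ET.SubElement(op, f"{{{MGT_NS}}}oldIdPName").text = old_idp_name
    idp_el = ET.SubElement(op, f"{{{MGT_NS}}}identityProvider")
    for field in IDP_FIELDS:  # schema order; ElementTree escapes <, > and & for us
        if field in idp:
            ET.SubElement(idp_el, f"{{{XSD_NS}}}{field}").text = idp[field]
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def inspect_envelope(envelope: bytes) -> dict:
    """Parse an envelope back into its operation, oldIdPName and identityProvider fields."""
    body = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body")
    op = body[0]
    old = op.find(f"{{{MGT_NS}}}oldIdPName")
    idp = op.find(f"{{{MGT_NS}}}identityProvider")
    return {
        "operation": op.tag.rsplit("}", 1)[1],
        "oldIdPName": old.text if old is not None else None,
        "identityProvider": {c.tag.rsplit("}", 1)[1]: c.text for c in idp},
    }


def parse_response(xml_bytes: bytes) -> Optional[str]:
    """Return None when the reply carries no SOAP Fault, otherwise the fault text."""
    fault = ET.fromstring(xml_bytes).find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return None
    text = fault.findtext("faultstring")  # unqualified child element in SOAP 1.1 faults
    return text or "SOAP fault without faultstring"


def send(envelope: bytes, operation: str, host: str, port: int,
         user: str, password: str, cafile: Optional[str] = None) -> Optional[str]:
    """POST the envelope with Basic auth over verified TLS; return parse_response() of the reply."""
    url = f"https://{host}:{port}/services/IdentityProviderMgtService"
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the server certificate; keep it on
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=envelope, method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": f"urn:{operation}",  # assumption: Axis2 urn:<operation> convention
        "Authorization": f"Basic {token}",
    })
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return parse_response(resp.read())
    except urllib.error.HTTPError as err:  # faults normally arrive with HTTP 500
        return parse_response(err.read())


# Constructed sample fault reply (not captured from a server) for offline checks.
SAMPLE_FAULT = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode>'
    b'<faultstring>Identity provider not found</faultstring></soapenv:Fault>'
    b'</soapenv:Body></soapenv:Envelope>'
)

if __name__ == "__main__":
    # Replace the trusted certificate of TestIdP while re-sending its other simple fields.
    envelope = build_envelope("updateIdP", {
        "identityProviderName": "TestIdP", "displayName": "Sample IdP", "enable": "true",
        "certificate": "BASE64 encoded String goes here",
    }, old_idp_name="TestIdP")
    print(envelope.decode())
    # send(envelope, "updateIdP", "localhost", 9443, "<admin user>", "<password>",
    #      cafile="/path/to/is-ca.pem")  # hypothetical CA file path
```

The script only handles the flat fields of the identityProvider element; nested structures such as <xsd:federatedAuthenticatorConfigs> and <xsd:claimConfig> would be added to the same element in the same way, but because updateIdP replaces the stored definition, any such structure you leave out of the request should be copied from the current definition rather than omitted.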