Generating an AK/SK in Federated Identity Authentication Mode

Function Description

This interface is used to generate an AK/SK in federated identity authentication mode. This interface has been deprecated.

NOTE:

This interface has been deprecated and is replaced by the /v3.0/OS-CREDENTIAL/securitytokens interface. For details, see Obtaining a Temporary AK/SK.

Before obtaining a temporary AK/SK in federated identity authentication mode, you need to establish a relationship of trust between the enterprise IdP and IAM. For details about how to query the metadata file, see Querying the Metadata File of Keystone.

URI

  • URI format

    GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/credential

  • URI parameter description

    Parameter | Mandatory | Type | Description
    --- | --- | --- | ---
    idp_id | Yes | String | ID of an identity provider.
    protocol_id | Yes | String | ID of a protocol.
    duration_seconds | No | String | Validity period of an AK/SK, in seconds. The value is an integer ranging from 900 to 86400. The default value is 900.

Request

  • Request header parameter description

    Parameter | Mandatory | Type | Description
    --- | --- | --- | ---
    idp_id | Yes | String | ID of an identity provider.
    protocol_id | Yes | String | ID of a protocol.
    Accept | No | String | Not required when a token is obtained in the WebSSO mode. When a token is obtained using the ECP, the value is application/vnd.paos+xml.
    PAOS | No | String | Not required when a token is obtained in the WebSSO mode. When a token is obtained using the ECP, the value is urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp.

    NOTE:

    This interface can be used to obtain a token using Web Single Sign-On (WebSSO) or the ECP. The two mechanisms are differentiated by the request headers. For details, see the request header parameter description above.

  • Sample request
    GET /v3-ext/OS-FEDERATION/identity_providers/idptest/protocols/saml/credential

Response

  • Response body parameter description

    Parameter | Response Item | Type | Description
    --- | --- | --- | ---
    credential | body | Object | Credential obtained in federated authentication mode, including the AK/SK and security token. The default validity period of the AK/SK and security token is 900 seconds.

  • Sample response
    {
        "credential": {
            "access": "9KDZ9C4FZWDT4R2FCLYT",
            "secret": "An7Qo7j7jmKduupYaJDZd1s2oxFkfujkD23fr3uO",
            "expires_at": "2017-09-14T09:35:22.002000Z",
            "securitytoken": "gAAAAABZuPvamyED44aYAZgdSvxxareklLGR9V4TwrsGNacjbs_8Z7CUtYdoI39-RzebqX55VkMZ46HpbaETlrSXqP1Wcdq-scxRt7WfCCV0CH987zruTPeb8Hd0Hb0fYZzi-OZO9lfIluQuHp8OUF2KwYliQFGIZMdwrgrHQCOg-49CbzhgGj4H2SCaMKT9VkpF9dquNgvoDG5a_j-_q1pMsoRJMrQyAZwt1vAYEadZ4gEklNprre0KS4D5wefTxsF_BQJfF-wCgeSTc9ggV0zld1t2G0qR5g=="
        }
    }
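The following Python is an added example, not code from this reference or from the IAM service: it assembles the request described above (ECP headers, duration_seconds range check) and parses the sample response to compute how long the returned AK/SK remains valid, so a caller can rotate before expiry. The endpoint host and the placement of duration_seconds as a query parameter are assumptions.

```python
import json
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

# Header values for the ECP mode exactly as listed on this page; WebSSO mode sends neither.
ECP_HEADERS = {
    "Accept": "application/vnd.paos+xml",
    "PAOS": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
}

def valid_duration(duration_seconds):
    """True when duration_seconds is an integer within the documented range 900..86400."""
    try:
        return 900 <= int(duration_seconds) <= 86400
    except (TypeError, ValueError):
        return False

def build_credential_request(endpoint, idp_id, protocol_id, duration_seconds=None, ecp=False):
    """Return method, URL and headers for the credential interface; nothing is sent here.
    The client-side range check stops a misconfigured caller from asking for an AK/SK
    that outlives the documented maximum of 86400 seconds."""
    if duration_seconds is not None and not valid_duration(duration_seconds):
        raise ValueError("duration_seconds must be an integer from 900 to 86400")
    url = (endpoint.rstrip("/") + "/v3-ext/OS-FEDERATION/identity_providers/"
           + quote(idp_id, safe="") + "/protocols/" + quote(protocol_id, safe="") + "/credential")
    if duration_seconds is not None:
        # Assumption: duration_seconds is sent as a query parameter; the page lists it as a
        # URI parameter but does not show where it is placed.
        url += "?" + urlencode({"duration_seconds": str(duration_seconds)})
    return {"method": "GET", "url": url, "headers": dict(ECP_HEADERS) if ecp else {}}

def parse_credential(body, now=None):
    """Parse the JSON response body and add seconds_left so callers can refresh early."""
    cred = json.loads(body)["credential"]
    expires = datetime.strptime(cred["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    cred["seconds_left"] = int((expires - now).total_seconds())
    return cred

# Constructed input: the page's sample response with the security token shortened.
SAMPLE_BODY = """{"credential": {"access": "9KDZ9C4FZWDT4R2FCLYT",
  "secret": "An7Qo7j7jmKduupYaJDZd1s2oxFkfujkD23fr3uO",
  "expires_at": "2017-09-14T09:35:22.002000Z", "securitytoken": "gAAAAABZuPva"}}"""
# Constructed clock reading five minutes before the sample expires_at.
SAMPLE_NOW = datetime(2017, 9, 14, 9, 30, 22, 2000, tzinfo=timezone.utc)

if __name__ == "__main__":
    req = build_credential_request("https://iam.example.com", "idptest", "saml", 3600, ecp=True)
    print(req["url"], req["headers"], parse_credential(SAMPLE_BODY, now=SAMPLE_NOW)["seconds_left"])
```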

Status Codes

Status Code | Description
--- | ---
200 | The request is successful. You need to further obtain user information.
201 | The request is successful, and an AK/SK is returned.
302 | The system switches to the identity provider authentication page if the request does not carry user information of the identity provider.
400 | The server failed to process the request.
401 | You must enter a username and password to access the requested page.
403 | You are forbidden to access the requested page.
405 | You are not allowed to use the method specified in the request.
413 | The request entity is too large.
500 | Failed to complete the request because of an internal service error.
503 | Failed to complete the request because the service is unavailable.