Obtaining an Unscoped Token in Federated Identity Authentication Mode (IdP Initiated)

Function Description

This interface is used to obtain an unscoped token in IdP-initiated federated identity authentication mode.

An unscoped token cannot be used for authentication. If a federated user needs to use a token for authentication, obtain a scoped token as described in section Obtaining a Scoped Token in Federated Identity Authentication Mode.

URI

URI format

POST /v3.0/OS-FEDERATION/tokens

Request

  • Request header parameter description

    | Parameter | Mandatory | Type | Description |
    |---|---|---|---|
    | X-Idp-Id | Yes | String | ID of an identity provider. |
    | Content-Type | Yes | String | The client must transfer the SAMLResponse parameter to the server by using the form data submitted by the browser. Therefore, the value of this parameter must be: application/x-www-form-urlencoded |

  • Request body parameter description

    | Parameter | Mandatory | Type | Description |
    |---|---|---|---|
    | SAMLResponse | Yes | String | Response body returned when IdP authentication is successful. |

    NOTE:

    This interface can be called only on the CLI side. The client must first obtain the SAMLResponse in IdP-initiated federated identity authentication mode, and then obtain an unscoped token by submitting it as form data in the same way a browser would.

  • Sample request
    curl -i -k -H 'Accept:application/json' -H 'x-Idp-Id:test_local_idp' -H 'Content-Type:application/x-www-form-urlencoded' -X POST -d 'SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBl4WXZ1OGNmYmRzWk1ZeWlLKy96anpEbm1rT2FrVVBrUmlSWEpLYUt5NzJtUmtoRFBCNjgwVQpzalU3R2hKNHE4ZG48L3hlbmM6Q2lwaGVyVmFsdWU%2BPC94ZW5jOkNpcGhlckRhdGE%2BPC94ZW5jOkVuY3J5cHRlZERhdGE%2BPC9zYW1sMjpFbmNyeXB0ZWRBc3NlcnRpb24%2BPC9zYW1sMnA6UmVzcG9uc2U%2B' https://iam.example.com/v3.0/OS-FEDERATION/tokens

Response

  • Response parameter description

    | Response Item | Location | Type | Description |
    |---|---|---|---|
    | X-Subject-Token | header | string | Signed unscoped token. |
    | token | body | Object | Information about the unscoped token obtained in federated identity authentication mode, including methods and user information. |

  • Sample response
    {
        "token": {
            "expires_at": "2018-03-13T03:00:01.168000Z",
            "methods": ["mapped"],
            "issued_at": "2018-03-12T03:00:01.168000Z",
            "user": {
                "OS-FEDERATION": {
                    "identity_provider": {
                        "id": "test_local_idp"
                    },
                    "protocol": {
                        "id": "saml"
                    },
                    "groups": [{
                        "name": "admin",
                        "id": "45a8c8f1894444e9a016af065e152b91"
                    }]
                },
                "domain": {
                    "name": "hansheng",
                    "id": "c0e20cc993a24ad4aa3251661ef37c87"
                },
                "name": "FederationUser",
                "id": "QNSzD0bycqUXE4hiRNfyFcWfoOs8z6gT"
            }
        }
    }
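
The request and response described above, as an added Python example that is not part of the original reference. The function names are hypothetical; the URI, header names and response fields are the ones on this page. It percent-encodes the Base64 SAMLResponse for the form body, refuses non-HTTPS endpoints, keeps certificate verification on (unlike the -k in the sample request), and checks the returned token's identity provider, method and expiry.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

TOKEN_PATH = "/v3.0/OS-FEDERATION/tokens"  # URI given on this page


def build_token_request(endpoint, idp_id, saml_response_b64):
    """Build (without sending) the POST this page describes. Helper name is hypothetical."""
    if not endpoint.startswith("https://"):
        raise ValueError("SAMLResponse is a credential; send it over HTTPS only")
    # Base64 contains '+', '/' and '='. urlencode() percent-encodes them, so the
    # server cannot decode '+' as a space and corrupt the assertion.
    body = urllib.parse.urlencode({"SAMLResponse": saml_response_b64}).encode("ascii")
    headers = {
        "X-Idp-Id": idp_id,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return endpoint.rstrip("/") + TOKEN_PATH, headers, body


def parse_token_response(headers, body_text, expected_idp, now=None):
    """Return (token_id, expires_at) after checking the fields of the sample response."""
    token_id = headers.get("X-Subject-Token")
    if not token_id:
        raise ValueError("X-Subject-Token header missing")
    token = json.loads(body_text)["token"]
    federation = token["user"]["OS-FEDERATION"]
    if federation["identity_provider"]["id"] != expected_idp:
        raise ValueError("token was issued for a different identity provider")
    if "mapped" not in token["methods"]:  # method shown in the sample response
        raise ValueError("token does not carry the 'mapped' method")
    expires_at = datetime.strptime(
        token["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ"
    ).replace(tzinfo=timezone.utc)
    if expires_at <= (now or datetime.now(timezone.utc)):
        raise ValueError("token has already expired")
    return token_id, expires_at


def request_unscoped_token(endpoint, idp_id, saml_response_b64, timeout=10):
    """Send the request; urlopen's default context verifies the server certificate."""
    url, headers, body = build_token_request(endpoint, idp_id, saml_response_b64)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.headers, resp.read().decode("utf-8"), idp_id)
```
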

Status Code

| Status Code | Description |
|---|---|
| 201 | The request is successful, and a token is returned. |
| 400 | The server failed to process the request. |
| 401 | You must enter a username and password to access the requested page. |
| 403 | You are forbidden to access the requested page. |
| 405 | You are not allowed to use the method specified in the request. |
| 413 | The request entity is too large. |
| 500 | Failed to complete the request because of an internal service error. |
| 503 | Failed to complete the request because the service is unavailable. |