Obtaining an Unscoped Token in Federated Identity Authentication Mode

Function Description

This interface is used to obtain an unscoped token in federated identity authentication mode.

URI

  • URI format

    GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth

  • URI parameter description

    | Parameter | Mandatory | Type | Description |
    |---|---|---|---|
    | idp_id | Yes | String | ID of an identity provider. |
    | protocol_id | Yes | String | ID of a protocol. |

Request

  • Request header parameter description

    | Parameter | Mandatory | Type | Description |
    |---|---|---|---|
    | Accept | No | string | When you obtain a token using the Enhanced Client Proxy (ECP), the value of this parameter is as follows: application/vnd.paos+xml |
    | PAOS | No | string | When you obtain a token using the ECP, the value of this parameter is as follows: urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp |

    NOTE:
    1. This interface can be used to obtain a token using either Web Single Sign-On (WebSSO) or ECP. The two mechanisms are differentiated by the request headers. For details, see the request header parameter description.
    2. Obtaining a token by calling this interface directly is not recommended. Use the OpenStack client to obtain the token instead.
  • Sample request
    GET /v3/OS-FEDERATION/identity_providers/idptest/protocols/saml/auth

Response

  • Response body parameter description

    | Response Item | Location | Type | Description |
    |---|---|---|---|
    | X-Subject-Token | header | string | Signed unscoped token. |
    | token | body | Object | Information of the unscoped token obtained in federated identity authentication mode, including methods and user information. |

  • Sample response
    {
        "token": {
            "issued_at": "2017-05-23T06:54:51.763000Z",
            "expires_at": "2017-05-24T06:54:51.763000Z",
            "methods": [
                "mapped"
            ],
            "user": {
                "domain": {
                    "id": "e31ac82d778b4d128cb6fed37fd72cdb",
                    "name": "exampledomain"
                },
                "id": "RMQTgtjjSNGDcKy7oUmI3AZg7GgsWG0Z",
                "name": "exampleuser",
                "OS-FEDERATION": {
                    "identity_provider": {
                        "id": "exampleuser"
                    },
                    "protocol": {
                        "id": "saml"
                    },
                    "groups": [
                        {
                            "id": "b40189e26ea44f959877621b4b298db5"
                        }
                    ]
                }
            }
        }
    }

Status Code

| Status Code | Description |
|---|---|
| 200 | The request is successful. You need to further obtain user information. |
| 201 | The request is successful, and a token is returned. |
| 302 | The system switches to the identity provider authentication page if the request does not carry user information of the identity provider. |
| 400 | The server failed to process the request. |
| 401 | You must enter a username and password to access the requested page. |
| 403 | You are forbidden to access the requested page. |
| 405 | You are not allowed to use the method specified in the request. |
| 413 | The request entity is too large. |
| 500 | Failed to complete the request because of an internal service error. |
| 503 | Failed to complete the request because the service is unavailable. |
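
A client-side check of the response described above, added here as an example and not part of the original API reference. The names `auth_path`, `check_unscoped_token`, `ECP_HEADERS` and the sample values are hypothetical or constructed, and the scope check assumes the upstream Keystone token layout.

```python
from datetime import datetime, timezone
from urllib.parse import quote

# Header values the page gives for ECP; a WebSSO request sends neither.
ECP_HEADERS = {"Accept": "application/vnd.paos+xml",
               "PAOS": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"}

def auth_path(idp_id, protocol_id):
    """Build the URI path, percent-encoding each ID so it stays one segment."""
    return "/v3/OS-FEDERATION/identity_providers/%s/protocols/%s/auth" % (
        quote(idp_id, safe=""), quote(protocol_id, safe=""))

def check_unscoped_token(status, headers, body, protocol_id, now=None):
    """Return the X-Subject-Token value if the response carries a usable
    unscoped federated token; raise ValueError otherwise."""
    if status != 201:  # status table: only 201 means a token is returned
        raise ValueError("no token issued (HTTP %d)" % status)
    token_id = {k.lower(): v for k, v in headers.items()}.get("x-subject-token")
    if not token_id:
        raise ValueError("X-Subject-Token header missing")
    token = body.get("token") or {}
    if "mapped" not in token.get("methods", []):
        raise ValueError("token was not issued by federated (mapped) auth")
    # Assumption (upstream Keystone layout): only scoped tokens carry these keys.
    scoped = token.keys() & {"project", "domain", "roles", "catalog"}
    if scoped:
        raise ValueError("expected an unscoped token, found %s" % sorted(scoped))
    fed = token.get("user", {}).get("OS-FEDERATION", {})
    if fed.get("protocol", {}).get("id") != protocol_id:
        raise ValueError("token protocol does not match the requested protocol_id")
    expires = datetime.strptime(token.get("expires_at", ""), "%Y-%m-%dT%H:%M:%S.%fZ")
    if expires.replace(tzinfo=timezone.utc) <= (now or datetime.now(timezone.utc)):
        raise ValueError("token already expired")
    return token_id

# Constructed sample shaped like the page's sample response (values are made up).
SAMPLE_BODY = {"token": {
    "issued_at": "2017-05-23T06:54:51.763000Z",
    "expires_at": "2017-05-24T06:54:51.763000Z",
    "methods": ["mapped"],
    "user": {"id": "u-constructed", "name": "exampleuser",
             "OS-FEDERATION": {"protocol": {"id": "saml"}, "groups": []}},
}}
SAMPLE_HEADERS = {"X-Subject-Token": "constructed-token-value"}
```
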