2017-03-28 7 views
0

I know there are REST APIs for OpenAM for some functions such as self-service, authentication, etc., but I am unable to find the right APIs for adding a remote identity provider and so on. How do I add IdPs to the OpenAM federation via the CREST API?

Either I am missing something, or there is no REST API for this in OpenAM for some reason. The reason could be that they are not planning one, or that there is none yet in the current version.

Is there a way to register SAML IdPs in OpenAM without using the OpenAM admin console or the ssoadm command?

Pointers to the right code components would also be much appreciated.

Answer

1

In Access Manager 5 (OpenAM 14) you can manage SAML entities using the REST APIs. To create a new hosted SAMLv2 IdP you will need something like this:

    # Single request: the two XML documents are sent as JSON strings, so their
    # quotes and newlines stay escaped (\" and \n). The signing certificate
    # value has been removed here; put the IdP's base64 certificate in its place.
    curl -X POST \
        'http://idp.example.com:8080/openam/json/realm-config/federation/entityproviders/saml2?_action=create' \
        -H 'content-type: application/json' \
        -H 'iplanetdirectorypro: <ADMIN_SESSION_ID>' \
        -d '{
          "_id": "http://idp.example.com:8080/openam",
          "metadata": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<EntityDescriptor entityID=\"http://idp.example.com:8080/openam\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n <IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n  <KeyDescriptor use=\"signing\">\n   <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n    <ds:X509Data>\n     <ds:X509Certificate>BASE64_SIGNING_CERTIFICATE_PLACEHOLDER</ds:X509Certificate>\n    </ds:X509Data>\n   </ds:KeyInfo>\n  </KeyDescriptor>\n  <ArtifactResolutionService index=\"0\" isDefault=\"true\" Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/ArtifactResolver/metaAlias/idp\"/>\n  <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://idp.example.com:8080/openam/IDPSloRedirect/metaAlias/idp\" ResponseLocation=\"http://idp.example.com:8080/openam/IDPSloRedirect/metaAlias/idp\"/>\n  <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://idp.example.com:8080/openam/IDPSloPOST/metaAlias/idp\" ResponseLocation=\"http://idp.example.com:8080/openam/IDPSloPOST/metaAlias/idp\"/>\n  <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/IDPSloSoap/metaAlias/idp\"/>\n  <ManageNameIDService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://idp.example.com:8080/openam/IDPMniRedirect/metaAlias/idp\" ResponseLocation=\"http://idp.example.com:8080/openam/IDPMniRedirect/metaAlias/idp\"/>\n  <ManageNameIDService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://idp.example.com:8080/openam/IDPMniPOST/metaAlias/idp\" ResponseLocation=\"http://idp.example.com:8080/openam/IDPMniPOST/metaAlias/idp\"/>\n  <ManageNameIDService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/IDPMniSoap/metaAlias/idp\"/>\n  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>\n  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\n  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>\n  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>\n  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>\n  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>\n  <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://idp.example.com:8080/openam/SSORedirect/metaAlias/idp\"/>\n  <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://idp.example.com:8080/openam/SSOPOST/metaAlias/idp\"/>\n  <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/SSOSoap/metaAlias/idp\"/>\n  <NameIDMappingService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/NIMSoap/metaAlias/idp\"/>\n  <AssertionIDRequestService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/AIDReqSoap/IDPRole/metaAlias/idp\"/>\n  <AssertionIDRequestService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:URI\" Location=\"http://idp.example.com:8080/openam/AIDReqUri/IDPRole/metaAlias/idp\"/>\n </IDPSSODescriptor>\n</EntityDescriptor>\n\n",
          "entityConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<EntityConfig entityID=\"http://idp.example.com:8080/openam\" hosted=\"true\" xmlns=\"urn:sun:fm:SAML:2.0:entityconfig\">\n <IDPSSOConfig metaAlias=\"/idp\">\n  <Attribute name=\"description\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"signingCertAlias\">\n   <Value>test</Value>\n  </Attribute>\n  <Attribute name=\"encryptionCertAlias\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"basicAuthOn\">\n   <Value>false</Value>\n  </Attribute>\n  <Attribute name=\"basicAuthUser\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"basicAuthPassword\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"autofedEnabled\">\n   <Value>false</Value>\n  </Attribute>\n  <Attribute name=\"autofedAttribute\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"assertionEffectiveTime\">\n   <Value>600</Value>\n  </Attribute>\n  <Attribute name=\"idpAuthncontextMapper\">\n   <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>\n  </Attribute>\n  <Attribute name=\"idpAuthncontextClassrefMapping\">\n   <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>\n  </Attribute>\n  <Attribute name=\"idpAccountMapper\">\n   <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>\n  </Attribute>\n  <Attribute name=\"idpDisableNameIDPersistence\">\n   <Value>false</Value>\n  </Attribute>\n  <Attribute name=\"idpAttributeMapper\">\n   <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>\n  </Attribute>\n  <Attribute name=\"assertionIDRequestMapper\">\n   <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>\n  </Attribute>\n  <Attribute name=\"nameIDFormatMap\">\n   <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>\n   <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>\n   <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>\n   <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>\n   <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>\n  </Attribute>\n  <Attribute name=\"idpECPSessionMapper\">\n   <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>\n  </Attribute>\n  <Attribute name=\"attributeMap\"/>\n  <Attribute name=\"wantNameIDEncrypted\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"wantArtifactResolveSigned\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"wantLogoutRequestSigned\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"wantLogoutResponseSigned\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"wantMNIRequestSigned\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"wantMNIResponseSigned\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"cotlist\">\n   <Value>test</Value>\n  </Attribute>\n  <Attribute name=\"discoveryBootstrappingEnabled\">\n   <Value>false</Value>\n  </Attribute>\n  <Attribute name=\"assertionCacheEnabled\">\n   <Value>false</Value>\n  </Attribute>\n  <Attribute name=\"assertionNotBeforeTimeSkew\">\n   <Value>600</Value>\n  </Attribute>\n  <Attribute name=\"saeAppSecretList\"/>\n  <Attribute name=\"saeIDPUrl\">\n   <Value>http://idp.example.com:8080/openam/idpsaehandler/metaAlias/idp</Value>\n  </Attribute>\n  <Attribute name=\"AuthUrl\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"appLogoutUrl\">\n   <Value/>\n  </Attribute>\n  <Attribute name=\"idpSessionSyncEnabled\">\n   <Value>false</Value>\n  </Attribute>\n  <Attribute name=\"relayStateUrlList\"/>\n </IDPSSOConfig>\n</EntityConfig>\n\n",
          "_type": {
            "_id": "saml2",
            "name": "Entity Descriptor ",
            "collection": true
          }
        }'
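The same create request built in Python, as an added example that is not part of the answer above: it sanity-checks the two XML documents before sending them (the `_id`, the metadata `entityID` and the EntityConfig `entityID` must all agree, and a hosted IdP needs `hosted="true"`), then POSTs to the endpoint the answer shows. The sample metadata and config strings are constructed minimal documents; the function names are my own, and the session ID is assumed to come from an admin login.

```python
import json
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
CFG_NS = "urn:sun:fm:SAML:2.0:entityconfig"

# Constructed minimal documents so the script runs stand-alone; the answer's
# full metadata/entityConfig strings can be dropped in unchanged.
SAMPLE_METADATA = (
    '<EntityDescriptor entityID="http://idp.example.com:8080/openam" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="http://idp.example.com:8080/openam/SSOPOST/metaAlias/idp"/>'
    "</IDPSSODescriptor></EntityDescriptor>"
)
SAMPLE_CONFIG = (
    '<EntityConfig entityID="http://idp.example.com:8080/openam" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">'
    '<IDPSSOConfig metaAlias="/idp"><Attribute name="cotlist"><Value>test</Value></Attribute>'
    "</IDPSSOConfig></EntityConfig>"
)


def build_create_payload(entity_id, metadata_xml, entity_config_xml):
    """Return the JSON body for ?_action=create after checking both XML documents."""
    # Both must parse, both must carry the entityID sent as _id, and the config must
    # say hosted="true"; a mismatch yields an entity that imports but never matches.
    md_root = ET.fromstring(metadata_xml)
    cfg_root = ET.fromstring(entity_config_xml)
    if md_root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("metadata is not a SAML 2.0 EntityDescriptor")
    if cfg_root.tag != f"{{{CFG_NS}}}EntityConfig":
        raise ValueError("entityConfig is not an OpenAM EntityConfig")
    for root in (md_root, cfg_root):
        if root.get("entityID") != entity_id:
            raise ValueError(f"entityID {root.get('entityID')!r} != _id {entity_id!r}")
    if cfg_root.get("hosted") != "true":
        raise ValueError('a hosted IdP needs hosted="true" in EntityConfig')
    return {"_id": entity_id, "metadata": metadata_xml, "entityConfig": entity_config_xml}


def create_hosted_idp(base_url, session_id, payload, timeout=10):
    """POST the payload to the top-level realm's saml2 entity collection (hypothetical helper)."""
    url = base_url + "/json/realm-config/federation/entityproviders/saml2?_action=create"
    req = Request(url, data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("iplanetDirectoryPro", session_id)  # admin SSO token, as in the curl call
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

Call `create_hosted_idp("http://idp.example.com:8080/openam", session_id, build_create_payload(...))` with the answer's two XML strings in place of the samples; the pre-check catches the copy-paste error of an `_id` that differs from the entityID inside the documents before anything reaches the server.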
+0

Thanks. Is this documented? – pinkpanther

+1

If I'm not mistaken, the endpoint should be present in the API Explorer. –