Indira's blog
REST based Identity Services in OpenSSO
1. Introduction
This part of the document covers the basic syntax and the expected output of each supported OpenSSO REST operation. About eleven REST operations are exposed by the OpenSSO server. They are available in the out-of-the-box configuration of OpenSSO; no special configuration is required. The following table lists those operations.
| Operation | URL | Parameters | Returns |
| Authentication | http://localhost:8080/<deploy-uri>/identity/authenticate | username, password, uri¹ | subjectid |
| Token validation | http://localhost:8080/<deploy-uri>/identity/isTokenValid | tokenid | boolean |
| Logout | http://localhost:8080/<deploy-uri>/identity/logout | subjectid | void |
| Authorization | http://localhost:8080/<deploy-uri>/identity/authorize | uri, action, subjectid | boolean |
| Log | http://localhost:8080/<deploy-uri>/identity/log | appid, subjectid, logname, message¹ | void |
| Search | http://localhost:8080/<deploy-uri>/identity/search | filter, attributes_names¹, attributes_values_<attributename>¹, admin | identitydetails |
| Attributes | http://localhost:8080/<deploy-uri>/identity/attributes | attributes_names¹, subjectid | userdetails |
| Read | http://localhost:8080/<deploy-uri>/identity/read | name, attributes_names¹, admin | identitydetails |
| Creation | http://localhost:8080/<deploy-uri>/identity/create | identity_name, identity_type, identity_realm, identity_attribute_names, identity_attribute_values_<attributename>, admin | void |
| Update | http://localhost:8080/<deploy-uri>/identity/update | identity_name, identity_attribute_names, identity_attribute_values_<attributename>, admin | void |
| Deletion | http://localhost:8080/<deploy-uri>/identity/delete | identity_name, identity_type, admin | void |
¹ Optional parameter. In the URL column, <deploy-uri> is the OpenSSO deployment URI (fam in the examples of section 3); the endpoint paths are the ones invoked there.
2. Prerequisites
The only prerequisite is to deploy and configure the OpenSSO web application on a supported container such as GlassFish V2. For this exercise I deployed the EA version of OpenSSO on a GlassFish V2 container and used the embedded identity datastore for these simple operations. If you want to work with the "role" identity type, you must use a supported identity datastore such as Sun Directory Server 6.x.
Another key point, as I mentioned earlier: I like interpreted languages, so my natural choice for exercising these REST operations is curl. I used curl 7.18.1 (sparc-sun-solaris2.10) libcurl/7.18.1 OpenSSL/0.9.8g zlib/1.1.4 libidn/1.8 with HTTP POST to avoid URL-encoding problems in the query string. Note that a POST body is still form-decoded by the server: a "+" inside a token ID (see the cookie example in 3.2) is turned into a space when the value is passed raw with -d, so pass such values with --data-urlencode (available since curl 7.18.0).
3. Invoking REST Interfaces
The terminal output below was captured at different times, so the tokenid and subjectid values differ between some examples; I had to recreate sessions for various reasons. Using one token throughout was never the intent, but wherever the same SSO token is mandatory I did use the same token ID.
3.1 Authenticate
- curl -d "&username=amadmin&password=secret12" http://slapd.red.iplanet.com:28080/fam/identity/authenticate
Authentication happens in the root realm using the root realm's default authentication chain. To authenticate to a specific realm and authentication instance, use the variant below with authentication URL parameters.
3.1.1 Authenticate with URL parameters
The following command authenticates as user "thanga" with password "secret" to the subrealm "red" using the LDAP authentication instance "abc":
- curl -d "&username=thanga&password=secret&module=abc&realm=red" http://slapd.red.iplanet.com:28080/fam/identity/authenticate
3.2 Validate Token
The token can be passed either as the tokenid POST parameter or as the iPlanetDirectoryPro session cookie:
- curl -d "tokenid=AQIC5wM2LY4SfczeSHZ5cHJMmQYU3f5imB2fBBTpkCXADS0=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/isTokenValid
- curl -b "iPlanetDirectoryPro=AQIC5wM2LY4SfczqMIOj3DJKQZiwLjxWsm+EEzVYhtGEVfQ=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/isTokenValid
Both return boolean=true for a live session and boolean=false otherwise.
3.3 Invalidate Token
Either the session cookie or the subjectid parameter identifies the session to destroy:
- curl -b "iPlanetDirectoryPro=AQIC5wM2LY4SfcwUjNHoGBwMRUoeWRGxfIXYR7RLY7rKbMU=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/logout
- curl -d "subjectid=AQIC5wM2LY4SfczeSHZ5cHJMmQYU3f5imB2fBBTpkCXADS0=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/logout
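Chained together, the authenticate, isTokenValid and logout calls of 3.1 to 3.3 form a session lifecycle. The following is an added example, not code from this post or from OpenSSO: it assumes only the endpoint paths and the key=value response lines shown above (token.id=..., boolean=true/false). OpenSSOClient, its send callback, FakeOpenSSO and form_roundtrip are names introduced here; FakeOpenSSO is a constructed stand-in for the server so the flow runs offline, and form_roundtrip shows why a token passed raw with -d breaks while a form-encoded one survives.

```python
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

COOKIE_NAME = "iPlanetDirectoryPro"  # session cookie name used in the post


def parse_kv(text):
    """Parse OpenSSO's key=value response lines. Split on the first '=' only:
    token IDs and DNs contain '=' themselves."""
    pairs = []
    for line in text.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)
            pairs.append((key, value))
    return pairs


def form_roundtrip(token, encode=True):
    """What the server sees after form-decoding a token sent as tokenid.
    Encoded (urlencode / curl --data-urlencode) the token survives; raw
    (curl -d "tokenid=<token>") a '+' in the token decodes to a space."""
    body = urlencode({"tokenid": token}) if encode else "tokenid=" + token
    return parse_qs(body)["tokenid"][0]


class OpenSSOClient:
    def __init__(self, base_url, send=None):
        self.base_url = base_url.rstrip("/")  # e.g. http://host:28080/fam
        self.send = send or self._http_send   # send(path, body, headers) -> text

    def _http_send(self, path, body, headers):
        req = Request(self.base_url + path, data=body.encode(), headers=headers, method="POST")
        with urlopen(req, timeout=10) as resp:
            return resp.read().decode()

    def _post(self, path, params, cookie=None):
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if cookie is not None:
            headers["Cookie"] = f"{COOKIE_NAME}={cookie}"  # cookies are not form-decoded: send raw
        return self.send(path, urlencode(params), headers)  # urlencode escapes + / = @ #

    def authenticate(self, username, password, realm=None, module=None):
        params = {"username": username, "password": password}
        if realm:
            params["realm"] = realm    # sub-realm, as in the "red" example
        if module:
            params["module"] = module  # authentication instance, as in "abc"
        for key, value in parse_kv(self._post("/identity/authenticate", params)):
            if key == "token.id":
                return value
        raise RuntimeError("authentication failed: no token.id in response")

    def is_token_valid(self, token, as_cookie=False):
        if as_cookie:
            text = self._post("/identity/isTokenValid", {}, cookie=token)
        else:
            text = self._post("/identity/isTokenValid", {"tokenid": token})
        return dict(parse_kv(text)).get("boolean") == "true"

    def logout(self, token):
        self._post("/identity/logout", {"subjectid": token})


class FakeOpenSSO:
    """Constructed stand-in for the server so the example runs offline: one
    account, tokens shaped like the post's (with + / = @ #). Not OpenSSO code."""

    def __init__(self):
        self.sessions, self.counter = set(), 0

    def __call__(self, path, body, headers):
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        cookie = headers.get("Cookie", "")
        if path == "/identity/authenticate":
            if (form.get("username"), form.get("password")) != ("thanga", "secret"):
                return ""  # no token.id line on failure
            self.counter += 1
            token = f"AQIC5wM2LY4Sfcz+fake/{self.counter}=@AAJTSQACMDE=#"
            self.sessions.add(token)
            return f"token.id={token}\n"
        if path == "/identity/isTokenValid":
            token = form.get("tokenid") or cookie[len(COOKIE_NAME) + 1:]
            return f"boolean={'true' if token in self.sessions else 'false'}\n"
        if path == "/identity/logout":
            self.sessions.discard(form.get("subjectid"))
            return ""
        raise ValueError(f"unexpected path {path}")


def session_lifecycle(client):
    """Authenticate, validate the token both ways, log out, validate again."""
    token = client.authenticate("thanga", "secret", realm="red", module="abc")
    result = {"valid_as_param": client.is_token_valid(token),
              "valid_as_cookie": client.is_token_valid(token, as_cookie=True)}
    client.logout(token)
    result["valid_after_logout"] = client.is_token_valid(token)
    return result
```

Against a live deployment, construct OpenSSOClient with the real base URL and no send argument; the default transport uses urllib. The cookie form sends the token unencoded because cookie values are not form-decoded, whereas the tokenid parameter is percent-encoded, which is exactly the difference form_roundtrip demonstrates.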
3.4 Log data at the server side
The log call needs two tokens, obtained in this sequence:
- subjectid, the token of the user the log entry is about:
  curl -d "&username=thanga&password=secret" http://slapd.red.iplanet.com:28080/fam/identity/authenticate
- appid, the token of an administrator allowed to write log files:
  curl -d "&username=amadmin&password=secret12" http://slapd.red.iplanet.com:28080/fam/identity/authenticate
Then write the entry:
- curl -d "appid=AQIC5wM2LY4Sfcz24GvZCdv6ie9dTJBa3Co7Rn2QUjKCDuM=@AAJTSQACMDE=#&subjectid=AQIC5wM2LY4SfcwTCcRKSDXEsiJXt71PDAUmN1bm/draPZI=@AAJTSQACMDE=#&logname=CURLdb&message=test" http://slapd.red.iplanet.com:28080/fam/identity/log
where appid is the authorization token that has permission to write to the log files (the token of logadmin or amadmin) and subjectid is the subject the log entry is written about.
The entry is appended to the CURLdb log file in the OpenSSO log directory; the record carries the DN of the appid token's owner (amadmin), so the log shows who wrote the entry as well as the message:
[slapd]:/export/fam-28080/fam/log>more CURLdb
#Version: 1.0
#Fields: time Data ModuleName MessageID Domain ContextID LogLevel LoginID NameID IPAddr LoggedBy HostName
"2008-06-19 21:54:28" test CURLdb "Not Available" "Not Available" 7d1917c9aa9002b301 "Not Available" INFO "Not Available" "Not Available" id=amadmin,ou=user,dc=opensso,dc=java,dc=net "Not Available"
3.5 Authorization
- curl -d "uri=http://www.sun.com:90&action=POST&subjectid=AQIC5wM2LY4SfczeSHZ5cHJMmQYU3f5imB2fBBTpkCXADS0=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/authorize
boolean=false
- curl -d "uri=http://www.sun.com:90&action=GET&subjectid=AQIC5wM2LY4SfczeSHZ5cHJMmQYU3f5imB2fBBTpkCXADS0=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/authorize
boolean=true
For this to work, a policy for the resource http://www.sun.com:90 with authenticated users as the subject must have been created on the OpenSSO server (GET=allow, POST=deny). authorize then returns boolean=true for GET and boolean=false for POST. The subjectid here is the token of the user being evaluated, not an administrator token.
3.6 Search Identities
- curl -d "&filter=*&attributes_names=objecttype&attributes_values_objecttype=agent&admin=AQIC5wM2LY4SfcxCWBCNON1gTsaMaHISbYmTyYosv8pCPVw=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/search
This returns the agent identities that exist out of the box (the same call lists webagent70 after it is created in 3.9.1):
string=wsc
string=wsp
string=SecurityTokenService
To search all the user entries:
- curl -d "&filter=*&attributes_names=objectclass&attributes_values_objectclass=person&admin=AQIC5wM2LY4SfcxCWBCNON1gTsaMaHISbYmTyYosv8pCPVw=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/search
string=thanga
Here admin is the token of any administrator with the privilege to search user entries, for example the amadmin token.
3.7 Display Identity Attributes
- curl -d "attributes_names=uid&subjectid=AQIC5wM2LY4Sfcz6eH4abOQ0el7pnDqmOn6nnn1nrcuE8/w=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/attributes
userdetails.token.id=AQIC5wM2LY4Sfcz6eH4abOQ0el7pnDqmOn6nnn1nrcuE8/w=@AAJTSQACMDE=#
userdetails.attribute.name=sn
userdetails.attribute.value=thanga
userdetails.attribute.name=cn
userdetails.attribute.value=thanga
userdetails.attribute.name=objectclass
userdetails.attribute.value=sunFederationManagerDataStore
userdetails.attribute.value=top
userdetails.attribute.value=iplanet-am-managed-person
userdetails.attribute.value=iplanet-am-user-service
userdetails.attribute.value=organizationalperson
userdetails.attribute.value=inetadmin
userdetails.attribute.value=iPlanetPreferences
userdetails.attribute.value=person
userdetails.attribute.value=inetuser
userdetails.attribute.value=sunAMAuthAccountLockout
userdetails.attribute.value=sunIdentityServerLibertyPPService
userdetails.attribute.value=inetorgperson
userdetails.attribute.value=sunFMSAML2NameIdentifier
userdetails.attribute.name=userpassword
userdetails.attribute.value={SSHA}XhiE0RMwO/D7SSQ5fYLrTlFjmbHmYbQkIU43FA==
userdetails.attribute.name=uid
userdetails.attribute.value=thanga
userdetails.attribute.name=givenname
userdetails.attribute.value=thanga
userdetails.attribute.name=inetuserstatus
userdetails.attribute.value=Active
Note that although only uid was requested through attributes_names, the response carries the subject's full attribute set, including the hashed userpassword value. Treat this output as sensitive and do not log or forward it unfiltered.
3.8 Read Particular Identity Attributes
- curl -d "name=thanga&attributes_names=uid&admin=AQIC5wM2LY4SfcxCWBCNON1gTsaMaHISbYmTyYosv8pCPVw=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/read
identitydetails.name=thanga
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=uid
identitydetails.attribute.value=thanga
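The responses in 3.6, 3.7 and 3.8 share one line-oriented format: scalar lines such as userdetails.token.id or identitydetails.realm, then attribute.name lines each followed by zero or more attribute.value lines, while search returns one string= line per identity. The parser below is an added example, not code from this post or from OpenSSO, that turns those lines into Python structures. The sample responses are trimmed copies of the post's own output; parse_details, parse_search, unrequested_attributes, redact and SENSITIVE_ATTRIBUTES are names introduced here. It also makes explicit what the 3.7 output shows: asking for uid alone still returned every attribute, the hashed userpassword included.

```python
from collections import OrderedDict

# Trimmed copy of the /identity/attributes output above (attributes_names=uid was requested).
ATTRIBUTES_RESPONSE = """\
userdetails.token.id=AQIC5wM2LY4Sfcz6eH4abOQ0el7pnDqmOn6nnn1nrcuE8/w=@AAJTSQACMDE=#
userdetails.attribute.name=sn
userdetails.attribute.value=thanga
userdetails.attribute.name=objectclass
userdetails.attribute.value=top
userdetails.attribute.value=person
userdetails.attribute.value=inetorgperson
userdetails.attribute.name=userpassword
userdetails.attribute.value={SSHA}XhiE0RMwO/D7SSQ5fYLrTlFjmbHmYbQkIU43FA==
userdetails.attribute.name=uid
userdetails.attribute.value=thanga
"""

# Copy of the /identity/read output for an attribute that is not yet set (mail, from 3.10).
READ_RESPONSE = """\
identitydetails.name=rest_user_created
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=mail
"""

# Copy of the /identity/search output listing user entries.
SEARCH_RESPONSE = "string=thanga\nstring=rest_user_created\n"

# Assumption of this example: attributes that must never be logged or forwarded.
SENSITIVE_ATTRIBUTES = {"userpassword"}


def parse_details(text):
    """Return (fields, attributes). fields holds the scalar lines (token.id,
    name, type, realm); attributes maps each attribute.name to the list of
    attribute.value lines that follow it (empty list when the attribute is
    unset). Handles both the userdetails. and identitydetails. prefixes."""
    fields, attributes, current = {}, OrderedDict(), None
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)           # values (DNs, tokens) contain '='
        prefix, _, field = key.partition(".")
        if prefix not in ("userdetails", "identitydetails"):
            raise ValueError(f"unexpected line: {line!r}")
        if field == "attribute.name":
            current = value
            attributes.setdefault(current, [])
        elif field == "attribute.value":
            if current is None:
                raise ValueError("attribute.value before any attribute.name")
            attributes[current].append(value)
        elif field == "attribute":
            continue                              # bare separator line in read output
        else:
            fields[field] = value
    return fields, attributes


def parse_search(text):
    """Identity names from a /identity/search response (one string= line each)."""
    return [line.split("=", 1)[1] for line in text.splitlines() if line.startswith("string=")]


def unrequested_attributes(attributes, requested):
    """Attributes the server returned although they were not asked for."""
    wanted = set(requested)
    return [name for name in attributes if name not in wanted]


def redact(attributes):
    """Copy of the attribute map that is safe to log: sensitive values masked."""
    return OrderedDict(
        (name, ["<redacted>"] * len(values) if name.lower() in SENSITIVE_ATTRIBUTES else list(values))
        for name, values in attributes.items())
```

The read output for an unset attribute parses to an empty value list rather than a missing key, so a caller can tell "attribute unset" from "attribute not returned"; unrequested_attributes is the check to run before an attributes response is passed on to anything that persists it.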
3.9 Create Identities
3.9.1 Create an agent type
- curl -d "identity_name=webagent70&identity_attribute_names=userpassword&identity_attribute_values_userpassword=secret123&identity_realm=/&identity_type=Agent&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/create
Verify it:
- curl -d "&filter=*&attributes_names=objecttype&attributes_values_objecttype=agent&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/search
string=wsc
string=webagent70
string=wsp
string=SecurityTokenService
3.9.2 Create a user
- curl -d "identity_name=rest_user_created&identity_attribute_names=userpassword&identity_attribute_values_userpassword=secret12&identity_attribute_names=sn&identity_attribute_values_sn=sn_for_rest_user&identity_attribute_names=cn&identity_attribute_values_cn=cn_of_REST_user&identity_realm=/&identity_type=user&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/create
Verify it:
- curl -d "&filter=*&attributes_names=objectclass&attributes_values_objectclass=person&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/search
string=thanga
string=rest_user_created
3.10 Identity Update
Read the attribute first. mail is not set yet, so the read returns the attribute name with no value:
- curl -d "attributes_names=mail&name=rest_user_created&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/read
identitydetails.name=rest_user_created
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=mail
Now set it:
- curl -d "identity_name=rest_user_created&identity_attribute_names=mail&identity_attribute_values_mail=restUser@rest.org&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/update
Verify it:
- curl -d "attributes_names=mail&name=rest_user_created&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/read
identitydetails.name=rest_user_created
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=mail
identitydetails.attribute.value=restUser@rest.org
3.11 Identity Delete
3.11.1 Make sure it exists
- curl -d "&filter=*&attributes_names=objectclass&attributes_values_objectclass=person&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/search
string=thanga
string=rest_user_created
3.11.2 Delete it
- curl -d "identity_name=rest_user_created&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#&identity_type=user" http://slapd.red.iplanet.com:28080/fam/identity/delete
3.11.3 Verify it is gone
- curl -d "&filter=*&attributes_names=objectclass&attributes_values_objectclass=person&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/search
string=thanga
Posted at 09:38AM Jul 01, 2008 by indira in opensso |