REST based Identity Services in OpenSSO

1. Introduction


This part of the document covers the basic syntax and the expected output of each supported OpenSSO REST operation. About eleven REST operations are exposed by the OpenSSO server. They are supported in the out-of-the-box configuration of OpenSSO; no special configuration is required. The following table lists those operations.


Operation: Authentication
  URL:        http://localhost:8080/opensso/identity/authenticate
  Parameters: username, password, uri (1)
  Returns:    subjectid

Operation: Token validation
  URL:        http://localhost:8080/opensso/identity/isTokenValid
  Parameters: tokenid
  Returns:    boolean

Operation: Logout
  URL:        http://localhost:8080/opensso/identity/logout
  Parameters: subjectid
  Returns:    void

Operation: Authorization
  URL:        http://localhost:8080/opensso/identity/authorize
  Parameters: uri, action, subjectid
  Returns:    boolean

Operation: Log
  URL:        http://localhost:8080/opensso/identity/log
  Parameters: appid, subjectid, logname, message (1)
  Returns:    void

Operation: Search
  URL:        http://localhost:8080/opensso/identity/search
  Parameters: filter, attributes_names (1), attribute_values_attributename (1)
  Returns:    identitydetails

Operation: Attributes
  URL:        http://localhost:8080/opensso/identity/attributes
  Parameters: attributes_names (1), subjectid
  Returns:    userdetails

Operation: Read
  URL:        http://localhost:8080/opensso/identity/read
  Parameters: name, attributes_names (1), admin
  Returns:    identitydetails

Operation: Creation
  URL:        http://localhost:8080/opensso/identity/create
  Parameters: identity_name, identity_attribute_names, identity_attribute_values_attributename, admin
  Returns:    void

Operation: Update
  URL:        http://localhost:8080/opensso/identity/update
  Parameters: identity_name, identity_attribute_names, identity_attribute_values_attributename, admin
  Returns:    void

Operation: Deletion
  URL:        http://localhost:8080/opensso/identity/delete
  Parameters: identity_name, identity_type, admin
  Returns:    void


(1) Optional parameter



2. Prerequisites


The only prerequisite is to deploy and configure the OpenSSO web application on a supported container such as Glassfish V2. For this exercise I have deployed the EA version of OpenSSO on a Glassfish V2 container and used the embedded identity datastore to perform these simple operations. If you want to work with the "role" idtype, you must use a supported identity datastore such as Sun Directory Server 6.x.



Another key point, as I mentioned earlier, is that I like interpretive languages, so my natural choice for verifying these REST operations is curl. I used curl 7.18.1 (sparc-sun-solaris2.10) libcurl/7.18.1 OpenSSL/0.9.8g zlib/1.1.4 libidn/1.8, with HTTP POST to avoid any URL encoding issues.





3. Invoking REST Interfaces


The terminal output below was captured at different times, so some token IDs and subject IDs differ between sections because I had to recreate them for various reasons. It is not my intent to use the same token ID for every operation; wherever it is mandatory, I did use the same SSO token IDs.


3.1 Authenticate



  • curl -d "&username=amadmin&password=secret12" http://slapd.red.iplanet.com:28080/fam/identity/authenticate


The authentication happens at the root realm using the root realm's default authentication chain. If you want to authenticate to a specific realm and authentication instance, use the variant in the next section, which passes authentication URL parameters.


3.1.1 Authenticate with URL parameters


This command authenticates as user "thanga" with password "secret" to the subrealm "red" using the LDAP authentication instance "abc":


  • curl -d "&username=thanga&password=secret&module=abc&realm=red" http://slapd.red.iplanet.com:28080/fam/identity/authenticate


3.2 Validate Token



  • curl -d "tokenid=AQIC5wM2LY4SfczeSHZ5cHJMmQYU3f5imB2fBBTpkCXADS0=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/isTokenValid



  • curl -b "iPlanetDirectoryPro=AQIC5wM2LY4SfczqMIOj3DJKQZiwLjxWsm+EEzVYhtGEVfQ=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/isTokenValid


3.3 Invalidate Token



  • curl -b "iPlanetDirectoryPro=AQIC5wM2LY4SfcwUjNHoGBwMRUoeWRGxfIXYR7RLY7rKbMU=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/logout

  • curl -d "subjectid=AQIC5wM2LY4SfczeSHZ5cHJMmQYU3f5imB2fBBTpkCXADS0=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/logout


3.4 Log Data on the Server Side


First obtain the two tokens the log operation needs, in this sequence:


  1. subjectid: curl -d "&username=thanga&password=secret" http://slapd.red.iplanet.com:28080/fam/identity/authenticate

  2. appid: curl -d "&username=amadmin&password=secret12" http://slapd.red.iplanet.com:28080/fam/identity/authenticate



  • curl -d "appid=AQIC5wM2LY4Sfcz24GvZCdv6ie9dTJBa3Co7Rn2QUjKCDuM=@AAJTSQACMDE=#&subjectid=AQIC5wM2LY4SfcwTCcRKSDXEsiJXt71PDAUmN1bm/draPZI=@AAJTSQACMDE=#&logname=CURLdb&message=test" http://slapd.red.iplanet.com:28080/fam/identity/log



where appid is an authorization token that has permission to write to the log files (the token of logadmin or amadmin), and

subjectid is the token of the subject on whose behalf the log record is written.

[slapd]:/export/fam-28080/fam/log>more CURLdb
#Version: 1.0
#Fields: time Data ModuleName MessageID Domain ContextID LogLevel LoginID NameID IPAddr LoggedBy HostName
"2008-06-19 21:54:28" test CURLdb "Not Available" "Not Available" 7d1917c9aa9002b301 "Not Available" INFO "Not Available" "Not Available" id=amadmin,ou=user,dc=opensso,dc=java,dc=net "Not Available"
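As an added example (not the post's own code), a parser for the server log format shown above that takes its field names from the #Fields header, with the record from the CURLdb excerpt as sample input; records whose field count does not match the header are flagged rather than dropped.

```python
import shlex

# Sample taken from the CURLdb excerpt in this post
SAMPLE_LOG = """\
#Version: 1.0
#Fields: time Data ModuleName MessageID Domain ContextID LogLevel LoginID NameID IPAddr LoggedBy HostName
"2008-06-19 21:54:28" test CURLdb "Not Available" "Not Available" 7d1917c9aa9002b301 "Not Available" INFO "Not Available" "Not Available" id=amadmin,ou=user,dc=opensso,dc=java,dc=net "Not Available"
"""

def parse_opensso_log(text):
    """Return one dict per record, keyed by the names in the #Fields header.

    Fields are space separated and quoted when they contain spaces, so
    shlex does the splitting; records with the wrong field count are kept
    under a 'malformed' key instead of being silently dropped.
    """
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue  # version header or blank line
        else:
            values = shlex.split(line)
            if fields is None or len(values) != len(fields):
                records.append({"malformed": line})
            else:
                records.append(dict(zip(fields, values)))
    return records

def records_by(records, field, value):
    """Filter records, e.g. everything a given LoggedBy identity wrote."""
    return [r for r in records if r.get(field) == value]
```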


3.5 Authorization



  • curl -d "uri=http://www.sun.com:90&action=POST&subjectid=AQIC5wM2LY4SfczeSHZ5cHJMmQYU3f5imB2fBBTpkCXADS0=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/authorize


boolean=false


  • curl -d "uri=http://www.sun.com:90&action=GET&subjectid=AQIC5wM2LY4SfczeSHZ5cHJMmQYU3f5imB2fBBTpkCXADS0=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/authorize


boolean=true


A policy for the resource http://www.sun.com:90 with authenticated users as the subject must have been created on the OpenSSO server (GET=allow, POST=deny); GET then returns boolean=true and POST returns boolean=false.
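As an added example (not code from the original post or from OpenSSO), here is a small Python client for the authenticate, isTokenValid, authorize and logout calls above. It assumes the reply to authenticate carries the token on a token.id= line, fails closed on an unexpected reply, and includes a constructed stand-in transport so the flow runs offline.

```python
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/opensso/identity"  # deployment URL from the table above

def urllib_post(url, params):
    """POST form-encoded parameters (what curl -d does), so no hand escaping."""
    body = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return resp.read().decode()

def parse_pairs(text):
    """'key=value' lines -> {key: [values]}; split once, since tokens contain '='."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out.setdefault(key.strip(), []).append(value.strip())
    return out

class OpenSSOClient:
    def __init__(self, post=urllib_post, base=BASE):
        self.post, self.base = post, base  # transport is injectable for offline use

    def authenticate(self, username, password, realm=None, module=None):
        params = {"username": username, "password": password,
                  "realm": realm, "module": module}  # realm/module as in 3.1.1
        params = {k: v for k, v in params.items() if v is not None}
        # the reply carries the SSO token on a 'token.id=' line (assumed format)
        return parse_pairs(self.post(self.base + "/authenticate", params))["token.id"][0]

    def is_token_valid(self, token):  # anything but an explicit 'true' is invalid
        return parse_pairs(self.post(self.base + "/isTokenValid", {"tokenid": token})).get("boolean", ["false"])[0] == "true"

    def authorize(self, token, uri, action):  # fail closed on missing 'boolean='
        params = {"uri": uri, "action": action, "subjectid": token}
        return parse_pairs(self.post(self.base + "/authorize", params)).get("boolean", ["false"])[0] == "true"

    def logout(self, token):
        self.post(self.base + "/logout", {"subjectid": token})

def simulated_post(url, params):
    """Constructed stand-in for a server: GET allowed, POST denied, as in 3.5."""
    if url.endswith("/authenticate"):
        return "token.id=CONSTRUCTED-TOKEN=@AAJTSQACMDE=#\n"
    if url.endswith("/isTokenValid"):
        return "boolean=%s\n" % str(params["tokenid"].startswith("CONSTRUCTED")).lower()
    if url.endswith("/authorize"):
        return "boolean=%s\n" % str(params["action"] == "GET").lower()
    return ""
```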


3.6 Search Identities



  • curl -d
    "&filter=\*&attributes_names=objecttype&attributes_values_objecttype=agent&admin=AQIC5wM2LY4SfcxCWBCNON1gTsaMaHISbYmTyYosv8pCPVw=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/search



This returns the available agent types:


string=wsc
string=wsp
string=SecurityTokenService


To search all the user entries:



  • curl -d "&filter=\*&attributes_names=objectclass&attributes_values_objectclass=person&admin=AQIC5wM2LY4SfcxCWBCNON1gTsaMaHISbYmTyYosv8pCPVw=@AAJTSQACMDE=#" http://slapd.red.iplanet.com:28080/fam/identity/search


admin is the token of any administrator who has the privilege to search the user entries, for example the amadmin token. The search returns:

string=thanga


3.7 Display Identity Attributes



  • curl -d
    "attributes_names=uid&subjectid=AQIC5wM2LY4Sfcz6eH4abOQ0el7pnDqmOn6nnn1nrcuE8/w=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/attributes


userdetails.token.id=AQIC5wM2LY4Sfcz6eH4abOQ0el7pnDqmOn6nnn1nrcuE8/w=@AAJTSQACMDE=#
userdetails.attribute.name=sn
userdetails.attribute.value=thanga
userdetails.attribute.name=cn
userdetails.attribute.value=thanga
userdetails.attribute.name=objectclass
userdetails.attribute.value=sunFederationManagerDataStore
userdetails.attribute.value=top
userdetails.attribute.value=iplanet-am-managed-person
userdetails.attribute.value=iplanet-am-user-service
userdetails.attribute.value=organizationalperson
userdetails.attribute.value=inetadmin
userdetails.attribute.value=iPlanetPreferences
userdetails.attribute.value=person
userdetails.attribute.value=inetuser
userdetails.attribute.value=sunAMAuthAccountLockout
userdetails.attribute.value=sunIdentityServerLibertyPPService
userdetails.attribute.value=inetorgperson
userdetails.attribute.value=sunFMSAML2NameIdentifier
userdetails.attribute.name=userpassword
userdetails.attribute.value={SSHA}XhiE0RMwO/D7SSQ5fYLrTlFjmbHmYbQkIU43FA==
userdetails.attribute.name=uid
userdetails.attribute.value=thanga
userdetails.attribute.name=givenname
userdetails.attribute.value=thanga
userdetails.attribute.name=inetuserstatus
userdetails.attribute.value=Active


3.8 Read Particular Identity Attributes



  • curl -d
    "name=thanga&attributes_names=uid&admin=AQIC5wM2LY4SfcxCWBCNON1gTsaMaHISbYmTyYosv8pCPVw=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/read


identitydetails.name=thanga
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=uid
identitydetails.attribute.value=thanga
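An added example, not from the original post: a parser for the userdetails and identitydetails listings returned by /identity/attributes and /identity/read, which also masks the userpassword hash that the attributes call returns, since a subject token exposes every attribute of the entry. The sample responses are constructed from the output above, with placeholder token and hash values.

```python
SENSITIVE = {"userpassword"}  # attributes never to log verbatim (assumed list)

def parse_attributes(text, prefix):
    """Group '<prefix>.attribute.name=' / '<prefix>.attribute.value=' lines.

    Values belong to the most recent name; a name with no value line yields []
    (as /identity/read shows for an attribute the entry does not have yet).
    Other '<prefix>.<key>=' lines (token.id, name, type, realm) go to meta.
    """
    attrs, meta, current = {}, {}, None
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: tokens and DNs contain '='
        if key == prefix + ".attribute.name":
            current = value
            attrs.setdefault(current, [])
        elif key == prefix + ".attribute.value" and current is not None:
            attrs[current].append(value)
        elif key == prefix + ".attribute":
            current = None  # separator /identity/read prints before each attribute
        elif key.startswith(prefix + "."):
            meta[key[len(prefix) + 1:]] = value
    return meta, attrs

def redact(attrs):
    """Copy safe to log or echo to a client: sensitive attributes are masked."""
    return {k: (["<redacted>"] if k.lower() in SENSITIVE else v) for k, v in attrs.items()}

# Constructed samples shaped like the /identity/attributes and /identity/read
# output in this post (token and hash values are placeholders)
SAMPLE_USERDETAILS = """\
userdetails.token.id=CONSTRUCTED-TOKEN=@AAJTSQACMDE=#
userdetails.attribute.name=sn
userdetails.attribute.value=thanga
userdetails.attribute.name=objectclass
userdetails.attribute.value=top
userdetails.attribute.value=person
userdetails.attribute.name=userpassword
userdetails.attribute.value={SSHA}CONSTRUCTED-HASH==
userdetails.attribute.name=inetuserstatus
userdetails.attribute.value=Active
"""
SAMPLE_IDENTITYDETAILS = """\
identitydetails.name=rest_user_created
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=mail
"""
```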

3.9 Create Identities 


3.9.1 Create an agent type



  • curl -d
    "identity_name=webagent70&identity_attribute_names=userpassword&identity_attribute_values_userpassword=secret123&identity_realm=/&identity_type=Agent&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/create


Verify it:



  • curl -d
    "&filter=\*&attributes_names=objecttype&attributes_values_objecttype=agent&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/search


string=wsc
string=webagent70
string=wsp
string=SecurityTokenService

3.9.2 Create a user



  • curl -d
    "identity_name=rest_user_created&identity_attribute_names=userpassword&identity_attribute_values_userpassword=secret12&identity_attribute_names=sn&identity_attribute_values_sn=sn_for_rest_user&identity_attribute_names=cn&identity_attribute_values_cn=cn_of_REST_user&identity_realm=/&identity_type=user&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/create


Verify it



  • curl -d
    "&filter=\*&attributes_names=objectclass&attributes_values_objectclass=person&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/search


string=thanga
string=rest_user_created

3.10 Identity Update



  • curl -d
    "attributes_names=mail&name=rest_user_created&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/read


identitydetails.name=rest_user_created
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=mail


  • curl -d
    "identity_name=rest_user_created&identity_attribute_names=mail&identity_attribute_values_mail=restUser@rest-DOT-org&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/update


Verify it



  • curl -d
    "attributes_names=mail&name=rest_user_created&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/read


identitydetails.name=rest_user_created
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=mail
identitydetails.attribute.value=restUser@rest-DOT-org

3.11 Identity Delete 


3.11.1 Make sure it exists



  • curl -d
    "&filter=\*&attributes_names=objectclass&attributes_values_objectclass=person&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/search


string=thanga
string=rest_user_created

3.11.2 Delete it



  • curl -d
    "identity_name=rest_user_created&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#&identity_type=user"
    http://slapd.red.iplanet.com:28080/fam/identity/delete


3.11.3 Verify it is gone



  • curl -d
    "&filter=\*&attributes_names=objectclass&attributes_values_objectclass=person&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/search


string=thanga


Comments:

Great writeup and really useful info! Will add a pointer to this blog entry of yours, from the opensso wiki.

Posted by sidharth on July 05, 2008 at 04:10 AM PDT #

About

Indira Thangasamy, I manage the OpenSSO Quality engineering team.
