Identity CRUD operations

Unlike other Access Management products, OpenSSO provides extensive identity operations interfaces for provisioning and managing identities. In the REST interfaces arena, a number of methods are exposed to perform identity CRUD (create, read, update, and delete) operations. In this section, let us explore some of those methods with specific examples.

Searching identities

The search REST interface queries the configured datastores for identities matching the search filter supplied in the filter parameter. The parameters that are mandatory for this interface are as follows:

  • filter: Defines a set of criteria that controls what is returned by the operation
  • attributes_names: Defines one or more identity attributes for which the search is to be performed
  • attributes_values_{values_of-attributes_names}: Defines the value of the attribute (defined by attributes_names) that is being searched
  • admin: Defines the SSO tokenID of the user with the necessary privileges to search the identity objects; for example, amadmin

Searching for user identities

To search for users, supply objecttype=user:

curl -d"&filter=*&attributes_names=objecttype&attributes_values_objecttype=user&admin=AQIC5wM2LY4SfcyzMMSQfpvjKfTC1vchgxDh5qFqe1IyWc8.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/search

For example:

string=bob
string=anonymous
string=andy
string=frank
string=dave
string=newauduin
string=thanga
string=amAdmin
string=chris
string=openldap

Searching groups

To list all the groups in the system, run the following command. If you want to list roles instead (supported only on the Oracle Directory Server Enterprise Edition), use role in place of group in the search method:

curl -d"&filter=*&attributes_names=objecttype&attributes_values_objecttype=group&admin=AQIC5wM2LY4SfcyzMMSQfpvjKfTC1vchgxDh5qFqe1IyWc8.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/search

For example:

string=manager
string=customer
string=employee
string=everyone

Searching for agents

You can use the following command to list all the agents in the server:

curl -d"&filter=*&attributes_names=objecttype&attributes_values_objecttype=agent&admin=AQIC5wM2LY4SfcyzMMSQfpvjKfTC1vchgxDh5qFqe1IyWc8.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/search

For example:

string=SecurityTokenService
string=payslip
string=agentAuth
string=wsp
string=wsc

Again, all of these operations are performed over HTTP POST.

Retrieving identity attributes

All of the above commands helped us search for and return all the identities matching specific search criteria. What if we want to query all, or one specific, attribute of an authenticated identity? OpenSSO supports this through the REST interface as well: the attributes REST interface provides the attribute query feature:

curl -d"attributes_names=*&subjectid=AQIC5wM2LY4Sfcy3-h9A1_Tle0Y-TRqor9wzra_KwJRfYYA.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/attributes

Here are a few illustrations:

userdetails.token.id=AQIC5wM2LY4Sfcy3-h9A1_Tle0Y-TRqor9wzra_KwJRfYYA.*AAJTSQACMDE.*
userdetails.attribute.name=sunIdentityMSISDNNumber
userdetails.attribute.name=mail
userdetails.attribute.name=sn
userdetails.attribute.value=amAdmin
userdetails.attribute.name=givenName
userdetails.attribute.value=amAdmin
userdetails.attribute.name=telephoneNumber
userdetails.attribute.name=employeeNumber
userdetails.attribute.name=postalAddress
userdetails.attribute.name=iplanet-am-user-success-url
userdetails.attribute.name=cn
userdetails.attribute.value=amAdmin
userdetails.attribute.name=roles
userdetails.attribute.value=Top-level Admin Role
userdetails.attribute.name=iplanet-am-user-failure-url
userdetails.attribute.name=inetUserStatus
userdetails.attribute.value=Active
userdetails.attribute.name=dn
userdetails.attribute.value=uid=amAdmin,ou=people,dc=opensso,dc=java,dc=net
userdetails.attribute.name=iplanet-am-user-alias-list

This returns all the user attributes of the authenticated user whose SSO token is provided in the subjectid parameter. If you are looking for a specific attribute of a given user, use the read interface instead of attributes. The read method requires you to supply the administrative user token or any privileged user token (a user who has search privileges on the user identities). In the following example we see how the inetuserstatus attribute value can be obtained for the user thanga by supplying the top-level administrative user token:

curl -d"name=thanga&attributes_names=inetuserstatus&admin=AQIC5wM2LY4Sfcydrf7j_P55uDmbs3lPSlKKaDgWelBI4oQ.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/read

Here are a few examples:

identitydetails.name=thanga
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=inetuserstatus
identitydetails.attribute.value=Active

In the same way, you can get any other identity attributes.
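Both the attributes and read interfaces answer with the line-oriented key=value format shown above, where each attribute.name line is followed by zero, one or several attribute.value lines. The parser below is an added example (not code from the book or from OpenSSO) that turns that output into a dictionary; the sample responses are constructed in the page's format with a placeholder token, and the raise on a stray value line and the handling of the empty identitydetails.attribute= separator line are assumptions about the format, not documented behaviour.

```python
from collections import OrderedDict

# Constructed sample in the attributes interface's format (userdetails.*); placeholder token.
SAMPLE_ATTRIBUTES_RESPONSE = """\
userdetails.token.id=EXAMPLE-SSO-TOKEN
userdetails.attribute.name=sn
userdetails.attribute.value=amAdmin
userdetails.attribute.name=roles
userdetails.attribute.value=Top-level Admin Role
userdetails.attribute.value=Example Second Role
userdetails.attribute.name=dn
userdetails.attribute.value=uid=amAdmin,ou=people,dc=opensso,dc=java,dc=net
userdetails.attribute.name=iplanet-am-user-alias-list
"""

# Constructed sample in the read interface's format (identitydetails.*).
SAMPLE_READ_RESPONSE = """\
identitydetails.name=thanga
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=inetuserstatus
identitydetails.attribute.value=Active
"""

def parse_identity_response(text):
    """Return (metadata, attributes): metadata holds the non-attribute keys (token.id,
    name, type, realm); attributes maps each attribute name to the list of value lines
    that followed it (empty if none, several if the attribute is multi-valued)."""
    metadata = {}
    attributes = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)  # first '=' only: DN values contain '='
        if key.endswith(".attribute.name"):
            current = value
            attributes.setdefault(current, [])
        elif key.endswith(".attribute.value"):
            if current is None:
                raise ValueError("attribute value before any attribute name")
            attributes[current].append(value)
        elif key.endswith(".attribute") and value == "":
            continue  # 'identitydetails.attribute=' is a group separator in read output
        else:
            metadata[key.split(".", 1)[1]] = value  # strip userdetails./identitydetails.
    return metadata, attributes
```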

Creating agent identities

Creating identities is a straightforward process as it does not involve too many parameters. Let us start with the agent type. The following sequence of commands will create a web agent profile named webagent70, followed by a search for this profile to verify its creation:

curl -d "identity_name=webagent70&identity_attribute_names=userpassword&identity_attribute_values_userpassword=secret123&identity_realm=/&identity_type=Agent&admin=AQIC5wM2LY4SfcyAE_hl9mLbroCALqxF6duZrCGSEBNokLk.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/create

This command returns nothing if the operation succeeds; otherwise you will see the exception documented in the WSDL.

To make sure the profile has been created successfully, let us search for the agent with the name webagent70:

curl -d "&filter=webagent70&attributes_names=objecttype&attributes_values_objecttype=agent&admin=AQIC5wM2LY4SfcyAE_hl9mLbroCALqxF6duZrCGSEBNokLk.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/search
string=webagent70

Creating user identities

Creating users with the REST create method is more involved than creating an agent: all the attributes and their values need to be properly formatted before they are sent in the REST call.

Let us see this process with a simple example that shows you how to create the user with minimum required attributes:

curl -d"identity_name=rest_user_created&identity_attribute_names=userpassword&identity_attribute_values_userpassword=secret12&identity_attribute_names=sn&identity_attribute_values_sn=sn_for_rest_user&identity_attribute_names=cn&identity_attribute_values_cn=cn_of_REST_user&identity_realm=/&identity_type=user&admin=AQIC5wM2LY4SfcyAE_hl9mLbroCALqxF6duZrCGSEBNokLk.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/create

If you see no errors after executing this command, the user creation most likely succeeded. Now run the next command to verify that the identity exists; if it does not, you will see the object not found exception. A user named rest_user_created will have been added to the system:

curl -d "&filter=rest_user_created&attributes_names=objectclass&attributes_values_objectclass=person&admin=AQIC5wM2LY4SfcyAE_hl9mLbroCALqxF6duZrCGSEBNokLk.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/search
string=rest_user_created

Note

All these curl commands should be entered on one line; for readability, some may appear across multiple lines.

Creating group identities

Just like users, groups can be created by setting identity_type=group. Unlike user identities, a group requires only its name as a mandatory attribute:

curl -d "identity_name=rest_group&identity_realm=/&identity_type=group&admin=AQIC5wM2LY4Sfcw048RQCRtKfR_N1k-eSmONGbH9RR5VAZU.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/create

In order to verify, just execute the following command to view the group you have just created:

curl -d "&filter=rest_group&attributes_names=objecttype&attributes_values_objecttype=group&admin=AQIC5wM2LY4Sfcw048RQCRtKfR_N1k-eSmONGbH9RR5VAZU.*AAJTSQACMDE.*" http://opensso.packt-services.net:9090/opensso/identity/search
string=rest_group
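The search calls earlier in this section and the create calls above share one convention: a repeated _names parameter plus one _values_<name> parameter per attribute, all sent by HTTP POST. The following Python client is an added example (not code from the book or from OpenSSO) that builds those form bodies as ordered (key, value) pairs, parses the string= lines a search returns, and performs the create-then-search check the book walks through; the base URL and the admin token are assumed and are read from the environment, because the admin token is a bearer credential that grants every operation shown here.

```python
import os
import urllib.parse
import urllib.request

# Assumed settings: the book's server is http://opensso.packt-services.net:9090/opensso;
# the admin SSO token is a bearer credential, so it is read from the environment
# rather than pasted into commands or source.
BASE_URL = os.environ.get("OPENSSO_URL", "http://localhost:9090/opensso")
ADMIN_TOKEN = os.environ.get("OPENSSO_ADMIN_TOKEN", "PLACEHOLDER-ADMIN-TOKEN")

def named_attribute_pairs(prefix, attrs):
    """Expand {name: value} into the repeated <prefix>_names / <prefix>_values_<name>
    form parameters used by search (prefix 'attributes') and create (prefix
    'identity_attribute'). A list of tuples is used so repeated keys survive."""
    pairs = []
    for name, value in attrs.items():
        pairs.append((prefix + "_names", name))
        pairs.append((prefix + "_values_" + name, value))
    return pairs

def search_pairs(object_type, filter_="*", admin=ADMIN_TOKEN):
    """Form parameters for /identity/search restricted to one objecttype."""
    return ([("filter", filter_)]
            + named_attribute_pairs("attributes", {"objecttype": object_type})
            + [("admin", admin)])

def create_pairs(name, identity_type, attrs, realm="/", admin=ADMIN_TOKEN):
    """Form parameters for /identity/create; attrs is e.g. {'userpassword': ..., 'sn': ..., 'cn': ...}."""
    return ([("identity_name", name)]
            + named_attribute_pairs("identity_attribute", attrs)
            + [("identity_realm", realm), ("identity_type", identity_type), ("admin", admin)])

def parse_search_result(text):
    """Each matching identity is returned as one 'string=<name>' line."""
    return [line.split("=", 1)[1] for line in text.splitlines() if line.startswith("string=")]

def post(path, pairs):
    """POST the form parameters (these interfaces only accept HTTP POST) and return the body."""
    body = urllib.parse.urlencode(pairs).encode()
    req = urllib.request.Request(BASE_URL + path, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def create_and_verify(name, identity_type, attrs):
    """Mirror the book's sequence: create, then search by name to confirm the identity exists.
    The create call takes e.g. 'Agent' while the search objecttype is lower-case 'agent'."""
    post("/identity/create", create_pairs(name, identity_type, attrs))
    found = parse_search_result(post("/identity/search", search_pairs(identity_type.lower(), filter_=name)))
    return name in found
```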