Cloud Services

ModernOps

APIs for Mapping Authtype with IdP
Published On May 16, 2024 - 1:22 PM

APIs for Mapping Authtype with IdP

Learn what APIs are needed to configure the mapping of Authtype.
POST /core/authorization/v1/authtype/configurations (Authtype configuration)
These configurations work for only multi-tenancy and only on a 1:1 mapping basis.
Authtype can be either
internal
" or "
hybrid
.

Hybrid

Hybrid payload

{ "initial_system_admin_team_code": "KyndrylAdmin", (optional), "initial_system_admin_org_code": "", (optional) "initial_system_admin_team_external_ref_id": "IdPAdmin", (mandatory) "auth_type": "hybrid", (mandatory) Enum(“internal”, “hybrid”) "name": "unique_name" (mandatory) - for filtering - unique - case insensitive }
  • "initial_system_admin_team_external_ref_id" is mandatory in the payload. It must not be already associated to any existing team.
  • "initial_system_admin_team_code" is the team with which the external_ref_id will be associated.
  • "initial_system_admin_team_code" must be a new team code.
  • A new team will be created with the code.
  • "initial_system_admin_team_code" will be assigned the "System Admin" role.
  • "initial_system_admin_org_code" is not a mandatory field.
  • If "initial_system_admin_org_code" is not specified, "admin-org" is used.
  • If the org is not available in the system, it will be created.
  • "name" should be unique.

Sample hybrid payload

{ "initial_system_admin_team_code": "Team_Code", "initial_system_admin_team_external_ref_id": "IdPAdmin", "auth_type": "hybrid", "name": "hybrid_conf" }

Sample hybrid response

{ "initial_system_admin_team_code": "TeamCode", "initial_system_admin_org_code": "admin_org" "initial_system_admin_team_external_ref_id": "IdPAdmin", "auth_type": "hybrid", "name": "hybrid_conf", "id": "5e6f6044d707bb9e0ec4e8da" }
The response contains the payload along with a unique "id" for the auth type config.

Internal

Internal payload

{ "auth_type": "internal", (mandatory) Enum(“internal”, “hybrid”) "name": "unique_name" (mandatory) }
  • "auth_type" and "name" are both mandatory fields.
  • Only one internal auth type config can be persisted.

Sample internal payload

{ "auth_type": "internal", "name": "internal_conf" }

Sample internal response

{ "auth_type": "internal", "name": "internal_conf", "id": "5e6f6044d707bb9e0ec4e8da" }
  • The response contains the payload along with a unique "id" for the auth type config.
GET /core/authorization/v1/authtype/configurations: (Auth-ype configuration)
  • GET All Authtype Config
  • returns List of Auth Type Configs
  • Filters: name, auth_type

Sample GET All Authtype configuration response

[ { "initial_system_admin_team_code": "TeamCode", "initial_system_admin_team_external_ref_id": "Super Admin", "auth_type": "hybrid", "name": "conf_hybrid", "initial_system_admin_org_code": "admin_org", "id": "5e6f6044d707bb9e0ec4e8da" }, { "auth_type": "internal", "name": "intenal_conf", "id": "5e6f67472e73bd1faf1a0245" } ]
GET /core/authorization/v1/authtype/configurations/{id}: (Authtype Configuration)
  • Get Auth Type Config by ID

Sample GET Authtype Config by ID response

{ "initial_system_admin_team_code": "TeamCode", "initial_system_admin_team_external_ref_id": "Super Admin", "auth_type": "hybrid", "name": "conf_hybrid", "initial_system_admin_org_code": "admin_org", "id": "5e6f6044d707bb9e0ec4e8da" }
POST /core/authorization/v1/configuration/idp (IDP-Authtype mapping)
  • idp_id is an optional field when creating the mapping of the IDP and authtype.
  • The auth_type_id is an id that is unique from the authtype configuration document that is fetched based on the id provided in the payload.
  • The configurations are also verified for team and org and external_ref_id if available or not, before mapping. If not available, it is created and then mapped.
  • If provided, the idp_id is cross-checked with the idp_id of the logged user's corelite-token. If the idp_id is not provided, it will be fetched directly from the corelite-token and then used for mapping.

IDP-Authtype mapping

{ "idp_id": "unique_id"(optional), (correlate it with idp coming from token) "auth_type_id": "auth_type_config id" }
  • When you create the mapping, the cache will be cleared so that the authtype will be updated and JWT will be with the new configuration.
PATCH /core/authorization/v1/configuration/idp/{idp_id} (IDP-Authtype mapping)
  • When updating the IDP and authtype mapping, idp_id is a mandatory param.
  • The auth_type_id is unique from the authtype configuration document that is fetched based on the id provided in the payload.
  • The configurations are verified for team and org and external_ref_id if available or not. If not available, they are being created as a part of process and then mapped.
  • The idp_id provided is cross-checked with the idp_id of the logged in user's corelite-token.

IDP-Authtype mapping

{ "auth_type_id": "auth_type_config_id" }
  • Updating IDP-authtype clears the cache of previously stored conf so that the new configuration changes are reflected as part of new JWT.
PATCH /core/authorization/v1/configuration/authtype/{id} (IDP-Authtype mapping)
  • If Configuration is mapped to an IDP:
    • The mapped IDP should match the logged-in System Admins' IDP.
    • name, if being patched, should continue to be unique.
  • If the configuration being patched is of auth type hybrid:
    • There should be groups present in the logged in user's SAML/CL JWT Token/CP JWT Refresh token.
    • Validate if the newly provided "external idp reference" is one of the groups in the CP Refresh JWT token. If not, error out.
    • Match each of the groups in the token with Team.externalref. At least one of the groups should match the external Ref in a team, and the matched team should have a System Admin role. If not, error out.

Patch internal auth_config

IDP-Authtype mapping

{ "name": "unique_name" }

Patch hybrid auth_config

IDP-Authtype mapping

{ "initial_system_admin_team_external_ref_id": "IdPAdmin", (optional) "name": "unique_name" (optional) }
  • Updating IDP-authtype clears the cache of previously stored conf so that the new configuration changes are reflected as part of new JWT.
DELETE /core/authorization/v1/configuration/idp/{idp_id} (IDP-Authtype mapping)
  • Deletion is to be treated the same as switching authtype to internal.
  • While deleting mapping of the IDP, idp_id is a mandatory param.
  • Cannot delete the internal mapping.
  • Cannot delete the last mapping present in the database.
  • If deleting the hybrid mapping, the user will be assigned to the INITIAL-SETUP-ADMIN team and admin_org and will be given a System Admin Role, so that user call uses Internal authorization.
DELETE /core/authorization/v1/authtype/configurations/{auth_type_id} (IDP-Authtype mapping)
  • Deletion is to be treated the same as switching authtype to internal.
  • The respective idp_mapping with auth_config must also be deleted.
  • If deleting the hybrid mapping, the user will be assigned to INITIAL-SETUP-ADMIN team and admin_org and will be given a System Admin Role, so that user call uses Internal authorization.
Do you have two minutes for a quick survey?
Take Survey