POST /core/authorization/v1/authtype/configurations (Authtype configuration)
These configurations apply only to multi-tenancy and only on a 1:1 mapping basis.
Authtype can be either "internal" or "hybrid".
Hybrid
Hybrid payload
{
"initial_system_admin_team_code": "KyndrylAdmin", (optional)
"initial_system_admin_org_code": "", (optional)
"initial_system_admin_team_external_ref_id": "IdPAdmin", (mandatory)
"auth_type": "hybrid", (mandatory) Enum("internal", "hybrid")
"name": "unique_name" (mandatory) - for filtering - unique - case insensitive
}
"initial_system_admin_team_external_ref_id" is mandatory in the payload. It must not already be associated with any existing team.
"initial_system_admin_team_code" is the team with which the external_ref_id will be associated. It must be a new team code: a new team is created with that code and assigned the "System Admin" role.
"initial_system_admin_org_code" is not a mandatory field. If it is not specified, "admin-org" is used. If the org does not exist in the system, it is created.
"name" must be unique.
Sample hybrid payload
{
"initial_system_admin_team_code": "Team_Code",
"initial_system_admin_team_external_ref_id": "IdPAdmin",
"auth_type": "hybrid",
"name": "hybrid_conf"
}
Sample hybrid response
{
"initial_system_admin_team_code": "TeamCode",
"initial_system_admin_org_code": "admin_org",
"initial_system_admin_team_external_ref_id": "IdPAdmin",
"auth_type": "hybrid",
"name": "hybrid_conf",
"id": "5e6f6044d707bb9e0ec4e8da"
}
The response contains the payload along with a unique "id" for the auth type config.
Internal
Internal payload
{
"auth_type": "internal", (mandatory) Enum("internal", "hybrid")
"name": "unique_name" (mandatory)
}
"auth_type" and "name" are both mandatory fields.
Only one internal auth type config can be persisted.
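Added example, not part of this API documentation: a Python validation routine that applies the rules given above for both the hybrid and the internal payload before a config is persisted. The in-memory stores of existing configs and known teams, and the function names, are assumptions made for the illustration.

```python
# Added example (not from the API docs): validation of a POST
# /core/authorization/v1/authtype/configurations payload under the rules given
# for hybrid and internal configs. Stored state is constructed in memory.
AUTH_TYPES = ("internal", "hybrid")
DEFAULT_ORG = "admin-org"   # used when initial_system_admin_org_code is absent

class ConfigError(ValueError):
    pass

def validate_authtype_config(payload, existing_configs, existing_teams):
    """Return the config that would be persisted, or raise ConfigError.
    existing_configs: stored config dicts; existing_teams: team_code -> external_ref_id
    """
    auth_type = payload.get("auth_type")
    name = payload.get("name")
    if auth_type not in AUTH_TYPES or not name:
        raise ConfigError("auth_type must be internal or hybrid and name is mandatory")
    # name is unique, compared case-insensitively
    if any(c["name"].lower() == name.lower() for c in existing_configs):
        raise ConfigError("name %r is already in use" % name)
    if auth_type == "internal":
        # only one internal auth type config can be persisted
        if any(c["auth_type"] == "internal" for c in existing_configs):
            raise ConfigError("an internal auth type config already exists")
        return {"auth_type": "internal", "name": name}
    ext_ref = payload.get("initial_system_admin_team_external_ref_id")
    if not ext_ref:
        raise ConfigError("initial_system_admin_team_external_ref_id is mandatory")
    # the external ref must not already be associated to any existing team
    if ext_ref in existing_teams.values():
        raise ConfigError("external_ref_id %r is already associated to a team" % ext_ref)
    # team code is optional; when given it must be new, since the team is
    # created with that code and assigned the System Admin role
    team_code = payload.get("initial_system_admin_team_code")
    if team_code in existing_teams:
        raise ConfigError("team code %r already exists" % team_code)
    return {
        "auth_type": "hybrid", "name": name,
        "initial_system_admin_team_code": team_code,
        "initial_system_admin_org_code": payload.get("initial_system_admin_org_code") or DEFAULT_ORG,
        "initial_system_admin_team_external_ref_id": ext_ref,
    }

def is_rejected(payload, existing_configs, existing_teams):
    """True if the payload would be refused under the rules above."""
    try:
        validate_authtype_config(payload, existing_configs, existing_teams)
    except ConfigError:
        return True
    return False
```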
Sample internal payload
{
"auth_type": "internal",
"name": "internal_conf"
}
Sample internal response
{
"auth_type": "internal",
"name": "internal_conf",
"id": "5e6f6044d707bb9e0ec4e8da"
}
The response contains the payload along with a unique "id" for the auth type config.
GET /core/authorization/v1/authtype/configurations: (Authtype configuration)
Get All Authtype Configs
Returns a list of all auth type configs.
Filters: name, auth_type
Sample GET All Authtype configuration response
[
{
"initial_system_admin_team_code": "TeamCode",
"initial_system_admin_team_external_ref_id": "Super Admin",
"auth_type": "hybrid",
"name": "conf_hybrid",
"initial_system_admin_org_code": "admin_org",
"id": "5e6f6044d707bb9e0ec4e8da"
},
{
"auth_type": "internal",
"name": "internal_conf",
"id": "5e6f67472e73bd1faf1a0245"
}
]
GET /core/authorization/v1/authtype/configurations/{id}: (Authtype Configuration)
Get Auth Type Config by ID
Sample GET Authtype Config by ID response
{
"initial_system_admin_team_code": "TeamCode",
"initial_system_admin_team_external_ref_id": "Super Admin",
"auth_type": "hybrid",
"name": "conf_hybrid",
"initial_system_admin_org_code": "admin_org",
"id": "5e6f6044d707bb9e0ec4e8da"
}
POST /core/authorization/v1/configuration/idp (IDP-Authtype mapping)
idp_id is an optional field when creating the mapping between the IDP and the authtype.
auth_type_id is the unique id of an authtype configuration document; the configuration is fetched using the id provided in the payload.
Before mapping, the configuration is also checked for whether its team, org and external_ref_id already exist. Any that do not exist are created, and then the mapping is made.
If idp_id is provided, it is cross-checked against the idp_id in the logged-in user's corelite-token. If it is not provided, the idp_id is taken directly from the corelite-token and used for the mapping.
IDP-Authtype mapping
{
"idp_id": "unique_id", (optional) (correlated with the idp_id in the token)
"auth_type_id": "auth_type_config id"
}
Creating the mapping clears the cache, so the authtype is updated and newly issued JWTs carry the new configuration.
PATCH /core/authorization/v1/configuration/idp/{idp_id} (IDP-Authtype mapping)
When updating the IDP-authtype mapping, idp_id is a mandatory param.
auth_type_id is the unique id of an authtype configuration document; the configuration is fetched using the id provided in the payload.
The configuration is checked for whether its team, org and external_ref_id already exist. Any that do not exist are created as part of the process, and then the mapping is made.
The idp_id provided is cross-checked against the idp_id in the logged-in user's corelite-token.
IDP-Authtype mapping
{
"auth_type_id": "auth_type_config_id"
}
Updating the IDP-authtype mapping clears the cache of the previously stored configuration, so that the configuration changes are reflected in newly issued JWTs.
PATCH /core/authorization/v1/configuration/authtype/{id} (IDP-Authtype mapping)
If the configuration is mapped to an IDP:
The mapped IDP must match the logged-in System Admin's IDP.
"name", if being patched, must continue to be unique.
If the configuration being patched is of auth type hybrid:
Groups must be present in the logged-in user's SAML / CL JWT token / CP JWT refresh token.
Validate that the newly provided "external idp reference" is one of the groups in the CP refresh JWT token. If not, error out.
Match each of the groups in the token against Team.externalref. At least one group must match the external ref of a team, and the matched team must have the System Admin role. If not, error out.
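Added example, not the service's own code: the PATCH checks listed above for a hybrid configuration, written in Python so that each rule can be tested on its own. It generalizes slightly by collecting every violation instead of erroring out at the first; the Team record fields, the token claim names (idp_id, groups) and the sample values are assumptions.

```python
# Added example (not from the API docs): the rule set the text lists for
# PATCH /core/authorization/v1/configuration/authtype/{id} on a hybrid config,
# returning every violation found. Team fields, token claim names and the
# sample values are constructed for this illustration.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Team:
    code: str
    external_ref: Optional[str]          # Team.externalref in the text
    roles: set = field(default_factory=set)

def hybrid_patch_violations(token, mapped_idp_id, teams, existing_names, patch):
    """Return a list of violated rules (empty means the patch may proceed).

    token          -- claims of the logged-in System Admin's token: idp_id, groups
    mapped_idp_id  -- IDP the configuration is mapped to, or None if unmapped
    teams          -- Team records known to the system
    existing_names -- names of the other persisted auth type configs
    patch          -- PATCH body with optional name / external ref
    """
    violations = []
    # a configuration mapped to an IDP may only be patched from that IDP
    if mapped_idp_id is not None and mapped_idp_id != token.get("idp_id"):
        violations.append("mapped IDP does not match the caller's IDP")
    # name, if patched, must stay unique (case-insensitive, as on create)
    new_name = patch.get("name")
    if new_name is not None and new_name.lower() in {n.lower() for n in existing_names}:
        violations.append("name %r is already in use" % new_name)
    groups = set(token.get("groups") or [])
    if not groups:
        violations.append("no groups present in the token")
        return violations        # the remaining checks all need groups
    # the new external IDP reference must be one of the token's groups
    new_ref = patch.get("initial_system_admin_team_external_ref_id")
    if new_ref is not None and new_ref not in groups:
        violations.append("external ref %r is not a group in the token" % new_ref)
    # at least one group must match Team.externalref of a team that holds
    # the System Admin role
    admin_match = [t.code for t in teams
                   if t.external_ref in groups and "System Admin" in t.roles]
    if not admin_match:
        violations.append("no token group maps to a team with the System Admin role")
    return violations
```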
Patch internal auth_config
IDP-Authtype mapping
{
"name": "unique_name"
}
Patch hybrid auth_config
IDP-Authtype mapping
{
"initial_system_admin_team_external_ref_id": "IdPAdmin", (optional)
"name": "unique_name" (optional)
}
Updating the IDP-authtype configuration clears the cache of the previously stored configuration, so that the configuration changes are reflected in newly issued JWTs.
DELETE /core/authorization/v1/configuration/idp/{idp_id} (IDP-Authtype mapping)
Deletion is treated the same as switching the authtype to internal.
When deleting the mapping of an IDP, idp_id is a mandatory param.
The internal mapping cannot be deleted.
The last mapping present in the database cannot be deleted.
If the hybrid mapping is deleted, the user is assigned to the INITIAL-SETUP-ADMIN team and admin_org and given the System Admin role, so that the user's calls use internal authorization.
DELETE /core/authorization/v1/authtype/configurations/{auth_type_id} (IDP-Authtype mapping)
Deletion is treated the same as switching the authtype to internal.
The corresponding idp_mapping for the auth_config must also be deleted.
If the hybrid mapping is deleted, the user is assigned to the INITIAL-SETUP-ADMIN team and admin_org and given the System Admin role, so that the user's calls use internal authorization.