1. Introduction

This part of the document covers the basic syntax and the expected output of each supported OpenSSO REST operation. About eleven REST operations are exposed by the OpenSSO server. They are supported in the out-of-the-box configuration of OpenSSO; no special configuration is required. The following table lists those operations.

Operation: Authentication
    URL:        http://localhost:8080/opensso/identity/authenticate
    Parameters: username, password, uri (1)
    Returns:    subjectid

Operation: Token validation
    URL:        http://localhost:8080/opensso/identity/isTokenValid
    Parameters: tokenid
    Returns:    boolean

Operation: Logout
    URL:        http://localhost:8080/opensso/identity/logout
    Parameters: subjectid
    Returns:    void

Operation: Authorization
    URL:        http://localhost:8080/opensso/identity/authorize
    Parameters: uri, action, subjectid
    Returns:    boolean

Operation: Log
    URL:        http://localhost:8080/opensso/identity/log
    Parameters: appid, subjectid, logname, message (1)
    Returns:    void

Operation: Search
    URL:        http://localhost:8080/opensso/identity/search
    Parameters: filter, attributes_names (1), attribute_values_attributename (1)
    Returns:    identitydetails

Operation: Attributes
    URL:        http://localhost:8080/opensso/identity/attributes
    Parameters: attributes_names (1), subjectid
    Returns:    userdetails

Operation: Read
    URL:        http://localhost:8080/opensso/identity/read
    Parameters: name, attributes_names (1), admin
    Returns:    identitydetails

Operation: Creation
    URL:        http://localhost:8080/opensso/identity/create
    Parameters: identity_name, identity_attribute_names, identity_attribute_values_attributename, admin
    Returns:    void

Operation: Update
    URL:        http://localhost:8080/opensso/identity/update
    Parameters: identity_name, identity_attribute_names, identity_attribute_values_attributename, admin
    Returns:    void

Operation: Deletion
    URL:        http://localhost:8080/opensso/identity/delete
    Parameters: identity_name, identity_type, admin
    Returns:    void

(1) Optional parameter
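As an added example (not code from the original post or from OpenSSO itself), the following Python client builds the form-encoded POST body for every operation in the table, using the parameter names listed there, and pulls the "boolean=" and "string=" lines out of each reply. Assumptions that the page does not state: the authenticate reply is a single "token.id=<token>" line, its optional "uri" parameter carries the realm and module selection used in 3.1.1 (for example "realm=red&module=abc"), search also takes the "admin" token that 3.6 refers to, and create/update accept "identity_realm" as the curl commands in 3.9 do. The HTTP transport is a plain function, so the request bodies can be inspected without a running server.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

Params = List[Tuple[str, str]]           # list of pairs, so a key may repeat
Transport = Callable[[str, bytes], str]  # (url, form body) -> response text


def urllib_transport(url: str, body: bytes) -> str:
    """Default transport: a real HTTP POST via urllib (tests inject a fake one)."""
    req = Request(url, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def encode_form(params: Params) -> bytes:
    """Percent-encode the body. SSO tokens contain '/', '=', '@', '+' and '#',
    so sending them raw (as a hand-typed curl -d string does) can corrupt them."""
    return urlencode(params).encode("ascii")


def values(text: str, key: str) -> List[str]:
    """Collect every 'key=value' line of a reply, e.g. all the 'string=' lines."""
    return [line.split("=", 1)[1] for line in text.splitlines()
            if line.startswith(key + "=")]


class OpenSSORestClient:
    def __init__(self, base_url: str, transport: Transport = urllib_transport):
        self.base = base_url.rstrip("/")  # e.g. http://localhost:8080/opensso
        self.transport = transport

    def _post(self, op: str, params: Params) -> str:
        return self.transport(f"{self.base}/identity/{op}", encode_form(params))

    def _bool(self, op: str, params: Params) -> bool:
        return values(self._post(op, params), "boolean") == ["true"]

    def authenticate(self, username: str, password: str,
                     uri: Optional[str] = None) -> str:
        # Assumption (not shown on the page): 'uri' selects realm/module,
        # e.g. "realm=red&module=abc", and the reply is one 'token.id=' line.
        params = [("username", username), ("password", password)]
        if uri:
            params.append(("uri", uri))
        tokens = values(self._post("authenticate", params), "token.id")
        if not tokens:
            raise RuntimeError("authentication failed: no token.id in reply")
        return tokens[0]

    def is_token_valid(self, tokenid: str) -> bool:
        return self._bool("isTokenValid", [("tokenid", tokenid)])

    def logout(self, subjectid: str) -> None:
        self._post("logout", [("subjectid", subjectid)])

    def authorize(self, uri: str, action: str, subjectid: str) -> bool:
        return self._bool("authorize", [("uri", uri), ("action", action),
                                        ("subjectid", subjectid)])

    def log(self, appid: str, subjectid: str, logname: str, message: str) -> None:
        # appid: token allowed to write logs (amadmin/logadmin, see 3.4);
        # subjectid: token of the subject the entry is about.
        self._post("log", [("appid", appid), ("subjectid", subjectid),
                           ("logname", logname), ("message", message)])

    def search(self, filter_: str, admin: str) -> List[str]:
        # Assumption: search needs the admin token the text of 3.6 mentions.
        reply = self._post("search", [("filter", filter_), ("admin", admin)])
        return values(reply, "string")

    def attributes(self, subjectid: str, names: Optional[List[str]] = None) -> str:
        # Name the attributes you need; an unfiltered call also returns userpassword.
        params = [("attributes_names", n) for n in (names or [])]
        return self._post("attributes", params + [("subjectid", subjectid)])

    def read(self, name: str, admin: str, names: Optional[List[str]] = None) -> str:
        params = [("name", name)] + [("attributes_names", n) for n in (names or [])]
        return self._post("read", params + [("admin", admin)])

    @staticmethod
    def _identity(name: str, itype: str, attrs: Dict[str, str],
                  admin: str, realm: str) -> Params:
        params: Params = [("identity_name", name)]
        for attr, value in attrs.items():  # repeated keys, as in the curl of 3.9.2
            params += [("identity_attribute_names", attr),
                       (f"identity_attribute_values_{attr}", value)]
        return params + [("identity_realm", realm), ("identity_type", itype),
                         ("admin", admin)]

    def create(self, name, itype, attrs, admin, realm="/") -> None:
        self._post("create", self._identity(name, itype, attrs, admin, realm))

    def update(self, name, itype, attrs, admin, realm="/") -> None:
        self._post("update", self._identity(name, itype, attrs, admin, realm))

    def delete(self, name: str, itype: str, admin: str) -> None:
        self._post("delete", [("identity_name", name), ("identity_type", itype),
                              ("admin", admin)])
```

The token returned by authenticate is a live session credential, and the "admin" value in the create/update/delete calls is an administrator's session, so treat both like passwords: keep them out of shell history and logs, and call logout when the run is finished.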

2. Prerequisites

The only prerequisite is to deploy and configure the OpenSSO web application on a supported container such as Glassfish V2. For this exercise I deployed the EA version of OpenSSO on a Glassfish V2 container and used the embedded identity datastore to perform these simple operations. If you want to work with the "role" idtype, you must use a supported identity datastore such as Sun Directory Server 6.x.

Another key point, as I mentioned earlier: I like interpreted languages, so my natural choice for verifying these REST operations is curl. I used curl 7.18.1 (sparc-sun-solaris2.10) libcurl/7.18.1 OpenSSL/0.9.8g zlib/1.1.4 libidn/1.8, with HTTP POST to avoid any URL-encoding issues.

3. Invoking REST Interfaces

The terminal outputs below were captured at different times, so some of the tokenid and subjectid values differ between sections: I had to recreate them at certain points for various reasons. It was not my intent to use the same tokenid for all operations; wherever it was mandatory I did use the same SSO token IDs.

3.1 Authenticate

Authentication happens at the root realm using the root realm's default authentication chain. If you want to authenticate to a specific realm and authentication instance, follow the next version below, which passes authentication URL parameters.

3.1.1 Authenticate with URL parameters

This command authenticates as user "thanga" with password "secret" to the subrealm "red" using the LDAP authentication instance "abc".

3.2 Validate Token

3.3 Invalidate Token

3.4 Log Data at the Server Side

The sequence is:

  1. subjectid ===> curl -d
    "&username=thanga&password=secret"
    http://slapd.red.iplanet.com:28080/fam/identity/authenticate
  2. appid===> curl -d
    "&username=amadmin&password=secret12"
    http://slapd.red.iplanet.com:28080/fam/identity/authenticate

where appid is the authorization token that has permission to write to the log files (the token of logadmin or amadmin), and subjectid is the subject the log entry is being written about.

[slapd]:/export/fam-28080/fam/log>more CURLdb
#Version: 1.0
#Fields: time   Data    ModuleName      MessageID       Domain  ContextID       LogLevel        LoginID NameID  IPAddr  LoggedBy        HostName
"2008-06-19 21:54:28"   test    CURLdb  "Not Available" "Not Available" 7d1917c9aa9002b301      "Not Available" INFO    "Not Available" "Not Available" id=amadmin,ou=user,dc=opensso,dc=java,dc=net    "Not Available"

3.5 Authorization

boolean=false
boolean=true

A policy for the resource http://www.sun.com:90 with authenticated users as the subject should have been created (GET=allow, POST=deny) on the OpenSSO server. The authorize call for GET then returns boolean=true and the call for POST returns boolean=false.

3.6 Search Identities

This will return the available agent types:

string=wsc
string=wsp
string=SecurityTokenService

To search all the user entries

admin is any administrator token that has the privilege to search the user entries, e.g. the amadmin token.

string=thanga

3.7 Display Identity Attributes

userdetails.token.id=AQIC5wM2LY4Sfcz6eH4abOQ0el7pnDqmOn6nnn1nrcuE8/w=@AAJTSQACMDE=#
userdetails.attribute.name=sn
userdetails.attribute.value=thanga
userdetails.attribute.name=cn
userdetails.attribute.value=thanga
userdetails.attribute.name=objectclass
userdetails.attribute.value=sunFederationManagerDataStore
userdetails.attribute.value=top
userdetails.attribute.value=iplanet-am-managed-person
userdetails.attribute.value=iplanet-am-user-service
userdetails.attribute.value=organizationalperson
userdetails.attribute.value=inetadmin
userdetails.attribute.value=iPlanetPreferences
userdetails.attribute.value=person
userdetails.attribute.value=inetuser
userdetails.attribute.value=sunAMAuthAccountLockout
userdetails.attribute.value=sunIdentityServerLibertyPPService
userdetails.attribute.value=inetorgperson
userdetails.attribute.value=sunFMSAML2NameIdentifier
userdetails.attribute.name=userpassword
userdetails.attribute.value={SSHA}XhiE0RMwO/D7SSQ5fYLrTlFjmbHmYbQkIU43FA==
userdetails.attribute.name=uid
userdetails.attribute.value=thanga
userdetails.attribute.name=givenname
userdetails.attribute.value=thanga
userdetails.attribute.name=inetuserstatus
userdetails.attribute.value=Active

3.8 Read Particular Identity Attributes

identitydetails.name=thanga
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=uid
identitydetails.attribute.value=thanga
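The "userdetails" output in 3.7 and the "identitydetails" output in 3.8 share one line format: a ".attribute.name=" line opens an attribute and is followed by one ".attribute.value=" line per value, while the remaining lines (name, type, realm, token.id) are scalars. This added Python parser (not code from the original post or from OpenSSO) turns that format into dictionaries, keeping multi-valued attributes such as objectclass as lists and splitting only on the first "=" so that values like the {SSHA} hash and the realm DN survive intact. The sample replies embedded in it are trimmed copies of the outputs above. Because an unfiltered attributes call returns the userpassword hash, a redact helper drops such attributes before the details are logged or passed on.

```python
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample: a trimmed copy of the 'attributes' reply shown in 3.7.
SAMPLE_USERDETAILS = """\
userdetails.token.id=AQIC5wM2LY4Sfcz6eH4abOQ0el7pnDqmOn6nnn1nrcuE8/w=@AAJTSQACMDE=#
userdetails.attribute.name=sn
userdetails.attribute.value=thanga
userdetails.attribute.name=objectclass
userdetails.attribute.value=top
userdetails.attribute.value=person
userdetails.attribute.name=userpassword
userdetails.attribute.value={SSHA}XhiE0RMwO/D7SSQ5fYLrTlFjmbHmYbQkIU43FA==
userdetails.attribute.name=inetuserstatus
userdetails.attribute.value=Active
"""

# Constructed sample: the 'read' reply shown in 3.8.
SAMPLE_IDENTITYDETAILS = """\
identitydetails.name=thanga
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=uid
identitydetails.attribute.value=thanga
"""


class IdentityDetails(NamedTuple):
    fields: Dict[str, str]            # scalar lines: name, type, realm, token.id
    attributes: Dict[str, List[str]]  # attribute name -> values (may be multi-valued)


def parse_identity_details(text: str) -> IdentityDetails:
    """Parse the 'prefix.attribute.name=' / 'prefix.attribute.value=' reply format.

    A '.attribute.name=' line starts a new attribute; the '.attribute.value='
    lines after it belong to that attribute until the next name. The bare
    '.attribute=' line seen in the read output is a separator and is skipped.
    """
    fields: Dict[str, str] = {}
    attributes: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)  # first '=' only: values may contain '='
        if "." in key:
            key = key.split(".", 1)[1]   # drop the 'userdetails'/'identitydetails' prefix
        if key == "attribute.name":
            current = value
            attributes.setdefault(current, [])
        elif key == "attribute.value":
            if current is None:
                raise ValueError(f"attribute value before any attribute name: {raw!r}")
            attributes[current].append(value)
        elif key == "attribute":
            continue                     # separator line, carries no data
        else:
            fields[key] = value
    return IdentityDetails(fields, attributes)


def redact(details: IdentityDetails,
           secret_names: Iterable[str] = ("userpassword",)) -> IdentityDetails:
    """Copy of the details without the named attributes, for anything that logs
    or forwards a reply; the unfiltered attributes call returns the password hash."""
    hidden = set(secret_names)
    return IdentityDetails(dict(details.fields),
                           {k: list(v) for k, v in details.attributes.items()
                            if k not in hidden})


if __name__ == "__main__":
    details = parse_identity_details(SAMPLE_USERDETAILS)
    print(details.fields["token.id"])
    print(redact(details).attributes)
```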

3.9 Create Identities 

3.9.1 Create an agent type

  • curl -d
    "identity_name=webagent70&identity_attribute_names=userpassword&identity_attribute_values_userpassword=secret123&identity_realm=/&identity_type=Agent&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/create

verify it

string=wsc
string=webagent70
string=wsp
string=SecurityTokenService

3.9.2 Create a user

  • curl -d
    "identity_name=rest_user_created&identity_attribute_names=userpassword&identity_attribute_values_userpassword=secret12&identity_attribute_names=sn&identity_attribute_values_sn=sn_for_rest_user&identity_attribute_names=cn&identity_attribute_values_cn=cn_of_REST_user&identity_realm=/&identity_type=user&admin=AQIC5wM2LY4Sfcwbg2YdVMaYsfEqdxHDMUc47WSLBNTOlrk=@AAJTSQACMDE=#"
    http://slapd.red.iplanet.com:28080/fam/identity/create

Verify it

string=thanga
string=rest_user_created

3.10 Identity Update

identitydetails.name=rest_user_created
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=mail

Verify it

identitydetails.name=rest_user_created
identitydetails.type=user
identitydetails.realm=dc=opensso,dc=java,dc=net
identitydetails.attribute=
identitydetails.attribute.name=mail
identitydetails.attribute.value=restUser@rest.org

3.11 Identity Delete 

3.11.1 Make sure it exists

string=thanga
string=rest_user_created

3.11.2 Delete it

3.11.3 Verify it is gone

string=thanga
