Advanced Authentication SaaS Concepts

API Endpoint

Products

An AA product file is a JSON representation of a purchasable block of functionality. The JSON defines UI representations, the AA licenses to be granted, and optionally information about policies and onboarding actions. See the create product REST API for details. Products may also be installed via the au-saas script. Sample product definition files:

  • aa-base.json an AA instance with support for all authentication methods, the billing dimension is per user per month. Used when a customer buys AA. Requires aa-client-usage and aa-data-usage be installed in tandem.

  • aa-client-usage.json Mandatory add-on product to aa-base and aa-risk instances. Allows for billing for enhanced authentication methods. The billing dimension is per user per month. (ex. In a given month, if a user uses one or more of the enhanced methods, they will be billed for that user).

  • aa-data-overage.json Mandatory add-on product to aa-limited, aa-base and aa-risk instances. Allows for billing for overages of data usage methods (SMS_OTP, Voice_OTP, Voice). Billing is for data blocks of 1000. Every month, each user is allotted a number of usages of data methods. Any overages are billed for. (ex In a given month, we calculate the number of data usages per user and total the number of data overages for all users. 1-1000 overages = 1 aa-data-usage block, 1001-2000 overages = 2 aa-data-usage block etc).

  • aa-identity-proofing.json (Future)

  • ig-aa-addon.json Optional add-on product that must be added when customer purchases IG SaaS. No billing.

  • aa-limited.json an AA instance with support for limited authentication methods (email otp, emergency password, HOTP, ldap password, password, radius, SMS otp and TOTP). There is no billing for the entitlement, however there is billing for entitlement overages, currently aa-data overages. Requires aa-data-usage be installed in tandem.

  • aa-limited-overage.json (Future)

  • aa-trial.json an AA instance with full AA support including risk. Limited number of users and limited time.

  • aa-risk.json A Risk based Adaptive AA instance with support for all authentication methods, the billing dimension is per user per month. Used when a customer buys Adaptive AA. Requires aa-client-usage and aa-data-usage be installed in tandem.

Tenants may be associated with more than one product, each association is made via a customer definition.

Product definitions have two identifiers. One is the database id used to identify the product within the AA system; this is dynamically assigned. The other is the external_product_id, which is how the product is defined in an external system. This could be a SKU, Salesforce product definition id or Control Tower Asset Id.

Onboarding Actions

In the JSON product file there is a section for onboarding actions to be taken when the tenant is created:

"onboarding_actions": {
    "issue_token": true,
    "scim_repo_create_name": "ig_bootstraping",
    "scim_repo_create_config": {},
    "create_scim_repos": [
        {"name": "Users", "scim_repo_create_config": {}}
    ]
}

  • issue_token results in a 7 day bearer token being issued which allows for public APIs to be called.

  • scim_repo_create_name results in a scim repo of the specified name to be created, the onboarding response will contain a bearer token valid for 1 year that allows all operations on the SCIM repo.

  • scim_repo_create_config any configuration options valid on a SCIM repo.

  • create_scim_repos - allows multiple scim repos to be created instead of just one. This is the preferred format; the ‘scim_repo_create_name’ will be phased out in the future.
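Each onboarding action above mints a long-lived credential, so it helps to know what a product file will issue before it is installed. The following is an added example, not part of the AA scripts: the function name and the placement of onboarding_actions at the top level of the product file are assumptions, as is the premise that every repo listed in create_scim_repos receives the same 1 year token described for scim_repo_create_name.

```python
import json

# Token lifetimes as stated on this page for each onboarding action.
API_TOKEN_DAYS = 7     # issue_token: bearer token for public APIs
SCIM_TOKEN_DAYS = 365  # SCIM repo token: valid for 1 year, all operations

# Constructed sample: the onboarding_actions section shown above, wrapped in
# an otherwise empty product definition.
SAMPLE_PRODUCT = json.loads("""
{
  "onboarding_actions": {
    "issue_token": true,
    "scim_repo_create_name": "ig_bootstraping",
    "scim_repo_create_config": {},
    "create_scim_repos": [
      {"name": "Users", "scim_repo_create_config": {}}
    ]
  }
}
""")


def audit_onboarding_actions(product):
    """Return (credentials, findings) for one product definition dict.

    credentials: bearer tokens the onboarding response is expected to contain.
    findings:    points a reviewer should resolve before installing the file.
    """
    actions = product.get("onboarding_actions") or {}
    credentials, findings = [], []

    issue = actions.get("issue_token", False)
    if not isinstance(issue, bool):
        findings.append("issue_token must be true or false")
    elif issue:
        credentials.append(
            {"kind": "api", "scope": "public APIs", "days": API_TOKEN_DAYS})

    # Collect every requested SCIM repo, legacy single-repo form first.
    requested = []
    legacy = actions.get("scim_repo_create_name")
    if legacy is not None:
        findings.append(
            "scim_repo_create_name is being phased out; use create_scim_repos")
        requested.append({
            "name": legacy,
            "scim_repo_create_config": actions.get("scim_repo_create_config", {}),
        })
    elif "scim_repo_create_config" in actions:
        findings.append(
            "scim_repo_create_config has no scim_repo_create_name to apply to")

    extra = actions.get("create_scim_repos", [])
    if isinstance(extra, list):
        requested.extend(extra)
    else:
        findings.append("create_scim_repos must be a list")

    seen = set()
    for entry in requested:
        name = entry.get("name") if isinstance(entry, dict) else None
        if not isinstance(name, str) or not name.strip():
            findings.append("SCIM repo entry without a usable name")
            continue
        if not isinstance(entry.get("scim_repo_create_config", {}), dict):
            findings.append(
                f"SCIM repo {name!r}: scim_repo_create_config must be an object")
        if name in seen:
            findings.append(f"SCIM repo {name!r} is requested more than once")
            continue
        seen.add(name)
        credentials.append({
            "kind": "scim",
            "scope": f"all operations on SCIM repo {name}",
            "days": SCIM_TOKEN_DAYS,
        })
    return credentials, findings


if __name__ == "__main__":
    creds, notes = audit_onboarding_actions(SAMPLE_PRODUCT)
    for cred in creds:
        print(f"{cred['kind']:4} {cred['days']:3}d  {cred['scope']}")
    for note in notes:
        print("finding:", note)
```
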

Customers

An AA Customer is an association between a Product and a Tenant, and the state of that association. Every SaaS tenant should have at least one customer record associating it with a product.

Customer definitions have two identifiers. One is the database id used to identify the customer within the AA system; this is dynamically assigned. The other is the external_customer_id, which is how the customer is defined in an external system. This could be something like a Salesforce customer id. In addition, the customer record contains the current state of the relationship (enabled/disabled).

Current SaaS Deployed Implementation

In the COE environment some customers may have only AA, some may have limited access to AA (for example, IG customers), or they might have bought the greater CyberRes product family and be allowed full access to AA and every other CyberRes product. The functionality that is permitted and billed for depends on which product definitions are associated with a tenant.

IG customers may upgrade to full AA license, or may be given a trial license to full AA+risk, after the trial license expires they would revert back to a limited license.

Advanced Authentication Hosted SaaS API doc

The rest apis in this section are intended only for use when Advanced Authentication has been installed as a SaaS Product.

Authentication

Acceptable authentication is either a login_session_id passed on each call or a bearer token passed in the http header as ‘Authorization: Bearer {token}’

SaaS Specific AA Scripts

Each of these scripts has command-line help.

  • au-saas-install - Called once and only once during initial setup of a SaaS system.

  • au-saas - Used to manage products and their associated licenses.

  • manage_token.py - create tokens used for SCIM and other API access.

  • onboard_tenant.py - used to call the rest apis to onboard tenants, or add additional products to tenants.

  • configure_cloudbridge.py - setup the tenant for cloudbridge sync.

Tenant Onboarding

Advanced Authentication Onboarding Tenants

This is the process of creating a customer instance, and associating that instance with one or more products. The assumption in the IAM SaaS is that Advanced Authentication provides the authentication for all services, therefore AA will be the first product installed. All IAM products are permitted free access to the AA functionality of authentication, and a few second factors with no AA contract or billing. For access to all AA second factors, risk integration, and federation services an AA contract is required, resulting in the customer being billed for AA services consumed.

Onboarding Assumptions

  • System has been setup for SaaS and multi tenant mode.

  • The AA system has been configured with SaaS products. An AA product is a json representation of a purchasable block of functionality. The json defines UI representations, AA licenses which are to be granted, and optionally information about policies. See create product rest api for details. Products may also be installed via the au-saas script.

  • Authorization for onboarding is only available as a TOP superadmin user.

Onboarding via AWS Marketplace

Onboarding functionality in AA was originally designed around the AWS Marketplace model.

  • Create the product description in the AWS marketplace portal.

    • Billing dimension should be listed as user_month.
    • Point the SaaS url to ‘https://{saas_dns}/api/v1/awsonboard’.
  • Use the au-saas script to create the product description in the AA system.

  • Visit the marketplace and select the newly created product. The user is directed through the following actions:

    • AWS marketplace makes a POST to the /api/v1/awsonboard url with an aws-marketplace-token.
    • AA Server code resolves the token to product and customer ids, returns an aa-onboard-token, and redirects the browser.
    • Browser is redirected to /cloudui which allows the user to enter required information or login to an existing tenant.
      • For new tenants the /cloudui passes the aa-onboard-token and user input to a POST on /api/v1/saastenant which finalizes tenant creation.
      • For existing tenants the /cloudui passes the aa-onboard-token and authenticated session to a PUT on /api/v1/saastenant which finalizes tenant creation.

Onboarding a new Tenant via the AA admin UI for internal and trial customers

This is primarily for testing, it does not allow for adding additional products to existing tenants. On tenant create a single product may be associated with a tenant. The customerid is not passed random

Onboarding additional products to an existing tenant

Onboarding via scripts or lambda functions - Used by Micro Focus Center of Excellence

This is a UI less onboarding of new tenants or association of new products with the existing tenant.

Onboarding Authentication and Authorization

Creating new tenants and removal of any product associations requires TOP superadmin privileges. Tenant admins may add additional products to their tenant.

The script manage_token.py may be used to obtain tokens for use with this script or if only user/password is required then that may be used in this script.

Script Examples

python3 onboard_tenant.py --host https://localhost --user admin --password admin create -pid 1 -ch None -f ../app/aucore/products/aa-limited.json
python3 onboard_tenant.py --host https://localhost --user admin --password admin create -pid 2 -ch None -f ../app/aucore/products/aa-limited-overage.json
python3 onboard_tenant.py --host https://localhost --user admin --password admin create -pid 3 -ch None -f ../app/aucore/products/ig-aa-addon.json

python3 onboard_tenant.py --host https://localhost --user admin --password admin create -pids 1,2,3 -cids c1,c2,c3 -tn FROGGY -td "Froggy Tenant" -tp admin -te=fakeadmin@froggy.com

( { 'results': [ { 'admin': { 'id': 'ddb37d7d4cf43586abaa911e9a44fb80',
                              'last_fail_at': None,
                              'loginame': 'fakeadmin@froggy.com',
                              'obj_id': '5de91d34ddd811eba5e00242ac110004',
                              'repo_id': '5dde8414ddd811eba5e00242ac110004',
                              'repo_name': 'LOCAL',
                              'user_name': 'LOCAL\\fakeadmin@froggy.com'},
                   'chains': [ {'id': '5dc63f30ddd811eba5e00242ac110004', 'methods': ['LDAP_PASSWORD:1'], 'name': 'LDAP Password Only'},
                               {'id': '5dc418f4ddd811eba5e00242ac110004', 'methods': ['PASSWORD:1'], 'name': 'Password Only'}],
                   'customer': { 'billing': {'dimensions': ['user_month'], 'history': [{'user_month': []}]},
                                 'external_customer_id': 'c1',
                                 'external_product_id': '1',
                                 'id': '5de10b1cddd811eba5e00242ac110004',
                                 'product_id': 'b3ebcb3addb211eb98800242ac110004',
                                 'state': 'subscribe',
                                 'tenant_id': '5daafd56ddd811eba5e00242ac110004',
                                 'tenant_name': 'FROGGY'},
                   'domains': ['froggy.com'],
                   'product': { 'data': { 'billing': {'dimensions': ['user_month']},
                                          'description': { 'fulldesc': 'Adaptive Authentication Limited Active User Entitled Monthly Subscription SaaS',
                                                           'fulldescid': 'SA-AB805',
                                                           'name': 'AA Limited',
                                                           'nameid': 'SA-AB805'},
                                          'licenses': [ { 'restricts': [ { 'methods': { 'EMAIL_OTP:1': {},
                                                                                        'EMERG_PASSWORD:1': {},
                                                                                        'HOTP:1': {},
                                                                                        'LDAP_PASSWORD:1': {},
                                                                                        'PASSWORD:1': {},
                                                                                        'RADIUS:1': {},
                                                                                        'SMS_OTP:1': {},
                                                                                        'TOTP:1': {}},
                                                                           'type': 'limited'}]}]},
                                'external_product_id': '1',
                                'id': 'b3ebcb3addb211eb98800242ac110004',
                                'notification_channel': 'None'},
                   'tenant': { 'desc': 'Froggy Tenant',
                               'disabled': False,
                               'expired_warning': False,
                               'id': '5daafd56ddd811eba5e00242ac110004',
                               'license_min': '9999-12-31T00:00:00.0',
                               'name': 'FROGGY',
                               'repo_count': 1}},
                 { 'admin': { 'id': '79450d085a98148221e7b1a03468397a',
                              'last_fail_at': None,
                              'loginame': 'ADMIN',
                              'obj_id': '4ece8bf2db5011eb89260242ac110004',
                              'repo_id': '4ecc8690db5011eb89260242ac110004',
                              'repo_name': 'LOCAL',
                              'user_name': 'LOCAL\\ADMIN'},
                   'chains': [ {'id': '5dc63f30ddd811eba5e00242ac110004', 'methods': ['LDAP_PASSWORD:1'], 'name': 'LDAP Password Only'},
                               {'id': '5dc418f4ddd811eba5e00242ac110004', 'methods': ['PASSWORD:1'], 'name': 'Password Only'}],
                   'customer': { 'billing': {'dimensions': ['user_month'], 'history': [{'user_month': []}]},
                                 'external_customer_id': 'c2',
                                 'external_product_id': '2',
                                 'id': '5e5acf42ddd811eba5e00242ac110004',
                                 'product_id': 'b41f0392ddb211eb98800242ac110004',
                                 'state': 'subscribe',
                                 'tenant_id': '5daafd56ddd811eba5e00242ac110004',
                                 'tenant_name': 'FROGGY'},
                   'domains': ['froggy.com'],
                   'product': { 'data': { 'description': { 'fulldesc': 'Adaptive Authentication Limited Active User Overage Monthly Subscription SaaS',
                                                           'fulldescid': 'SA-AB806',
                                                           'name': 'AA Limited Overage',
                                                           'nameid': 'SA-AB806'}},
                                'external_product_id': '2',
                                'id': 'b41f0392ddb211eb98800242ac110004',
                                'notification_channel': 'None'},
                   'tenant': { 'desc': 'Froggy Tenant',
                               'disabled': False,
                               'expired_warning': False,
                               'id': '5daafd56ddd811eba5e00242ac110004',
                               'license_min': '9999-12-31T00:00:00.0',
                               'name': 'FROGGY',
                               'repo_count': 1}},
                 { 'admin': { 'id': '79450d085a98148221e7b1a03468397a',
                              'last_fail_at': None,
                              'loginame': 'ADMIN',
                              'obj_id': '4ece8bf2db5011eb89260242ac110004',
                              'repo_id': '4ecc8690db5011eb89260242ac110004',
                              'repo_name': 'LOCAL',
                              'user_name': 'LOCAL\\ADMIN'},
                   'bearer_token': 'eyJhbGciOiJkaXIiLCJhdWQiOiJ0cyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJpc3MiOiJ0cyIsInRlbiI6IjVkYWFmZDU2ZGRkODExZWJhNWUwMDI0MmFjMTEwMDA0In0..XqkAl0siA_70szbBKTFkGA.WxDs-b3sqekZ328UdgcHQGqEQ6-2xCuytcR4o21IL3oGnBkt7NfNifTD1AL1Q-cYSdp8b_Rb_WIDIay_j9PvBYaFnf0Gf99tkTwG9BkouYOiMGNeKJ3wgv-5TH5TLRfm6DsVRkdIUdSRFuREtAkldlmw-zNZXTgknLhxutO4xU3t1TVcwOCYfqs2qNimHPTH9eAOq-QZlwe0XivwGPeqxg2oE1_d_W7QUgIT5kXleBNXVV9DxHrG19eINDzaz0MRgkn6zgOV1gx2kBS1F1ScLoheqzOg1ooNaBctEe8-dOfaE9R6H6bCDoSI4pZ0hO2yUTQd8lYydoLSt7dBiq0VXC-xO5eUDL-xQ3aY42gJDsXsBFGaNnomnc4VFQMtSB2t.TIxPCYHhGv_hKC5iFurTxA',
                   'chains': [ {'id': '5dc63f30ddd811eba5e00242ac110004', 'methods': ['LDAP_PASSWORD:1'], 'name': 'LDAP Password Only'},
                               {'id': '5dc418f4ddd811eba5e00242ac110004', 'methods': ['PASSWORD:1'], 'name': 'Password Only'}],
                   'customer': { 'billing': {'dimensions': ['user_month'], 'history': [{'user_month': []}]},
                                 'external_customer_id': 'c3',
                                 'external_product_id': '3',
                                 'id': '5eacc84cddd811eba5e00242ac110004',
                                 'product_id': 'b453f462ddb211eb98800242ac110004',
                                 'state': 'subscribe',
                                 'tenant_id': '5daafd56ddd811eba5e00242ac110004',
                                 'tenant_name': 'FROGGY'},
                   'domains': ['froggy.com'],
                   'product': { 'data': { 'description': { 'fulldesc': 'Identitiy Governance Integration with Advanced Authentication',
                                                           'fulldescid': 'IG-AA-Integration',
                                                           'name': 'IG-AA',
                                                           'nameid': 'IG-AA-Integration'},
                                          'onboarding_actions': {'issue_token': True, 'scim_repo_create_name': 'ig_bootstraping'}},
                                'external_product_id': '3',
                                'id': 'b453f462ddb211eb98800242ac110004',
                                'notification_channel': 'None'},
                   'scim_repo': { 'bearer_token': 'eyJhbGciOiJkaXIiLCJhdWQiOiJ0cyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJpc3MiOiJ0cyIsInRlbiI6IjVkYWFmZDU2ZGRkODExZWJhNWUwMDI0MmFjMTEwMDA0In0..pqXpckYrIrJJ7zbBzKgs8w.TCfEBoPeH0peCUrI0lUDp8lfCe-BbtG9M_feVyYdEgZ9qPsRNXjrT24xc0nK6NHSpqjaAuZjTAYF6Kd6xEsZM_19LYr_v2hjWxkCwRpJ3KWjDTlEFZo7e_nGnLG9QaQ8ZX3ByRkFYJjL4WaY0lINhff_JXw8TbxcXlUeIJpxz00LBIs2prxBpAaKwW3_j-vqhaLPs5bAjbfZ7Ug61pMdUAnKqGbYnhOnk2jkV1iMdt7_8foJ61olzNV4IIeGM1pBCWjkUM5zEUaCFnLyPmEch_tlEGxa5K3RIcNHO_XqAI-KJBRXPgFmmZ6AT-F4n7tJ2-lSUSsN4o6y-uaYdGR0ccEXIECjENDjiquN-zD9_Q9Hei94YRrMtqK013yF_2y4wORO-p_jZBJCRKZmvzHWPJCXIj_OfBOweL61vhy5v-Y.xPj5oFI6wVcJlfjDHq3x8w',
                                  'name': 'ig_bootstraping'},
                   'tenant': { 'desc': 'Froggy Tenant',
                               'disabled': False,
                               'expired_warning': False,
                               'id': '5daafd56ddd811eba5e00242ac110004',
                               'license_min': '9999-12-31T00:00:00.0',
                               'name': 'FROGGY',
                               'repo_count': 1}}]},)

AA show all customers and products associated with a tenant:

GET /api/v1/saastenant



AA new tenant onboarding:

POST /api/v1/saastenant
Requests: example 1
Headers
Content-Type: application/json
Body
{
'login_session_id': 'LRvql8GD946V7ryN8fesWBLhN1I7dpEe',
'tenant_name': 'Tenant43',
'tenant_desc': 'Tenant 43 description',
'tenant_admin_password': '1234567890Ab',
'tenant_admin_email': 'admin@frog.com',
'tenant_admin_mobile': '+18018615555',
'associations': [{'external_product_id': 'original', 'external_customer_id': 'internal:original:1'}]
}
Responses: 200
Headers
Content-Type: application/json
Body
{
'results': [
    {
        'admin':
        {
            'id': '633196a3a49269609003fe3ef2270c9a',
            'last_fail_at': None,
            'loginame': 'froggy@1.frog.com',
            'obj_id': 'e5308514de7b11ea87b10242ac110004',
            'repo_id': 'e517bc5ade7b11ea87b10242ac110004',
            'repo_name': 'LOCAL',
            'user_name': 'LOCAL\\froggy@1.frog.com'
        },
        'customer':
        {
            'external_customer_id': '1',
            'external_product_id': 'trial',
            'id': 'e517f058de7b11ea87b10242ac110004',
            'product_id': '81d4a014de4d11eab9570242ac110004',
            'state': 'subscribe',
            'tenant_id': 'e502a1b2de7b11ea87b10242ac110004',
            'tenant_name': '1FROG'
        },
        'domains':
            ['1.frog.com'],
        'product':
        {
            'data':
            {
                'description':
                {
                    'fulldesc': 'Allows total of 50 users to access all Advanced Authentication functionality for 45 days',
                    'fulldescid': 'trial-fulldesc-id',
                    'name': 'Trial AA License (50 users, 45 days)',
                    'nameid': 'trial-name-id'
                },
                'licenses':
                [
                    {
                        'days': 45,
                        'restricts':
                        [
                            {
                                'type': 'risk_service'
                            },
                            {
                                'type': 'trial',
                                'users': 50
                            }
                        ]
                    }
                ]
            },
            'external_product_id': 'trial',
            'id': '81d4a014de4d11eab9570242ac110004',
            'notification_channel': 'rad'
        },
        'tenant':
        {
            'desc': 'test desc',
            'expired_warning': False,
            'id': 'e502a1b2de7b11ea87b10242ac110004',
            'license_min': '9999-12-31T00:00:00.0',
            'name': '1frog',
            'repo_count': 1
        }
    }
]
}


Create a new tenant, create admin user, associate products, run any policy/license updates, and perform onboarding actions.

Can also be used to finish new tenant onboarding started via the AWS marketplace flow. In this case, instead of passing associations, the caller should pass the state from the marketplace flow.


Associate existing tenant with additional SaaS product:

PUT /api/v1/saastenant
Requests: example 1
Headers
Content-Type: application/json
Body
{
'login_session_id': 'LRvql8GD946V7ryN8fesWBLhN1I7dpEe',
'tenant_name': 'Tenant43',
'associations': [{'external_product_id': 'original', 'external_customer_id': 'internal:original:1'}]
}
Responses: 200
Headers
Content-Type: application/json
Body
{
'results': [
    {
        'admin':
        {
            'id': '633196a3a49269609003fe3ef2270c9a',
            'last_fail_at': None,
            'loginame': 'froggy@1.frog.com',
            'obj_id': 'e5308514de7b11ea87b10242ac110004',
            'repo_id': 'e517bc5ade7b11ea87b10242ac110004',
            'repo_name': 'LOCAL',
            'user_name': 'LOCAL\\froggy@1.frog.com'
        },
        'customer':
        {
            'external_customer_id': '1',
            'external_product_id': 'trial',
            'id': 'e517f058de7b11ea87b10242ac110004',
            'product_id': '81d4a014de4d11eab9570242ac110004',
            'state': 'subscribe',
            'tenant_id': 'e502a1b2de7b11ea87b10242ac110004',
            'tenant_name': '1FROG'
        },
        'domains':
            ['1.frog.com'],
        'product':
        {
            'data':
            {
                'description':
                {
                    'fulldesc': 'Allows total of 50 users to access all Advanced Authentication functionality for 45 days',
                    'fulldescid': 'trial-fulldesc-id',
                    'name': 'Trial AA License (50 users, 45 days)',
                    'nameid': 'trial-name-id'
                },
                'licenses':
                [
                    {
                        'days': 45,
                        'restricts':
                        [
                            {
                                'type': 'risk_service'
                            },
                            {
                                'type': 'trial',
                                'users': 50
                            }
                        ]
                    }
                ]
            },
            'external_product_id': 'trial',
            'id': '81d4a014de4d11eab9570242ac110004',
            'notification_channel': 'rad'
        },
        'tenant':
        {
            'desc': 'test desc',
            'expired_warning': False,
            'id': 'e502a1b2de7b11ea87b10242ac110004',
            'license_min': '9999-12-31T00:00:00.0',
            'name': '1frog',
            'repo_count': 1
        }
    }
]
}

[GET /api/v1/awsonboard]


Accepts a number of associations

When called from a marketplace flow, this takes the state from the AWS flow and finishes the association.


Start AA tenant onboarding flow - AWS Marketplace:

POST /api/v1/awsonboard
Requests: example 1
Headers
Content-Type: application/json
Body
{
  "x-amzn-marketplace-token": "token value"
}
Responses: 302
Headers
Content-Type: application/json
Location: /nexturl?sate=xxxxxxxxxxxxxxx


For use by AWS Marketplace only. For the AWS description, see onboarding. The non-AWS version of this call is GET.


SaaS Management

Return a list of all currently configured SaaS Products:

POST /api/v1/saasproductlist
Requests: example 1
Headers
Content-Type: application/json
Body
{
'login_session_id': 'LRvql8GD946V7ryN8fesWBLhN1I7dpEe'
}
Responses: 200
Headers
Content-Type: application/json
Body
{
'products':
[
    {
        'data':
        {
            'description':
            {
                'fulldesc': 'Allows total of 50 users to access all Advanced Authentication functionality for 45 days',
                'fulldescid': 'trial-fulldesc-id',
                'name': 'Trial AA License (50 users, 45 days)',
                'nameid': 'trial-name-id'
            },
            'licenses':
            [
                {
                    'days': 45,
                    'restricts':
                    [
                        {
                            'type': 'risk_service'
                        },
                        {
                            'type': 'trial',
                            'users': 50
                        }
                    ]
                }
            ]
        },
        'external_product_id': 'trial',
        'id': '81d4a014de4d11eab9570242ac110004',
        'notification_channel': 'rad'
    }
]
}



Update a SaaS Product definition:

PUT /api/v1/saasproduct/1234567890
Requests: example 1
Headers
Content-Type: application/json
Body
{
'login_session_id': 'LRvql8GD946V7ryN8fesWBLhN1I7dpEe',
'external_product_id': 'trial-changed',
'notification_channel': 'rad-changed'
}
Responses: 200
Headers
Content-Type: application/json
Body
{
'id': '123456789999',
'external_product_id': 'trial-changed',
'notification_channel': 'rad-changed',
'data':
{
    'description':
    {
        'fulldesc': 'Allows total of 50 users to access all Advanced Authentication functionality for 45 days',
        'fulldescid': 'trial-fulldesc-id',
        'name': 'Trial AA License (50 users, 45 days)',
        'nameid': 'trial-name-id'
    },
    'licenses':
    [
        {
            'days': 45,
            'restricts':
            [
                {
                    'type': 'risk_service'
                },
                {
                    'type': 'trial',
                    'users': 50
                }
            ]
        }
    ]
}
}

Update a SaaS Product definition:
PUT /api/v1/saasproduct/{product_id}

Pass in the fields to be updated in the product definition; the updated product will be returned.

URI Parameters
product_id
string (required) Example: 1234567890

Delete a Product definition:

DELETE /api/v1/saasproduct/1234567890?login_session_id=xx
Requests: example 1
Headers
Content-Type: application/json
Body
{}
Responses: 200
Headers
Content-Type: application/json
Body
{}

Delete a Product definition:
DELETE /api/v1/saasproduct/{product_id}?login_session_id=xx

URI Parameters
product_id
string (required) Example: 1234567890
login_session_id
string (required) Example: LRvql8GD946V7ryN8fesWBLhN1I7dpEe

ID of the login session


Return a list of all currently configured SaaS Customers:

POST /api/v1/saascustomerlist
Requests: example 1
Headers
Content-Type: application/json
Body
{
'login_session_id': 'LRvql8GD946V7ryN8fesWBLhN1I7dpEe'
}
Responses: 200
Headers
Content-Type: application/json
Body
{
'customers':
[
    {
        'external_customer_id': '1',
        'external_product_id': 'trial',
        'id': 'e517f058de7b11ea87b10242ac110004',
        'product_id': '81d4a014de4d11eab9570242ac110004',
        'state': 'subscribe',
        'tenant_id': 'e502a1b2de7b11ea87b10242ac110004',
        'tenant_name': '1FROG'
    }
]
}



Update a SaaS Customer:

PUT /api/v1/saascustomer/1234567890
Requests: example 1
Headers
Content-Type: application/json
Body
{
'login_session_id': 'LRvql8GD946V7ryN8fesWBLhN1I7dpEe',
'external_product_id': 'trial-changed',
'external_customer_id': 'rad-changed',
'state':
}
Responses: 200
Headers
Content-Type: application/json
Body
{
'external_customer_id': '1',
'external_product_id': 'trial',
'id': 'e517f058de7b11ea87b10242ac110004',
'product_id': '81d4a014de4d11eab9570242ac110004',
'state': 'subscribe',
'tenant_id': 'e502a1b2de7b11ea87b10242ac110004',
'tenant_name': '1FROG'
}

Update a SaaS Customer:
PUT /api/v1/saascustomer/{customer_id}

Pass in the fields to be updated; the updated customer will be returned. Either external_product_id or state must be passed. Valid states: ‘subscribe’, ‘enabled’, ‘unsubscribe-pending’, ‘disabled’. To remove a customer association, set the state to unsubscribe-pending, not disabled. This allows for final processing of any reports or billing information.

URI Parameters
customer_id
string (required) Example: 1234567890

Delete a customer definition:

DELETE /api/v1/saascustomer/1234567890?login_session_id=xx
Requests: example 1
Headers
Content-Type: application/json
Body
{}
Responses: 200
Headers
Content-Type: application/json
Body
{}

Delete a customer definition:
DELETE /api/v1/saascustomer/{customer_id}?login_session_id=xx

URI Parameters
customer_id
string (required) Example: 1234567890
login_session_id
string (required) Example: LRvql8GD946V7ryN8fesWBLhN1I7dpEe

ID of the login session


Configure required Cloudbridge data:

PUT /api/v1/saascloudbridge/23456788
Requests: example 1
Headers
Content-Type: application/json
Body
{
"login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
"docker_image_download": "",
"docker_image_name": "",
"agents":
    [
        {"agent file as delivered from the COE"}
    ]
}
Responses: 200
Headers
Content-Type: application/json
Body
{
null
}

Configure required Cloudbridge data:
PUT /api/v1/saascloudbridge/{tenant_id}

URI Parameters
tenant_id
string (required) Example: 23456788

Tenant name or ID


Read and update tenant domains

Read and update logon domains associated with this tenant

Register logon domains for the current tenant:

PUT /api/v1/logondomains
Requests: example 1
Headers
Content-Type: application/json
Body
{
  "login_session_id": "B3XBHzwAHuPfHwMHfSjf3eVdV3glCa0o",
  "domains": [
    {
      "name": "test.com"
    },
    {
      "name": "example.com"
    }
  ]
}
Responses: 200
Headers
Content-Type: application/json
Body
{
  "domains": [
    {
      "name": "foo.example.com"
    },
    {
      "name": "bar.example.com"
    }
  ]
}


Replaces any existing logon domains with the passed domains


Logon domains lookup:

POST /api/v1/logondomains/get
Requests: example 1
Headers
Content-Type: application/json
Body
{
  "login_session_id": "JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX"
}
Responses: 200
Headers
Content-Type: application/json
Body
{
  "domains": [
    {
      "name": "foo.example.com"
    },
    {
      "name": "bar.example.com"
    }
  ]
}


Reads any existing logon domains


API Tokens

API Tokens are long-lived tokens for use by services; not all APIs currently support token-based access. The token is passed as a bearer token to the API in an Authorization header. The APIs in this section accept a login_session_id or a bearer token as authentication to the API.

Read information about an existing token:

GET /api/v1/accesstoken/
Responses: 200
Headers
Content-Type: application/json
Body
{
    'bearer_token': 'eyJhbGciOiJkaXIiLCJhdWQiOiJ0cyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJpc3MiOiJ0cyIsInRlbiI6ImRlZjBkZWYwZGVmMGRlZjBkZWYwZGVmMGRlZjBkZWYwIn0..3gUu7fbR7Qfl_BbyeQ71PQ.t_wFI-NWhiFTPB9IYVH5RXyIzhjtIRNwhBnyU1yhacppvuZcuCYYSnlVbPSU-ZQGlwz-ooZKFEkQZwJnYCPU54Vs7qTrsAXIt5zMdGV7XHzf0Arqev-Oa7O3Nq0yHP_1v84YUL_WkrAqLuQ1zleU5ySvQUHjB8MPt58r24zBhPBQChcza4XeZcOIiLTrRqDPnXCT-rucyp7Bs9XtGsROIqEv5HP8yGBrq_Z6mN_8CQQrBtEwrMl_RvowLorfioYzEqJkCrZe_yw50wItiAyM3iSpOJ_gRTtCtyL3aUbxSIp7TKQGYE4IGwBBCdI1nq0xYRFGFSMOPlaimokfAzlVsA.MO0ONkAqVS084E4mxjTLqg',
    'details': {
        'guid': '2ac6e4195cfb0ff83e55a0518e69d7d56e9ffcab',
        'created': '2021-11-04T14:01:21.278973',
        'revoked': None,
        'expired_after': '2022-11-05T14:01:21.276665',
        'scopes': []
    }
}


Returns information about a previously issued token. Authorization may be accomplished via login_session_id or bearer token.

URI Parameters
login_session_id
string (optional) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX

ID of the login session


Revoke an existing token:

DELETE /api/v1/accesstoken/token_guid
Requests: example 1
Headers
Authorization: 'Bearer:xyz' (optional, string) The token passed in the authorization header is revoked.
Responses: 204
This response has no content.


The token identified by {token_guid} is revoked. Authorization may be accomplished via login_session_id or bearer token.

URI Parameters
login_session_id
string (optional) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX

ID of the login session


Renew an existing token:

POST /api/v1/accesstokenrefresh
Requests: example 1
Headers
Authorization: 'Bearer:xyz' (required, string) The token passed in the authorization header is revoked.
Responses: 200
Headers
Content-Type: application/json
Body
{
    'bearer_token': 'eyJhbGciOiJkaXIiLCJhdWQiOiJ0cyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJpc3MiOiJ0cyIsInRlbiI6ImRlZjBkZWYwZGVmMGRlZjBkZWYwZGVmMGRlZjBkZWYwIn0..3gUu7fbR7Qfl_BbyeQ71PQ.t_wFI-NWhiFTPB9IYVH5RXyIzhjtIRNwhBnyU1yhacppvuZcuCYYSnlVbPSU-ZQGlwz-ooZKFEkQZwJnYCPU54Vs7qTrsAXIt5zMdGV7XHzf0Arqev-Oa7O3Nq0yHP_1v84YUL_WkrAqLuQ1zleU5ySvQUHjB8MPt58r24zBhPBQChcza4XeZcOIiLTrRqDPnXCT-rucyp7Bs9XtGsROIqEv5HP8yGBrq_Z6mN_8CQQrBtEwrMl_RvowLorfioYzEqJkCrZe_yw50wItiAyM3iSpOJ_gRTtCtyL3aUbxSIp7TKQGYE4IGwBBCdI1nq0xYRFGFSMOPlaimokfAzlVsA.MO0ONkAqVS084E4mxjTLqg',
    'details': {
        'guid': '2ac6e4195cfb0ff83e55a0518e69d7d56e9ffcab',
        'created': '2021-11-04T14:01:21.278973',
        'revoked': None,
        'expired_after': '2022-11-05T14:01:21.276665',
        'scopes': []
    }
}


The claims, scope, and ttl are preserved from the original token issuance. After renewing the token the old token is revoked.
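A service that stores one of these tokens can use the details block returned by GET /api/v1/accesstoken/ to decide when to call the refresh endpoint. The following is an added example, not code from the AA scripts: the function names and the 30 day renewal window are assumptions, timestamps are treated as naive values in the same timezone as `now`, and the `ten` header field is what the first segment of the sample tokens on this page decodes to (the tenant id).

```python
import base64
import json
from datetime import datetime, timedelta


def b64url(data):
    """Base64url-encode bytes without padding (used only to build the sample)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample in the shape of the GET /api/v1/accesstoken/ response.
# The tenant id, guid and token segments are made up; only the header is real JSON.
SAMPLE_TENANT = "0" * 31 + "1"
SAMPLE_HEADER = {"alg": "dir", "aud": "ts", "enc": "A128CBC-HS256",
                 "iss": "ts", "ten": SAMPLE_TENANT}
SAMPLE_RECORD = {
    "bearer_token": ".".join(
        [b64url(json.dumps(SAMPLE_HEADER).encode()), "", "aXY", "Y3Q", "dGFn"]),
    "details": {
        "guid": "constructed-guid",
        "created": "2021-11-04T14:01:21.278973",
        "revoked": None,
        "expired_after": "2022-11-05T14:01:21.276665",
        "scopes": [],
    },
}


def token_header(bearer_token):
    """Decode the readable first segment of a five-segment compact token.

    This only reads the header. It verifies nothing; the server remains the
    sole authority on whether the token is genuine.
    """
    segments = bearer_token.split(".")
    if len(segments) != 5:
        raise ValueError("expected a five-segment compact token")
    padded = segments[0] + "=" * (-len(segments[0]) % 4)
    try:
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("first segment is not base64url JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("token header is not a JSON object")
    return header


def triage_token(record, expected_tenant, now, renew_within_days=30):
    """Return (action, reason) for a stored token record.

    action is one of: reject, replace, renew, keep.
    """
    details = record["details"]
    # A token stored under the wrong tenant is a configuration error worth
    # catching before it is ever sent to the API.
    if token_header(record["bearer_token"]).get("ten") != expected_tenant:
        return "reject", "token header names a different tenant"
    if details.get("revoked") is not None:
        return "replace", "already revoked; issue a new token"
    expires = datetime.fromisoformat(details["expired_after"])
    if now >= expires:
        return "replace", "expired; issue a new token"
    if expires - now <= timedelta(days=renew_within_days):
        # Per this page, refresh preserves claims, scope and ttl and revokes
        # the old token, so the stored copy must be swapped atomically.
        return "renew", "POST /api/v1/accesstokenrefresh, then store the new token"
    return "keep", f"valid until {expires.isoformat()}"


if __name__ == "__main__":
    for when in (datetime(2022, 1, 1), datetime(2022, 10, 20), datetime(2022, 12, 1)):
        print(when.date(), *triage_token(SAMPLE_RECORD, SAMPLE_TENANT, when))
```
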


Generated by aglio on 02 Jun 2022