1.3 Support for Standard Driver Features

1.3.1 Supported Operations

The REST driver performs the following operations on the Publisher and Subscriber channels:

  • Publisher Channel: Add, Modify, Delete, and Query operations on User and Group objects, and password synchronization.

  • Subscriber Channel: Add, Modify, Delete, Migrate, and Query operations on User and Group objects, and Password Set/Reset operations on User objects only.

1.3.2 Local Platforms

A local installation is an installation of the driver on the Identity Manager server. The REST driver can be installed on the operating systems supported for the Identity Manager server.

For information about the operating systems supported for the Identity Manager server, see the NetIQ Identity Manager Technical Information website.

1.3.3 Remote Platforms

The REST driver can use the Remote Loader service to run on a server other than the Identity Manager server. The REST driver can be installed on the operating systems supported for the Remote Loader.

For information about the supported operating systems, see the NetIQ Identity Manager Technical Information website.

1.3.4 Supporting Driver Authentication

The REST driver allows you to configure the following authentication methods. By default, the REST driver uses the Basic authentication method; you can change the authentication method in the driver configuration.

  • Anonymous: The driver uses the anonymous authentication method to authenticate to a RESTful service. On the Subscriber channel, this method allows connectivity between the REST driver and any RESTful service that supports anonymous authentication. On the Publisher channel, the driver allows anonymous access to the Identity Vault for any RESTful service.

  • Basic: The driver uses the ID and password that you specify during driver configuration to authenticate to the RESTful service. The driver treats the Publisher user credentials as the Basic authentication credentials; in this authentication method, the driver uses these credentials for connections to the endpoints exposed on the Publisher channel.

  • OAuth2.0: OAuth 2.0 is an open protocol that enables a third-party application to access data from an HTTP service and share that data among applications. The driver supports OAuth 2.0 authentication only on the Subscriber channel.

    Secured communication between client and server applications is established using authorization tokens such as JSON Web Tokens, access tokens, and refresh tokens.

    • JSON Web Token (JWT): JWT defines a compact and self-contained way of securely transmitting information between parties. JWTs can be encrypted to provide secrecy between client and server applications. For more information on JWT, see RFC 7519.

    • Access Token: Access tokens carry the information needed to access a resource directly.

    • Refresh Token: Refresh tokens carry the information needed to obtain a new access token. When an access token has expired, the refresh token allows the application to obtain a new access token without the user's intervention. Refresh tokens can have a longer lifetime, whereas access tokens have a comparatively short lifetime.

    IMPORTANT: For any operation performed on the connected application using OAuth 2.0, an access token is sent to the connected application to authorize the user. The access token expires after the session idle time set for the connected application, or when the system restarts. The session idle time is configurable as required. The connected application returns an Unauthorized Access error or an Invalid Session error for any request initiated with an expired access token. The presence of a refresh token allows the failed session to be re-established internally by generating a new access token, without the user having to log in again.

    The resource owner grants authorization to a client application in cooperation with the authorization server associated with the resource server. When requesting authorization, the client receives an authorization grant from the resource owner. An authorization grant is an authorization credential representing the resource owner's authorization, in the form of a JSON Web Token (JWT). The two authorization grants supported by the REST driver are resource owner password credentials and client credentials.

    • Client Credentials - Uses the client ID and secret received when registering with the identity provider.

    • Resource Owner Password - Shares the resource owner's credentials with the client application. Uses the user name and password of the resource owner as the authorization grant to obtain an access token. For example, you can use your Twitter user name and password to log in to a client application.

    NOTE: Ensure that you set the appropriate query options while configuring the authorization query in the driver parameters. For more information, see Subscriber Settings.
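As an added example (not code from the NetIQ driver), the following Python client shows the Subscriber-channel token handling described above for the two grants the driver supports: it requests a token with client credentials or resource owner password credentials, sends it as a Bearer header, and when the connected application answers 401 (access token expired after the idle time or a restart) it exchanges the refresh token for a new access token and retries without a user login. The token endpoint URL and the injected `transport` callable are assumptions made for the example.

```python
import json
from urllib.parse import urlencode

def token_request(grant, client_id, client_secret, username="", password=""):
    # Form fields for the two grants the driver supports.
    fields = {"client_id": client_id, "client_secret": client_secret}
    if grant == "client_credentials":
        fields["grant_type"] = "client_credentials"
    elif grant == "password":  # resource owner password credentials
        fields.update(grant_type="password", username=username, password=password)
    else:
        raise ValueError(f"unsupported grant: {grant}")
    return fields

class OAuthSession:
    """Keeps the access/refresh token pair and re-establishes a failed session.
    transport(method, url, headers, body) -> (status, text) is an assumed, injected
    callable so the logic runs offline; a real client would wrap urllib here."""
    def __init__(self, transport, token_url, grant_fields):
        self.transport, self.token_url, self.grant_fields = transport, token_url, grant_fields
        self.access_token = self.refresh_token = None

    def _fetch_token(self, fields):
        status, text = self.transport("POST", self.token_url,
            {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(fields))
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        tok = json.loads(text)
        self.access_token = tok["access_token"]
        self.refresh_token = tok.get("refresh_token", self.refresh_token)  # may be omitted

    def _reauthorize(self):
        fields = self.grant_fields  # no refresh token issued: repeat the original grant
        if self.refresh_token:  # otherwise get a new access token without a user login
            fields = {"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                      "client_id": fields["client_id"], "client_secret": fields["client_secret"]}
        self._fetch_token(fields)

    def call(self, method, url, body=None):
        """Send one request; on 401 (idle timeout or restart) re-authorize once and retry."""
        if self.access_token is None:
            self._fetch_token(self.grant_fields)
        headers = {"Authorization": f"Bearer {self.access_token}", "Content-Type": "application/json"}
        status, text = self.transport(method, url, headers, body)
        if status == 401:
            self._reauthorize()
            headers["Authorization"] = f"Bearer {self.access_token}"
            status, text = self.transport(method, url, headers, body)
        return status, text
```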

1.3.5 Supporting Publish Mode

The Identity Manager driver for REST supports Publish as a Publisher option.

If Publish is selected, the driver exposes the REST endpoints to receive the events from the connected RESTful service and then pushes the events to the Identity Vault.

1.3.6 Supporting Identity Manager Engine as a REST EndPoint

The REST driver exposes REST endpoints for the Identity Manager engine, so that external applications and services can communicate with eDirectory and the Identity Manager engine through the REST API.

NOTE: The authentication header and content type are mandatory for REST methods.

Table 1-2 lists an example of the POST REST method that the driver supports for the User class:

Table 1-2 POST Method

  METHOD:        POST
  User URI:      http://ipaddress:port/User
  Payload:       {"association":"User2","Postal Code":["324324324"],"Surname":["User2"],"CN":["User2"]}
  Authorization: Basic c3lzdGVtL3N5c3RlbQ==
  Content-Type:  application/json
  Response:      201 Created

Table 1-3 lists an example of the DELETE REST method that the driver supports:

Table 1-3 DELETE Method

  METHOD:        DELETE
  User URI:      http://ipaddress:port/User/User2
  Payload:       Not required
  Authorization: Basic c3lzdGVtL3N5c3RlbQ==
  Content-Type:  application/json
  Response:      200 OK

Table 1-4 lists an example of the PUT REST method that the driver supports:

Table 1-4 PUT Method

  METHOD:        PUT
  User URI:      http://ipaddress:port/User/User2
  Payload:       {"Title":[{"add":["Manager"]}]}
  Authorization: Basic c3lzdGVtL3N5c3RlbQ==
  Content-Type:  application/json
  Response:      204 No Content

Table 1-5 lists an example of the GET REST method that the driver supports:

Table 1-5 GET Method

  METHOD:        GET
  User URI:      http://ipaddress:port/User?search-attr=given name eq 'test*user' and cn eq 'test*'&read-attr=title
  Payload:       Not Applicable
  Authorization: Basic c3lzdGVtL3N5c3RlbQ==
  Content-Type:  application/json
  Response:      { "totalResults": 1, "results": [ { "src-dn": "\\GEN-REST1\\system\\servers\\TestUser", "class-name": "User", "Title": [ "SE" ] } ]}
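As an added example that is not part of the driver, the following Python code parses the search-attr and read-attr query options of the GET method in Table 1-5 and evaluates them over constructed sample User objects, returning a response in the same shape as the table's Response row. The filter grammar (attr eq 'value' terms joined by and, * as a wildcard, case-insensitive attribute names and values) is an assumption read off the example URI, and the sample objects are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample objects standing in for the Identity Vault (not real data).
USERS = [
    {"src-dn": "\\GEN-REST1\\system\\servers\\TestUser", "class-name": "User",
     "Given Name": "test user", "CN": "test", "Title": ["SE"]},
    {"src-dn": "\\GEN-REST1\\system\\servers\\User2", "class-name": "User",
     "Given Name": "second user", "CN": "User2", "Title": ["Manager"]},
]
# One filter term: <attribute> eq '<value>', optionally followed by "and".
TERM = re.compile(r"\s*([\w ]+?)\s+eq\s+'([^']*)'\s*(?:and\s+)?")

def parse_search_attr(expr):
    """Turn "given name eq 'test*user' and cn eq 'test*'" into [(attr, value), ...]."""
    terms, pos = [], 0
    while pos < len(expr):
        m = TERM.match(expr, pos)
        if not m:
            raise ValueError(f"malformed search-attr near {expr[pos:]!r}")
        terms.append((m.group(1).strip(), m.group(2)))
        pos = m.end()
    return terms

def _lookup(obj, attr):
    # Attribute names match case-insensitively; values come back as a list.
    for key, val in obj.items():
        if key.lower() == attr.lower():
            return key, (val if isinstance(val, list) else [val])
    return None, []

def _matches(obj, attr, pattern):
    # '*' in the filter value is a wildcard; the comparison ignores case.
    rx = re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)
    return any(rx.match(v) for v in _lookup(obj, attr)[1])

def handle_get(uri, objects=USERS):
    """Answer GET /User?search-attr=...&read-attr=... in the response shape of Table 1-5."""
    qs = parse_qs(urlsplit(uri).query)
    terms = parse_search_attr(qs.get("search-attr", [""])[0])
    read = [a for v in qs.get("read-attr", []) for a in v.split(",")]
    results = []
    for obj in objects:
        if all(_matches(obj, a, v) for a, v in terms):
            hit = {"src-dn": obj["src-dn"], "class-name": obj["class-name"]}
            for attr in read:  # echo requested attributes under their stored names
                key, vals = _lookup(obj, attr)
                if key:
                    hit[key] = vals
            results.append(hit)
    return {"totalResults": len(results), "results": results}
```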

1.3.7 Synchronizing Information

Unlike most other drivers, the REST driver synchronizes protocols instead of objects. The driver includes the following features:

  • HTTP transport of data between the Identity Vault and a Web service

  • SSL connections using the HTTPS protocol

  • Subscriber HTTP and HTTPS proxy servers

  • Potential to act as an HTTP or HTTPS listener for incoming connections on the Publisher channel

  • Potential extensibility through customized Java code

    For more information, see Section B.0, Using Java Extensions.