Help Center> Identity and Access Management> API Reference> API> Federated Identity Authentication Management> Token> Obtaining an Unscoped Token (SP Initiated)

Obtaining an Unscoped Token (SP Initiated)

Function

This API is used to obtain an unscoped token through SP-initiated federated identity authentication.

Unscoped tokens cannot be used for authentication. A federated user can be authenticated only using a scoped token. For details, see Obtaining a Scoped Token.

The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.

This API can be used to obtain a token through web SSO or ECP. Set the request header parameters accordingly.
Instead of calling this API, you are advised to use OpenStackClient to obtain a token.
This API requires a browser for redirection.

URI

GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth

**Table 1** URI parameters
Parameter	Mandatory	Type	Description
idp_id	Yes	String	Identity provider name.
protocol_id	Yes	String	Protocol ID.

Request Parameters

**Table 2** Parameters in the request header
Parameter	Mandatory	Type	Description
Accept	No	String	This parameter is not required when you obtain a token in web SSO mode. Set this parameter to application/vnd.paos+xml when you obtain a token using ECP.
PAOS	No	String	This parameter is not required when you obtain a token in web SSO mode. Set this parameter to urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp when you obtain a token using ECP.

Response Parameters

**Table 3** Parameters in the response header
Parameter	Type	Description
X-Subject-Token	String	Signed unscoped token.

**Table 4** Parameters in the response body
Parameter	Type	Description
token	Object	Details of the unscoped token.

**Table 5** token
Parameter	Type	Description
methods	Array of strings	Method for obtaining the token.
expires_at	String	Time when the token will expire.
catalog	Array of objects	Catalog information.
roles	Array of objects	Permissions information of the token.
user	Object	Information about the IAM user who requests for the token.
issued_at	String	Time when the token was issued.

**Table 6** token.user
Parameter	Type	Description
domain	Object	Information about the account used to create the IAM user.
OS-FEDERATION	Object	Federated identity authentication information.
id	String	User ID.
name	String	Username.

**Table 7** token.user.domain
Parameter	Type	Description
name	String	Account name.
id	String	Account ID.

**Table 8** token.user.OS-FEDERATION
Parameter	Type	Description
groups	Array of objects	User group information.
identity_provider	Object	Identity provider information.
protocol	Object	Protocol information.

**Table 9** token.user.OS-FEDERATION.groups
Parameter	Type	Description
id	String	User group ID.
name	String	User group name.

**Table 10** token.user.OS-FEDERATION.identity_provider
Parameter	Type	Description
id	String	Identity provider ID.

**Table 11** token.user.OS-FEDERATION.protocol
Parameter	Type	Description
id	String	Protocol ID.

Request Process

Visit https://iam.myhuaweicloud.com/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth using a browser.
On the displayed identity provider login page, enter a username and then click Login (password-free login is supported). On the new page that is displayed, press F12 and click Accept.
Obtain the signed unscoped token from the X-Subject-Token parameter in the response header.

Figure 1 Obtaining a token

Example Response

Status code: 201

The request is successful, and a token is returned.

Parameters in the response header
X-Subject-Token:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body
{
    "token": {
        "expires_at": "2020-02-13T15:13:52.166000Z",
        "methods": [
            "mapped"
        ],
        "catalog": [],
        "roles": [],
        "issued_at": "2020-02-12T15:13:52.166000Z",
        "user": {
            "OS-FEDERATION": {
                "groups": [],
                "identity_provider": {
                    "id": "ACME"
                },
                "protocol": {
                    "id": "saml"
                }
            },
            "domain": {
                "id": "06aa2260a480cecc0f36c0086bb6cfe0",
                "name": "IAMDomain"
            },
            "id": "LdQTDSC7zmJVIic3yaCbLBXDxPAdDxLg",
            "name": "FederationUser"
        }
    }
}

Status Codes

Status Code	Description
200	The request is successful. You need to obtain user information.
201	The request is successful, and a token is returned.
302	A temporary redirect occurs. The identity provider authentication page is displayed because the request does not carry any user information.
400	Invalid parameters.
401	Authentication failed.
403	Access denied.
405	The method specified in the request is not allowed for the requested resource.
413	The request entity is too large.
500	Internal server error.
503	Service unavailable.

Error Codes

None

Parent topic: Token

Last Article: Token

Next Article: Obtaining an Unscoped Token (IdP Initiated)

Did this article solve your problem?

Thank you for your score！Your feedback would help us improve the website.

Products

Compute

Application

Dedicated Cloud

Storage

Management & Deployment

Migration

Network

Enterprise Intelligence

Video

Database

Edge Cloud Services

DevCloud

Security

Cloud Communications

Internet of Things

Solutions

Industry-Specific Solutions

General-Purpose Solutions

Security

DevOps

Enterprise Intelligence

Essential Platform

Big Data

Visual Cognition

Speech and Semantics

Support

Help Center

Customer Services

Developers

Console

语言 - Language

中国站 - 简体中文

中国站 - English

International - 简体中文

International - English