Estos contenidos se han traducido de forma automática para su comodidad, pero Huawei Cloud no garantiza la exactitud de estos. Para consultar los contenidos originales, acceda a la versión en inglés.
Centro de ayuda/ Identity and Access Management/ Referencia de la API/ API/ Gestión de autenticación de identidades federadas/ Credenciales/ Generación de un AK/SK a través de la autenticación de identidad federada
Actualización más reciente 2024-08-01 GMT+08:00
Ver PDF
Compartir

Generación de un AK/SK a través de la autenticación de identidad federada

Function

This API is used to generate an AK/SK through federated identity authentication. This API has been deprecated.

This API has been deprecated and is replaced by the /v3.0/OS-CREDENTIAL/securitytokens API.

Before obtaining a temporary AK/SK in federated identity authentication mode, you need to establish a relationship of trust between the enterprise IdP and IAM. For details about how to query the metadata file, see Consulta del archivo de metadatos de Keystone.

URI

  • URI format

    GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/credential

  • URI parameter description

    Parameter

    Mandatory

    Type

    Description

    idp_id

    Yes

    String

    Identity provider name.

    protocol _id

    Yes

    String

    ID of a protocol.

    duration_seconds

    No

    String

    Validity period of an AK/SK, in seconds. The value is an integer ranging from 900 to 86400. The default value is 900.

Request

  • Request header parameter description

    Parameter

    Mandatory

    Type

    Description

    idp_id

    Yes

    String

    Identity provider name.

    protocol_id

    Yes

    String

    ID of a protocol.

    Accept

    No

    String
    • This parameter is not required when you obtain a token in web SSO mode.
    • When you obtain a token using the ECP, the value of this parameter is as follows:

      application/vnd.paos+xml

    PAOS

    No

    String
    • This parameter is not required when you obtain a token in web SSO mode.
    • When you obtain a token using the ECP, the value of this parameter is as follows:

      urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp

    This interface can be used to obtain a token using the Web Single Sign-On (WebSSO) or ECP. The two mechanisms are differentiated based on request headers. For details, see the request header parameter description.

  • Sample request 
    GET /v3-ext/OS-FEDERATION/identity_providers/idptest/protocols/saml/credential

Response

  • Response body parameter description

    Response Item

    Parameter

    Type

    Description

    credential

    body

    Object

    Credential obtained in federation authentication mode, including the AK/SK and securityToken.

    The default validity period of the AK/SK and securityToken is 900 ms.
  • Sample response 
    {
    "credential": {
        "access": "9KDZ9C4FZWDT4R...", 
        "secret": "An7Qo7j7jmKduupYaJDZd1s2oxFkfujkD23...", 
        "expires_at": "2017-09-14T09:35:22.002000Z", 
        "securitytoken": "gAAAAABZuPvamyED44aYAZgdSvxxareklLGR9V4TwrsGNacjbs_8Z7CUtYdoI39-RzebqX55VkMZ46HpbaETlrSXqP1Wcdq-scxRt7WfCCV0CH987zruTPeb8Hd0Hb0fYZzi-OZO9lfIluQuHp8OUF2KwYliQFGIZMdwrgrHQCOg-49CbzhgGj4H2SCaMKT9VkpF9dquNgvoDG5a_j-_q1pMsoRJMrQyAZwt1vAYEadZ4gEklNprre0KS4D5wefTxsF_BQJfF-wCgeSTc9ggV0zld1t2G0qR5g=="
    }
}

Status Codes

Status Code

Description

200

The request is successful. You need to further obtain user information.

201

The request is successful, and an AK/SK is returned.

302

The system switches to the identity provider authentication page if the request does not carry user information of the identity provider.

400

The server failed to process the request.

401

Authentication failed.

403

Access denied.

405

You are not allowed to use the method specified in the request.

413

The request entity is too large.

500

Failed to complete the request because of an internal service error.

503

Failed to complete the request because the service is unavailable.
Tema principal: Credenciales