Obtaining an Unscoped Token (IdP Initiated)
Function
This API is used to obtain an unscoped token through IdP-initiated federated identity authentication.
Unscoped tokens cannot be used for authentication. A federated user can be authenticated only using a scoped token. For details, see Obtaining a Scoped Token.
The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.
- This API can be called using the CLI. In IdP-initiated authentication mode, the client obtains the SAML response through a browser and then calls this API to obtain an unscoped token.
Debugging
You can debug this API in API Explorer.
URI
POST /v3.0/OS-FEDERATION/tokens
Request Parameters
Request header parameters

Parameter | Mandatory | Type | Description |
---|---|---|---|
Content-Type | Yes | String | The client must use a browser to transfer SAML response parameters to the server. Set this parameter to application/x-www-form-urlencoded. |
X-Idp-Id | Yes | String | Identity provider ID. |

Request form parameters

Parameter | Mandatory | Type | Description |
---|---|---|---|
SAMLResponse | Yes | String | Response body returned if IdP authentication is successful. |
Perform the following procedure to obtain a SAML response:
- Visit https://idp.example.org/idp/profile/SAML2/Unsolicited/SSO?providerId=iam.example.com using a browser, where idp.example.org is the entity ID in the IdP metadata and iam.example.com is the entity ID in the SP metadata.
- On the displayed identity provider login page, enter a username and then click Login (password-free login is supported). On the new page that is displayed, press F12 and click Accept. Obtain the SAML response from the POST request, as shown in Figure 1.

Figure 1 Obtaining a SAML response
Response Parameters
Response header parameters

Parameter | Type | Description |
---|---|---|
X-Subject-Token | String | Signed unscoped token. |

Response body parameters

Parameter | Type | Description |
---|---|---|
token | Object | Details of the unscoped token. |

token

Parameter | Type | Description |
---|---|---|
issued_at | String | Time when the token was issued. NOTE: The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
expires_at | String | Time when the token will expire. NOTE: The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
methods | Array of strings | Method for obtaining the token. |
user | Object | Information about the IAM user who requests the token. |

token.user

Parameter | Type | Description |
---|---|---|
domain | Object | Information about the account used to create the IAM user. |
id | String | User ID. |
name | String | Username. |
OS-FEDERATION | Object | Federated identity authentication information. |

token.user.domain

Parameter | Type | Description |
---|---|---|
name | String | Account name. |
id | String | Account ID. |

token.user.OS-FEDERATION

Parameter | Type | Description |
---|---|---|
groups | Array of objects | User group information. |
identity_provider | Object | Identity provider information. |
protocol | Object | Protocol information. |

token.user.OS-FEDERATION.groups

Parameter | Type | Description |
---|---|---|
id | String | User group ID. |
name | String | User group name. |
Example Request
Request for obtaining an unscoped token (IdP initiated)

```
POST https://iam.myhuaweicloud.com/v3.0/OS-FEDERATION/tokens

SAMLResponse=PD94b...
```

Example Response
Status code: 201
The request is successful.

Parameters in the response header:

```
X-Subject-Token: MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...
```

Parameters in the response body:

```json
{
  "token": {
    "expires_at": "2020-02-13T14:21:34.042000Z",
    "methods": ["mapped"],
    "issued_at": "2020-02-12T14:21:34.042000Z",
    "user": {
      "OS-FEDERATION": {
        "identity_provider": {"id": "ACME"},
        "protocol": {"id": "saml"},
        "groups": [
          {"id": "06aa22601502cec4a23ac0084a74038f", "name": "admin"}
        ]
      },
      "domain": {"name": "IAMDomain", "id": "06ba0970a097acc0f36c0086bb6cfe0"},
      "name": "FederationUser",
      "id": "LdUTYSC7zmJVIic3yaCbLBXDxPAdDxLg"
    }
  }
}
```
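A client-side helper for this API, added here as an illustration and not part of the original documentation: it builds the form-urlencoded POST with the mandatory X-Idp-Id header, parses the 201 response, and refuses anything that is not an unscoped token issued by federation mapping, so the caller cannot mistake the result for a scoped token. The endpoint host, the function names and the UnscopedToken class are this example's assumptions; the URI, headers and field names come from the page.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_PATH = "/v3.0/OS-FEDERATION/tokens"   # URI documented on this page
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"           # issued_at / expires_at format

@dataclass
class UnscopedToken:                 # assumed helper type, not an API object
    token: str          # value of the X-Subject-Token response header
    user_id: str
    user_name: str
    domain_id: str
    groups: list        # group names from user.OS-FEDERATION.groups
    issued_at: datetime
    expires_at: datetime

    def remaining_seconds(self, now=None):
        """Seconds until expires_at; pass now= to evaluate at a fixed instant."""
        now = now or datetime.now(timezone.utc)
        return (self.expires_at - now).total_seconds()

def build_request(endpoint, idp_id, saml_response):
    """Form-urlencoded POST carrying SAMLResponse, with the mandatory X-Idp-Id header."""
    body = urlencode({"SAMLResponse": saml_response}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "X-Idp-Id": idp_id}
    return Request(endpoint.rstrip("/") + TOKEN_PATH, data=body,
                   headers=headers, method="POST")

def is_unscoped(token_obj):
    """An unscoped token has no top-level project or domain scope block."""
    return "project" not in token_obj and "domain" not in token_obj

def parse_token_response(subject_token, body_json):
    """Parse the 201 body; refuse anything that is not an unscoped, mapped token."""
    tok = json.loads(body_json)["token"]
    if not is_unscoped(tok) or "mapped" not in tok.get("methods", []):
        raise ValueError("expected an unscoped token issued via federation mapping")
    user = tok["user"]
    groups = user.get("OS-FEDERATION", {}).get("groups", [])
    to_utc = lambda s: datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)
    return UnscopedToken(subject_token, user["id"], user["name"], user["domain"]["id"],
                         [g["name"] for g in groups],
                         to_utc(tok["issued_at"]), to_utc(tok["expires_at"]))
```

The returned token is only an input to the scoped-token exchange; the parsed expires_at lets the client drop it instead of retrying with an expired value.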
Status Codes
Status Code | Description |
---|---|
201 | The request is successful. |
400 | Invalid parameters. |
401 | Authentication failed. |
403 | Access denied. |
405 | The method specified in the request is not allowed for the requested resource. |
413 | The request entity is too large. |
500 | Internal server error. |
503 | Service unavailable. |
Error Codes
None