Reviewed-by: Belejkanic, Lukas <lukas.belejkanic@t-systems.com> Co-authored-by: weihongmin1 <weihongmin1@huawei.com> Co-committed-by: weihongmin1 <weihongmin1@huawei.com>
Creating a Mapping
Function
This API is used to create a mapping.
URI
PUT /v3/OS-FEDERATION/mappings/{id}
- URI parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| id | Yes | String | Mapping ID. The caller chooses it; the example request below uses ACME. |
Request Parameters
- Parameters in the request header

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Content-Type | Yes | String | Set this field to application/json;charset=utf8. |
| X-Auth-Token | Yes | String | Authenticated token with the Security Administrator permission. |
- Parameters in the request body

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| mapping | Yes | Object | Mapping information. |
- mapping

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| rules | Yes | Array | Rules used to map federated users to local users. Each rule has a local block (what the user becomes on the cloud platform) and a remote block (what the IdP must assert for the rule to match). |

Example rule for SAML:

```json
"rules": [
  {
    "local": [
      { "user": { "name": "{0}" } },
      { "group": { "name": "0cd5e9" } }
    ],
    "remote": [
      { "type": "UserName" },
      { "type": "orgPersonType", "not_any_of": [ "Contractor", "Guest" ] }
    ]
  }
]
```

local: information about the federated user in the cloud system.
- user: name of the federated user in the cloud system. {0} refers to the value of the first attribute in remote that supplies a value (UserName in this example).
- group: user group to which the federated user belongs in the cloud system.

remote: information about the federated user in the IdP. The block is a combination of assertion attribute names and operators, and its values are taken from the assertion.
- "type": "UserName" names an attribute in the IdP assertion; its value is used for {0}.
- "type": "orgPersonType" names an attribute in the IdP assertion that is only tested, not copied.
- not_any_of: the rule does not match if any of the listed strings appears among the values of the attribute named by type. The result of this condition is a Boolean, not the attribute value, so it supplies no placeholder.
- mapping.rules

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| local | Yes | Array of RulesLocal objects | Federated user information on the cloud platform. user gives the name of the federated user and group gives the user group the federated user belongs to. |
| remote | Yes | Array of objects | Federated user information in the IdP system. For SAML, each entry is an expression of assertion attributes and operators whose values are taken from the assertion. For OIDC, the values are taken from the ID token. |
- mapping.rules.local
- mapping.rules.local.user

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| name | Yes | String | Name of the federated user on the cloud platform. |
- mapping.rules.local.group

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| name | Yes | String | User group to which the federated user belongs on the cloud platform. |
- mapping.rules.remote

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| type | Yes | String | Name of the attribute in the IdP assertion (SAML) or of the claim in the ID token (OIDC) that this entry refers to. |
| any_one_of | No | Array of strings | The rule matches only if at least one of the listed strings appears among the values of the attribute named by type. The result is a Boolean and cannot be used as a placeholder in the local block. In a remote array, any_one_of and not_any_of are mutually exclusive and cannot be used at the same time. |
| not_any_of | No | Array of strings | The rule matches only if none of the listed strings appears among the values of the attribute named by type. The result is a Boolean and cannot be used as a placeholder in the local block. any_one_of and not_any_of are mutually exclusive and cannot be used at the same time. |
- Example request

```shell
curl -i -k -H 'Accept:application/json' -H 'Content-Type:application/json;charset=utf8' -H "X-Auth-Token:$token" -X PUT \
  -d '{"mapping":{"rules":[{"local":[{"user":{"name":"{0}"}},{"group":{"name":"0cd5e9"}}],"remote":[{"type":"UserName"},{"type":"orgPersonType","not_any_of":["Contractor","Guest"]}]}]}}' \
  https://sample.domain.com/v3/OS-FEDERATION/mappings/ACME
```

The -k option disables TLS certificate verification. Use it only against a lab endpoint: the request carries a Security Administrator token, and the mapping it installs decides which IdP users become which local users and groups.
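The following Python is an added illustration, not part of this API reference and not the platform's own code. It evaluates a mapping in the shape documented above against constructed assertion attributes, implementing the semantics the page describes: each remote entry names an assertion attribute, entries carrying any_one_of or not_any_of are Boolean filters that only gate the rule and supply no placeholder value, and plain entries supply the {0}, {1}, ... values in order. It also validates the constraints stated in the tables (a type on every entry, any_one_of and not_any_of never set together, every {n} backed by a value-producing entry) before a mapping is sent with PUT. The names validate_mapping, apply_mapping, BAD_MAPPING and all attribute values are assumptions; treating a missing assertion attribute as a rule failure is a deliberate fail-closed choice of this example, so confirm the platform's own behaviour before relying on it.

```python
"""Evaluate an OS-FEDERATION mapping against assertion attributes (added example)."""
import re
from typing import Dict, List, Optional

# Constructed mapping: the same rule as the page's example request.
MAPPING = {
    "mapping": {
        "rules": [
            {
                "local": [
                    {"user": {"name": "{0}"}},
                    {"group": {"name": "0cd5e9"}},
                ],
                "remote": [
                    {"type": "UserName"},
                    {"type": "orgPersonType", "not_any_of": ["Contractor", "Guest"]},
                ],
            }
        ]
    }
}

# Constructed malformed mapping: both filters on one entry, and a {1}
# placeholder although only one remote entry supplies a value.
BAD_MAPPING = {
    "mapping": {
        "rules": [
            {
                "local": [{"user": {"name": "{0}-{1}"}}],
                "remote": [
                    {"type": "UserName"},
                    {"type": "orgPersonType",
                     "any_one_of": ["Employee"],
                     "not_any_of": ["Guest"]},
                ],
            }
        ]
    }
}

_FILTERS = ("any_one_of", "not_any_of")
_PLACEHOLDER = re.compile(r"\{(\d+)\}")


def validate_mapping(mapping: dict) -> List[str]:
    """Return a list of problems; an empty list means the mapping is well-formed."""
    problems = []
    for i, rule in enumerate(mapping["mapping"]["rules"]):
        remote = rule.get("remote", [])
        # Only entries without a filter produce a value for {n}; filters are Boolean.
        direct_count = sum(1 for r in remote if not any(f in r for f in _FILTERS))
        for r in remote:
            if "type" not in r:
                problems.append(f"rule {i}: remote entry without type")
            if all(f in r for f in _FILTERS):
                problems.append(f"rule {i}: any_one_of and not_any_of both set on {r.get('type')}")
        for item in rule.get("local", []):
            for field in item.values():
                for idx in _PLACEHOLDER.findall(field.get("name", "")):
                    if int(idx) >= direct_count:
                        problems.append(f"rule {i}: placeholder {{{idx}}} has no value-producing remote attribute")
    return problems


def apply_mapping(mapping: dict, attributes: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Return the local user/group for the first rule the attributes satisfy, else None.

    attributes maps an assertion attribute name to its list of values (SAML
    attributes may be multi-valued); a plain entry contributes its first value.
    """
    problems = validate_mapping(mapping)
    if problems:
        raise ValueError("; ".join(problems))
    for rule in mapping["mapping"]["rules"]:
        direct_values = []
        satisfied = True
        for r in rule["remote"]:
            values = attributes.get(r["type"])
            if values is None:
                # Fail closed (this example's choice): an attribute absent from the
                # assertion neither supplies a placeholder nor passes a not_any_of filter.
                satisfied = False
                break
            if "any_one_of" in r:
                satisfied = any(v in r["any_one_of"] for v in values)
            elif "not_any_of" in r:
                satisfied = not any(v in r["not_any_of"] for v in values)
            else:
                direct_values.append(values[0])  # plain entry: its value feeds {n}
            if not satisfied:
                break
        if not satisfied:
            continue
        result = {}
        for item in rule["local"]:
            for key, field in item.items():
                result[key] = field["name"].format(*direct_values)
        return result
    return None


if __name__ == "__main__":
    print(apply_mapping(MAPPING, {"UserName": ["alice"], "orgPersonType": ["Employee"]}))
    print(apply_mapping(MAPPING, {"UserName": ["bob"], "orgPersonType": ["Contractor"]}))
    print(validate_mapping(BAD_MAPPING))
```

Run validate_mapping on the JSON you intend to PUT before sending it; the server rejects a malformed body with 400, but the local check tells you which rule and which entry is wrong. The two apply_mapping calls show why the not_any_of filter matters: the same UserName is accepted when orgPersonType is Employee and refused when it is Contractor, and a user whose assertion lacks orgPersonType entirely is refused by this example rather than let through.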
Response Parameters
- Parameters in the response body

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| mapping | Yes | Object | Mapping information. |
- mapping

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| id | Yes | String | Mapping ID. |
| rules | Yes | Array of MappingRules objects | Rules used to map federated users to local users, in the format described under Request Parameters (local and remote blocks, {n} placeholders, any_one_of and not_any_of filters). |
| links | Yes | Object | Mapping resource link. |
- mapping.rules

| Parameter | Type | Description |
|---|---|---|
| local | Array of objects | Federated user information on the cloud platform. user gives the name of the federated user and group gives the user group the federated user belongs to in the cloud system. |
| remote | Array of objects | Federated user information in the IdP system. For SAML, each entry is an expression of assertion attributes and operators whose values are taken from the assertion. For OIDC, the values are taken from the ID token. |
- mapping.rules.local
- mapping.rules.local.user

| Parameter | Type | Description |
|---|---|---|
| name | String | Name of the federated user on the cloud platform. |
- mapping.rules.local.group

| Parameter | Type | Description |
|---|---|---|
| name | String | User group to which the federated user belongs on the cloud platform. |
- mapping.rules.remote

| Parameter | Type | Description |
|---|---|---|
| type | String | Name of the attribute in the IdP assertion (SAML) or of the claim in the ID token (OIDC) that this entry refers to. |
| any_one_of | Array of strings | The rule matches only if at least one of the listed strings appears among the values of the attribute named by type. The result is a Boolean and cannot be used as a placeholder in the local block. In a remote array, any_one_of and not_any_of are mutually exclusive and cannot be used at the same time. |
| not_any_of | Array of strings | The rule matches only if none of the listed strings appears among the values of the attribute named by type. The result is a Boolean and cannot be used as a placeholder in the local block. any_one_of and not_any_of are mutually exclusive and cannot be set at the same time. |
- Example response

```json
{
  "mapping": {
    "id": "ACME",
    "links": {
      "self": "https://example.com/v3/OS-FEDERATION/mappings/ACME"
    },
    "rules": [
      {
        "local": [
          { "user": { "name": "{0}" } },
          { "group": { "name": "0cd5e9" } }
        ],
        "remote": [
          { "type": "UserName" },
          { "type": "orgPersonType", "not_any_of": [ "Contractor", "Guest" ] }
        ]
      }
    ]
  }
}
```
Status Codes

| Status Code | Description |
|---|---|
| 201 | The request is successful. |
| 400 | The server failed to process the request. |
| 401 | Authentication failed. |
| 403 | Access denied. |
| 404 | The requested resource cannot be found. |
| 405 | The method specified in the request is not allowed for the requested resource. |
| 409 | A resource conflict occurs. |
| 413 | The request entity is too large. |
| 500 | Internal server error. |
| 503 | Service unavailable. |