Federations

The Federations module is used to configure standards-based integrations using federated technologies such as OIDC and SAML. It is also used to configure how identity attributes are mapped between token types and to provide additional sources of information for federated identities.

class pyivia.core.federationsettings.Federation

This object is used to manage the Federations endpoints of a Verify Access deployment.

Variables:

Federations configuration

class pyivia.core.federation.federations.Federations(base_url, username, password)
create_oidc_federation(name=None, role=None, redirect_uri_prefix=None, response_types_supported=None, attribute_mappings=[], identity_delegate_id=None, identity_rule_type='JAVASCRIPT', identity_mapping_rule=None, identity_applies_to=None, identity_auth_type=None, identity_ba_user=None, identity_ba_password=None, identity_client_keystore=None, identity_client_key_alias=None, identity_issuer_uri=None, identity_message_format=None, identity_ssl_keystore=None, identity_uri=None, adv_delegate_id=None, adv_rule_type='JAVASCRIPT', adv_mapping_rule=None)

Create an OIDC Federation.

Parameters:
  • name (str) – A meaningful name to identify this federation.

  • role (str) – The role of a federation, valid values are “ip”, “sp”, “op” and “rp”.

  • redirect_uri_prefix (str) – The reverse proxy address to prepend to the redirect URI sent to the provider to communicate with this instance.

  • response_types_supported (str) – List of response types which determine the flow to be executed. Valid values to be included are “code”, “token”, “id_token”. This selects the default flow to run when a metadata URL is specified in the partner configuration.

  • attribute_mappings (list of dict) –

    The attribute mapping data. Format is:

    [
        {"name":"email",
         "source":"ldap_email"
        },
        {"name":"mobile",
         "source":"ldap_phone"
        }
    ]
    

  • identity_delegate_id (str) – The active mapping module instance.

  • identity_rule_type (str) – The type of the mapping rule. The only supported type currently is “JAVASCRIPT”.

  • identity_mapping_rule (str) – A reference to an ID of an identity mapping rule.

  • identity_applies_to (str) – Refers to the STS chain that consumes callout responses. Required if WSTRUST messageFormat is specified, ignored otherwise.

  • identity_auth_type (str) – Authentication method used when contacting external service. Supported values are NONE, BASIC or CERTIFICATE.

  • identity_ba_user (str) – Username for authentication to external service. Required if BASIC authType is specified, ignored otherwise.

  • identity_ba_password (str) – Password for authentication to external service. Required if BASIC authType is specified, ignored otherwise.

  • identity_client_keystore (str) – Contains key for HTTPS client authentication. Required if CERTIFICATE authType is specified, ignored otherwise.

  • identity_client_key_alias (str) – Alias of the key for HTTPS client authentication. Required if CERTIFICATE authType is specified, ignored otherwise.

  • identity_issuer_uri (str) – Refers to STS chain that provides input for callout request. Required if WSTRUST messageFormat is specified, ignored otherwise.

  • identity_message_format (str) – Message format of callout request. Supported values are XML or WSTRUST.

  • identity_ssl_keystore (str) – SSL certificate trust store to use when validating SSL certificate of external service.

  • identity_uri (str) – Address of destination server to call out to.

  • adv_delegate_id (str) – The active module instance. Valid values are “skip-advance-map” and “default-map”.

  • adv_rule_type (str) – The type of the mapping rule. The only supported type currently is JAVASCRIPT.

  • adv_mapping_rule (str) – A reference to an ID of an advance configuration mapping rule.

Returns:

The response from Verify Identity Access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful, the id of the created federation can be accessed from the response.id_from_location attribute.

Return type:

Response

create_oidc_partner(federation_id, name=None, role='rp', redirect_uri_prefix=None, response_types=[], attribute_mappings=[], identity_delegate_id=None, identity_mapping_rule=None, identity_auth_type=None, identity_ba_user=None, identity_ba_password=None, identity_client_keystore=None, identity_client_key_alias=None, identity_issuer_uri=None, identity_msg_fmt=None, identity_ssl_keystore=None, identity_uri=None, adv_config_delegate_id=None, adv_config_rule_type='JAVASCRIPT', adv_config_mapping_rule=None)

DEPRECATED. Add a partner configuration to an OIDC RP.

Parameters:
  • federation_id (str) – The id of the OIDC federation to create a partner for.

  • name (str) – The name of the partner to be created.

  • role (str, optional) – The role this partner plays in its federation. Default is “rp”.

  • response_types (str, optional) – List of response types which determines the flow to be executed.

  • attribute_mappings (list of dict, optional) –

    List of configured attribute sources. Format of dictionary is:

    [
        {"name":"email",
         "source": "ldap"
        },
        {"name":"preferred_name",
         "source":"credential"
        }
    ]
    

  • identity_delegate_id (str) – The active mapping module instance. Valid values are “skip-identity-map”, “default-map” and “default-http-custom-map”.

  • identity_mapping_rule (str) – A reference to an ID of an identity mapping rule.

  • identity_auth_type (str, optional) – Authentication method used when contacting external service. Supported values are NONE, BASIC or CERTIFICATE.

  • identity_ba_user (str, optional) – Username for authentication to external service.

  • identity_ba_password (str, optional) – Password for authentication to external service.

  • identity_client_keystore (str, optional) – Contains key for HTTPS client authentication.

  • identity_client_key_alias (str, optional) – Alias of the key for HTTPS client authentication.

  • identity_issuer_uri (str, optional) – Refers to STS chain that provides input for callout request.

  • identity_msg_fmt (str, optional) – Message format of callout request.

  • identity_ssl_keystore (str, optional) – SSL certificate trust store to use when validating SSL certificate of external service.

  • identity_uri (str) – Address of destination server to call out to.

  • adv_config_delegate_id (str) – The active module instance. Valid values are “skip-advance-map” and “default-map”.

  • adv_config_rule_type (str, optional) – The type of the mapping rule. The only supported type currently is “JAVASCRIPT”.

  • adv_config_mapping_rule (str, optional) – A reference to an ID of an advance configuration.

Returns:

The response from Verify Identity Access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful, the id of the created partner can be accessed from the response.id_from_location attribute.

Return type:

Response

create_oidc_rp_partner(federation_id, name=None, role='rp', template_name=None, client_id=None, client_secret=None, basic_delegate_id=None, metadata_endpoint=None, issuer_uri=None, response_types=[], auth_endpoint=None, token_endpoint=None, user_info_endpoint=None, signature_alg=None, verification_keystore=None, verification_key_alias=None, jwks_url=None, key_mgmt_alg=None, content_encrypt_alg=None, decryption_keystore=None, decryption_key_alias=None, scope=[], perform_user_info=None, token_endpoint_auth=None, attribute_mappings=[], identity_delegate_id=None, identity_mapping_rule=None, identity_auth_type=None, identity_ba_user=None, identity_ba_password=None, identity_client_keystore=None, identity_client_key_alias=None, identity_issuer_uri=None, identity_msg_fmt=None, identity_ssl_keystore=None, identity_uri=None, adv_config_delegate_id=None, adv_config_rule_type='JAVASCRIPT', adv_config_mapping_rule=None)

Add a partner configuration to an OIDC SP Federation.

Parameters:
  • federation_id (str) – The id of the OIDC federation to create a partner for.

  • name (str) – The name of the partner to be created.

  • enabled (bool) – Whether to enable the partner.

  • role (str, optional) – The role this partner plays in its federation. Default is “rp”.

  • template_name (str) – An identifier for the template on which to base this partner.

  • client_id (str) – The ID that identifies this client to the provider.

  • client_secret (str, optional) – The secret associated with the client ID. Set as “” if using a public client.

  • basic_delegate_id (str) – The active module instance. Valid values are “noMetadata” and “metadataEndpointUrl”.

  • metadata_endpoint (str, optional) – The /metadata endpoint URL of the provider.

  • issuer_uri (str, optional) – The issuer (“iss”) value of the provider.

  • response_types (str, optional) – List of response types which determines the flow to be executed. Valid values to be included are “code”, “token”, “id_token”.

  • auth_endpoint (str, optional) – The /authorize endpoint URL of the provider.

  • token_endpoint (str, optional) – The /token endpoint URL of the provider. Required if “code” response type is selected.

  • user_info_endpoint (str, optional) – The /userinfo endpoint URL of the provider.

  • signature_alg (str, optional) – The signing algorithm to use. Supported values are “none”, “HS256”, “HS384”, “HS512”, “RS256”, “RS384”, “RS512”, “ES256”, “ES384”, “ES512”, “PS256”, “PS384”, “PS512”.

  • verification_keystore (str, optional) – When signature algorithm requires a certificate, the keystore which contains the selected certificate to perform the signing. When signature algorithm does not require a certificate, this property is invalid. Cannot be specified if using a JWK URL.

  • verification_key_alias (str, optional) – When signature algorithm requires a certificate, the alias of the public key in the selected keystore to use in signature verification. Cannot be specified if using a JWK URL.

  • jwks_url (str, optional) – When signature algorithm requires a certificate, the JWK endpoint of the provider. If a metadata endpoint is specified in BasicConfigurationData, the JWK URL will be read from metadata information. Cannot be specified if using a signingKeyLabel.

  • key_mgmt_alg (str, optional) – The key management algorithm to use. Supported values are “none”, “dir”, “A128KW”, “A192KW”, “A256KW”, “A128GCMKW”, “A192GCMKW”, “A256GCMKW”, “ECDH-ES”, “ECDH-ES+A128KW”, “ECDH-ES+A192KW”, “ECDH-ES+A256KW”, “RSA-OAEP”, “RSA-OAEP-256”.

  • content_encrypt_alg (str, optional) – The content encryption algorithm to use. Supported values are “none”, “A128CBC-HS256”, “A192CBC-HS384”, “A256CBC-HS512”, “A128GCM”, “A192GCM”, “A256GCM”.

  • decryption_keystore (str, optional) – When key management algorithm requires a certificate, the keystore which contains the selected certificate to perform JWT decryption. When key management algorithm does not require a certificate, this property is invalid.

  • decryption_key_alias (str, optional) – When key management algorithm requires a certificate, the alias of the private key in the selected keystore to perform JWT decryption.

  • scope (list of str, optional) – An array of strings that identify the scopes to request from the provider. Defaults to [“openid”].

  • perform_user_info (bool, optional) – A setting that specifies whether to perform user info request automatically whenever possible.

  • token_endpoint_auth (str) – The token endpoint authentication method. Valid values are “client_secret_basic” and “client_secret_post”.

  • attribute_mappings (list of dict, optional) –

    List of configured attribute sources. Format of dictionary is:

    [
        {"name":"email",
        "source": "ldap"
        },
        {"name":"preferred_name",
        "source":"credential"
        }
    ]
    

  • identity_delegate_id (str) – The active mapping module instance. Valid values are “skip-identity-map”, “default-map” and “default-http-custom-map”.

  • identity_mapping_rule (str) – A reference to an ID of an identity mapping rule.

  • identity_auth_type (str, optional) – Authentication method used when contacting external service. Supported values are NONE, BASIC or CERTIFICATE.

  • identity_ba_user (str, optional) – Username for authentication to external service.

  • identity_ba_password (str, optional) – Password for authentication to external service.

  • identity_client_keystore (str, optional) – Contains key for HTTPS client authentication.

  • identity_client_key_alias (str, optional) – Alias of the key for HTTPS client authentication.

  • identity_issuer_uri (str, optional) – Refers to STS chain that provides input for callout request.

  • identity_msg_fmt (str, optional) – Message format of callout request.

  • identity_ssl_keystore (str, optional) – SSL certificate trust store to use when validating SSL certificate of external service.

  • identity_uri (str) – Address of destination server to call out to.

  • adv_config_delegate_id (str) – The active module instance. Valid values are “skip-advance-map” and “default-map”.

  • adv_config_rule_type (str, optional) – The type of the mapping rule. The only supported type currently is “JAVASCRIPT”.

  • adv_config_mapping_rule (str, optional) – A reference to an ID of an advance configuration.

Returns:

The response from Verify Identity Access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful, the id of the created partner can be accessed from the response.id_from_location attribute.

Return type:

Response
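The checks below are an added example, not pyivia code: they build the keyword arguments for create_oidc_rp_partner() and enforce the constraints this reference states for them (valid response types, token_endpoint with “code”, keystore versus JWK URL exclusivity, BASIC/CERTIFICATE callout prerequisites), plus one defender's check that signature_alg is not “none”. Hostnames, rule ids and the client secret are placeholders; the assumption that a metadata endpoint supplies the token endpoint is marked in the code.

```python
"""Sanity-check keyword arguments for Federations.create_oidc_rp_partner().

Added example; not part of pyivia. Only constraints stated in the reference
are enforced, plus the defender's check on signature_alg == "none".
"""
from typing import Any

RESPONSE_TYPES = {"code", "token", "id_token"}
SIGNATURE_ALGS = {"none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
                  "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}
TOKEN_ENDPOINT_AUTH = {"client_secret_basic", "client_secret_post"}
BASIC_DELEGATES = {"noMetadata", "metadataEndpointUrl"}
IDENTITY_DELEGATES = {"skip-identity-map", "default-map", "default-http-custom-map"}
CALLOUT_AUTH = {"NONE", "BASIC", "CERTIFICATE"}


def check_oidc_rp_partner(cfg: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the config passes."""
    problems: list[str] = []
    rts = set(cfg.get("response_types") or [])
    if rts - RESPONSE_TYPES:
        problems.append(f"unknown response_types: {sorted(rts - RESPONSE_TYPES)}")

    delegate = cfg.get("basic_delegate_id")
    if delegate not in BASIC_DELEGATES:
        problems.append("basic_delegate_id must be 'noMetadata' or 'metadataEndpointUrl'")
    if delegate == "metadataEndpointUrl" and not cfg.get("metadata_endpoint"):
        problems.append("metadataEndpointUrl delegate needs metadata_endpoint")
    # Assumption: with a metadata endpoint the token endpoint is discovered, so the
    # stated "token_endpoint required for 'code'" rule is applied to noMetadata only.
    if delegate == "noMetadata" and "code" in rts and not cfg.get("token_endpoint"):
        problems.append("response type 'code' requires token_endpoint")

    alg = cfg.get("signature_alg")
    if alg not in SIGNATURE_ALGS:
        problems.append(f"unsupported signature_alg: {alg!r}")
    elif alg == "none":
        # Defender's check: an unsigned ID token cannot be attributed to the provider.
        problems.append("signature_alg 'none' disables ID token signature verification")

    # A keystore-held verification key and a JWK URL are mutually exclusive.
    uses_keystore = cfg.get("verification_keystore") or cfg.get("verification_key_alias")
    if uses_keystore and cfg.get("jwks_url"):
        problems.append("verification_keystore/verification_key_alias cannot be combined with jwks_url")

    if cfg.get("token_endpoint_auth") not in TOKEN_ENDPOINT_AUTH:
        problems.append("token_endpoint_auth must be client_secret_basic or client_secret_post")
    if "openid" not in (cfg.get("scope") or ["openid"]):   # default scope is ["openid"]
        problems.append("scope must include 'openid' for an OIDC partner")

    for i, mapping in enumerate(cfg.get("attribute_mappings") or []):
        if not (mapping.get("name") and mapping.get("source")):
            problems.append(f"attribute_mappings[{i}] needs both 'name' and 'source'")

    if cfg.get("identity_delegate_id") not in IDENTITY_DELEGATES:
        problems.append("identity_delegate_id must be skip-identity-map, default-map or default-http-custom-map")
    auth = cfg.get("identity_auth_type")
    if auth is not None and auth not in CALLOUT_AUTH:
        problems.append("identity_auth_type must be NONE, BASIC or CERTIFICATE")
    if auth == "BASIC" and not (cfg.get("identity_ba_user") and cfg.get("identity_ba_password")):
        problems.append("BASIC callout auth needs identity_ba_user and identity_ba_password")
    if auth == "CERTIFICATE" and not (cfg.get("identity_client_keystore") and cfg.get("identity_client_key_alias")):
        problems.append("CERTIFICATE callout auth needs identity_client_keystore and identity_client_key_alias")
    return problems


def example_rp_partner() -> dict[str, Any]:
    """Constructed code-flow RP partner; hostnames, rule id and secret are placeholders."""
    return {
        "name": "example-idp",
        "role": "rp",
        "client_id": "verify-access-rp",
        "client_secret": "REPLACE-WITH-REAL-SECRET",  # "" would declare a public client
        "basic_delegate_id": "noMetadata",
        "issuer_uri": "https://idp.example.com",
        "response_types": ["code"],
        "auth_endpoint": "https://idp.example.com/authorize",
        "token_endpoint": "https://idp.example.com/token",
        "user_info_endpoint": "https://idp.example.com/userinfo",
        "signature_alg": "RS256",
        "jwks_url": "https://idp.example.com/jwks",
        "scope": ["openid", "email"],
        "token_endpoint_auth": "client_secret_basic",
        "attribute_mappings": [{"name": "email", "source": "credential"}],
        "identity_delegate_id": "default-map",
        "identity_mapping_rule": "oidc_rp_identity_rule_id",  # placeholder mapping rule id
    }


if __name__ == "__main__":
    cfg = example_rp_partner()
    problems = check_oidc_rp_partner(cfg)
    if problems:
        raise SystemExit("\n".join(problems))
    # Against a reachable appliance the documented call is (placeholder credentials and id):
    # from pyivia.core.federation.federations import Federations
    # resp = Federations("https://isva.example.com", "admin", "password").create_oidc_rp_partner("<federation id>", **cfg)
    # print(resp.success, resp.id_from_location)
```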

create_saml_federation(name=None, role=None, template_name=None, access_policy=None, artifact_lifetime=None, assertion_attr_types=[], assertion_session_not_after=None, assertion_multi_attr_stmt=None, assertion_valid_before=None, assertion_valid_after=None, artifact_resolution_services=[], attribute_mappings=[], company_name=None, encrypt_block_alg=None, encrypt_key_transport_alg=None, encrypt_key_alias=None, encrypt_key_store=None, encrypt_name_id=None, encrypt_assertions=None, encrypt_assertion_attrs=None, decrypt_key_alias=None, decrypt_key_store=None, identity_delegate_id=None, identity_rule_type='JAVASCRIPT', identity_rule_id=None, identity_applies_to=None, identity_auth_type=None, identity_ba_user=None, identity_ba_password=None, identity_client_keystore=None, identity_client_key_alias=None, identity_issuer_uri=None, identity_msg_fmt=None, identity_ssl_keystore=None, identity_uri=None, ext_delegate_id=None, ext_mapping_rule=None, manage_name_id_services=[], msg_valid_time=None, msg_issuer_fmt=None, msg_issuer_name_qualifier=None, name_id_default=None, name_id_supported=[], consent_to_federate=True, exclude_session_index_logout_request=False, poc_url=None, provider_id=None, session_timeout=None, sign_alg=None, sign_digest_alg=None, sign_valid_key_store=None, sign_valid_key_alias=None, sign_assertion=None, sign_authn_rsp=None, sign_arti_req=None, sign_arti_rsp=None, sign_logout_req=None, sign_logout_rsp=None, sign_name_id_req=None, sign_name_id_rsp=None, validate_auth_req=None, validate_assert=None, validate_arti_req=None, validate_arti_rsp=None, validate_logout_req=None, validate_logout_rsp=None, validate_name_id_req=None, validate_name_id_rsp=None, transform_include_namespace=None, sign_include_pubkey=None, sign_include_cert=None, sign_include_issuer=None, sign_include_ski=None, sign_include_subject=None, sign_keystore=None, sign_key_alias=None, sso_svc_data=[], slo_svc_data=[], alias_svc_db_type=None, alias_svc_ldap_con=None, alias_svc_ldap_base_dn=None, assertion_consume_svc=[], authn_req_delegate_id=None, authn_req_mr=None)

Create a SAML 2.0 IDP or SP federation.

Parameters:
  • name (str) – The name of the federation

  • role (str) – The role of a federation: “ip” for a SAML 2.0 identity provider federation, and “sp” for a SAML 2.0 service provider federation.

  • template_name (str) – An identifier for the template on which to base this federation.

  • access_policy (str, optional) – The access policy that should be applied during single sign-on.

  • artifact_lifetime (int, optional) – The number of seconds that an artifact is valid. The default value is 120.

  • assertion_attr_types (list of str, optional) – A setting that specifies the types of attributes to include in the assertion.

  • assertion_session_not_after (int, optional) – The number of seconds after which the security context established for the principal should be discarded by the service provider. The default value is 3600.

  • assertion_multi_attr_stmt (bool, optional) – A setting that specifies whether to keep multiple attribute statements in the groups in which they were received.

  • assertion_valid_before (int, optional) – The number of seconds before the issue date that an assertion is considered valid.

  • assertion_valid_after (int, optional) – The number of seconds the assertion is valid after being issued.

  • artifact_resolution_services (list of dict, optional) –

    Endpoints where artifacts are exchanged for actual SAML messages. Required if artifact binding is enabled. Format of artifact resolution service data is:

    [
        {"binding":"soap",
         "default":false,
         "index":0,
         "url":"https://demo.com/endpoint"
        },
        {"binding":"soap",
         "default":true,
         "index":1,
         "url":"https://domain.com/endpoint"
        }
    ]
    

  • attribute_mappings (list of dict, optional) –

    The attribute mapping data. Format is:

    [
        {"name":"email",
         "source":"ldap_email"
        },
        {"name":"mobile",
         "source":"ldap_phone"
        }
    ]
    

  • company_name (str, optional) – The name of the company that creates the identity provider or service provider.

  • encrypt_block_alg (str, optional) – Block encryption algorithm used to encrypt and decrypt SAML message.

  • encrypt_key_transport_alg (str) – Key transport algorithm used to encrypt and decrypt keys.

  • encrypt_key_alias (str, optional) – The certificate for encryption of outgoing SAML messages.

  • encrypt_key_store (str, optional) – The certificate database name.

  • encrypt_name_id (bool, optional) – A setting that specifies whether the name identifiers should be encrypted.

  • encrypt_assertions (bool, optional) – A setting that specifies whether to encrypt assertions.

  • encrypt_assertion_attrs (bool, optional) – A setting that specifies whether to encrypt assertion attributes.

  • decrypt_key_alias (str, optional) – A public/private key pair that the federation partners can use to encrypt certain message content.

  • decrypt_key_store (str, optional) – The certificate database name.

  • identity_delegate_id (str) – The active identity mapping module instance.

  • identity_rule_type (str) – The type of the mapping rule. The only supported type currently is JAVASCRIPT.

  • identity_rule_id (str) – A reference to an ID of an identity mapping rule.

  • identity_applies_to (str) – Refers to STS chain that consumes callout response.

  • identity_auth_type (str) – Authentication method used when contacting external service.

  • identity_ba_user (str, optional) – Username for authentication to external service.

  • identity_ba_password (str, optional) – Password for authentication to external service.

  • identity_client_keystore (str, optional) – Contains key for HTTPS client authentication.

  • identity_client_key_alias (str, optional) – Alias of the key for HTTPS client authentication.

  • identity_issuer_uri (str) – Refers to STS chain that provides input for callout request.

  • identity_msg_fmt (str) – Message format of callout request. Supported values are XML or WSTRUST.

  • identity_ssl_keystore (str) – SSL certificate trust store to use when validating SSL certificate of external service.

  • identity_uri (str) – Address of destination server to call out to.

  • ext_delegate_id (str) – The active extension mapping module instance.

  • ext_mapping_rule (str) – A reference to an ID of an extension mapping rule.

  • manage_name_id_services (list of dict) – Endpoints that accept SAML name ID management requests or responses.

  • msg_valid_time (int, optional) – The number of seconds that a message is valid. The default value is 300.

  • msg_issuer_fmt (str, optional) – The format of the issuer of SAML message.

  • msg_issuer_name_qualifier (str) – The name qualifier of the issuer of SAML message.

  • name_id_default (str) – The name identifier format to use when the format attribute is not set, or is set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

  • name_id_supported (list of str) – The list of supported name identifier formats.

  • consent_to_federate (bool, optional) – A setting that specifies whether to ask user’s consent before linking the account.

  • exclude_session_index_logout_request (bool, optional) – A setting that specifies whether the LogoutRequest messages sent out from this entity will exclude SessionIndex during IP init SLO flow. The default value is false.

  • poc_url (str) – The endpoint URL of the point of contact server.

  • provider_id (str, optional) – A unique identifier that identifies the provider to its partner provider.

  • session_timeout (int, optional) – The number of seconds that the SAML session remains valid. The default value is 7200.

  • sign_alg (str) – The signature algorithm to sign and validate SAML messages and assertions.

  • sign_digest_alg (str) – The hash algorithm to apply to the transformed resources and validate its integrity.

  • sign_valid_key_store (str, optional) – The certificate validation database name.

  • sign_valid_key_alias (str, optional) – The signer certificate label used to validate the signatures on the incoming SAML assertions and messages.

  • sign_assertion (bool, optional) – A setting that specifies whether to sign the assertion. The default value is false.

  • sign_authn_rsp (bool, optional) – A setting that specifies whether to sign the authentication responses. The default value is false.

  • sign_arti_req (bool, optional) – A setting that specifies whether to sign the artifact request. The default value is false.

  • sign_arti_rsp (bool, optional) – A setting that specifies whether to sign the artifact response. The default value is false.

  • sign_logout_req (bool, optional) – A setting that specifies whether to sign the logout request. The default value is false.

  • sign_logout_rsp (bool, optional) – A setting that specifies whether to sign the logout response. The default value is false.

  • sign_name_id_req (bool, optional) – A setting that specifies whether to sign the name ID management request. The default value is false.

  • sign_name_id_rsp (bool, optional) – A setting that specifies whether to sign the name ID management response. The default value is false.

  • validate_auth_req (bool, optional) – A setting that specifies whether to validate the digital signature of an authentication request. The default value is false.

  • validate_assert (bool, optional) – A setting that specifies whether to validate the digital signature of an assertion. The default value is false.

  • validate_arti_req (bool) – A setting that specifies whether to validate the digital signature of an artifact request.

  • validate_arti_rsp (bool) – A setting that specifies whether to validate the digital signature of an artifact response.

  • validate_logout_req (bool) – A setting that specifies whether to validate the digital signature of a logout request.

  • validate_logout_rsp (bool) – A setting that specifies whether to validate the digital signature of a logout response.

  • validate_name_id_req (bool) – A setting that specifies whether to validate the digital signature of a name ID management request.

  • validate_name_id_rsp (bool) – A setting that specifies whether to validate the digital signature of a name ID management response.

  • transform_include_namespace (bool, optional) – A setting that specifies whether to include the InclusiveNamespaces element in the digital signature.

  • sign_include_pubkey (bool, optional) – A setting that specifies whether to include the public key in the KeyInfo element in the digital signature when signing a SAML message or assertion. The default value is false.

  • sign_include_cert (bool, optional) – A setting that specifies whether to include the base64-encoded certificate data in the KeyInfo element in the digital signature when signing a SAML message or assertion. The default value is true.

  • sign_include_issuer (bool, optional) – A setting that specifies whether to include the issuer name and the certificate serial number in the KeyInfo element in the digital signature when signing a SAML message or assertion. The default value is false.

  • sign_include_ski (bool, optional) – A setting that specifies whether to include the X.509 subject key identifier in the KeyInfo element in the digital signature when signing a SAML message or assertion. The default value is false.

  • sign_include_subject (bool, optional) – A setting that specifies whether to include the subject name in the KeyInfo element in the digital signature when signing a SAML message or assertion. The default value is false.

  • sign_keystore (str, optional) – The certificate database which contains the private key used to sign messages.

  • sign_key_alias (str, optional) – The personal public/private key pair for signing the SAML messages and the assertion. If not provided, the default value is null.

  • sso_svc_data (list of dict) – Endpoints at an Identity Provider that accept SAML authentication requests. Format of dictionary is {"binding":"post","url":"https://my.idp.com"}.

  • slo_svc_data (list of dict) – Endpoints that accept SAML logout requests or responses. Format of dictionary is {"binding":"post","url":"https://my.idp.com"}.

  • alias_svc_db_type (str) – A setting that specifies whether the user’s alias is stored in jdbc or ldap.

  • alias_svc_ldap_con (str) – A setting that specifies the LDAP Connection to store the alias.

  • alias_svc_ldap_base_dn (str) – A setting that specifies the LDAP BaseDN to search for the user.

  • assertion_consume_svc (list of dict) – Endpoints at a Service Provider that receive SAML assertions. Format of dictionary is {"binding":"artifact","default":False,"index":1,"url":"https://my.sp.com"}.

  • authn_req_delegate_id (str) – The active mapping module instance. Valid values are “skip-authn-request-map” and “default-map”.

  • authn_req_mr (str) – A reference to an ID of an authentication request rule.

Returns:

The response from Verify Identity Access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful, the id of the created federation can be accessed from the response.id_from_location attribute.

Return type:

Response
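As an added example (not pyivia code), the checker below validates the endpoint dictionaries for create_saml_federation() in the format this reference shows, enforces the stated rule that artifact resolution services are required once the artifact binding is used, and applies two defender's checks on the signing flags: an SP federation should set validate_assert (the default is false) and an IdP federation should sign its assertions or authentication responses. Hostnames, the template name and the rule id in the sample config are placeholders; accepting “redirect” as a binding goes beyond the bindings shown on the page and is an assumption.

```python
"""Sanity-check keyword arguments for Federations.create_saml_federation().

Added example; not part of pyivia. Endpoint dictionaries follow the
{"binding", "default", "index", "url"} shape shown in the reference.
"""
from typing import Any

# Page shows post, soap and artifact; "redirect" is the standard SAML HTTP-Redirect binding (assumption).
BINDINGS = {"post", "redirect", "artifact", "soap"}


def _check_endpoints(label: str, endpoints: list[dict[str, Any]], indexed: bool) -> list[str]:
    """Validate one endpoint list: known binding, https URL, unique index and at most one default."""
    problems: list[str] = []
    indexes: set[Any] = set()
    defaults = 0
    for i, ep in enumerate(endpoints):
        if ep.get("binding") not in BINDINGS:
            problems.append(f"{label}[{i}]: unknown binding {ep.get('binding')!r}")
        url = ep.get("url") or ""
        if not url.startswith("https://"):
            problems.append(f"{label}[{i}]: url must be https, got {url!r}")
        if indexed:
            idx = ep.get("index")
            if not isinstance(idx, int) or idx in indexes:
                problems.append(f"{label}[{i}]: index must be a unique integer")
            indexes.add(idx)
            defaults += bool(ep.get("default"))
    if defaults > 1:
        problems.append(f"{label}: at most one endpoint may be default=True")
    return problems


def check_saml_federation(cfg: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the config passes."""
    problems: list[str] = []
    role = cfg.get("role")
    if role not in {"ip", "sp"}:
        problems.append("role must be 'ip' or 'sp'")
    sso = cfg.get("sso_svc_data") or []
    slo = cfg.get("slo_svc_data") or []
    acs = cfg.get("assertion_consume_svc") or []
    ars = cfg.get("artifact_resolution_services") or []
    problems += _check_endpoints("sso_svc_data", sso, indexed=False)
    problems += _check_endpoints("slo_svc_data", slo, indexed=False)
    problems += _check_endpoints("assertion_consume_svc", acs, indexed=True)
    problems += _check_endpoints("artifact_resolution_services", ars, indexed=True)
    # Stated prerequisite: artifact resolution services are required if artifact binding is enabled.
    if any(ep.get("binding") == "artifact" for ep in sso + slo + acs) and not ars:
        problems.append("artifact binding in use but artifact_resolution_services is empty")
    if role == "sp":
        if not acs:
            problems.append("an SP federation needs at least one assertion_consume_svc endpoint")
        if not cfg.get("validate_assert"):
            # Defender's check: without signature validation any well-formed assertion is accepted.
            problems.append("SP federation should set validate_assert=True (default is false)")
    if role == "ip":
        if not sso:
            problems.append("an IdP federation needs at least one sso_svc_data endpoint")
        signs = cfg.get("sign_assertion") or cfg.get("sign_authn_rsp")
        if not signs:
            problems.append("IdP federation should set sign_assertion or sign_authn_rsp (defaults are false)")
        elif not (cfg.get("sign_keystore") and cfg.get("sign_key_alias")):
            problems.append("signing is enabled but sign_keystore / sign_key_alias is not set")
    for name in ("assertion_valid_before", "assertion_valid_after", "msg_valid_time"):
        val = cfg.get(name)
        if val is not None and (not isinstance(val, int) or val < 0):
            problems.append(f"{name} must be a non-negative number of seconds")
    return problems


def example_sp_federation() -> dict[str, Any]:
    """Constructed SP federation; hostnames, template name and rule id are placeholders."""
    return {
        "name": "example-sp",
        "role": "sp",
        "template_name": "saml20-sp-template-id",
        "provider_id": "https://sp.example.com/saml20",
        "poc_url": "https://sp.example.com",
        "company_name": "Example Corp",
        "assertion_consume_svc": [
            {"binding": "post", "default": True, "index": 0, "url": "https://sp.example.com/saml20/login"},
            {"binding": "artifact", "default": False, "index": 1, "url": "https://sp.example.com/saml20/login"},
        ],
        "artifact_resolution_services": [
            {"binding": "soap", "default": True, "index": 0, "url": "https://sp.example.com/saml20/soap"},
        ],
        "slo_svc_data": [{"binding": "post", "url": "https://sp.example.com/saml20/slo"}],
        "validate_assert": True,
        "validate_logout_req": True,
        "assertion_valid_before": 60,
        "assertion_valid_after": 60,
        "attribute_mappings": [{"name": "email", "source": "ldap_email"}],
        "identity_delegate_id": "default-map",
        "identity_rule_id": "saml20_sp_identity_rule_id",
    }
```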

create_saml_partner(federation_id, name=None, enabled=False, role=None, template_name=None, access_policy=None, artifact_resolution_services=[], assertion_consume_svc=[], assertion_valid_before=None, assertion_valid_after=None, assertion_attr_types=[], assertion_session_not_after=None, assertion_multi_attr_stmt=None, attribute_mappings=[], decrypt_key_store=None, decrypt_key_alias=None, encrypt_block_alg=None, encrypt_key_transport_alg=None, encrypt_key_store=None, encrypt_key_alias=None, encrypt_name_id=None, encrypt_assertions=None, encrypt_assertion_attrs=None, identity_delegate_id=None, identity_rule_type='JAVASCRIPT', identity_mr=None, identity_applies_to=None, identity_auth_type=None, identity_ba_user=None, identity_ba_password=None, identity_client_key_store=None, identity_client_key_alias=None, identity_issuer_uri=None, identity_mgs_fmt=None, identity_ssl_key_store=None, identity_uri=None, ext_delegate_id=None, ext_mr=None, include_fed_id_in_partner_id=None, logout_req_lifetime=None, manage_name_id_services=[], name_id_default=None, name_id_supported=[], provider_id=None, session_timeout=None, sign_include_pub_key=None, sign_include_cert=None, sign_include_issuer=None, sign_include_ski=None, sign_include_subject=None, sign_key_store=None, sign_key_alias=None, sign_arti_request=None, sign_arti_rsp=None, sign_assertion=None, sign_authn_rsp=None, sign_logout_req=None, sign_logout_rsp=None, sign_name_id_req=None, sign_name_id_rsp=None, key_selection_criteria=None, transform_include_namespace=None, validate_assertion=None, validate_authn_req=None, validate_arti_req=None, validate_arti_rsp=None, validate_logout_req=None, validate_logout_rsp=None, validate_name_id_req=None, validate_name_id_rsp=None, sign_alg=None, sign_digest_alg=None, validation_key_store=None, validation_key_alias=None, slo_svc=[], soap_key_store=None, soap_key_alias=None, soap_client_auth_method=None, soap_client_auth_ba_user=None, soap_client_auth_ba_password=None, soap_client_auth_key_store=None, soap_client_auth_key_alias=None, anon_user_name=None, force_authn_to_federate=None, authn_req_delegate_id=None, authn_req_mr=None, map_unknown_alias=None, sso_svc=[], default_target_url=None)

Create a SAML 2.0 IDP or SP Partner.

Parameters:
  • federation_id (str) – The system-assigned federation identifier.

  • name (str) – A meaningful name to identify this partner.

  • enabled (bool) – Whether to enable the partner.

  • role (str) – The role this partner plays in its federation: “ip” for a SAML 2.0 identity provider partner, and “sp” for a SAML 2.0 service provider partner.

  • template_name (str) – An identifier for the template on which to base this partner.

  • access_policy (str) – The access policy that should be applied during single sign-on.

  • artifact_resolution_services (list of dict) – Partner’s endpoints where artifacts are exchanged for actual SAML messages. Required if artifact binding is enabled. Format of dictionary is {"binding":"post","default":True,"index":1,"url":"https://my.idp.com"}.

  • assertion_consume_svc (list of dict) – Endpoints at a Service Provider that receive SAML assertions. Format of dictionary is {"binding":"post","default":True,"index":1,"url":"https://my.idp.com"}.

  • assertion_valid_before (int, optional) – The number of seconds before the issue date that an assertion is considered valid.

  • assertion_valid_after (int, optional) – The number of seconds the assertion is valid after being issued.

  • assertion_attr_types (list of str) – A setting that specifies the types of attributes to include in the assertion.

  • assertion_session_not_after (int, optional) – The number of seconds after which the security context established for the principal should be discarded by the service provider.

  • assertion_multi_attr_stmt (bool, optional) – A setting that specifies whether to keep multiple attribute statements in the groups in which they were received.

  • attribute_mappings (list of dict, optional) – The attribute mapping data. Format of the dictionary is {"name":"email_address","source":"LDAP"}.

  • decrypt_key_store (str, optional) – The certificate database name which contains the key to decrypt messages.

  • decrypt_key_alias (str, optional) – A public/private key pair that the federation partners can use to encrypt certain message content.

  • encrypt_block_alg (str) – Block encryption algorithm used to encrypt and decrypt SAML message.

  • encrypt_key_transport_alg (str) – Key transport algorithm used to encrypt and decrypt keys.

  • encrypt_key_store (str, optional) – The certificate database name which contains the key to encrypt SAML messages.

  • encrypt_key_alias (str, optional) – The certificate for encryption of outgoing SAML messages.

  • encrypt_name_id (bool) – A setting that specifies whether the name identifiers should be encrypted.

  • encrypt_assertions (bool) – A setting that specifies whether to encrypt assertions.

  • encrypt_assertion_attrs (bool) – A setting that specifies whether to encrypt assertion attributes.

  • identity_delegate_id (str) – The active mapping module instance. Valid values are “skip-identity-map”, “default-map” and “default-http-custom-map”.

  • identity_rule_type (str, optional) – The type of the mapping rule. The only supported type currently is JAVASCRIPT.

  • identity_mr (str, optional) – A reference to an ID of an identity mapping rule.

  • identity_applies_to (str, optional) – Refers to STS chain that consumes callout response.

  • identity_auth_type (str, optional) – Authentication method used when contacting external service. Supported values are NONE, BASIC or CERTIFICATE.

  • identity_ba_user (str, optional) – Username for authentication to external service.

  • identity_ba_password (str, optional) – Password for authentication to external service.

  • identity_ssl_key_store (str) – Contains key for HTTPS client authentication.

  • identity_client_key_alias (str, optional) – Alias of the key for HTTPS client authentication.

  • identity_issuer_uri (str, optional) – Refers to STS chain that provides input for callout request.

  • identity_mgs_fmt (str, optional) – Message format of callout request.

  • identity_ssl_key_store – SSL certificate trust store to use when validating the SSL certificate of the external service.

  • assertionValidAfter – A setting that specifies whether to append the federation ID to the partner ID when mapping user aliases.

  • logout_req_lifetime (int, optional) – A setting that specifies Logout request lifetime in number of seconds.

  • manage_name_id_services (list of dict) – Partner’s endpoints that accept SAML name ID management requests or responses. Format of dictionary is {“binding”:”soap”,”url”:”https://my.sp.com”}

  • name_id_default (str, optional) – The name identifier format to use when the format attribute is not set, or is set to “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”.

  • name_id_supported (list of str, optional) – The list of supported name identifier formats.

  • provider_id (str) – A unique identifier that identifies the partner.

  • session_timeout (int, optional) – The number of seconds that the SAML session remains valid. The default value is 7200.

  • sign_include_pub_key (bool, optional) – A setting that specifies whether to include the public key in the KeyInfo element in the digital signature when signing a SAML message or assertion.

  • sign_include_cert (bool, optional) – A setting that specifies whether to include the base64-encoded certificate data in the KeyInfo element in the digital signature when signing a SAML message or assertion.

  • sign_include_issuer (bool, optional) – A setting that specifies whether to include the issuer name and the certificate serial number in the KeyInfo element in the digital signature when signing a SAML message or assertion.

  • sign_include_ski (bool, optional) – A setting that specifies whether to include the X.509 subject key identifier in the KeyInfo element in the digital signature when signing a SAML message or assertion.

  • sign_include_subject (bool, optional) – A setting that specifies whether to include the subject name in the KeyInfo element in the digital signature when signing a SAML message or assertion.

  • sign_key_store (str) – The certificate database name which contains the private key to sign SAML messages.

  • sign_key_alias (str) – A public/private key pair for signing the SAML messages and the assertion.

  • sign_arti_request (bool, optional) – A setting that specifies whether to sign the artifact request.

  • sign_arti_rsp (bool, optional) – A setting that specifies whether to sign the artifact response.

  • sign_assertion (bool, optional) – A setting that specifies whether to sign the assertion.

  • sign_authn_rsp (bool, optional) – A setting that specifies whether to sign the authentication responses.

  • sign_logout_req (bool, optional) – A setting that specifies whether to sign the logout request.

  • sign_logout_rsp (bool, optional) – A setting that specifies whether to sign the logout response.

  • sign_name_id_req (bool, optional) – A setting that specifies whether to sign the name ID management request.

  • sign_name_id_rsp (bool, optional) – A setting that specifies whether to sign the name ID management response.

  • key_selection_criteria (str, optional) – This property applies to the SAML2 Federation only. The possible values are default, only.alias, shortest.lifetime and longest.lifetime. If default is selected, the value falls back to the Advanced Configuration setting.

  • transform_include_namespace (bool, optional) – A setting that specifies whether to include the InclusiveNamespaces element in the digital signature.

  • validate_assertion (bool, optional) – A setting that specifies whether to validate the digital signature of an assertion.

  • validate_authn_req (bool, optional) – A setting that specifies whether to validate the digital signature of an authentication request.

  • validate_arti_req (bool, optional) – A setting that specifies whether to validate the digital signature of an artifact request.

  • validate_arti_rsp (bool, optional) – A setting that specifies whether to validate the digital signature of an artifact response.

  • validate_logout_req (bool, optional) – A setting that specifies whether to validate the digital signature of a logout request.

  • validate_logout_rsp (bool, optional) – A setting that specifies whether to validate the digital signature of a logout response.

  • validate_name_id_req (bool, optional) – A setting that specifies whether to validate the digital signature of a name ID management request.

  • validate_name_id_rsp (bool, optional) – A setting that specifies whether to validate the digital signature of a name ID management response.

  • sign_alg (str) – The signature algorithm to sign and validate SAML messages and assertions.

  • sign_digest_alg (str) – The hash algorithm to apply to the transformed resources and validate its integrity.

  • validation_key_store (str, optional) – The certificate database which contains the validation public key.

  • validation_key_alias (str, optional) – The certificate to use to validate the signatures on the incoming SAML assertions and messages.

  • slo_svc (list of dict) – Partner’s endpoints that accept SAML logout requests or responses. Format of dictionary is {“binding”:”post”,”url”:”https://my.idp.com”}.

  • soap_key_store (str, optional) – The certificate database name to verify TLS connections.

  • soap_key_alias (str, optional) – The server certificate validation certificate.

  • soap_client_auth_method (str, optional) – The authentication method.

  • soap_client_auth_ba_user (str, optional) – The basic authentication username.

  • soap_client_auth_ba_password (str) – The basic authentication password.

  • soap_client_auth_key_store (str, optional) – The certificate database name which contains the client private key.

  • soap_client_auth_key_alias (str, optional) – The private key to use for the client.

  • anon_user_name (str, optional) – This is a one-time name identifier that allows a user to access a service through an anonymous identity.

  • force_authn_to_federate (bool, optional) – A setting that specifies whether to force the user to authenticate before linking the account.

  • authn_req_delegate_id (str) – The active mapping module instance. Valid values are “skip-authn-request-map”, “federation-config” and “default-map”.

  • authn_req_mr (str) – A reference to an ID of an authentication request rule.

  • map_unknown_alias (bool, optional) – A setting that specifies whether to map non-linked persistent name ID to one-time username.

  • sso_svc (list of dict) – Partner’s endpoints that accept SAML authentication requests. Format of dictionary is {“binding”:”post”,”url”:”https://my.idp.com”}.

  • default_target_url (str, optional) – Default URL where end-user will be redirected after the completion of single sign-on.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created partner can be accessed from the response.id_from_location attribute

Return type:

Response
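As an added example (not pyivia's own code), a pre-flight audit of the SAML partner keyword arguments documented above before they are handed to the create call: it flags disabled signature validation, missing key material, outbound messages left unsigned, SHA-1 based algorithms, non-HTTPS partner endpoints and generous time windows. Dictionary keys follow the parameter names in this docstring; the sample partner, the 300-second skew limit and the "sha1" substring test are assumptions of this example, not product rules.

```python
"""Pre-flight audit of SAML partner keyword arguments (added example, not pyivia code)."""
from urllib.parse import urlparse

# Parameter names follow the docstring above.  The skew limit and the "sha1"
# substring test are local policy assumptions, not product rules.
SIGN_FLAGS = ("sign_assertion", "sign_authn_rsp", "sign_logout_req", "sign_logout_rsp",
              "sign_name_id_req", "sign_name_id_rsp", "sign_arti_request", "sign_arti_rsp")
VALIDATE_FLAGS = ("validate_assertion", "validate_authn_req", "validate_logout_req",
                  "validate_logout_rsp", "validate_name_id_req", "validate_name_id_rsp",
                  "validate_arti_req", "validate_arti_rsp")
ENDPOINT_LISTS = ("sso_svc", "slo_svc", "manage_name_id_services")
MAX_CLOCK_SKEW = 300            # seconds of assertion_valid_before tolerated (assumption)
DEFAULT_SESSION_TIMEOUT = 7200  # documented default for session_timeout


def audit_saml_partner(cfg):
    """Return findings as a list of {"severity", "param", "message"} dicts."""
    findings = []

    def add(severity, param, message):
        findings.append({"severity": severity, "param": param, "message": message})

    # 1. A validate_* flag set to False means an unsigned message of that kind is accepted.
    for flag in VALIDATE_FLAGS:
        if cfg.get(flag) is False:
            add("high", flag, "signature validation disabled; unsigned messages are accepted")
    if cfg.get("validate_assertion") is not True:
        add("high", "validate_assertion", "assertion signature validation is not enabled")

    # 2. Validation needs a trust anchor: the partner's public certificate.
    if any(cfg.get(f) for f in VALIDATE_FLAGS):
        for key in ("validation_key_store", "validation_key_alias"):
            if not cfg.get(key):
                add("high", key, "validation enabled but no validation certificate configured")

    # 3. Signing needs our private key; selected outbound messages must not go out unsigned.
    if any(cfg.get(f) for f in SIGN_FLAGS):
        for key in ("sign_key_store", "sign_key_alias"):
            if not cfg.get(key):
                add("high", key, "signing enabled but no signing key configured")
    for flag in ("sign_authn_rsp", "sign_logout_req", "sign_logout_rsp"):
        if cfg.get(flag) is False:
            add("medium", flag, "outbound message will be sent unsigned")

    # 4. Algorithm hygiene: SHA-1 based signature or digest algorithms are deprecated.
    for key in ("sign_alg", "sign_digest_alg"):
        if "sha1" in str(cfg.get(key, "")).lower():
            add("medium", key, "SHA-1 based algorithm selected: %s" % cfg[key])

    # 5. Partner endpoints ({"binding": ..., "url": ...}) must be HTTPS.
    for key in ENDPOINT_LISTS:
        for endpoint in cfg.get(key) or []:
            url = endpoint.get("url", "")
            if urlparse(url).scheme != "https":
                add("high", key, "non-HTTPS partner endpoint: %s" % url)

    # 6. Time windows: generous clock skew or long sessions widen the replay window.
    skew = cfg.get("assertion_valid_before")
    if skew is not None and skew > MAX_CLOCK_SKEW:
        add("low", "assertion_valid_before",
            "clock skew allowance %ds exceeds %ds" % (skew, MAX_CLOCK_SKEW))
    timeout = cfg.get("session_timeout")
    if timeout is not None and timeout > DEFAULT_SESSION_TIMEOUT:
        add("low", "session_timeout",
            "SAML session %ds exceeds the documented default of %ds" % (timeout, DEFAULT_SESSION_TIMEOUT))

    # 7. Assertion encryption is optional in the product; surface it when absent.
    if not cfg.get("encrypt_assertions"):
        add("info", "encrypt_assertions", "assertions will not be encrypted")
    return findings


# Constructed sample: the kwargs an operator might be about to pass to the create call.
SAMPLE_PARTNER = {
    "name": "example-idp",
    "provider_id": "https://idp.example.test/saml",
    "sso_svc": [{"binding": "post", "url": "https://idp.example.test/sso"}],
    "slo_svc": [{"binding": "post", "url": "http://idp.example.test/slo"}],
    "validate_assertion": True,
    "validate_logout_req": False,
    "validation_key_store": "rt_profile_keys",
    "validation_key_alias": "idp-signing",
    "sign_authn_rsp": True,
    "sign_logout_req": True,
    "sign_key_store": "rt_profile_keys",
    "sign_key_alias": "sp-signing",
    "sign_alg": "RSA-SHA1",
    "sign_digest_alg": "SHA256",
    "assertion_valid_before": 600,
    "session_timeout": 7200,
    "encrypt_assertions": False,
}

if __name__ == "__main__":
    for finding in audit_saml_partner(SAMPLE_PARTNER):
        print("[%s] %s: %s" % (finding["severity"].upper(), finding["param"], finding["message"]))
```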

delete_federation(federation_id)

Delete a federation configuration.

Parameters:

federation_id (str) – The id of the federation to delete.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_partner(federation_id, partner_id)

Delete a partner configuration from a federation.

Parameters:
  • federation_id (str) – The id of the federation to modify.

  • partner_id (str) – The id of the partner to remove.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

export_federation_metadata(fed_id=None, metadata_file=None)

Export a federation’s metadata XML file.

Parameters:
  • fed_id (str) – The system-assigned federation identifier.

  • metadata_file (str) – File name to export metadata to.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_federation(federation_id=None)

Get a federation configuration.

Parameters:

federation_id (str) – The unique id of the federation

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the federation configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_partner(federation_id, partner_id=None)

Get a partner configuration from a federation.

Parameters:
  • federation_id (str) – The id of the federation.

  • partner_id (str) – The id of the partner to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the federation partner configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

import_federation_partner(fed_id=None, name=None, metadata=None)

Import an XML metadata document as a Federation partner.

Parameters:
  • fed_id (str) – The system-assigned federation identifier.

  • name (str) – Name of the partner to create.

  • metadata (str) – Path to file to import as a federation partner.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

list_federations()

List the configured federations.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the federation configuration list is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_partners(federation_id)

List the partners configured for a given federation.

Parameters:

federation_id (str) – Unique ID of the federation to get partner configuration for.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the federation partner configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Access Policies

class pyivia.core.federation.accesspolicy.AccessPolicy(base_url, username, password)
create_policy(policy_name=None, category=None, policy_type='JavaScript', content=None)

Create an access policy for single sign-on federations

Parameters:
  • policy_name (str) – A unique name for the access policy.

  • category (str) – A grouping of related access policies. Valid values are: “InfoMap”, “AuthSVC”, “OAUTH”,”OTP”, “OIDC” and “SAML2_0”.

  • policy_type (str, optional) – System default type for each access policy.

  • content (str) – Contents of the access policy rule.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the create access policy can be accessed from the response.id_from_location attribute.

Return type:

Response

delete_policy(policy_id=None)

Delete a specific access policy.

Parameters:

policy_id (str) – The id of the policy to delete.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_policy(policy_id=None)

Get a specific access policy.

Parameters:

policy_id (str) – The id of the policy to fetch.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the access policy is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_policies(_filter=None)

Get the configured access policies.

Parameters:

_filter (str, optional) – Filter to apply to the returned access policies.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the access policies are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update_policy(policy_id=None, content=None)

Update an existing access policy.

Parameters:
  • policy_id (str) – The name of the access policy to be updated.

  • content (str) – The serialized content of the new JavaScript access policy.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

Alias Service

class pyivia.core.federation.aliasservice.AliasService(base_url, username, password)
create_alias_association(username=None, federation_id=None, type=None, aliases=[])

Create a new SAML alias service association.

Parameters:
  • username (str) – The user to associate aliases with.

  • federation_id (str) – The federation. To specify a partner as well as a federation, include the partner ID after the federation ID, separated by a pipe: federation_id|partner_id

  • type (str, optional) – The type of the aliases. Valid values are “self”, “partner”, or “old”. Defaults to “self”.

  • aliases (list of str) – An array of aliases to associate with the user.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created alias association can be accessed from the response.id_from_location attribute

Return type:

Response

delete_alias_association(id)

Delete an existing SAML alias service association.

Parameters:

id (str) – The Verify Identity Access assigned id of the alias.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the aliases are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_alias_settings()

Get the current alias service settings

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the alias service settings are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_alias_associations()

Get a list of existing SAML alias service associations.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the aliases are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_alias_association(id, username=None, federation_id=None, type=None, aliases=[])

Update an existing SAML alias service association.

Parameters:
  • id (str) – The Verify Identity Access assigned id of the alias.

  • username (str) – The user to associate aliases with.

  • federation_id (str) – The federation. To specify a partner as well as a federation, include the partner ID after the federation ID, separated by a pipe: federation_id|partner_id

  • type (str, optional) – The type of the aliases. Valid values are “self”, “partner”, or “old”. Defaults to “self”.

  • aliases (list of str) – An array of aliases to associate with the user.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update_alias_settings(db_type=None, ldap_connection=None, ldap_base_dn=None)

Update the current alias service settings.

Parameters:
  • db_type (str) – The alias database type, JDBC or LDAP.

  • ldap_connection (str) – The LDAP server connection name.

  • ldap_base_dn (str) – The baseDN to search for the user entry.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Attribute Sources

class pyivia.core.federation.attributesources.AttributeSources(base_url, username, password)
create_attribute_source(attribute_name=None, attribute_type=None, attribute_value=True, properties=None)

Create a new attribute source

Parameters:
  • attribute_name (str) – The name of the attribute.

  • attribute_type (str) – The type of the attribute source. Valid types are: credential, value, ldap.

  • attribute_value (str) – The value of the source attribute.

  • properties (list of dict) – The properties associated with an attribute source.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created attribute source can be accessed from the response.id_from_location attribute

Return type:

Response

delete_attribute_source(attribute_name=None)

Delete a configured attribute source

Parameters:

attribute_name (str) – The name of the attribute to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_attribute_source(attribute_name=None)

Get a configured attribute source

Parameters:

attribute_name (str) – The name of the attribute to get config for.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the attribute source is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_attribute_sources()

Get a list of the configured attribute sources

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the attribute sources are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_attribute_source(attribute_name=None, attribute_new_name=None, attribute_type=None, attribute_value=True, properties=None)

Update an existing attribute source

Parameters:
  • attribute_name (str) – The name of the attribute.

  • attribute_new_name (str, optional) – The new name of the attribute.

  • attribute_type (str) – The type of the attribute source. Valid types are: credential, value, ldap.

  • attribute_value (str) – The value of the source attribute.

  • properties (list of str) – The properties associated with an attribute source.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created attribute source can be accessed from the response.id_from_location attribute

Return type:

Response

Point of Contact (POC) Profile

class pyivia.core.federation.pointofcontact.PointOfContact(base_url, username, password)
create_profile(name, description=None, authenticate_callbacks=[], sign_in_callbacks=[], local_id_callbacks=[], sign_out_callbacks=[], authn_policy_callbacks=[])

Create a new Point of Contact profile.

Parameters:
  • name (str) – A meaningful name to identify this point of contact profile.

  • description (str, optional) – A description of the point of contact profile.

  • authenticate_callbacks (list of dict) –

    An array of callbacks for authentication. The format of the dictionary is:

    {
        "index":0,
        "moduleReferenceId":"websealPocAuthenticateCallback",
        "parameters": [
                        {"name":"authentication.level",
                         "value":"1"}
                    ]
    }
    

  • sign_in_callbacks (list of str) –

    An array of callbacks for sign in. The format of the dictionary is:

    {
        "index":0,
        "moduleReferenceId":"websealPocSignInCallback",
        "parameters": [
                        {"name":"fim.user.response.header.name",
                         "value":"am-fim-eai-user-id"}
                    ]
    }
    

  • local_id_callbacks (list of dict) –

    An array of callbacks for local identity. The format of the dictionary is:

    {
        "index":0,
        "moduleReferenceId":"websealPocLocalIdentityCallback",
        "parameters":[
                      {"name":"fim.cred.request.header.name",
                       "value":"iv-creds"}
                    ]
    }
    

  • sign_out_callbacks (list of dict) –

    An array of callbacks for sign out. The format of the dictionary is:

    {
        "index":0,
        "moduleReferenceId":"websealPocSignOutCallback",
        "parameters":[
                      {"name":"fim.user.session.id.request.header.name",
                       "value":"user_session_id"}
                    ]
    }
    

  • authn_policy_callbacks (list of dict) –

    An array of callbacks for authentication policy. The format of the dictionary is:

    {
        "index":0,
        "moduleReferenceId":"genericPocAuthnPolicyCallback",
        "parameters":[
                      {"name":"authentication.level",
                       "value":"1"}
                    ]
    }
    

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created PoC profile can be accessed from the response.id_from_location attribute

Return type:

Response
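As an added example (not pyivia's own code), helpers that build the five callback lists in the dictionary format shown above and check a list before it is passed to create_profile or update_profile: each callback needs index, moduleReferenceId and parameters, parameter values are strings even when numeric, and indexes must be unique and contiguous from 0. The module reference ids are those in the docstring; the header names and authentication level are constructed sample values.

```python
"""Point of Contact callback helpers (added example, not pyivia code)."""


def make_callback(index, module_reference_id, params):
    """Return one callback dict; every parameter value is serialised as a string."""
    return {
        "index": index,
        "moduleReferenceId": module_reference_id,
        "parameters": [{"name": name, "value": str(value)} for name, value in params.items()],
    }


def validate_callbacks(callbacks):
    """Return a list of problems (empty when the callback list is well formed)."""
    problems, indexes = [], []
    for pos, cb in enumerate(callbacks):
        missing = [k for k in ("index", "moduleReferenceId", "parameters") if k not in cb]
        if missing:
            problems.append("callback %d: missing %s" % (pos, ", ".join(missing)))
            continue
        if isinstance(cb["index"], int):
            indexes.append(cb["index"])
        else:
            problems.append("callback %d: index must be an int" % pos)
        if not isinstance(cb["parameters"], list):
            problems.append("callback %d: parameters must be a list" % pos)
            continue
        for param in cb["parameters"]:
            # Each parameter is exactly {"name": str, "value": str}; numbers are sent as strings.
            if (not isinstance(param, dict) or set(param) != {"name", "value"}
                    or not all(isinstance(v, str) for v in param.values())):
                problems.append("callback %d: parameter %r must be {name: str, value: str}" % (pos, param))
            elif param["name"] == "authentication.level" and not param["value"].isdigit():
                problems.append("callback %d: authentication.level %r is not an integer" % (pos, param["value"]))
    # Indexes define the callback order and must be unique and contiguous from 0.
    if sorted(indexes) != list(range(len(indexes))):
        problems.append("indexes must be unique and contiguous from 0, got %s" % indexes)
    return problems


def webseal_profile_callbacks(eai_user_header="am-fim-eai-user-id", cred_header="iv-creds",
                              session_header="user_session_id", authentication_level=1):
    """Callback lists for a WebSEAL-fronted profile, mirroring the docstring samples (constructed values)."""
    level = {"authentication.level": authentication_level}
    return {
        "authenticate_callbacks": [make_callback(0, "websealPocAuthenticateCallback", level)],
        "sign_in_callbacks": [make_callback(0, "websealPocSignInCallback",
                                            {"fim.user.response.header.name": eai_user_header})],
        "local_id_callbacks": [make_callback(0, "websealPocLocalIdentityCallback",
                                             {"fim.cred.request.header.name": cred_header})],
        "sign_out_callbacks": [make_callback(0, "websealPocSignOutCallback",
                                             {"fim.user.session.id.request.header.name": session_header})],
        "authn_policy_callbacks": [make_callback(0, "genericPocAuthnPolicyCallback", level)],
    }


if __name__ == "__main__":
    profile = webseal_profile_callbacks()
    for name, callbacks in profile.items():
        print(name, validate_callbacks(callbacks) or "ok")
```

The dictionary returned by webseal_profile_callbacks can be unpacked straight into create_profile with **profile once a name is supplied.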

get_current_profile()

Get the active Point of Contact profile.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the POC profile is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_profile(poc_id)

Get a configured Point of Contact profile.

Parameters:

poc_id (str) – The system-assigned point of contact profile identifier.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the POC profile is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_profiles()

Get the list of configured Point of Contact profiles.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the POC profiles are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

set_current_profile(profile_id)

Set the current Point of Contact profile.

Parameters:

profile_id (str) – The ID of an existing point of contact profile to set as the current profile.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update_profile(poc_id, name=None, description=None, authenticate_callbacks=[], sign_in_callbacks=[], local_id_callbacks=[], sign_out_callbacks=[], authn_policy_callbacks=[])

Update an existing Point of Contact profile.

Parameters:
  • poc_id (str) – The unique generated identifier of the Point of Contact profile.

  • name (str) – A meaningful name to identify this point of contact profile.

  • description (str, optional) – A description of the point of contact profile.

  • authenticate_callbacks (list of dict) –

    An array of callbacks for authentication. The format of the dictionary is:

    {
        "index":0,
        "moduleReferenceId":"websealPocAuthenticateCallback",
        "parameters": [
                        {"name":"authentication.level",
                         "value":"1"}
                    ]
    }
    

  • sign_in_callbacks (list of str) –

    An array of callbacks for sign in. The format of the dictionary is:

    {
        "index":0,
        "moduleReferenceId":"websealPocSignInCallback",
        "parameters": [
                        {"name":"fim.user.response.header.name",
                         "value":"am-fim-eai-user-id"}
                    ]
    }
    

  • local_id_callbacks (list of dict) –

    An array of callbacks for local identity. The format of the dictionary is:

    {
        "index":0,
        "moduleReferenceId":"websealPocLocalIdentityCallback",
        "parameters": [
                        {"name":"fim.cred.request.header.name",
                         "value":"iv-creds"}
                    ]
    }
    

  • sign_out_callbacks (list of dict) –

    An array of callbacks for sign out. The format of the dictionary is:

    {
        "index":0,
        "moduleReferenceId":"websealPocSignOutCallback",
        "parameters": [
                        {"name":"fim.user.session.id.request.header.name",
                         "value":"user_session_id"}
                    ]
    }
    

  • authn_policy_callbacks (list of dict) –

    An array of callbacks for authentication policy. The format of the dictionary is:

    {
        "index":0,
        "moduleReferenceId":"genericPocAuthnPolicyCallback",
        "parameters": [
                        {"name":"authentication.level",
                         "value":"1"}
                    ]
    }
    

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Security Token Service (STS)

class pyivia.core.federation.securitytokenservice.SecurityTokenService(base_url, username, password)
create_chain(name, description=None, template_id=None, request_type=None, token_type=None, xpath=None, sign_responses=None, sign_key_store=None, sign_key_alias=None, sign_include_cert=None, sign_include_pubkey=None, sign_include_ski=None, sign_include_issuer=None, sign_include_subject=None, validate_requests=None, validation_key_store=None, validation_key_alias=None, validation_include_cert=None, validation_include_pubkey=None, validation_include_ski=None, validation_include_issuer=None, validation_include_subject=None, send_validation_confirmation=None, issuer_address=None, issuer_port_type_namespace=None, issuer_port_type_name=None, issuer_service_namespace=None, issuer_service_name=None, applies_to_address=None, applies_to_port_type_namespace=None, applies_to_port_type_name=None, applies_to_service_namespace=None, applies_to_service_name=None, self_properties=[], partner_properties=[])

Create a STS chain.

Parameters:
  • name (str) – A friendly name for the STS Chain

  • description (str, optional) – A description of the STS Chain

  • template_id (str) – The Id of the STS Chain Template that is referenced by this STS Chain

  • request_type (str) – The type of request to associate with this chain. The request is one of the types that are supported by the WS-Trust specification.

  • token_type (str, optional) – The STS module type to map a request message to an STS Chain Template

  • xpath (str, optional) – The custom lookup rule in XML Path Language to map a request message to an STS Chain Template

  • sign_responses (bool, optional) – Whether to sign the Trust Server SOAP response messages.

  • sign_key_store (str, optional) – SSL database which contains private key to sign messages.

  • sign_key_alias (str, optional) – The private key to sign messages.

  • sign_include_cert (bool, optional) – Whether to include the BASE64 encoded certificate data with your signature.

  • sign_include_pubkey (bool, optional) – Whether to include the public key with the signature.

  • sign_include_ski (bool, optional) – Whether to include the X.509 subject key identifier with the signature

  • sign_include_issuer (bool, optional) – Whether to include the issuer name and the certificate serial number with the signature

  • sign_include_subject (bool, optional) – Whether to include the subject name with the signature.

  • validate_requests (bool, optional) – Whether to require a signature on the received SOAP request message that contains the RequestSecurityToken message.

  • validation_key_store (str, optional) – The SSL database which contains the private key to validate messages.

  • validation_key_alias (str, optional) – The key to validate the received SOAP request message

  • validation_include_cert (bool, optional) – Whether the BASE64 encoded certificate data is included with the signature.

  • validation_include_pubkey (bool, optional) – Whether to include the public key with the signature.

  • validation_include_ski (bool, optional) – Whether to include the X.509 subject key identifier with the signature.

  • validation_include_issuer (bool, optional) – Whether to include the issuer name and the certificate serial number with the signature.

  • validation_include_subject (bool, optional) – Whether to include the subject name with the signature.

  • send_validation_confirmation (bool, optional) – Whether to send signature validation confirmation.

  • issuer_address (str) – The URI of the issuer company or enterprise

  • issuer_port_type_namespace (str, optional) – The namespace URI part of a qualified name for the issuer Web service port type.

  • issuer_port_type_name (str, optional) – The local part of a qualified name for the issuer Web service port type.

  • issuer_service_namespace (str, optional) – The namespace URI part of a qualified name for the issuer Web service.

  • issuer_service_name (str, optional) – The local part of a qualified name for the issuer Web service.

  • applies_to_address (str) – The URI of the scope company or enterprise

  • applies_to_port_type_namespace (str, optional) – The namespace URI part of a qualified name for the scope Web service port

  • applies_to_port_type_name (str, optional) – The local part of a qualified name for the scope Web service port type.

  • applies_to_service_namespace (str, optional) – The namespace URI part of a qualified name for the scope Web service

  • applies_to_service_name (str, optional) – The local part of a qualified name for the scope Web service.

  • self_properties (list of dict) – The self properties for all modules within the STS Chain Template referenced in the STS Chain. A property has the format {“name”:”STS Property”,”value”:[“demo”,”values”]}

  • partner_properties (list of dict) – The partner properties for all modules within the STS Chain Template referenced in the STS Chain. A property has the format {“name”:”STS Property”,”value”:[“demo”,”values”]}

create_template(name, description=None, modules=[])

Create a STS chain template.

Parameters:
  • name (str) – A friendly name for the STS Chain Template

  • description (str) – A description of the STS Chain Template

  • modules (list of str) –

    An array of the modules that make up the STS Chain Template. Each module contains

    • id: The token id of an STS module

    • mode: The mode in which the STS module is used in the chain. Must be one of the supported modes of the STS module

    • prefix (optional): The prefix for the chain item.

    example:

    {
        "id":"default-map",
        "mode":"map",
        "prefix":"uuid3dbf4c6a-013d-15d5-bb8b-c2665e02a402"
    }
    

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created STS template can be accessed from the response.id_from_location attribute.

Return type:

Response
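The following is an added example, not code from pyivia or from the Verify Identity Access documentation. It builds the modules list that create_template expects, in the {"id", "mode", "prefix"} form shown above, and applies two checks before the template is sent to the appliance: each item must carry a known mode, and a template that issues a token must validate the incoming token first, so a misconfigured chain cannot turn the STS into an unauthenticated token mint. The set of module modes, the module ids default-validate and default-issue, the appliance address and the credentials are assumptions; default-map is the id used in the page's own example.

```python
"""Build and check the ``modules`` list for ``Federations.create_template``.

Added example; not part of pyivia or the product documentation. The mode set
below is an assumption based on the usual validate -> map -> issue layout;
confirm the modes each module supports with ``list_module_types()``.
"""
from __future__ import annotations

import re
import uuid
from typing import Iterable

# Assumed: the modes an STS module may be used in within a chain template.
KNOWN_MODES = {"validate", "map", "issue", "exchange", "authenticate", "authorize"}

# The page's example prefix is "uuid" followed by a UUID; generated prefixes use the same shape.
_PREFIX_RE = re.compile(r"^uuid[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def make_module(module_id: str, mode: str, prefix: str | None = None) -> dict:
    """Return one chain template item in the documented {"id","mode","prefix"} form.

    A prefix is generated when none is given; the prefix namespaces the
    module's properties inside the chain, so two instances of the same module
    (for example two "map" steps) need distinct prefixes.
    """
    if not module_id:
        raise ValueError("module id must not be empty")
    if mode not in KNOWN_MODES:
        raise ValueError(f"unsupported STS module mode {mode!r}")
    item = {"id": module_id, "mode": mode,
            "prefix": prefix if prefix is not None else "uuid" + str(uuid.uuid4())}
    if not _PREFIX_RE.match(item["prefix"]):
        raise ValueError(f"prefix {item['prefix']!r} is not of the form uuid<UUID>")
    return item


def check_chain_shape(modules: list[dict]) -> None:
    """Reject templates that would issue a token without validating the request token."""
    modes = [m["mode"] for m in modules]
    if not modes:
        raise ValueError("chain template has no modules")
    if "issue" in modes and "validate" not in modes:
        raise ValueError("chain issues a token but never validates the request token")
    if "issue" in modes and modes.index("validate") > modes.index("issue"):
        raise ValueError("validate must come before issue in the chain")
    prefixes = [m["prefix"] for m in modules]
    if len(set(prefixes)) != len(prefixes):
        raise ValueError("chain template items must have unique prefixes")


def build_modules(steps: Iterable[tuple[str, str]]) -> list[dict]:
    """Build the complete modules list from (id, mode) pairs, in chain order."""
    modules = [make_module(module_id, mode) for module_id, mode in steps]
    check_chain_shape(modules)
    return modules


if __name__ == "__main__":
    # Assumed appliance address and credentials; the module ids other than
    # "default-map" are hypothetical.
    from pyivia.core.federation.federations import Federations

    fed = Federations("https://isva.example.test", "admin", "<admin-password>")
    modules = build_modules([("default-validate", "validate"),
                             ("default-map", "map"),
                             ("default-issue", "issue")])
    rsp = fed.create_template("ldap-to-saml", "example chain template", modules)
    if rsp.success:
        print("created template", rsp.id_from_location)
    else:
        print("create failed", rsp.json)
```

The shape check is deliberately strict: an issue-only template is rejected outright, which is the safer default for a service whose output tokens are trusted by downstream relying parties.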

delete_chain(chain_id)

Delete a STS chain

Parameters:

chain_id (str) – The system-assigned STS chain ID value.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_template(template_id)

Remove a STS chain template.

Parameters:

template_id (str) – The system-assigned STS chain template ID value.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_chain(chain_id)

Get a configured STS chain.

Parameters:

chain_id (str) – The system-assigned STS chain ID value.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the STS chain is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get_module(module_id)

Get the configuration of a Security Token Service module.

Parameters:

module_id (str) – The system-assigned STS module ID value.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the STS module configuration is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get_template(template_id)

Get a STS chain template.

Parameters:

template_id (str) – The system-assigned STS chain template ID value.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the STS chain template is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_chains()

Get a list of the configured STS chains.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the STS chains are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_module_types()

Get the list of Security Token Service module types.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the STS module types are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_modules()

Get a list of the configured Security Token Service modules.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the STS modules are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_templates()

Get a list of STS chain templates.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the STS chain templates are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update_chain(chain_id, name=None, description=None, template_id=None, request_type=None, token_type=None, xpath=None, sign_responses=None, sign_key_store=None, sign_key_alias=None, sign_include_cert=None, sign_include_pubkey=None, sign_include_ski=None, sign_include_issuer=None, sign_include_subject=None, validate_requests=None, validation_key_store=None, validation_key_alias=None, validation_include_cert=None, validation_include_pubkey=None, validation_include_ski=None, validation_include_issuer=None, validation_include_subject=None, send_validation_confirmation=None, issuer_address=None, issuer_port_type_namespace=None, issuer_port_type_name=None, issuer_service_namespace=None, issuer_service_name=None, applies_to_address=None, applies_to_port_type_namespace=None, applies_to_port_type_name=None, applies_to_service_namespace=None, applies_to_service_name=None, self_properties=[], partner_properties=[])

Update an existing STS chain

Parameters:
  • chain_id (str) – The Verify Identity Access assigned identifier of the STS chain.

  • name (str) – A friendly name for the STS Chain

  • description (str, optional) – A description of the STS Chain

  • template_id (str) – The Id of the STS Chain Template that is referenced by this STS Chain

  • request_type (str) – The type of request to associate with this chain. The request is one of the types that are supported by the WS-Trust specification.

  • token_type (str, optional) – The STS module type to map a request message to an STS Chain Template

  • xpath (str, optional) – The custom lookup rule in XML Path Language to map a request message to an STS Chain Template

  • sign_responses (bool, optional) – Whether to sign the Trust Server SOAP response messages.

  • sign_key_store (str, optional) – The SSL database which contains the private key used to sign messages.

  • sign_key_alias (str, optional) – The alias of the private key used to sign messages.

  • sign_include_cert (bool, optional) – Whether to include the BASE64 encoded certificate data with your signature.

  • sign_include_pubkey (bool, optional) – Whether to include the public key with the signature.

  • sign_include_ski (bool, optional) – Whether to include the X.509 subject key identifier with the signature

  • sign_include_issuer (bool, optional) – Whether to include the issuer name and the certificate serial number with the signature

  • sign_include_subject (bool, optional) – Whether to include the subject name with the signature.

  • validate_requests (bool, optional) – Whether to require a signature on the received SOAP request message that contains the RequestSecurityToken message.

  • validation_key_store (str, optional) – The SSL database which contains the private key to validate messages.

  • validation_key_alias (str, optional) – The key to validate the received SOAP request message

  • validation_include_cert (bool, optional) – Whether the BASE64 encoded certificate data is included with the signature.

  • validation_include_pubkey (bool, optional) – Whether to include the public key with the signature.

  • validation_include_ski (bool, optional) – Whether to include the X.509 subject key identifier with the signature.

  • validation_include_issuer (bool, optional) – Whether to include the issuer name and the certificate serial number with the signature.

  • validation_include_subject (bool, optional) – Whether to include the subject name with the signature.

  • send_validation_confirmation (bool, optional) – Whether to send signature validation confirmation.

  • issuer_address (str) – The URI of the issuer company or enterprise

  • issuer_port_type_namespace (str, optional) – The namespace URI part of a qualified name for the issuer Web service port type.

  • issuer_port_type_name (str, optional) – The local part of a qualified name for the issuer Web service port type.

  • issuer_service_namespace (str, optional) – The namespace URI part of a qualified name for the issuer Web service.

  • issuer_service_name (str, optional) – The local part of a qualified name for the issuer Web service.

  • applies_to_address (str) – The URI of the scope company or enterprise.

  • applies_to_port_type_namespace (str, optional) – The namespace URI part of a qualified name for the scope Web service port type.

  • applies_to_port_type_name (str, optional) – The local part of a qualified name for the scope Web service port type.

  • applies_to_service_namespace (str, optional) – The namespace URI part of a qualified name for the scope Web service.

  • applies_to_service_name (str, optional) – The local part of a qualified name for the scope Web service.

  • self_properties (list of dict) – The self properties for all modules within the STS Chain Template referenced in the STS Chain. A property has the format {"name":"STS Property","value":["demo","values"]}

  • partner_properties (list of dict) – The partner properties for all modules within the STS Chain Template referenced in the STS Chain. A property has the format {"name":"STS Property","value":["demo","values"]}
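The following is an added example, not code from pyivia or from the product documentation; it serves both the self_properties/partner_properties format used by create_chain and update_chain and the sign_*/validation_* parameters of update_chain. It converts plain dicts into the documented {"name": ..., "value": [...]} list, and refuses to enable response signing or request signature validation unless the keystore and key alias those settings depend on are also supplied, so a chain is never left claiming to sign or validate with no key behind it. The appliance address, credentials, chain and template ids, keystore names, key aliases, the WS-Trust request type URI and the property name in the usage block are assumptions.

```python
"""Assemble checked keyword arguments for ``Federations.update_chain``.

Added example; not part of pyivia or the product documentation. Property
names, keystore names and key aliases used here are constructed placeholders.
"""
from __future__ import annotations


def to_sts_properties(props: dict[str, object]) -> list[dict]:
    """Convert {"name": value-or-list} into the documented list-of-dict format.

    Scalar values are wrapped in a one-element list and every value is sent as
    a string, matching {"name":"STS Property","value":["demo","values"]}.
    """
    out = []
    for name, value in props.items():
        if not isinstance(name, str) or not name:
            raise ValueError("property name must be a non-empty string")
        values = value if isinstance(value, (list, tuple)) else [value]
        out.append({"name": name, "value": [str(v) for v in values]})
    return out


def signing_kwargs(*, sign_responses: bool, key_store: str | None = None,
                   key_alias: str | None = None, include_cert: bool = True) -> dict:
    """sign_* keyword arguments; signing on without a key store and alias is rejected."""
    if sign_responses and not (key_store and key_alias):
        raise ValueError("sign_responses=True requires sign_key_store and sign_key_alias")
    return {
        "sign_responses": sign_responses,
        "sign_key_store": key_store if sign_responses else None,
        "sign_key_alias": key_alias if sign_responses else None,
        "sign_include_cert": include_cert if sign_responses else None,
    }


def validation_kwargs(*, validate_requests: bool, key_store: str | None = None,
                      key_alias: str | None = None, send_confirmation: bool = False) -> dict:
    """validate_requests/validation_* keyword arguments, checked the same way."""
    if validate_requests and not (key_store and key_alias):
        raise ValueError("validate_requests=True requires validation_key_store "
                         "and validation_key_alias")
    return {
        "validate_requests": validate_requests,
        "validation_key_store": key_store if validate_requests else None,
        "validation_key_alias": key_alias if validate_requests else None,
        "send_validation_confirmation": send_confirmation if validate_requests else None,
    }


def build_update_chain_kwargs(chain_id: str, template_id: str, *, request_type: str,
                              issuer_address: str, applies_to_address: str,
                              self_props: dict, partner_props: dict,
                              signing: dict, validation: dict) -> dict:
    """Merge the pieces into one dict usable as Federations.update_chain(**kwargs)."""
    required = {"chain_id": chain_id, "template_id": template_id,
                "request_type": request_type, "issuer_address": issuer_address,
                "applies_to_address": applies_to_address}
    missing = [k for k, v in required.items() if not v]
    if missing:
        raise ValueError("missing required values: " + ", ".join(missing))
    kwargs = dict(required)
    kwargs["self_properties"] = to_sts_properties(self_props)
    kwargs["partner_properties"] = to_sts_properties(partner_props)
    kwargs.update(signing)
    kwargs.update(validation)
    return kwargs


if __name__ == "__main__":
    # All values below are assumptions; replace them with your own appliance's.
    from pyivia.core.federation.federations import Federations

    fed = Federations("https://isva.example.test", "admin", "<admin-password>")
    kwargs = build_update_chain_kwargs(
        "<chain-id>", "<template-id>",
        request_type="http://schemas.xmlsoap.org/ws/2005/02/trust/Validate",
        issuer_address="urn:example:issuer", applies_to_address="urn:example:appliesto",
        self_props={"example.map.rule.type": "JAVASCRIPT"},  # hypothetical property name
        partner_props={},
        signing=signing_kwargs(sign_responses=True, key_store="<keystore>", key_alias="<alias>"),
        validation=validation_kwargs(validate_requests=False),
    )
    rsp = fed.update_chain(**kwargs)
    print("updated" if rsp.success else f"failed: {rsp.json}")
```

Because update_chain defaults every optional parameter to None, the helpers emit None for settings that are switched off, so the resulting dict can be splatted into the call as-is.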