How to generate an authentication token with IDM REST API?

Hi,

I need to execute 2 actions on a driver:

- Generate an authentication token using IDM REST API.

- Use the token to read all values of a given driver entitlement.

When I try to generate the token on Postman I get the following error:

<?xml version="1.0" encoding="UTF-8"?>
<Fault>
    <Code>
        <Value>Sender</Value>
        <Subcode>
            <Value>XDAS_OUT_POLICY_VIOLATION</Value>
        </Subcode>
    </Code>
    <Reason>
        <Text>Not allowed</Text>
    </Reason>
</Fault>
I understand that I have a misconfigured or not-allowed parameter in the Headers or Body, but I could not understand which one is wrong. In the Headers I have configured: Authorization, Cookie, Postman-Token, Content-type, Content-Length, Host, User-Agent, Accept, Accept-Encoding and Connection.
On the Body, I have configured grant_type, with password as the value, username with User Application administrator as the value and password with User Application administrator password as the value.
The URL is https://server_dns:8543/osp/a/idm/auth/oauth2/token
Does any of you have a sample of how to configure it?
And the second action is more about understanding which values I have to use in the request document for viewID and type on the /entitlements/entitlementValues API. I could not find any explanation anywhere.
{
  "viewID": "...",
  "type": "..."
}

Thank you.

Gustavo
  • Your screenshot is not enough to see what's wrong.

    Have you accessed server:port/.../ for the documentation that explains the process?

    From that page:

    1. Determine where your authorization server is listening for logins. Usually it is the server base url + /osp/a/idm/auth/oauth2/token.
    2. Obtain OSP client userid and password. Out of the box, client id is rbpmrest and password as set by your system administrator during install.
    3. Obtain a userid and password of a user who has the required privilege for the API you wish to call.
    4. Create a REST POST request with the following characteristics:
      • content-type header: application/x-www-form-urlencoded
      • authorization header: Basic Auth format using client userid/password from step 2 above
      • body: "grant_type=password&username=USERID&password=PASSWORD", where USERID and PASSWORD are from step 3 above
    5. The JSON response comes back like this:

       {
         "access_token": "eHwAIIo/s5YRJUlk7vudjO3DQSHcwsubZOe...",
         "token_type": "bearer",
         "expires_in": 2592001,
         "refresh_token": "eHwAIMImaydGbAamBgNA1CEGcFjCXNcaqM4OA..."
       }

    6. When making a REST call to one of the APIs, for the Authorization header add the token_type, a space, then the access_token like so:

       Authorization Header: Bearer eHwAIIo/s5YRJUlk7vudjO3DQSHcwsubZOe...
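    To make the steps above concrete, here is an added Python example (not from the reply above and not the IDM product's own client) that builds the token request exactly as described: client id and secret in a Basic Authorization header, the user credentials form-encoded in the body, and the resulting bearer header for later API calls. The base URL, client secret, user DN and password are placeholders, and the sample token response is a constructed one in the shape of step 5. Note that `urlencode` percent-encodes the `=` and `,` characters, so a full DN can be used as the username value without breaking the form body.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Token endpoint path from step 1; the host in front of it is whatever your OSP listens on.
TOKEN_PATH = "/osp/a/idm/auth/oauth2/token"


def build_token_request(base_url, client_id, client_secret, username, password):
    """Return (url, headers, body) for the password grant described in steps 1-4.

    Client credentials travel in a Basic Authorization header, user credentials in the
    form-encoded body. Nothing is sent here, so the exact wire shape can be inspected.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
        "Accept": "application/json",
    }
    # urlencode percent-encodes '=' and ',' so a DN such as cn=uaadmin,ou=sa,o=data
    # survives intact as the username value.
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return base_url.rstrip("/") + TOKEN_PATH, headers, body


def bearer_header_from_token_response(response_text):
    """Parse the JSON token response (step 5) and return the Authorization value for step 6."""
    data = json.loads(response_text)
    token_type = data["token_type"]
    # The server reports "bearer" in lower case; the header scheme is conventionally "Bearer".
    scheme = "Bearer" if token_type.lower() == "bearer" else token_type
    return f"{scheme} {data['access_token']}"


def request_token(base_url, client_id, client_secret, username, password, timeout=30):
    """Send the token request over HTTPS and return the Authorization header value.

    Needs a reachable OSP, so it is not exercised by the offline demonstration below.
    """
    url, headers, body = build_token_request(base_url, client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return bearer_header_from_token_response(resp.read().decode())


# Constructed sample response in the shape shown in step 5 (token values are made up).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "EXAMPLE_ACCESS_TOKEN",
    "token_type": "bearer",
    "expires_in": 2592001,
    "refresh_token": "EXAMPLE_REFRESH_TOKEN",
})

if __name__ == "__main__":
    # Placeholder host, client secret, user DN and password; replace with your own.
    url, headers, body = build_token_request(
        "https://server_dns:8543", "rbpmrest", "client-secret-placeholder",
        "cn=uaadmin,ou=sa,o=data", "user-password-placeholder")
    print(url)
    print(headers)
    print(body)
    print(bearer_header_from_token_response(SAMPLE_TOKEN_RESPONSE))
```

    Compared with the Postman attempt in the question, the request carries only three headers; extra ones such as Cookie or Postman-Token are not needed, and the body is a form string rather than JSON.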
  • Aleksandar,

    I engaged in some other projects and this one was put aside. I'm working on it again right now. The point I would like to mention is that the only way I could make it work was to use the dn of the user of step 3 in the configuration of step 4. Just the cn did not work. Thanks for your help.

    Now I'm looking for better documentation on the APIs. The API I mentioned does not explain what a viewID or type for the entitlements is. So, I have no idea what I need to provide in the payload. If you know, tell me please.

    Thanks.  

  • Hi Gustavo,

    Try to send a GET request to <host>/IDMProv/rest/catalog/entitlements/entitlementInfo?entilementDN=<LDAP DN of entitlement>

    Yes it says entilementDN instead of entitlementDN....

    I get the following response that includes viewID and type:

    {
        "dn": "cn=Group,cn=AD,cn=DriverSet01,o=System",
        "displayName": "Group Membership Entitlement",
        "description": "The Group Entitlement grants or denies membership in a group in Active Directory. The group must be associated with a group in the Identity Vault. When revoked, the user is removed from the group. The group membership entitlement is not enforced on the publisher channel: If a user is added to a controlled group in Active Directory by some external tool, the user is not removed by the driver. Further, if the entitlement is removed from the user object instead of being simply revoked, the driver takes no action.",
        "isMultiValue": true,
        "views": [
            {
                "displayName": "Group",
                "viewID": "\\f0\\04\\2d\\95\\73\\eb\\ae\\4b\\07\\99\\f0\\04\\2d\\95\\73\\eb",
                "description": "The Group Entitlement grants or denies membership in a group in Active Directory. The group must be associated with a group in the Identity Vault. When revoked, the user is removed from the group. The group membership entitlement is not enforced on the publisher channel: If a user is added to a controlled group in Active Directory by some external tool, the user is not removed by the driver. Further, if the entitlement is removed from the user object instead of being simply revoked, the driver takes no action."
            }
        ],
        "type": "QUERY",
        "paramTypes": [
            null
        ],
        "isResourceMappingEnabled": true
    }

    What "type" does, I don't know.

    If I send a POST request to <host>/IDMProv/rest/catalog/entitlements/entitlementValues with the following payload:

    {
      "viewID": "\\f0\\04\\2d\\95\\73\\eb\\ae\\4b\\07\\99\\f0\\04\\2d\\95\\73\\eb",
      "type": ""
    }

    I get the following response:

        "arraySize": 18,
        "entitlementValues": [
            {
                "name": "CN=WebAccessUsers,OU=Groups,DC=ad,DC=aaaa,DC=se",
                "description": "",
                "value": "{\"ID\":\"4911cbcddc34a94faaf0e1b6ea0cbe45\",\"ID2\":\"CN=WebAccessUsers,OU=Groups,DC=ad,DC=aaaa,DC=se\"}"
            },
            ..................
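    An added Python example (not part of the reply above, nor of the product's REST client) that wraps the two calls just described: it builds the entitlementInfo URL with the `entilementDN` parameter spelled the way the server expects and the DN percent-encoded, pulls the viewID out of the response, produces the entitlementValues payload, and decodes the result, whose `value` field is a JSON document serialised inside a string. The host is a placeholder and the embedded responses are constructed samples modelled on the ones quoted above; the completeness check compares `arraySize` with the number of values actually present, which fails on a truncated listing like the one shown.

```python
import json
from urllib.parse import quote

# Paths quoted in the reply above; the host in front of them is a placeholder.
ENTITLEMENT_INFO_PATH = "/IDMProv/rest/catalog/entitlements/entitlementInfo"
ENTITLEMENT_VALUES_PATH = "/IDMProv/rest/catalog/entitlements/entitlementValues"


def entitlement_info_url(host, entitlement_dn):
    """Build the GET URL for entitlementInfo.

    The query parameter really is spelled 'entilementDN' on the server side, and the DN
    must be percent-encoded (safe='' so '=' and ',' are encoded too).
    """
    return f"{host.rstrip('/')}{ENTITLEMENT_INFO_PATH}?entilementDN={quote(entitlement_dn, safe='')}"


def extract_views(info):
    """Return (displayName, viewID) pairs from an entitlementInfo response."""
    return [(view.get("displayName", ""), view["viewID"]) for view in info.get("views", [])]


def entitlement_values_payload(view_id, entitlement_type=""):
    """JSON body for POST entitlementValues; the reply above got results with an empty type."""
    return json.dumps({"viewID": view_id, "type": entitlement_type})


def parse_entitlement_values(response):
    """Decode an entitlementValues response into flat dicts.

    Each 'value' is itself JSON serialised into a string, so it is parsed a second time;
    for the AD group entitlement the ID2 field carries the group DN.
    """
    results = []
    for item in response.get("entitlementValues", []):
        raw = item.get("value", "")
        try:
            decoded = json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            decoded = {"raw": raw}  # keep undecodable values instead of dropping them
        results.append({"name": item.get("name"), "description": item.get("description", ""), **decoded})
    return results


def values_complete(response):
    """True when the number of values matches the server's own arraySize count."""
    return response.get("arraySize") == len(response.get("entitlementValues", []))


# Constructed samples modelled on the responses quoted above. The values listing keeps the
# post's arraySize of 18 but only one entry, mirroring the truncated quote.
SAMPLE_INFO = {
    "dn": "cn=Group,cn=AD,cn=DriverSet01,o=System",
    "displayName": "Group Membership Entitlement",
    "type": "QUERY",
    "views": [{"displayName": "Group",
               "viewID": "\\f0\\04\\2d\\95\\73\\eb\\ae\\4b\\07\\99\\f0\\04\\2d\\95\\73\\eb"}],
}
SAMPLE_VALUES = {
    "arraySize": 18,
    "entitlementValues": [
        {"name": "CN=WebAccessUsers,OU=Groups,DC=ad,DC=aaaa,DC=se", "description": "",
         "value": "{\"ID\":\"4911cbcddc34a94faaf0e1b6ea0cbe45\","
                  "\"ID2\":\"CN=WebAccessUsers,OU=Groups,DC=ad,DC=aaaa,DC=se\"}"},
    ],
}

if __name__ == "__main__":
    print(entitlement_info_url("https://host.example", SAMPLE_INFO["dn"]))
    for name, view_id in extract_views(SAMPLE_INFO):
        print(name, entitlement_values_payload(view_id))
    for value in parse_entitlement_values(SAMPLE_VALUES):
        print(value["name"], "->", value.get("ID2"))
    print("complete:", values_complete(SAMPLE_VALUES))
```

    Both calls are sent with the bearer Authorization header obtained from the token endpoint; the GET carries no body, and the POST carries the payload with content-type application/json.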

  • Thank you Aleksandar. It worked perfectly. The misspelled word observation was right on the spot.

  • Aleksandar,

    I'm still having some problems with the REST APIs. I was able to get an access token, but when I try to use it to get entitlement information I get a 403 error. Below is part of the driver log with the document sent and the response. I'm not seeing anything wrong so far. Do you have any idea of what could be the error? Thanks.

    [06/17/24 17:05:26.409]:CriarResource ST: Submitting document to subscriber shim:
    [06/17/24 17:05:26.412]:CriarResource ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.8.5.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <driver-operation-data class-name="EntitlementInfo" command="query" event-id="0">
    <request>
    <url-token EntitlementDN="?entilementDN=cn%3DGroup%2Ccn%3DActive%20Directory%20Driver%2Ccn%3DDriverSet%2Co%3Dsystem"/>
    <header Autorization="Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ijl4ZzgtV0RQRHh3Y2FUeGdJUTViU0JNNHdCSSJ9....0Y3G4LlRtS47QOVR9CNNbv3hxanoBnXQP-iHIWWIX1Y5Po-UfZOh86zbV9jQADrnlOw7hSqJIiOML2jasd_Mn35ZqiIwdTLzhhQq-g-IOpVGXroeMcaf7etxsVO2e2CyUqTGyEpWoeXD7XrgNeiIYcyOnyD08wRW6esK_kr2j-Kl7xgrVpZp0LiELE0qAtRPq5bYD9FOptjRs4mWZdpDp4O7AqWdD_QfC48HQ5diTyzbR1gobhyaH59MUJEvrNxsI1saokKe1hf4PIk9v1k7mK2q4eEEsNzd_ARJAky0lUeBv1JKygX3Xw9fXiOxYd0o21-CjZRSWfq4zRO6Z81EJg" content-type="application/json"/>
    </request>
    </driver-operation-data>
    </input>
    </nds>
    [06/17/24 17:05:26.461]:CriarResource ST: Criar Resources: RESTSubscriptionShim.execute() :
    [06/17/24 17:05:26.463]:CriarResource ST: Criar Resources: queryHandler
    [06/17/24 17:05:26.465]:CriarResource ST: Criar Resources: queryHandler: class-name == 'EntitlementInfo'
    [06/17/24 17:05:26.469]:CriarResource ST: Criar Resources: Query: preparing GET to otua1.lab:8543/.../entitlementInfo
    [06/17/24 17:05:26.475]:CriarResource ST: Criar Resources: Resetting headers
    [06/17/24 17:05:26.477]:CriarResource ST: Criar Resources: Setting the following HTTP request properties:
    Authorization: <content suppressed>
    [06/17/24 17:05:26.482]:CriarResource ST: Criar Resources: content-type:application/json
    [06/17/24 17:05:26.485]:CriarResource ST: Criar Resources: Autorization:Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ijl4ZzgtV0RQRHh3Y2FUeGdJUTViU0JNNHdCSSJ9....0Y3G4LlRtS47QOVR9CNNbv3hxanoBnXQP-iHIWWIX1Y5Po-UfZOh86zbV9jQADrnlOw7hSqJIiOML2jasd_Mn35ZqiIwdTLzhhQq-g-IOpVGXroeMcaf7etxsVO2e2CyUqTGyEpWoeXD7XrgNeiIYcyOnyD08wRW6esK_kr2j-Kl7xgrVpZp0LiELE0qAtRPq5bYD9FOptjRs4mWZdpDp4O7AqWdD_QfC48HQ5diTyzbR1gobhyaH59MUJEvrNxsI1saokKe1hf4PIk9v1k7mK2q4eEEsNzd_ARJAky0lUeBv1JKygX3Xw9fXiOxYd0o21-CjZRSWfq4zRO6Z81EJg
    [06/17/24 17:05:26.519]:CriarResource ST: Criar Resources: Did a HTTP GET with 0 bytes of data to otua1.lab:8543/.../entitlementInfo
    [06/17/24 17:05:26.524]:CriarResource ST: Criar Resources: *******************************************************
    [06/17/24 17:05:26.527]:CriarResource ST: Criar Resources: **********************LOGGING REQUEST******************
    [06/17/24 17:05:26.530]:CriarResource ST: Criar Resources: *******************************************************
    [06/17/24 17:05:26.533]:CriarResource ST: Criar Resources: Request URL :otua1.lab:8543/.../entitlementInfo
    [06/17/24 17:05:26.539]:CriarResource ST: Criar Resources: Http Method : GET
    [06/17/24 17:05:26.542]:CriarResource ST: Criar Resources: Sending http request with below headers :-
    [06/17/24 17:05:26.545]:CriarResource ST: Criar Resources: Authorization: <content suppressed>
    [06/17/24 17:05:26.549]:CriarResource ST: Criar Resources: content-type: application/json
    [06/17/24 17:05:26.552]:CriarResource ST: Criar Resources: Autorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ijl4ZzgtV0RQRHh3Y2FUeGdJUTViU0JNNHdCSSJ9....0Y3G4LlRtS47QOVR9CNNbv3hxanoBnXQP-iHIWWIX1Y5Po-UfZOh86zbV9jQADrnlOw7hSqJIiOML2jasd_Mn35ZqiIwdTLzhhQq-g-IOpVGXroeMcaf7etxsVO2e2CyUqTGyEpWoeXD7XrgNeiIYcyOnyD08wRW6esK_kr2j-Kl7xgrVpZp0LiELE0qAtRPq5bYD9FOptjRs4mWZdpDp4O7AqWdD_QfC48HQ5diTyzbR1gobhyaH59MUJEvrNxsI1saokKe1hf4PIk9v1k7mK2q4eEEsNzd_ARJAky0lUeBv1JKygX3Xw9fXiOxYd0o21-CjZRSWfq4zRO6Z81EJg
    [06/17/24 17:05:26.587]:CriarResource ST: Criar Resources: ***************************END**************************
    [06/17/24 17:05:26.645]:CriarResource ST: Criar Resources: ********************************************************
    [06/17/24 17:05:26.646]:CriarResource ST: Criar Resources: ***********************LOGGING RESPONSE*****************
    [06/17/24 17:05:26.650]:CriarResource ST: Criar Resources: ********************************************************
    [06/17/24 17:05:26.654]:CriarResource ST: Criar Resources: Http response code : 403
    [06/17/24 17:05:26.656]:CriarResource ST: Criar Resources: Http response status : HTTP/1.1 403
    [06/17/24 17:05:26.660]:CriarResource ST: Criar Resources: Getting http response with below headers :-
    [06/17/24 17:05:26.664]:CriarResource ST: Criar Resources: X-XSS-Protection: 1; mode=block
    [06/17/24 17:05:26.667]:CriarResource ST: Criar Resources: X-Frame-Options:
    [06/17/24 17:05:26.669]:CriarResource ST: Criar Resources: X-Content-Type-Options: nosniff
    [06/17/24 17:05:26.672]:CriarResource ST: Criar Resources: Strict-Transport-Security: max-age=31536000;includeSubDomains
    [06/17/24 17:05:26.675]:CriarResource ST: Criar Resources: Cache-Control: no-store, no-cache
    [06/17/24 17:05:26.678]:CriarResource ST: Criar Resources: Cache-Control: post-check=0, pre-check=0
    [06/17/24 17:05:26.681]:CriarResource ST: Criar Resources: Pragma: no-cache
    [06/17/24 17:05:26.683]:CriarResource ST: Criar Resources: Expires: 0
    [06/17/24 17:05:26.683]:CriarResource ST: Criar Resources: Set-Cookie: JSESSIONID=C1C6A757D32F8997FDEB95DEF0EF89DD; Path=/IDMProv; Secure; HttpOnly
    [06/17/24 17:05:26.686]:CriarResource ST: Criar Resources: Content-Length: 0
    [06/17/24 17:05:26.689]:CriarResource ST: Criar Resources: Date: Mon, 17 Jun 2024 20:05:26 GMT
    [06/17/24 17:05:26.692]:CriarResource ST: Criar Resources: Sending http response with body :-
    [06/17/24 17:05:26.695]:CriarResource ST: Criar Resources: **********************END*****************************
    [06/17/24 17:05:26.699]:CriarResource ST: Criar Resources: Response code and message: 403
    [06/17/24 17:05:26.701]:CriarResource ST: SubscriptionShim.execute() returned:
    [06/17/24 17:05:26.703]:CriarResource ST:
    <nds dtdversion="3.0">
    <source>
    <product build="20220829_0332" version="1.1.2.0400">Identity Manager REST Driver</product>
    <contact>NetIQ Corporation.</contact>
    </source>
    <output>
    <status event-id="0" level="error" type="driver-general">
    <driver-operation-data class-name="EntitlementInfo" command="query" dest-dn="" event-id="0">
    <response>
    <url-token EntitlementDN="?entilementDN=cn%3DGroup%2Ccn%3DActive%20Directory%20Driver%2Ccn%3DDriverSet%2Co%3Dsystem"/>
    <header Autorization="Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ijl4ZzgtV0RQRHh3Y2FUeGdJUTViU0JNNHdCSSJ9....0Y3G4LlRtS47QOVR9CNNbv3hxanoBnXQP-iHIWWIX1Y5Po-UfZOh86zbV9jQADrnlOw7hSqJIiOML2jasd_Mn35ZqiIwdTLzhhQq-g-IOpVGXroeMcaf7etxsVO2e2CyUqTGyEpWoeXD7XrgNeiIYcyOnyD08wRW6esK_kr2j-Kl7xgrVpZp0LiELE0qAtRPq5bYD9FOptjRs4mWZdpDp4O7AqWdD_QfC48HQ5diTyzbR1gobhyaH59MUJEvrNxsI1saokKe1hf4PIk9v1k7mK2q4eEEsNzd_ARJAky0lUeBv1JKygX3Xw9fXiOxYd0o21-CjZRSWfq4zRO6Z81EJg" content-type="application/json"/>
    <response-header Cache-Control="post-check=0, pre-check=0" Content-Length="0" Date="Mon, 17 Jun 2024 20:05:26 GMT" Expires="0" Pragma="no-cache" Set-Cookie="JSESSIONID=C1C6A757D32F8997FDEB95DEF0EF89DD; Path=/IDMProv; Secure; HttpOnly" Strict-Transport-Security="max-age=31536000;includeSubDomains" X-Content-Type-Options="nosniff" X-Frame-Options="" X-XSS-Protection="1; mode=block"/>
    <value message="" status="403"></value>
    </response>
    </driver-operation-data>
    </status>
    </output>
    </nds>
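    An added check (example code, not part of the REST driver or of the post above) for the outgoing header set of a call like the one in this trace. The trace sends the bearer token under a header named `Autorization`, while the driver's own `Authorization` header is shown as suppressed; whether that is what the server rejected the thread does not say, so the example only does two things a client should do before any request: confirm that a header named exactly `Authorization` (case-insensitive, as HTTP header names are) is present and flag near-miss spellings, and mask bearer and cookie values so a trace like the one above can be kept or shared without exposing the token. The header dictionary is constructed here with a placeholder token, and the edit-distance threshold is a chosen heuristic.

```python
def _edit_distance(a, b):
    """Levenshtein distance; small enough here to write out rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Constructed from the header names the trace above shows being sent; the token is a placeholder.
TRACE_HEADERS = {
    "content-type": "application/json",
    "Autorization": "Bearer EXAMPLE.JWT.TOKEN",
}

CREDENTIAL_HEADERS = {"cookie", "set-cookie", "proxy-authorization"}


def _looks_like_authorization(name):
    # Heuristic: at most two edits away from 'authorization', ignoring case.
    return _edit_distance(name.lower(), "authorization") <= 2


def check_authorization_header(headers):
    """Report whether an exactly-named Authorization header is present and list any header
    names that look like a misspelling of it (the server ignores names it does not know)."""
    present = any(name.lower() == "authorization" for name in headers)
    suspects = [name for name in headers
                if name.lower() != "authorization" and _looks_like_authorization(name)]
    return {"authorization_present": present, "suspect_names": suspects}


def redact_for_log(headers):
    """Copy of the headers with credential-bearing values masked, keeping only the scheme.

    Applies to the exact Authorization name, to its misspellings (the token is just as
    sensitive under the wrong name) and to cookie headers.
    """
    redacted = {}
    for name, value in headers.items():
        if _looks_like_authorization(name) or name.lower() in CREDENTIAL_HEADERS:
            scheme = value.split(" ", 1)[0] if " " in value else ""
            redacted[name] = f"{scheme} <redacted>".strip()
        else:
            redacted[name] = value
    return redacted


if __name__ == "__main__":
    report = check_authorization_header(TRACE_HEADERS)
    print("Authorization present:", report["authorization_present"])
    print("Suspect header names:", report["suspect_names"])
    print("Safe to log:", redact_for_log(TRACE_HEADERS))
```

    Run against the constructed trace headers, the check reports no Authorization header and names `Autorization` as the suspect; the redacted copy keeps `Bearer` but drops the token, which is the form a driver trace should take before it is pasted into a forum post.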