Refreshing Metadata using REST API


Use Case

Many Access Manager customers have trusted providers whose metadata changes frequently, so the administrator has to log in to the Administration Console and refresh the metadata again and again. The following set of REST APIs helps to automate this process. This cool solution explains how to deploy and use these new APIs.

Prerequisites

  • Access Manager version must be 4.1 or higher.
  • SAML2 trusted providers must have been added manually using the Administration Console.
  • The cool solution JAR must have been deployed (see Deployment below for details).



Steps for Refreshing Metadata

  1. Get the list of SAML2 trusted providers using a REST call.
  2. Parse the JSON response from step 1 to obtain the metadata refresh URL for the trusted provider you are interested in.
  3. Invoke the metadata refresh URL with the updated metadata.

The attachment includes detailed step-by-step instructions for using these APIs.

Get SAML2 Trusted Providers List API

REST URL: https://<AdminConsole hostname>:port/nps/rest/trustedproviders/saml2
Example: https://164.99.86.9:2443/nps/rest/trustedproviders/saml2

Method: GET

Authentication: Basic Authentication using Administration Console credentials.

API Input: None

API Output: Response code 200 OK with a JSON response.





Sample JSON Response:

{
  "saml2ServiceProviders": [
    {
      "providerName": "86_7_sp",
      "entityID": "https://stagesb.blr.novell.com/nidp/saml2/metadata",
      "refreshURL": "https://164.99.86.9:2443/nps/rest/trustedprovider/SCC4bzodd/SMIPymottg/STSPw9br2t/metadata",
      "clusterName": "IDPCluster"
    }
  ],
  "saml2IdentityProviders": [
    {
      "providerName": "87_45_idp",
      "entityID": "https://namsb.blr.novell.com/nidp/saml2/metadata",
      "refreshURL": "https://164.99.86.9:2443/nps/rest/trustedprovider/SCC4bzodd/SMSPlgf6i7/STIDPvtu4pp/metadata",
      "clusterName": "IDPCluster"
    }
  ]
}

Response parameters:

  saml2ServiceProviders: The list of trusted SAML2 service providers defined in all the Identity Server clusters.
  saml2IdentityProviders: The list of trusted SAML2 identity providers defined in all the Identity Server clusters.

For each trusted provider entry:

  providerName: Display name of the trusted provider as configured in the UI.
  entityID: Metadata entity ID. Either the provider name or the entity ID may be used as the key to identify the trusted provider to be refreshed.
  refreshURL: The main piece of this REST API. This is the URL to be used to refresh the metadata for that specific trusted provider.
  clusterName: Identity Server cluster where the specific provider is configured.





Refresh Metadata API

REST URL: Use the "refreshURL" of the required trusted provider from the above API response. Example from above: https://164.99.86.9:2443/nps/rest/trustedprovider/SCC4bzodd/SMSPlgf6i7/STIDPvtu4pp/metadata

Method: POST

Authentication: Basic Authentication using Administration Console credentials.

API Input: A single JSON input parameter "metadata" containing either the metadata URL or the metadata text.
Note: If metadata text is provided, it must be URL encoded.

API Output: 200 OK





Sample JSON input:

{
"metadata" : "
3D"UTF-8" ?>
Amd="urn:oasis:names:tc:SAML:2.0:metadata%
22 ID="idXMuLnBrALGXkMAMUXd9WXvS0aEI" entityID%
3D"https://priyankasb.blr.novell.com/nidp/saml
2/metadata">
...............
"
}
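The three steps above (list the providers, pick the refreshURL by provider name or entity ID, POST the metadata) as an added Python example; this is not code from the cool solution or its attachment. Function names, the `refresh_provider` wrapper and the "metadata text starts with `<`" heuristic are my own assumptions; the sample listing is constructed from the page's sample response.

```python
"""Added example: automate the SAML2 metadata refresh REST calls described above."""
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample, shaped like the page's "Get SAML2 Trusted Providers List" response.
SAMPLE_LISTING = {
    "saml2ServiceProviders": [
        {"providerName": "86_7_sp",
         "entityID": "https://stagesb.blr.novell.com/nidp/saml2/metadata",
         "refreshURL": "https://164.99.86.9:2443/nps/rest/trustedprovider/SCC4bzodd/SMIPymottg/STSPw9br2t/metadata",
         "clusterName": "IDPCluster"}],
    "saml2IdentityProviders": [
        {"providerName": "87_45_idp",
         "entityID": "https://namsb.blr.novell.com/nidp/saml2/metadata",
         "refreshURL": "https://164.99.86.9:2443/nps/rest/trustedprovider/SCC4bzodd/SMSPlgf6i7/STIDPvtu4pp/metadata",
         "clusterName": "IDPCluster"}],
}


def find_refresh_url(listing, key):
    """Step 2: return the refreshURL of the provider whose providerName or entityID
    equals `key`, searching both the SP and the IdP lists. None if not present."""
    for group in ("saml2ServiceProviders", "saml2IdentityProviders"):
        for provider in listing.get(group, []):
            if key in (provider.get("providerName"), provider.get("entityID")):
                return provider["refreshURL"]
    return None


def build_refresh_body(metadata):
    """Step 3 input: a metadata URL is passed through unchanged; metadata XML text
    (assumed to start with '<') is URL-encoded first, as the API note requires."""
    if metadata.lstrip().startswith("<"):
        metadata = urllib.parse.quote(metadata, safe="")
    return {"metadata": metadata}


def refresh_provider(admin_base, username, password, key, metadata):
    """Network part (not run offline): GET the listing, locate the provider, POST
    the refresh. Admin credentials travel as Basic auth, so keep urllib's default
    certificate verification rather than trusting an unverified console."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {auth}", "Content-Type": "application/json"}
    req = urllib.request.Request(f"{admin_base}/nps/rest/trustedproviders/saml2", headers=headers)
    with urllib.request.urlopen(req) as resp:
        listing = json.load(resp)
    url = find_refresh_url(listing, key)
    if url is None:
        raise LookupError(f"trusted provider {key!r} not found in listing")
    body = json.dumps(build_refresh_body(metadata)).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 200 on success, per the API description
```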


Deployment

  • SSH into the Administration Console system.
  • Copy the downloaded restapi.jar file to /opt/novell/nam/adminconsole/webapps/nps/WEB-INF/lib
  • Restart the Administration Console: /etc/init.d/novell-ac restart
  • Follow the step-by-step instructions included in the attachment.

Note: This cool solution should work on all supported operating systems. Follow the deployment steps appropriate to your OS, using the above as guidelines.


Attachment: Download the cool solution

Labels:

How To-Best Practice