Refreshing Metadata using REST API

Use Case

Many Access Manager customers have trusted providers that update their metadata frequently, so an administrator has to log into the Administration Console and refresh the metadata each time. The following set of REST APIs helps automate this process. This cool solution explains how to deploy and use these new APIs.

Prerequisites

  • Access Manager version must be 4.1 or higher.

  • SAML2 Trusted providers must have been added manually using the Administration Console.

  • Cool solution JAR must have been deployed (see below for details).

Steps for Refreshing Metadata

  1. Get the list of SAML2 trusted providers using a REST call.

  2. Parse the JSON response from step 1 to obtain the metadata refresh URL for the trusted provider you are interested in.

  3. Invoke the metadata refresh URL with the updated metadata.

The attachment includes detailed step-by-step instructions for using these APIs.

Get SAML2 Trusted Providers List API

REST URL: https://<AdminConsole hostname>:<port>/nps/rest/trustedproviders/saml2
Example: https://164.99.86.9:2443/nps/rest/trustedproviders/saml2
Method: GET
Authentication: Basic Authentication using Administration Console credentials.
API Input: None
API Output: Response code 200 OK with JSON response.


Sample JSON Response:

{
  "saml2ServiceProviders": [
    {
      "providerName": "86_7_sp",
      "entityID": "https://stagesb.blr.novell.com/nidp/saml2/metadata",
      "refreshURL": "https://164.99.86.9:2443/nps/rest/trustedprovider/SCC4bzodd/SMIPymottg/STSPw9br2t/metadata",
      "clusterName": "IDPCluster"
    }
  ],
  "saml2IdentityProviders": [
    {
      "providerName": "87_45_idp",
      "entityID": "https://namsb.blr.novell.com/nidp/saml2/metadata",
      "refreshURL": "https://164.99.86.9:2443/nps/rest/trustedprovider/SCC4bzodd/SMSPlgf6i7/STIDPvtu4pp/metadata",
      "clusterName": "IDPCluster"
    }
  ]
}

Response parameters:

saml2ServiceProviders: The list of trusted SAML2 service providers defined in all the Identity Server clusters.
saml2IdentityProviders: The list of trusted SAML2 identity providers defined in all the Identity Server clusters.

For each trusted provider:
  providerName: Display name of the trusted provider as configured in the UI.
  entityID: Metadata entity ID. The provider name or the entity ID may be used as the key to identify the trusted provider to be refreshed.
  refreshURL: The main piece of this REST API. This is the URL to be used to refresh the metadata for that specific trusted provider.
  clusterName: Identity Server cluster where the specific provider is configured.

Refresh Metadata API

REST URL: Use the "refreshURL" of the required trusted provider from the above API response. Example from above: https://164.99.86.9:2443/nps/rest/trustedprovider/SCC4bzodd/SMSPlgf6i7/STIDPvtu4pp/metadata
Method: POST
Authentication: Basic Authentication using Administration Console credentials.
API Input: A single JSON input parameter "metadata" containing the metadata URL or text.
Note: If providing metadata text, it must be URL encoded.
API Output: 200 OK
Sample JSON input:

{
  "metadata" : "%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%20%3F%3E%3Cmd%3AEntityDescriptor%20xmlns%3Amd%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Ametadata%22%20ID%3D%22idXMuLnBrALGXkMAMUXd9WXvS0aEI%22%20entityID%3D%22https%3A%2F%2Fpriyankasb.blr.novell.com%2Fnidp%2Fsaml2%2Fmetadata%22%3E%3Cds%3ASignature%20xmlns%3Ads%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%0A%3Cds
...............
%3C%2Fmd%3AEntityDescriptor%3E"
}
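The three steps above (list the providers, pick the refresh URL by providerName or entityID, post the URL-encoded metadata with Administration Console credentials) as an added example; this is not code from the cool solution or its attachment. The listing is a constructed sample shaped like the response shown above, and treating a metadata value that starts with "<" as XML text rather than a URL is this example's assumption.

```python
import base64
import json
from urllib.parse import quote
from urllib.request import Request

# Constructed sample shaped like the list-API response shown above.
SAMPLE_LISTING = {
    "saml2ServiceProviders": [{
        "providerName": "86_7_sp",
        "entityID": "https://stagesb.blr.novell.com/nidp/saml2/metadata",
        "refreshURL": "https://164.99.86.9:2443/nps/rest/trustedprovider/SCC4bzodd/SMIPymottg/STSPw9br2t/metadata",
        "clusterName": "IDPCluster"}],
    "saml2IdentityProviders": [{
        "providerName": "87_45_idp",
        "entityID": "https://namsb.blr.novell.com/nidp/saml2/metadata",
        "refreshURL": "https://164.99.86.9:2443/nps/rest/trustedprovider/SCC4bzodd/SMSPlgf6i7/STIDPvtu4pp/metadata",
        "clusterName": "IDPCluster"}],
}


def find_refresh_url(listing, key):
    """Step 2: pick the trusted provider by providerName or entityID.

    Returns its refreshURL, or None when nothing matches. A key matching more
    than one provider is refused so a job cannot refresh the wrong partner."""
    matches = [
        p["refreshURL"]
        for group in ("saml2ServiceProviders", "saml2IdentityProviders")
        for p in listing.get(group, [])
        if key in (p.get("providerName"), p.get("entityID"))
    ]
    if len(matches) > 1:
        raise ValueError(f"ambiguous key {key!r}: {len(matches)} providers match")
    return matches[0] if matches else None


def build_refresh_request(refresh_url, metadata, username, password):
    """Step 3: build (but do not send) the POST for the Refresh Metadata API.

    `metadata` is the metadata URL or the raw XML text. XML text is URL-encoded
    as the API requires; quote(..., safe="") gives %20 for spaces and %2F for
    '/', matching the sample body. "Starts with '<' means XML" is an assumption."""
    if metadata.lstrip().startswith("<"):
        metadata = quote(metadata, safe="")
    body = json.dumps({"metadata": metadata}).encode("utf-8")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return Request(refresh_url, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "Authorization": f"Basic {token}",  # Administration Console credentials
    })
```

Sending the request with urllib.request.urlopen over HTTPS verifies the Administration Console certificate by default; keep that verification on, since every call carries the admin credentials.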

Deployment

  • Download the cool solution.

  • SSH into the Administration Console system.

  • Copy the downloaded restapi.jar file to /opt/novell/nam/adminconsole/webapps/nps/WEB-INF/lib

  • Restart the Administration Console: /etc/init.d/novell-ac restart

  • Follow the step-by-step instructions included in the attachment.

  • Note: This cool solution should work on all supported operating systems. Follow the deployment steps appropriate to your OS, using the above as a guideline.

Attachment: Download the cool solution

Comments
I have a question about above solution. Here in the Netherlands we have an SP that has a very short expiration date of only 24 hours. I need to refresh the metadata every day.

I have the script working, but after the script has run I need to go into the Admin Console to press Update on every Identity Server in order to apply the new metadata.

Would it be possible to automate that last step as well?
Apologies for the delay in response. We have an API to do the Update as well.

Send PUT request to the cluster URL
https://:/amsvc/v1/idpclusters/
with input
{
  "update" : "all"
}
Please check for more details about other APIs as well:
https://www.netiq.com/documentation/access-manager-developer-documentation/pdfdoc/accessmanager_rest_api_guide/accessmanager_rest_api_guide.pdf
Last update: 2015-04-15 21:38