SecureAuth IdP 9.2 Admin API Guide
Post Authentication Realm Settings Endpoint
Introduction
Use the /postauth PATCH endpoint to configure the SAML or WS-Federation assertion a realm issues after the end-user authenticates.
Choose from SAML 2.0 IdP-initiated (Saml2IdpInitiated), SP-initiated (Saml2SpInitiated) and SP-initiated by POST (Saml2SpInitiatedByPost) assertions, or a WS-Federation (WsFederation) assertion.
Prerequisites
1. Complete the Enablement and Header Steps in the Admin API Guide
2. Have access to the application code that calls the API endpoint(s)
3. Integrate one or more membership and profile directories with SecureAuth IdP (Data Realm Settings Endpoint)
4. Gather the required information from the Service Provider for the SAML or WS-Federation integration (consumer URL, audience, issuer name, signing and encryption certificates)
/postauth Endpoint
Note
The following endpoints are prepended with the URL, https://<SecureAuth IdP Domain>/api/v2/realms/<realm ID>
Post Authentication Settings /postauth PATCH Endpoint
Notice
Use this endpoint to configure the realm's post authentication settings for a SAML assertion or WS-Federation assertion.
| HTTP Method | Endpoint | Example | SecureAuth IdP version |
|---|---|---|---|
| PATCH | /postauth | https://secureauth.company.com/api/v2/realms/26/postauth | v9.2 or later |
| Field | Description | Accepted Values | Note |
|---|---|---|---|
| redirectType | Post-authentication action (type of assertion the realm issues) | Saml2IdpInitiated, Saml2SpInitiated, Saml2SpInitiatedByPost, WsFederation | |
| redirect | Settings for redirection | N / A | |
| userIdMapping | Settings for user ID assertion | N / A | |
| mapping | User ID asserted to SP | | |
| nameIdFormat | Format of user ID, expected by SP | | |
| encodeToBase64 | Encode user ID to Base64 | true / false | |
| assertion | Settings for assertion | N / A | |
| wsFedReplyTo_SamlTargetUrl | Absolute URL of target resource | any | |
| samlConsumerUrl | URL provided by SP to accept assertion | any | Use an https URL; the assertion is posted to it |
| issuer | Unique name shared by IdP and SP to enable communication | any | |
| samlRecipient | Identifiable information of SAML recipient, typically same as samlConsumerUrl | any | |
| samlAudience | Base domain of application | any | |
| spStartUrl | SP URL at which end-users log in | any | For Saml2SpInitiated or Saml2SpInitiatedByPost assertions |
| wsFedVersion | Version of WS-Federation | | |
| wsFedSigningAlgorithm | Algorithm used to sign WS-Federation assertion | | For WsFederation assertions |
| samlSigningAlgorithm | Algorithm used to sign SAML assertion | | For Saml assertions |
| samlOffsetMinutes | Number of minutes IdP subtracts from the NotBefore SAML attribute to account for clock skew between IdP and SP | number | |
| samlValidHours | Number of hours during which assertion is valid | number | Keep short; a captured assertion can be replayed until this window closes |
| appendHttpsToSamlTargetUrl | Append https:// to wsFedReplyTo_SamlTargetUrl if the field has no scheme | true / false | |
| generateUniqueAssertionId | Generate GUID to pass to SP | true / false | |
| signSamlAssertion | Sign SAML assertion | true / false | |
| signSamlMessage | Sign SAML message (Response) | true / false | Enable at least one of signSamlAssertion and signSamlMessage; the SP cannot verify an unsigned response |
| encryptSamlAssertion | Encrypt SAML assertion | true / false | |
| samlDataEncryptionMethod | Algorithm used to encrypt SAML assertion | | If "encryptSamlAssertion": true |
| samlKeyEncryptionMethod | Algorithm used to encrypt the data-encryption key | | If "encryptSamlAssertion": true |
| encryptionCertificate | Certificate (SP public key) used to encrypt the SAML assertion | any | If "encryptSamlAssertion": true |
| acsSamlRequestCertificate | Public key of Assertion Consumer Service (ACS) / SAML Request Certificate in Base64 format, enabling SecureAuth IdP to verify signed SAML requests from the SP | any | |
| authenticationMethod | Method used to authenticate subject | | |
| confirmationMethod | Method used to confirm subject | | |
| authenticationContextClass | Additional authentication proof requested by SP | | |
| includeSamlConditions | Include SAML Conditions element in assertion | true / false | |
| samlResponseInResponseTo | Include InResponseTo in the SAML Response | true / false | Lets the SP bind the response to its own AuthnRequest |
| subjectConfirmationDataNotBefore | Include NotBefore on SubjectConfirmationData in assertion | true / false | |
| signingCertSerialNumber | Serial number of the certificate used to sign the assertion | any | |
| attributes | Settings for attributes sent in assertion | N / A | |
| attributeNumber | Number of attribute in list | 1 - 10 | |
| name | Specific name of attribute, provided by SP | any | |
| nameSpace | URL that communicates what is being asserted, provided by SP | any | |
| format | Format in which attribute is asserted | | |
| value | SecureAuth IdP Profile Property mapped to directory attribute that contains attribute data to assert | | |
| groupFilterExpression | Restrict a group attribute to groups whose names start with the expression, so only the necessary group information is sent | any | |
| extendedSamlAttributes | Settings for extended SAML attributes | N / A | For Saml assertions |
| endpointConfiguration | Settings for WS-Trust endpoints | N / A | For WsFederation assertions |
| host | Base DNS address of public SecureAuth IdP URL | any | |
| endpoints | Settings for endpoints | N / A | |
| id | WS-Trust endpoint name | N / A | |
| enabled | Enable endpoint | true / false | Leave unused WS-Trust endpoints disabled |
| endpointPath | WS-Trust endpoint path | N / A | |
| authenticationType | Type of authentication supported | N / A | |
| securityMode | Type of security mode | N / A | |
| type | WS-Trust type | N / A | |
| requestBlocking | Settings for WS-Trust request blocking | N / A | |
| useAdaptiveAuthForIpBlocking | Use Adaptive Authentication IP settings for WS-Trust assertions | true / false | |
| enableRequestBlocking | Block WS-Trust requests via blocking engine in WS-Trust STS | true / false | |
| conditionLogic | Condition logic for combining the IP, application and user-agent blocking rules | | |
| ipAddressBlockingRule | Create list of allowed or denied IP addresses | | |
| ipAddresses | List of IP addresses allowed or denied based on ipAddressBlockingRule | any | |
| applicationBlockingRule | Create list of allowed or denied applications | | |
| applications | List of applications allowed or denied based on applicationBlockingRule | any | |
| userAgentBlockingRules | Create list of allowed or denied user agents | | |
| userAgents | List of user agents allowed or denied based on userAgentBlockingRules | any | |
| redirectPage | Page that issues the assertion (Authorized/SAML20IdPInit.aspx, Authorized/WSFedProvider.aspx, ...) | N / A | |
| formsAuthentication | Settings for forms authentication | N / A | |
| name | Name of forms authentication token | any, defaulted to .ASPXFORMSAUTH | |
| loginUrl | URL to which end-user is directed upon token expiration to create a new one | URL path, /<SecureAuth IdP Realm Name> defaulted to SecureAuth.aspx | |
| domain | Domain name for forms authentication | any | Blank defaults to IdP appliance domain |
| requireSsl | Require HTTPS for the token cookie (browser sends it only over TLS) | true / false | |
| cookieMode | How to deliver cookie | | |
| isSlidingExpiration | Token is valid as long as end-user interacts with page | true / false | |
| timeout | Number of minutes cookie is valid | number, defaulted to 10 | |
| machineKey | Settings for machine key | N / A | |
| validation | Algorithm used to validate (integrity-protect) the forms authentication cookie | | |
| decryption | Algorithm used to encrypt and decrypt the cookie | | |
| validationKey | Key to validate and enable SSO | any | Must generate in Web Admin UI; AutoGenerate keys are per-appliance, so SSO across appliances needs an explicit shared key |
| decryptionKey | Key to decrypt and enable SSO | any | Must generate in Web Admin UI; same per-appliance caveat as validationKey |
| authenticationCookie | Settings for authentication cookies | N / A | |
| preAuthenticationCookie | Name of cookie generated from begin site | any, defaulted to PreAuthToken1 | |
| postAuthenticationCookie | Name of cookie that communicates to IdP that user is authenticated | any, defaulted to PostAuthToken1 | |
| isPersistent | Enable persistent cookie | true / false | |
| cleanUpAuthCookie | Remove preAuthenticationCookie after authentication | true / false | |
Example 1: SAML 2.0 IdP-initiated assertion (redirectType Saml2IdpInitiated)

Parameters
{
"redirectType": "Saml2IdpInitiated",
"redirect": {
"userIdMapping": {
"mapping": "AuthenticatedUserId",
"nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"encodeToBase64": false
},
"assertion": {
"wsFedReplyTo_SamlTargetUrl": "https://application.com/login",
"samlConsumerUrl": "https://application.com/saml",
"issuer": "uniquename",
"samlRecipient": "https://application.com/saml",
"samlAudience": "www.application.com",
"spStartUrl": "",
"wsFedVersion": "1.2",
"wsFedSigningAlgorithm": "SHA2",
"samlSigningAlgorithm": "SHA2",
"samlOffsetMinutes": 5,
"samlValidHours": 1,
"appendHttpsToSamlTargetUrl": true,
"generateUniqueAssertionId": true,
"signSamlAssertion": false,
"signSamlMessage": true,
"encryptSamlAssertion": false,
"samlDataEncryptionMethod": "Empty",
"samlKeyEncryptionMethod": "Empty",
"encryptionCertificate": "",
"acsSamlRequestCertificate": "",
"authenticationMethod": "Empty",
"confirmationMethod": "Empty",
"authenticationContextClass": "Unspecified",
"includeSamlConditions": true,
"samlResponseInResponseTo": true,
"subjectConfirmationDataNotBefore": false,
"signingCertSerialNumber": ""
},
"attributes": [
{
"attributeNumber": 1,
"name": "emailAddress",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "Email1",
"groupFilterExpression": ""
},
{
"attributeNumber": 2,
"name": "lastName",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "LastName",
"groupFilterExpression": ""
},
{
"attributeNumber": 3,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 4,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 5,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 6,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 7,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 8,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 9,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 10,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
}
],
"extendedSamlAttributes": null,
"redirectPage": "Authorized/SAML20IdPInit.aspx"
},
"formsAuthentication": {
"name": ".ASPXFORMSAUTH",
"loginUrl": "SecureAuth.aspx",
"domain": "",
"requireSsl": true,
"cookieMode": "UseDeviceProfile",
"isSlidingExpiration": true,
"timeout": 10
},
"machineKey": {
"validation": "SHA1",
"decryption": "Auto",
"validationKey": "AutoGenerate,IsolateApps",
"decryptionKey": "AutoGenerate,IsolateApps"
},
"authenticationCookie": {
"preAuthenticationCookie": "PreAuthToken1",
"postAuthenticationCookie": "PostAuthToken1",
"isPersistent": false,
"cleanUpAuthCookie": true
}
}

Success Response
{
"status": "Success",
"message": []
}

Example 2: WS-Federation assertion (redirectType WsFederation)

Parameters
{
"redirectType": "WsFederation",
"redirect": {
"userIdMapping": {
"mapping": "AuthenticatedUserId",
"nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"encodeToBase64": false
},
"assertion": {
"wsFedReplyTo_SamlTargetUrl": "https://portal.office.com",
"samlConsumerUrl": "",
"issuer": "uniquename",
"samlRecipient": "",
"samlAudience": "",
"spStartUrl": "https://portal.office.com/login",
"wsFedVersion": "1.2",
"wsFedSigningAlgorithm": "SHA2",
"samlSigningAlgorithm": "SHA2",
"samlOffsetMinutes": 0,
"samlValidHours": 1,
"appendHttpsToSamlTargetUrl": true,
"generateUniqueAssertionId": true,
"signSamlAssertion": false,
"signSamlMessage": true,
"encryptSamlAssertion": false,
"samlDataEncryptionMethod": "Empty",
"samlKeyEncryptionMethod": "Empty",
"encryptionCertificate": "",
"acsSamlRequestCertificate": "",
"authenticationMethod": "Empty",
"confirmationMethod": "Empty",
"authenticationContextClass": "Unspecified",
"includeSamlConditions": true,
"samlResponseInResponseTo": true,
"subjectConfirmationDataNotBefore": false,
"signingCertSerialNumber": ""
},
"attributes": [
{
"attributeNumber": 1,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 2,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 3,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 4,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 5,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 6,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 7,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 8,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 9,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
},
{
"attributeNumber": 10,
"name": "",
"nameSpace": "",
"format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"value": "AuthenticatedUserId",
"groupFilterExpression": ""
}
],
"endpointConfiguration": {
"host": "",
"endpoints": [
{
"id": "UsernameMixed05",
"enabled": false,
"endpointPath": "/2005/usernamemixed",
"authenticationType": "Password",
"securityMode": "Mixed",
"type": "WS-Trust 2005"
},
{
"id": "WindowsTransport05",
"enabled": false,
"endpointPath": "/2005/windowstransport",
"authenticationType": "Windows",
"securityMode": "Transport",
"type": "WS-Trust 2005"
},
{
"id": "IssuedTokenMixedAsymmetricBasic25605",
"enabled": false,
"endpointPath": "/2005/issuedtokenmixedasymmetricbasic256",
"authenticationType": "SAML Token (Asymmetric)",
"securityMode": "Mixed",
"type": "WS-Trust 2005"
},
{
"id": "UsernameMixed13",
"enabled": false,
"endpointPath": "/13/usernamemixed",
"authenticationType": "Password",
"securityMode": "Mixed",
"type": "WS-Trust 1.3"
},
{
"id": "WindowsTransport13",
"enabled": false,
"endpointPath": "/13/windowstransport",
"authenticationType": "Windows",
"securityMode": "Transport",
"type": "WS-Trust 1.3"
},
{
"id": "IssuedTokenMixedAsymmetricBasic25613",
"enabled": false,
"endpointPath": "/13/issuedtokenmixedasymmetricbasic256",
"authenticationType": "SAML Token (Asymmetric)",
"securityMode": "Mixed",
"type": "WS-Trust 1.3"
}
]
},
"requestBlocking": {
"useAdaptiveAuthForIpBlocking": true,
"enableRequestBlocking": false,
"conditionLogic": "OR",
"ipAddressBlockingRule": null,
"ipAddresses": null,
"applicationBlockingRule": null,
"applications": null,
"userAgentBlockingRules": null,
"userAgents": null
},
"redirectPage": "Authorized/WSFedProvider.aspx"
},
"formsAuthentication": {
"name": ".ASPXFORMSAUTH",
"loginUrl": "SecureAuth.aspx",
"domain": "",
"requireSsl": true,
"cookieMode": "UseDeviceProfile",
"isSlidingExpiration": true,
"timeout": 10
},
"machineKey": {
"validation": "SHA1",
"decryption": "Auto",
"validationKey": "AutoGenerate,IsolateApps",
"decryptionKey": "AutoGenerate,IsolateApps"
},
"authenticationCookie": {
"preAuthenticationCookie": "PreAuthToken1",
"postAuthenticationCookie": "PostAuthToken1",
"isPersistent": false,
"cleanUpAuthCookie": true
}
}
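The following is an added example, not SecureAuth's own code and not part of this documentation. It is a pre-flight check for a /postauth request body, built from the IdP-initiated example above: it flags the settings a reviewer would question (neither assertion nor message signed, encryption enabled without a certificate or algorithm, a plain-http consumer URL, requireSsl off, AutoGenerate machine keys, an SP-initiated realm without spStartUrl), computes the assertion validity window implied by samlOffsetMinutes and samlValidHours, and builds the PATCH request. The rule set, the assumption that NotOnOrAfter is the issue time plus samlValidHours, and the placeholder host and realm ID are mine; the Authorization and date headers required by the Admin API Guide are passed in by the caller and not constructed here.

```python
"""Pre-flight lint for a SecureAuth IdP /postauth PATCH body.

Added example, not SecureAuth code. The rule set, the NotOnOrAfter formula
and the placeholder host/realm in main() are assumptions."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

SAML_TYPES = {"Saml2IdpInitiated", "Saml2SpInitiated", "Saml2SpInitiatedByPost"}

# Constructed body: the SAML 2.0 IdP-initiated example on this page, trimmed
# to the fields the lint inspects.
EXAMPLE_BODY = {
    "redirectType": "Saml2IdpInitiated",
    "redirect": {
        "assertion": {
            "samlConsumerUrl": "https://application.com/saml",
            "issuer": "uniquename",
            "samlRecipient": "https://application.com/saml",
            "samlAudience": "www.application.com",
            "spStartUrl": "",
            "samlSigningAlgorithm": "SHA2",
            "samlOffsetMinutes": 5,
            "samlValidHours": 1,
            "signSamlAssertion": False,
            "signSamlMessage": True,
            "encryptSamlAssertion": False,
            "samlDataEncryptionMethod": "Empty",
            "samlKeyEncryptionMethod": "Empty",
            "encryptionCertificate": "",
            "samlResponseInResponseTo": True,
        },
        "redirectPage": "Authorized/SAML20IdPInit.aspx",
    },
    "formsAuthentication": {"requireSsl": True, "timeout": 10},
    "machineKey": {"validationKey": "AutoGenerate,IsolateApps",
                   "decryptionKey": "AutoGenerate,IsolateApps"},
}


def lint_postauth(body):
    """Return (severity, message) findings; an empty list means no objections."""
    out = []
    rtype = body["redirectType"]
    a = body["redirect"]["assertion"]
    if rtype in SAML_TYPES:
        if not (a.get("signSamlAssertion") or a.get("signSamlMessage")):
            out.append(("error", "neither assertion nor message is signed; the SP cannot verify the response"))
        if a.get("samlSigningAlgorithm") != "SHA2":
            out.append(("warn", "samlSigningAlgorithm is not SHA2"))
        for f in ("samlConsumerUrl", "samlRecipient", "samlAudience", "issuer"):
            if not a.get(f):
                out.append(("error", f"{f} is empty"))
        if a.get("samlConsumerUrl", "").startswith("http://"):
            out.append(("error", "samlConsumerUrl is plain http; the assertion would be posted in clear"))
        if a.get("encryptSamlAssertion"):
            if not a.get("encryptionCertificate"):
                out.append(("error", "encryptSamlAssertion is true but encryptionCertificate is empty"))
            for f in ("samlDataEncryptionMethod", "samlKeyEncryptionMethod"):
                if a.get(f, "Empty") == "Empty":
                    out.append(("error", f"encryptSamlAssertion is true but {f} is Empty"))
        if rtype != "Saml2IdpInitiated":
            if not a.get("spStartUrl"):
                out.append(("error", "SP-initiated flow but spStartUrl is empty"))
            if not a.get("samlResponseInResponseTo"):
                out.append(("warn", "samlResponseInResponseTo is false; SP cannot tie the response to its AuthnRequest"))
        if a.get("samlValidHours", 0) > 1:
            out.append(("warn", f"samlValidHours={a['samlValidHours']} widens the replay window"))
    if not body.get("formsAuthentication", {}).get("requireSsl"):
        out.append(("error", "formsAuthentication.requireSsl is false; the session cookie can be sent over http"))
    mk = body.get("machineKey", {})
    if any(str(mk.get(k, "")).startswith("AutoGenerate") for k in ("validationKey", "decryptionKey")):
        out.append(("warn", "machineKey uses AutoGenerate keys; generate explicit keys in the Web Admin UI "
                            "or cookies issued by one appliance will not validate on another"))
    return out


def assertion_validity_window(issued_at, offset_minutes, valid_hours):
    """NotBefore / NotOnOrAfter implied by samlOffsetMinutes and samlValidHours.
    Assumption: NotOnOrAfter = issue time + samlValidHours."""
    issued_at = issued_at or datetime.now(timezone.utc)
    return (issued_at - timedelta(minutes=offset_minutes),
            issued_at + timedelta(hours=valid_hours))


def build_patch(host, realm_id, body, auth_headers):
    """PATCH request for /api/v2/realms/<realm>/postauth. auth_headers must
    already hold the Authorization and date headers from the Admin API Guide."""
    return urllib.request.Request(
        f"https://{host}/api/v2/realms/{realm_id}/postauth",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Content-Type": "application/json", **auth_headers})


if __name__ == "__main__":
    for sev, msg in lint_postauth(EXAMPLE_BODY):
        print(f"[{sev}] {msg}")
    nb, na = assertion_validity_window(None, 5, 1)
    print("NotBefore", nb.isoformat(), "NotOnOrAfter", na.isoformat())
    req = build_patch("secureauth.company.com", 26, EXAMPLE_BODY,
                      {"Authorization": "<from Admin API Guide header steps>"})
    print(req.get_method(), req.full_url)  # not sent: only builds the request
```

Run the lint over the body you intend to PATCH before sending it; the example body above produces only the AutoGenerate machine-key warning, which matters once more than one appliance serves the realm. To actually send the request, open the returned Request with urllib.request.urlopen after adding the headers from the Admin API Guide.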