Skip to main content

Exporting, Importing and Patching SecureAuth Tenant/Workspace Configuration

Export, import, and patch SecureAuth tenant/workspace configurations with the Configuration Promotion APIs.

By reading this article, you will gain insights into the SecureAuth export, import, and patch configuration APIs, and discover how these powerful tools can enhance your ability to effectively manage the configuration of your tenants and workspaces.

Alpha Feature

Test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.

About SecureAuth Configuration APIs

SecureAuth provides APIs to export, import, and patch the configuration of individual workspaces or entire tenants.

The export/import/patch APIs are available for SecureAuth SaaS Platform as well as for customer deployed SecureAuth platform and can be used for purposes such as automating configuration management.

Manage Workspace Configuration APIs

The new SecureAuth configuration APIs provide four endpoints for managing workspace configuration.

  • Export workspace configuration to export a specific workspace from a specific tenant.

  • Import workspace configuration to import an entire workspace into a specific tenant.

  • Patch workspace configuration (rfc6902) to patch specific changes to a workspace in a specific tenant, using the standard described in RFC 6902.

    The Patch JSON API is intended for easy configuration changes when there are a small number of known workspace modifications and the user applying the patch is familiar with them.

  • Patch workspace configuration (rfc7396) to patch a specific changes to a workspace in a specific tenant, using the standard described in RFC 7396.

    The JSON Merge Patch API facilitates the automated promotion of larger configuration changes. It provides a straightforward and efficient way to apply extensive modifications, such as through scripts or automated methods. This API streamlines the process of implementing significant configuration updates, improving efficiency and accuracy.

Manage Tenant Configuration APIs

The new SecureAuth configuration APIs provide four new endpoints, mirroring the workspace configuration APIs, for tenants.

The Tenant Management APIs can be used by organizations that need to manage many workspaces in their tenants or have a lot of tenant-level configuration such as: SecureAuth Identity Pools, Custom MFA Settings, Custom Themes, etc.

Manage Customer Deployed Tenant Configuration Root APIs

The new SecureAuth configuration APIs provide four new endpoints, mirroring the Tenant Configuration APIs for the Root System Workspace.

These new Root System configuration APIs could be used in lieu of the functionality previously referred to as Global operations.

These endpoints are only available for customer deployed SecureAuth, as the Root System Workspace is not directly available to SaaS Customers. The additional functionality provided by these endpoints is not relevant for SaaS customers.

The Customer Deployed Tenant Configuration APIs can be used to manage configuration of any tenant within SecureAuth deployment.

Prerequisites

  1. Familiarization with SecureAuth REST APIs and what is required to properly access them.

  2. M2M Client Applications added in the System workspace of both tenants -- the one where the configuration is exported from, and the one where the import/patch takes place.

    Learn more about System-Level API Access.

  3. For promoting configuration changes, you need a tool that can compare two exported configurations and create a JSON Merge Patch document from them.

Note

If you wish to test the Configuration Promotion APIs, contact the SecureAuth Sales Team to enable the tree_dump_tenant feature-flag for your tenants. If you are using a customer deployed SecureAuth platform, you can enable the feature flag in your platform configuration files.

Export Configuration APIs

The export endpoints are essential for managing the configuration of your tenant/workspace(s). These endpoints allow you to export the current configuration, and are integral in every configuration management scenario such as the initial configuration import, configuration patching, and configuration backup.

The most up-to-date example calls and output for the Export Endpoints can be found in the documentation for SecureAuth configuration API endpoints.

Tip

When exporting configuration with curl, you can add the -o /full/path/to/export.json parameter to output the results directly to a file.

Export Response Options

You can adjust the content received with the response upon calling the export endpoint, with the boolean parameter with_credentials.

  • When with_credentials is set to true:

    • The exported data will include all credentials present in the workspace. For example, things considered as credentials include: JSON Web Key Sets (JWKS), secrets, certificates, etc.

  • When with_credentials is set to false:

    • Credentials are exported as null or empty objects

      Note

      This does not apply to public keys, such as public JWKS exposed in DCR settings.

By default, with_credentials = false.

Limitations of Configuration Export APIs

Please consider the following limitations related to the new Export APIs:

  • It is entirely possible to export broken tenant/workspace Configuration, but you cannot import/patch broken configurations.

  • It is possible that some specific configuration related to the tenant/workspace will be exported. Typically, this data includes things like the redirect_uris in Client Applications.

    • We strongly recommend replacing or removing those values before performing an import or patch operation. Even when utilizing the tenant configuration APIs, there should be very few (if any) instances of your exported tenant's name, but it is advisable to eliminate/replace them in the configuration to ensure smooth processing.

  • SecureAuth Identity Pools are not part of the Export workspace configuration.

    • If you have any SecureAuth Authentication Providers attached to your workspace you have to either use the tenant configuration APIs or use the Identity Pool APIs first, to export/import the necessary Identity Pool Configurations.

Import Configuration APIs

The configuration import endpoints make wholesale changes to the configuration of your tenant/workspace(s). If there are any conflicts during the import, the target's configuration is overridden with the values provided. The import endpoints are likely to be the least frequently used, as they are intended for one-time and niche operations, such as the initial configuration import and configuration restore.

The most up-to-date example calls and output for the Import Endpoints can be found in the documentation for SecureAuth Configuration Promotion API endpoints.

Insert Mode

The import endpoints support the mode query parameter. This parameter is optional; it defines what happens in the case of import conflicts. For example, when importing a configuration between two tenants, and both have client applications with identical IDs.

SecureAuth can handle this conflict as follows:

  • mode=ignore: Ignore the incoming configuration from the source. Applies to the conflicting changes.

  • mode=fail: Stop import processing and return an error.

  • mode=update: Overwrite the target with the incoming configuration from the source. Applies to the conflicting changes.

By default, mode = ignore.

Limitations of Configuration Import APIs

Please consider the following limitations related to the Import APIs:

  • The configuration of the import target is overridden with the data provided to the import API. The import APIs serve the purpose of addressing potential gaps in the patch APIs, when there is a need to (re)set the configuration of an entire tenant/workspace. If you only require incremental changes, it is recommended to utilize the patch APIs instead.

    Warning

    Only use the import APIs when you want the target's entire configuration overridden. We highly suggest that you use the associated export API to create a backup of the import target before performing the import.

  • If the JSON provided for import is generated using the export APIs with with_credentials set to false, the necessary credentials such as JWKS and client_secrets are regenerated during the import process. It's important to note that if you didn't create a backup export of the tenant/configuration, all those credentials are lost.

Patch Configuration APIs

The configuration patch endpoints are used to make iterative changes to the configuration of your tenant/workspace(s). These endpoints are a key component in enabling configuration promotion and automated configuration management.

The most up-to-date example calls and output for the Patch Endpoints can be found in the documentation for SecureAuth configuration API endpoints.

Tip

When patching configuration with curl, you can use the -d @/full/path/to/patch.json supply the JSON Merge Patch contents directly from a file.

Insert Mode

The patch endpoints support the mode query parameter. This parameter is optional; it defines what happens in the case of import conflicts. For example, when patching a configuration between two tenants, and both have client applications with identical IDs.

SecureAuth can handle this conflict as follows:

  • mode=ignore: Ignore the incoming configuration from the source. Applies to the conflicting changes.

  • mode=fail: Stop import processing and return an error.

  • mode=update: Overwrite the target with the incoming configuration from the source. Applies to the conflicting changes.

By default, mode = update.

Limitations of Configuration Patch APIs

Please consider the following limitations related to the new Patch APIs:

  • It is entirely possible to export broken tenant/workspace Configuration. Patching a tenant/workspace from that configuration will have mixed results.

    • For example: when attempting to add a SecureAuth Authentication Provider to a workspace in a tenant where the associated Identity Pool does not exist, the patch will return a 204 even though the IDP doesn't get created.

    • Not all the error cases and associated message details have been fully defined. They are still a work-in-progress.

  • Manual updates to the target tenant/workspace may cause conflicts, resulting in unexpected results from the Patch APIs.

  • Certain configurations do not cause the Patch APIs to return an Error, but they do require additional consideration, to ensure the results are expected/desired:

    • If you have any SecureAuth Authentication Providers attached to your workspace you have to either use the tenant configuration APIs or use the Identity Pool APIs first, to export/import the necessary Identity Pool Configurations prior to your workspace patch.

    • If you have any Custom Themes bound to your exported workspace, you have to either use the tenant configuration APIs or ensure that the Custom Theme exists in your target tenant, before calling the workspace patch API.

  • The JSON Patch supplied to the Patch APIs must conform to (preferably) RFC 7396 or RFC 6902.

    For easier and more smooth patching capabilities, SecureAuth recommends the RFC 7396 specification.

    • This JSON Patch should be generated by a JSON Patch Tool. Refer to the JSON Patch Tool information and example provided by SecureAuth.

RFC6902 or RFC7396 -- What to Choose

SecureAuth provides organizations with freedom to choose what APIs are the most suitable for their needs:

For easier and more smooth patching capabilities, SecureAuth recommends the RFC 7396 JSON Merge Patch API.

JSON Patch - RFC6902

The Patch JSON API is intended for easy configuration changes when there are a small number of known workspace/tenant modifications and the user applying the patch is familiar with them.

The Patch JSON API accepts a JSON Array which objects represent a single operation applied to the target JSON (workspace configuration). Evaluation continues until all operations are successfully applied or until an error condition is encountered.

Example target configuration:

{
 "clients":{
    "sample-client-id":{
       "client_name":"sample-application",
       "response_types": [
            "code",
            "token"
       ]
    }
  }
}

Example operation:

[
{ "op": "replace", "path": "/clients/sample-client-id/client_name", "value": "demo-application" },
{ "op": "add", "path": "/clients/sample-client-id/response_types", "value": "id_token" }
]

Example result:

{
 "clients":{
    "sample-client-id":{
       "client_name":"demo-application",
       "response_types": [
            "code",
            "token",
            "id_token"
       ]
    }
  }
}

The above operation results in replacing the current value of the client name parameter within the configuration of the client with the sample-client-id identifier. It also adds the id_token as the client application's response type.

JSON Merge Patch API - RFC7396

The JSON Merge Patch API facilitates the automated promotion of larger configuration changes. It provides a straightforward and efficient way to apply extensive modifications, such as through scripts or automated methods. This API streamlines the process of implementing significant configuration updates, improving efficiency and accuracy.

The JSON Merge Patch API accepts a JSON that describes changes to be made to a target workspace/tenant configuration using a syntax that closely mimics the configuration being modified.

Example original configuration:

{
 "clients":{
    "sample-client-id":{
       "client_name":"sample-application",
       "response_types": [
            "token"
       ],
       "scopes": [
            "email",
            "profile",
            "openid",
            "offline_access"
       ]
    },
    "demo-client-id":{
     "client_name":"demo-application"
    }
  }
}

Example JSON Merge Patch:

{
 "clients":{
    "sample-client-id":{
       "response_types": [
            "code",
            "token",
            "id_token"
       ],
       "scopes": [
            "email",
            "profile",
       ]
    },
    "demo-client-id": null
  }
}

Example result:

{
 "clients":{
    "sample-client-id":{
       "client_name":"sample-application",
       "response_types": [
            "code",
            "token",
            "id_token"
       ],
       "scopes": [
            "email",
            "profile",
       ]
    }
  }
}

You can see that the JSON Merge Patch API leaves the client name untouched, adds additional response types, and removes some of the scopes assigned to the client application. The demo application from the original configuration is removed completely from the ulting configuration.

In this section: