This document summarizes all changes made to the Identify REST API in version 5.13.
Audit log endpoint
The AuditUserCreated and AuditUserUpdated models have a new author
attribute that contains the name of the user who caused the event.

```json
{
  ...
  "eventType": "InsertUser",
  "author": ""
  ...
}
```

```json
{
  ...
  "eventType": "UpdateUser",
  "author": ""
  ...
}
```

- Affected operations: GET /auditlogs/auditusercreated, GET /auditlogs/audituserupdated.
- Behavior: the returned object has the new author attribute.
There are also new endpoints for retrieving audit data:
- AuditCorrelationError: GET /auditlogs/auditcorrelationerror
- AuditAuthenticationContextMethodClass: GET /auditlogs/auditauthenticationcontextmethodclass
- AuditAttributeServiceConnection: GET /auditlogs/auditattributeserviceconnection
- AuditPersistentPseudonym: GET /auditlogs/auditpersistentpseudonym
- AuditApprovedConsent: GET /auditlogs/auditapprovedconsent
Claim definition endpoint
The ClaimDefinition model has a new newClaimType attribute (marked (*) below):

```json
{
  "claimType": "string",
  "accessOrganizationName": "string",
  "description": "string",
  "userEditable": true,
  "friendlyName": "string",
  "sensitive": true,
  "showAsColumnOnUserList": true,
  "countSpecification": "string",
  "variableName": "string",
  "restrictedSubOrganizationView": true,
  "avoidIssue": true,
  "publishToSPMetadata": true,
  "publishToIdPMetadata": true,
  "claimValueSpace": "string",
  "newClaimType": "string", (*)
  "name": "string"
}
```

- Affected operations: PUT /claimsdefinitions. Other operations do not use the new attribute.
- Behavior: when the newClaimType attribute has a value, it replaces the value of the claimType attribute after the PUT operation completes successfully.
Connections endpoint
The Connection model has a new newName attribute (marked (*) below):

```json
{
  "doNotRegisterUsers": true,
  "allowUserAutoRegistration": true,
  "secondFactorAuthenticationConnectionName": "string",
  "twoFactorIdentitiesCondition": "string",
  "bearingClaimType": "string",
  "disallowDisabledUsersFromAuthentication": true,
  "organizationNameOfAutoCreatedUsers": "string",
  "userTemplateClaims": [
    { "claimType": "string", "value": "string" }
  ],
  "issuesRoles": true,
  "allowedIpAddresses": "string",
  "enabled": true,
  "accessOrganizationName": "string",
  "dependencyConnectionNames": [ "string" ],
  "claimSets": [ "string" ],
  "claimTransformations": [ "string" ],
  "configurations": [],
  "pluginType": "Saml20",
  "connectionName": "string",
  "organizationName": "string",
  "connectionType": "Authentication",
  "metadataReference": {
    "acceptUntrustedCertificate": true,
    "isImportToStore": true,
    "isUploadMetadataFromUri": true,
    "metadataFileUri": "string",
    "metadataXml": "string",
    "skipVerifySignature": true,
    "storeLocation": "string",
    "storeName": "string"
  },
  "autoSetAllDependencyConnections": true,
  "name": "string",
  "newName": "string", (*)
  "description": "string"
}
```

- Affected operations: PUT /connections. Other operations do not use the new attribute.
- Behavior: when the newName attribute has a value, it replaces the value of the name attribute after the PUT operation completes successfully.
The OAuth protocol connection configuration section model has a new updateAccessTokenClaimsOnRefresh attribute:

```json
{
  ...
  "configurations": [
    {
      ...
      "updateAccessTokenClaimsOnRefresh": false,
      ...
    }
  ],
  ...
}
```

- Affected operations: POST /connections, PUT /connections.
- Behavior: when the updateAccessTokenClaimsOnRefresh attribute is not specified, its default value is false. A false value means the access token's claims are not changed when a client exchanges a refresh token for a new access token, which preserves backward compatibility. See the 5.13 release note on the new "Update user claims on access token when calling the token endpoint with a refresh token" feature for details.
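To make the difference between the two settings concrete, here is an added example that is not Identify code: a toy token endpoint that snapshots the user's claims at authentication and stores the snapshot with the refresh token. With the flag false a refresh reissues the snapshot; with the flag true it re-reads the live claim store. The `TokenEndpoint` class, the `roles_after_refresh` scenario and the claim data are constructed for illustration (assumptions, not the product's implementation); refresh-token rotation, expiry and token signing are left out.

```python
"""Model of updateAccessTokenClaimsOnRefresh (added example; not Identify code).

Assumption: the token endpoint snapshots the user's claims at authentication and
binds that snapshot to the refresh token. flag=false reissues the snapshot,
flag=true re-reads the claim store. Rotation, expiry and signing are out of scope.
"""
from copy import deepcopy
from dataclasses import dataclass, field
import secrets


@dataclass
class TokenEndpoint:
    claim_store: dict                      # user id -> {claimType: [values]}, the live data
    update_access_token_claims_on_refresh: bool = False
    _refresh_tokens: dict = field(default_factory=dict)  # refresh token -> (user, snapshot)

    def authorize(self, user):
        """Authentication: issue an access token plus a refresh token bound to a claim snapshot."""
        snapshot = deepcopy(self.claim_store[user])
        refresh_token = secrets.token_urlsafe(16)
        self._refresh_tokens[refresh_token] = (user, snapshot)
        return {"access_token": {"sub": user, **snapshot}, "refresh_token": refresh_token}

    def refresh(self, refresh_token):
        """Token endpoint called with grant_type=refresh_token."""
        user, snapshot = self._refresh_tokens[refresh_token]
        if self.update_access_token_claims_on_refresh:
            claims = deepcopy(self.claim_store[user])   # 5.13 behaviour when enabled
        else:
            claims = snapshot                            # default: claims frozen at authentication
        return {"access_token": {"sub": user, **claims}, "refresh_token": refresh_token}


def roles_after_refresh(update_on_refresh):
    """Constructed scenario: alice loses the admin role between authentication and refresh."""
    store = {"alice": {"role": ["admin", "user"]}}
    endpoint = TokenEndpoint(store, update_access_token_claims_on_refresh=update_on_refresh)
    tokens = endpoint.authorize("alice")
    store["alice"]["role"].remove("admin")       # an administrator revokes the role in the store
    refreshed = endpoint.refresh(tokens["refresh_token"])
    return refreshed["access_token"]["role"]
```

The practical consequence: with the default false, a claim removed from the user (a revoked role, for instance) keeps appearing in access tokens for as long as the refresh token stays valid; enable the setting on connections where such changes must take effect at the next refresh.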
The OTP authentication connection configuration section model has a new enableRegisterWebAuthnFromMyProfile attribute, and its useAsSecondFactorOnly attribute can now be set to false when the connection uses WebAuthn only:

```json
{
  ...
  "configurations": [
    {
      ...
      "orderOfFactors": "WebAuthn",
      "useAsSecondFactorOnly": false,
      "enableRegisterWebAuthnFromMyProfile": true
      ...
    }
  ],
  ...
}
```

- Affected operations: POST /connections, PUT /connections.
- Behavior (applies to the OTP connection only):

Name | Description |
---|---|
useAsSecondFactorOnly | For OTP connections the default value is true, and the attribute can only be set to false when the orderOfFactors attribute is WebAuthn only. For other types of authentication connections the default value is false. |
enableRegisterWebAuthnFromMyProfile | When the orderOfFactors attribute contains the WebAuthn method, you can set this attribute to either true or false. Otherwise the REST API always resets it to false, whatever value you send in the request. |
Organization endpoint
The organization model has a new newName attribute (marked (*) below):

```json
{
  "displayName": "string",
  "name": "string",
  "accessOrganizationName": "string",
  "passwordExpiryDays": 0,
  "expiryDisallowLoginDays": 0,
  "minimumPasswordAge": 0,
  "forceResetPasswordDefaultValue": true,
  "id": "string",
  "description": "string",
  "newName": "string" (*)
}
```

- Affected operations: PUT /organizations. Other operations do not use the new attribute.
- Behavior: when the newName attribute has a value, it replaces the value of the name attribute after the PUT operation completes successfully.
Group endpoint
The Group model has a new newName attribute (marked (*) below):

```json
{
  "accessOrganizationName": "",
  "claimValues": [
    { "claimType": "", "value": "" }
  ],
  "name": "",
  "newName": "", (*)
  "description": ""
}
```

- Affected operations: PUT /groups. Other operations do not use the new attribute.
- Behavior: when the newName attribute has a value, it replaces the value of the name attribute after the PUT operation completes successfully.
Claim transformation endpoint
The ClaimTransformation model has a new newName attribute (marked (*) below):

```json
{
  "discreteClaims": [
    { "claimType": "string", "value": "string" }
  ],
  "freeClaims": [
    { "claimType": "string", "value": "string" }
  ],
  "conditionNotApplyToRegisteredUsers": true,
  "conditionNotApplyToUnregisteredUsers": true,
  "transformationType": "AddClaimValuesTransformation",
  "accessOrganizationName": "string",
  "conditionExpression": "string",
  "cultureCode": "string",
  "executeBeforeLoadingClaimsFromLocalStore": true,
  "notApplyAuthenticationConnectionNames": [ "string" ],
  "notApplyProtocolConnectionNames": [ "string" ],
  "name": "string",
  "newName": "string", (*)
  "description": "string"
}
```

- Affected operations: PUT /transformations. Other operations do not use the new attribute.
- Behavior: when the newName attribute has a value, it replaces the value of the name attribute after the PUT operation completes successfully.
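The connection, organization, group and claim transformation models all follow the same rename contract: PUT with a non-empty newName, and name takes that value once the request succeeds. The following is an added example (not Safewhere code) of a client-side helper that applies the rename and verifies the post-condition, plus a check a practitioner would want before renaming a connection: the Connection model refers to other connections by name in secondFactorAuthenticationConnectionName and dependencyConnectionNames, and the release notes do not say whether those references are rewritten. The `put` transport callable, `fake_put`, `RENAME_PATHS` and `SAMPLE_CONNECTIONS` are assumptions constructed for the example so that it runs offline.

```python
"""Rename helper for the 5.13 models that accept newName on PUT (connection,
organization, group, claim transformation). Added example, not Safewhere code.
Assumes the documented semantics: a non-empty newName replaces name once the
PUT succeeds. `put` is a hypothetical transport callable (path, payload) -> stored
object, injected so the code runs offline."""

RENAME_PATHS = {  # endpoints named in the release notes; the mapping itself is ours
    "connection": "/connections",
    "organization": "/organizations",
    "group": "/groups",
    "transformation": "/transformations",
}


def connection_references(connections, name):
    """List (connectionName, field) pairs of connections that refer to `name` through the
    name-based fields of the Connection model. Whether Identify rewrites such references
    when a connection is renamed is not stated in the release notes, so check first."""
    hits = []
    for conn in connections:
        if conn.get("secondFactorAuthenticationConnectionName") == name:
            hits.append((conn["name"], "secondFactorAuthenticationConnectionName"))
        if name in conn.get("dependencyConnectionNames", []):
            hits.append((conn["name"], "dependencyConnectionNames"))
    return hits


def rename(put, kind, obj, new_name):
    """PUT the object with newName set and verify that the server applied the rename."""
    new_name = new_name.strip()
    if not new_name:
        raise ValueError("newName must be non-empty; an empty value leaves name unchanged")
    if new_name == obj["name"]:
        return obj                       # nothing to do, avoid a needless PUT
    payload = {**obj, "newName": new_name}
    result = put(RENAME_PATHS[kind], payload)
    if result.get("name") != new_name:   # the documented post-condition of a successful PUT
        raise RuntimeError(
            f"rename of {obj['name']!r} did not take effect (server name={result.get('name')!r})")
    return result


def fake_put(path, payload):
    """Offline stand-in for PUT that behaves as the release notes describe."""
    stored = {k: v for k, v in payload.items() if k != "newName"}
    stored["name"] = payload["newName"]
    return stored


SAMPLE_CONNECTIONS = [  # constructed data; only the name-related fields are shown
    {"name": "corp-saml", "secondFactorAuthenticationConnectionName": "otp-sms",
     "dependencyConnectionNames": []},
    {"name": "otp-sms", "secondFactorAuthenticationConnectionName": "",
     "dependencyConnectionNames": []},
    {"name": "portal-oauth", "secondFactorAuthenticationConnectionName": "",
     "dependencyConnectionNames": ["corp-saml", "otp-sms"]},
]
```

Run `connection_references(connections, old_name)` against the full list from GET /connections before calling `rename`; if it returns anything, verify after the PUT that those connections still resolve their dependency, rather than assuming the server updated them.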
UserStatus endpoint
The user status model has a new userId attribute (marked (*) below):

```json
{
  "enabled": true,
  "identityClaim": { "type": "", "value": "" },
  "userId": "" (*)
}
```

- Affected operations: PUT /users/.batchStatus.
- Behavior: when the userId attribute has a value, the REST API uses the id (instead of the identityClaim) to find the user and update its status.
Certificate endpoint
The certificate model has new isExpired and willExpireInTheNext90Days attributes (marked (*) below):

```json
{
  "isInUse": false,
  "store": "",
  "version": 0,
  "friendlyName": "",
  "serialNumber": "",
  "signaturAlgorithm": "",
  "signatureAlgorithmValue": "",
  "validFrom": "",
  "validTo": "",
  "subject": "",
  "publicKeySignatureAlgorithm": "",
  "keyAlgorithm": "",
  "thumbprint": "",
  "isValid": false,
  "isExpired": false, (*)
  "willExpireInTheNext90Days": false, (*)
  "extensions": [
    { "key": "", "value": "" }
  ],
  "rawData": ""
}
```

- Affected operations: GET /certificate, GET /certificate/{thumbprint}.
- Behavior:

Name | Description |
---|---|
isExpired | Indicates whether the certificate has expired. |
willExpireInTheNext90Days | Indicates whether the certificate will expire within the next 90 days. |
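The two flags are what an operator wants for certificate monitoring, so here is an added example (not Safewhere code) of a triage script over a GET /certificate response: it recomputes both flags from validTo, reports any certificate whose server-side flags disagree with its dates, and lists the certificates that are in use and expired or expiring, which are the ones that need a rollover. `SAMPLE_CERTS`, `NOW` and the assumption that validFrom/validTo are ISO 8601 UTC timestamps are ours; the shape of the records follows the 5.13 certificate model above.

```python
"""Certificate expiry triage over the 5.13 certificate model (added example, not
Safewhere code). Assumes validTo is an ISO 8601 timestamp; naive values are read as UTC."""
from datetime import datetime, timedelta, timezone

EXPIRY_WINDOW = timedelta(days=90)   # the window behind willExpireInTheNext90Days


def parse_utc(text):
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def expiry_flags(cert, now):
    """Recompute (isExpired, willExpireInTheNext90Days) from the certificate's validTo."""
    valid_to = parse_utc(cert["validTo"])
    expired = valid_to <= now
    expiring_soon = (not expired) and valid_to <= now + EXPIRY_WINDOW
    return expired, expiring_soon


def triage(certs, now):
    """Return (thumbprints needing action, thumbprints whose server flags disagree with validTo).

    Action is needed for certificates that are still in use but expired or expiring within
    90 days; the mismatch list is a defensive cross-check of the flags against the dates."""
    needs_action, mismatched = [], []
    for cert in certs:
        expired, expiring_soon = expiry_flags(cert, now)
        server_flags = (cert.get("isExpired"), cert.get("willExpireInTheNext90Days"))
        if server_flags != (expired, expiring_soon):
            mismatched.append(cert["thumbprint"])
        if cert.get("isInUse") and (expired or expiring_soon):
            needs_action.append(cert["thumbprint"])
    return needs_action, mismatched


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the example is reproducible

SAMPLE_CERTS = [  # constructed records; thumbprints shortened for readability
    {"thumbprint": "A1", "friendlyName": "token-signing-2023", "isInUse": True,
     "validFrom": "2023-07-15T00:00:00Z", "validTo": "2024-07-15T00:00:00Z",
     "isValid": True, "isExpired": False, "willExpireInTheNext90Days": True},
    {"thumbprint": "B2", "friendlyName": "token-signing-2024", "isInUse": True,
     "validFrom": "2024-05-01T00:00:00Z", "validTo": "2025-05-01T00:00:00Z",
     "isValid": True, "isExpired": False, "willExpireInTheNext90Days": False},
    {"thumbprint": "C3", "friendlyName": "token-signing-2022", "isInUse": False,
     "validFrom": "2022-05-01T00:00:00Z", "validTo": "2023-05-01T00:00:00Z",
     "isValid": False, "isExpired": True, "willExpireInTheNext90Days": False},
    # constructed to show the cross-check: flags say "not expired" but validTo is in the past
    {"thumbprint": "D4", "friendlyName": "sp-encryption", "isInUse": True,
     "validFrom": "2022-06-01T00:00:00Z", "validTo": "2024-05-20T00:00:00Z",
     "isValid": False, "isExpired": False, "willExpireInTheNext90Days": False},
]
```

Wire `triage` to the output of GET /certificate on a schedule and alert on a non-empty first list; treat a non-empty second list as a reason to inspect the certificate store rather than trust cached flags.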
Users endpoint
The obsolete operation GET /users/webauthns has been removed.

The Authenticator model has a new secondFactorConnectionDescription attribute (marked (*) below):

```json
{
  "enabledAuthenticator": false,
  "mfaMethod": 0,
  "deviceRegistrations": null,
  "userId": "",
  "firstFactorConnectionName": "",
  "secondFactorConnectionName": "",
  "secondFactorConnectionDescription": "" (*)
}
```

- Affected operations: GET /users/authenticators.
- Behavior: returns the description text of the second factor connection. If the description is configured in multiple languages, the normal browser-language and fallback rules apply.
System Setup endpoint
The System Setup model has new attributes for scheduled signing certificate rollover and for user self-service settings:

```json
{
  ...,
  "secondarySigningCertificate": {
    "isSelfSigned": false,
    "revocationCheck": "None",
    "storeReference": {
      "storeName": "My",
      "storeLocation": "LocalMachine"
    },
    "findCriterion": {
      "findType": "FindByThumbprint",
      "value": ""
    }
  },
  "promoteSecondaryCertificateToPrimaryAt": null,
  "secondaryCertificateRetentionDays": 5,
  "signingCertificateRolloverCron": "0 * * * *",
  "secondaryAzureKeyVault": {
    "azureKeyVaultEnable": false,
    "useManagedIdentity": false,
    "azureTenantId": "",
    "azureClientId": "",
    "azureClientSecret": "",
    "azureKeyVaultUrl": "",
    "azureKeyVaultKeyName": "",
    "base64Certificate": "",
    "keyVaultMode": "Certificate"
  },
  "userSelfServiceSettings": {
    "canResetPassword": false,
    "canEditDisplayName": false,
    "canEditUserCertificate": false,
    "canManageWebAuthn": false,
    "canManageTOTPAuthenticator": false,
    "canEditUserProfile": false
  }
}
```

Name | Description |
---|---|
secondarySigningCertificate | The secondary signing certificate that will replace the current signing certificate at a specified time in the future. |
promoteSecondaryCertificateToPrimaryAt | The time stamp (UTC) at which Identify promotes the secondary certificate to primary. |
secondaryCertificateRetentionDays | The number of days Identify retains the demoted certificate after the promotion. |
signingCertificateRolloverCron | The cron expression that schedules the background job which promotes the secondary certificate. A quick editor for cron schedule expressions is available at https://crontab.guru/examples.html. |
secondaryAzureKeyVault | The Azure Key Vault connection details used to obtain the secondary signing certificate. |
userSelfServiceSettings.canResetPassword | Users can change their password in the IdentifyMe application. |
userSelfServiceSettings.canEditDisplayName | Users can edit their display name in the IdentifyMe application. |
userSelfServiceSettings.canEditUserCertificate | Users can edit their certificates in the IdentifyMe application. |
userSelfServiceSettings.canManageWebAuthn | Users can reset or register their WebAuthn authenticators in the IdentifyMe application. |
userSelfServiceSettings.canManageTOTPAuthenticator | Users can reset or register their TOTP authenticators in the IdentifyMe application. |
userSelfServiceSettings.canEditUserProfile | Users can access their profile page in the IdentifyMe application. Whether they can edit display names and claims on that page depends on the other settings. |
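The rollover is driven by three values together: the cron schedule decides when the job runs, promoteSecondaryCertificateToPrimaryAt decides from when a run may promote, and the retention days decide how long the demoted certificate stays available. The following added example (not Safewhere code) computes the resulting timeline from a System Setup fragment so an operator can see the actual cutover tick and how long relying parties must still accept the old certificate. It assumes the job promotes at the first cron tick at or after the UTC timestamp and that a timestamp already in the past fires at the next tick; the cron parser treats day-of-month and day-of-week as both required to match (the cron OR rule for two restricted fields is not modelled). `SAMPLE_SETUP`, `NOW` and the thumbprint value are constructed.

```python
"""Signing-certificate rollover timeline for the 5.13 System Setup model.
Added example, not Safewhere code. Assumption: the job promotes at the first
cron tick at or after promoteSecondaryCertificateToPrimaryAt (UTC) and the
demoted certificate is kept for secondaryCertificateRetentionDays."""
from datetime import datetime, timedelta, timezone


def _cron_field(spec, lo, hi):
    """Expand one cron field ('*', 'a', 'a-b', '*/n', 'a-b/n', comma lists) to a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = hi if step > 1 else start
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"cron field {spec!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    return (_cron_field(fields[0], 0, 59), _cron_field(fields[1], 0, 23),
            _cron_field(fields[2], 1, 31), _cron_field(fields[3], 1, 12),
            {d % 7 for d in _cron_field(fields[4], 0, 7)})   # 0 and 7 are both Sunday


def next_cron_run(expr, after):
    """First tick of `expr` at or after `after` (timezone-aware datetime)."""
    minutes, hours, days, months, weekdays = parse_cron(expr)
    t = after.replace(second=0, microsecond=0)
    if t < after:
        t += timedelta(minutes=1)
    deadline = t + timedelta(days=366)
    while t < deadline:   # day-of-month and day-of-week must both match (see lead-in)
        if t.month not in months or t.day not in days or (t.weekday() + 1) % 7 not in weekdays:
            t = (t + timedelta(days=1)).replace(hour=0, minute=0)   # skip to next day
        elif t.hour not in hours:
            t = (t + timedelta(hours=1)).replace(minute=0)          # skip to next hour
        elif t.minute not in minutes:
            t += timedelta(minutes=1)
        else:
            return t
    raise ValueError(f"{expr!r} never fires within a year of {after.isoformat()}")


def parse_utc(text):
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def rollover_timeline(setup, now):
    """Return (promotion tick, end of retention of the demoted certificate), or None."""
    promote_at = setup.get("promoteSecondaryCertificateToPrimaryAt")
    if promote_at is None:
        return None                                  # no rollover scheduled
    criterion = setup["secondarySigningCertificate"]["findCriterion"]
    if criterion["findType"] == "FindByThumbprint" and not criterion["value"]:
        raise ValueError("rollover is scheduled but no secondary certificate thumbprint is set")
    earliest = max(parse_utc(promote_at), now)       # a past timestamp fires at the next tick
    tick = next_cron_run(setup["signingCertificateRolloverCron"], earliest)
    return tick, tick + timedelta(days=setup["secondaryCertificateRetentionDays"])


NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)   # fixed clock for reproducibility
SAMPLE_SETUP = {  # constructed fragment of the System Setup model
    "secondarySigningCertificate": {
        "isSelfSigned": False, "revocationCheck": "None",
        "storeReference": {"storeName": "My", "storeLocation": "LocalMachine"},
        "findCriterion": {"findType": "FindByThumbprint",
                          "value": "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D"},
    },
    "promoteSecondaryCertificateToPrimaryAt": "2024-06-01T10:25:00Z",
    "secondaryCertificateRetentionDays": 5,
    "signingCertificateRolloverCron": "0 * * * *",
}
```

With the sample values the promotion does not happen at 10:25 but at the 11:00 tick, and the demoted certificate remains until 11:00 five days later; a coarser cron (for instance a weekly schedule) moves the cutover correspondingly further from the configured timestamp, so check the computed tick against the window in which federation partners will have loaded the new metadata.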
New UniqueFreeUserClaimValue endpoints
These endpoints let you manage constraints that enforce uniqueness of the values of a free claim definition at the database layer.
- POST /uniquefreeuserclaimvalues: create a uniqueness constraint for a free claim definition, identified by claimType.
- GET /uniquefreeuserclaimvalues: retrieve all free claim definition constraints.
- DELETE /uniquefreeuserclaimvalues: delete all free claim definition constraints.
- DELETE /uniquefreeuserclaimvalues/{claimType}: delete the constraint for the given claimType.