This document summarizes all changes made to Identify REST API for version 5.13.
Audit log endpoint
The AuditUserCreated and AuditUserUpdated models have a new author attribute which contains name of the user who caused those events to happen.
|
1 2 3 4 5 6 |
{ ... "eventType": "InsertUser", "author": "" ... } |
|
1 2 3 4 5 6 |
{ ... "eventType": "UpdateUser", "author": "" ... } |
- Affected operations:
GET /auditlogs/auditusercreated,GET /auditlogs/audituserupdated. - Behavior: the returned object has the new
authorattribute.
There are also new endpoints to get audit data:
- AuditCorrelationError:
GET /auditlogs/auditcorrelationerror - AuditAuthenticationContextMethodClass:
GET /auditlogs/auditauthenticationcontextmethodclass - AuditAttributeServiceConnection:
GET /auditlogs/auditattributeserviceconnection - AuditPersistentPseudonym:
GET /auditlogs/auditpersistentpseudonym - AuditApprovedConsent:
GET /auditlogs/auditapprovedconsent
Claim definition endpoint
The ClaimDefinition model has a new newClaimType attribute:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
{ "claimType": "string", "accessOrganizationName": "string", "description": "string", "userEditable": true, "friendlyName": "string", "sensitive": true, "showAsColumnOnUserList": true, "countSpecification": "string", "variableName": "string", "restrictedSubOrganizationView": true, "avoidIssue": true, "publishToSPMetadata": true, "publishToIdPMetadata": true, "claimValueSpace": "string", "newClaimtype": "string", (*) "name": "string" } |
- Affected operations:
PUT /claimsdefinitions. Other operations do not use the new attribute. - Behavior: when the
newClaimTypeattribute has a value, it will replace the value ofclaimTypeattribute after thePUToperation is executed successfully.
Connections endpoint
The Connection model has a new newName attribute:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
{ "doNotRegisterUsers": true, "allowUserAutoRegistration": true, "secondFactorAuthenticationConnectionName": "string", "twoFactorIdentitiesCondition": "string", "bearingClaimType": "string", "disallowDisabledUsersFromAuthentication": true, "organizationNameOfAutoCreatedUsers": "string", "userTemplateClaims": [ { "claimType": "string", "value": "string" } ], "issuesRoles": true, "allowedIpAddresses": "string", "enabled": true, "accessOrganizationName": "string", "dependencyConnectionNames": [ "string" ], "claimSets": [ "string" ], "claimTransformations": [ "string" ], "configurations": [], "pluginType": "Saml20", "connectionName": "string", "organizationName": "string", "connectionType": "Authentication", "metadataReference": { "acceptUntrustedCertificate": true, "isImportToStore": true, "isUploadMetadataFromUri": true, "metadataFileUri": "string", "metadataXml": "string", "skipVerifySignature": true, "storeLocation": "string", "storeName": "string" }, "autoSetAllDependencyConnections": true, "name": "string", "newName": "string", (*) "description": "string" } |
- Affected operations:
PUT /connections. Other operations do not use the new attribute. - Behavior: when the
newNameattribute has a value, it will replace the value ofnameattribute after thePUToperation is executed successfully.
The OAuth protocol connection configuration section model has a new updateAccessTokenClaimsOnRefresh attribute:
|
1 2 3 4 5 6 7 8 9 10 11 |
{ ... "configurations": [ { ... "updateAccessTokenClaimsOnRefresh": false, ... } ], ... } |
- Affected operations:
POST /connections,PUT /connections. - Behavior: When the value of
updateAccessTokenClaimsOnRefreshattribute is not specify then its default value isfalse. Afalsevalue causes no changes in access token's claims when a client uses a refresh token to exchange for an access token which ensures backward compatibility. You can refer to the Release note 5.13 for more information about the new Update user claims on access token when calling the token endpoint with a refresh token feature.
The OTP authentication connection configuration section model has a new enableRegisterWebAuthnFromMyProfile attribute. Its useAsSecondFactorOnly attribute now can be set to false in some circumstances:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
{ ... "configurations": [ { ... "orderOfFactors": "WebAuthn", "useAsSecondFactorOnly": false, "enableRegisterWebAuthnFromMyProfile": true ... } ], ... } |
- Affected operations:
POST /connections,PUT /connections. -
Behavior (apply to the OTP connection only):
Name Description useAsSecondFactorOnly For OTP connections, the default value is true and this attribute can only be set to falsewhen the value of theorderOfFactorsattribute isWebAuthnonly. For other types of authentication connections, the default value isfalseenableRegisterWebAuthnFromMyProfile When the value of the orderOfFactorsattribute contains theWebAuthnmethod, you can set this attribute to eithertrueorfalse. Otherwise, REST API will always reset the attribute tofalseno matter what value you set it in your REST API's request.
Organization endpoint
-
The organization model has a new
newNameattribute:123456789101112{"displayName": "string","name": "string","accessOrganizationName": "string","passwordExpiryDays": 0,"expiryDisallowLoginDays": 0,"minimumPasswordAge": 0,"forceResetPasswordDefaultValue": true,"id": "string","description": "string","newName": "string" (*)} -
Affected operations:
PUT /organizations. Other operations do not use the new attribute. -
Behavior: when the
newNameattribute has a value, it will replace the value ofnameattribute after thePUToperation is executed successfully.
Group endpoint
-
The Group model has a new
newNameattribute:123456789101112{"accessOrganizationName": "","claimValues": [{"claimType": "","value": ""}],"name": "","newName": "", (*)"description": "",} -
Affected operations:
PUT /groups. Other operations do not use the new attribute. -
Behavior: when the
newNameattribute has a value, it will replace the value ofnameattribute after thePUToperation is executed successfully.
Claim transformation endpoint
The ClaimTransformation model has a new newName attribute:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
{ "discreteClaims": [ { "claimType": "string", "value": "string" } ], "freeClaims": [ { "claimType": "string", "value": "string" } ], "conditionNotApplyToRegisteredUsers": true, "conditionNotApplyToUnregisteredUsers": true, "transformationType": "AddClaimValuesTransformation", "accessOrganizationName": "string", "conditionExpression": "string", "cultureCode": "string", "executeBeforeLoadingClaimsFromLocalStore": true, "notApplyAuthenticationConnectionNames": [ "string" ], "notApplyProtocolConnectionNames": [ "string" ], "name": "string", "newName": "string", (*) "description": "string" } |
- Affected operations:
PUT /transformations. Other operations do not use the new attribute. - Behavior: when the
newNameattribute has a value, it will replace the value ofnameattribute after thePUToperation is executed successfully.
UserStatus endpoint
The user status model has a new userId attribute:
|
1 2 3 4 5 6 7 8 |
{ "enabled": true, "identityClaim": { "type": "", "value": "" }, "userId": "" (*) } |
- Affected operations:
PUT /users/.batchStatus. - Behavior: when the
userIdattribute has a value, REST API will use the id (instead of theidentityClaim) to find a user and update its status.
Certificate endpoint
The certificate model has a new isExpired and willExpireInTheNext90Days attributes:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
{ "isInUse": false, "store": "", "version": 0, "friendlyName": "", "serialNumber": "", "signaturAlgorithm": "", "signatureAlgorithmValue": "", "validFrom": "", "validTo": "", "subject": "", "publicKeySignatureAlgorithm": "", "keyAlgorithm": "", "thumbprint": "", "isValid": false, "isExpired": false, (*) "willExpiredInTheNext90Days": false, (*) "extensions": [ { "key": "", "value": "" } ], "rawData": "" } |
- Affected operations:
GET /certificate,GET /certificate/{thumbprint}. -
Behavior:
Name Description isExpired Specify whether a certificate is expired. willExpireInTheNext90Days Specify whether a certificate will expire in the next 90 days.
Users endpoint
Remove the obsolete API: GET /users/webauthns
The Authenticator model has a new secondFactorConnectionDescription attribute:
|
1 2 3 4 5 6 7 8 9 |
{ "enabledAuthenticator": false, "mfaMethod": 0, "deviceRegistrations": null, "userId": "", "firstFactorConnectionName": "", "secondFactorConnectionName": "", "secondFactorConnectionDescription": "" (*) } |
- Affected operations:
GET /users/authenticators. -
Behavior: return the description text of a second factor connection. If the description is configured in multiple languages, normal browser-language and fallback rules apply.
System Setup endpoint
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
{ ..., "secondarySigningCertificate": { "isSelfSigned": false, "revocationCheck": "None", "storeReference": { "storeName": "My", "storeLocation": "LocalMachine" }, "findCriterion": { "findType": "FindByThumbprint", "value": "" } }, "promoteSecondaryCertificateToPrimaryAt": null, "secondaryCertificateRetentionDays": 5, "signingCertificateRolloverCron": "0 * * * *", "secondaryAzureKeyVault": { "azureKeyVaultEnable": false, "useManagedIdentity": false, "azureTenantId": "", "azureClientId": "", "azureClientSecret": "", "azureKeyVaultUrl": "", "azureKeyVaultKeyName": "", "base64Certificate": "", "keyVaultMode": "Certificate" }, "userSelfServiceSettings": { "canResetPassword": false, "canEditDisplayName": false, "canEditUserCertificate": false, "canManageWebAuthn": false, "canManageTOTPAuthenticator": false, "canEditUserProfile": false } } |
| Name | Description |
|---|---|
| secondarySigningCertificate | The secondary Signing certificate is used to rollover the current signing certificate at a specific time in future. |
| promoteSecondaryCertificateToPrimaryAt | Specifies the specific time stamp (UTC) when Identify will promote the secondary certificate to be the primary one. |
| secondaryCertificateRetentionDays | Specifies the number of days that Identify needs to retain the demoted secondary certificate. |
| signingCertificateRolloverCron | The cron expression to schedule the background job to promote the secondary certificate. The quick and simple editor for cron schedule expressions can be found at https://crontab.guru/examples.html. |
| secondaryAzureKeyVault | The Azure key vault details data to connect to Azure Key Vault service for the secondary signing certificate.. |
| userSelfServiceSettings.canResetPassword | Specifies that user can change the password on IdentifyMe application. |
| userSelfServiceSettings.canEditDisplayName | Users can edit their display names on the IdentifyMe application. |
| userSelfServiceSettings.canEditUserCertificate | Users can edit their certificates on the IdentifyMe application. |
| userSelfServiceSettings.canManageWebAuthn | Users can reset or register their WebAuthn authenticators on the IdentifyMe application. |
| userSelfServiceSettings.canManageTOTPAuthenticator | Users can reset or register their TOTP authenticators on the IdentifyMe application. |
| userSelfServiceSettings.canEditUserProfile | Users can access their profile pages on the IdentifyMe application. Whether they can edit display names and claims on the profile page depends on other settings. |
New UniqueFreeUserClaimValue endpoints
Those endpoints allows you to manage constraints that ensures uniqueness of values of a free claim definition at the database layer.
POST /uniquefreeuserclaimvalues: create a new free claim definition constraint by claimType.GET /uniquefreeuserclaimvalues: retrieve all free claim definition constraints.DELETE /uniquefreeuserclaimvalues: delete all free claim definition constraints.DELETE /uniquefreeuserclaimvalues/{claimType}: delete a free claim definition constraint by claimType.