Amster

UmaProvider

Realm Operations

Resource path:

/realm-config/services/uma

Resource version: 1.0

create

Usage

am> create UmaProvider --realm Realm --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "generalSettings" : {
      "type" : "object",
      "title" : "General",
      "propertyOrder" : 0,
      "properties" : {
        "usernameAttribute" : {
          "title" : "Username attribute",
          "description" : "Specify the name of the attribute whose value needs to be specified by end-users when sharing resources. For example when Alice wants to share a resource with Bob, and the username Bob is only stored under the <pre>uid</pre> attribute in the data store, set this setting to <pre>uid</pre>. When left unspecified, AM will fall back to using the data store's search attribute instead. Changing this setting may invalidate existing UMA authorizations.",
          "propertyOrder" : 1000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "emailRequestingPartyOnPendingRequestApproval" : {
          "title" : "Email Requesting Party on Pending Request approval",
          "description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "grantResourceOwnerImplicitConsent" : {
          "title" : "Grant Resource Owner Implicit Consent",
          "description" : "Specifies whether the resource owner is implicitly granted access to the resource, regardless of policy conditions.",
          "propertyOrder" : 650,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "grantRptConditions" : {
          "title" : "Grant RPTs...",
          "description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section onAuthorization Assessment and Results Determination.",
          "propertyOrder" : 900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "resharingMode" : {
          "title" : "Re-Sharing Mode",
          "description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resources that have been shared with them.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userProfileLocaleAttribute" : {
          "title" : "User profile preferred Locale attribute",
          "description" : "User profile attribute storing the user's preferred locale.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "deletePoliciesOnDeleteRS" : {
          "title" : "Delete user policies when Resource Server is removed",
          "description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "deleteResourceSetsOnDeleteRS" : {
          "title" : "Delete resources when Resource Server is removed",
          "description" : "Delete all resources that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "emailResourceOwnerOnPendingRequestCreation" : {
          "title" : "Email Resource Owner on Pending Request creation",
          "description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created when a Requesting Party requests authorization to a resource.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "permissionTicketLifetime" : {
          "title" : "Permission Ticket Lifetime (seconds)",
          "description" : "The maximum life of a permission ticket before it expires, in seconds.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "pendingRequestsEnabled" : {
          "title" : "Pending Requests Enabled",
          "description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.",
          "propertyOrder" : 450,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "claimsGathering" : {
      "type" : "object",
      "title" : "Claims Gathering",
      "propertyOrder" : 1,
      "properties" : {
        "pctLifetime" : {
          "title" : "Persisted Claims Token Lifetime (seconds)",
          "description" : "The time in seconds a persisted claims token is valid for.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "interactiveClaimsGatheringEnabled" : {
          "title" : "Interactive Claims Gathering Enabled",
          "description" : "When enabled, in the absence of a Persisted Claims Token (PCT) on the request, the UMA provider will return a redirect_user hint to the client where the requesting party can authenticate themselves. Interactive Claims Gathering also enables the issuance of Persisted Claims Tokens (PCT), which clients can use later on during RPT flows, so that users don't have to go through the interactive claims gathering process too frequently.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "claimsGatheringService" : {
          "title" : "Claims Gathering Authentication Tree",
          "description" : "Select the authentication tree to be used for interactive claims gathering. Ideally the authentication tree should collect all claims necessary for the UMA authorization to be successful.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

delete

Usage

am> delete UmaProvider --realm Realm

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action UmaProvider --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action UmaProvider --realm Realm --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action UmaProvider --realm Realm --actionName nextdescendents

read

Usage

am> read UmaProvider --realm Realm

update

Usage

am> update UmaProvider --realm Realm --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "generalSettings" : {
      "type" : "object",
      "title" : "General",
      "propertyOrder" : 0,
      "properties" : {
        "usernameAttribute" : {
          "title" : "Username attribute",
          "description" : "Specify the name of the attribute whose value needs to be specified by end-users when sharing resources. For example when Alice wants to share a resource with Bob, and the username Bob is only stored under the <pre>uid</pre> attribute in the data store, set this setting to <pre>uid</pre>. When left unspecified, AM will fall back to using the data store's search attribute instead. Changing this setting may invalidate existing UMA authorizations.",
          "propertyOrder" : 1000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "emailRequestingPartyOnPendingRequestApproval" : {
          "title" : "Email Requesting Party on Pending Request approval",
          "description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "grantResourceOwnerImplicitConsent" : {
          "title" : "Grant Resource Owner Implicit Consent",
          "description" : "Specifies whether the resource owner is implicitly granted access to the resource, regardless of policy conditions.",
          "propertyOrder" : 650,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "grantRptConditions" : {
          "title" : "Grant RPTs...",
          "description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section onAuthorization Assessment and Results Determination.",
          "propertyOrder" : 900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "resharingMode" : {
          "title" : "Re-Sharing Mode",
          "description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resources that have been shared with them.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userProfileLocaleAttribute" : {
          "title" : "User profile preferred Locale attribute",
          "description" : "User profile attribute storing the user's preferred locale.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "deletePoliciesOnDeleteRS" : {
          "title" : "Delete user policies when Resource Server is removed",
          "description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "deleteResourceSetsOnDeleteRS" : {
          "title" : "Delete resources when Resource Server is removed",
          "description" : "Delete all resources that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "emailResourceOwnerOnPendingRequestCreation" : {
          "title" : "Email Resource Owner on Pending Request creation",
          "description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created when a Requesting Party requests authorization to a resource.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "permissionTicketLifetime" : {
          "title" : "Permission Ticket Lifetime (seconds)",
          "description" : "The maximum life of a permission ticket before it expires, in seconds.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "pendingRequestsEnabled" : {
          "title" : "Pending Requests Enabled",
          "description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.",
          "propertyOrder" : 450,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "claimsGathering" : {
      "type" : "object",
      "title" : "Claims Gathering",
      "propertyOrder" : 1,
      "properties" : {
        "pctLifetime" : {
          "title" : "Persisted Claims Token Lifetime (seconds)",
          "description" : "The time in seconds a persisted claims token is valid for.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "interactiveClaimsGatheringEnabled" : {
          "title" : "Interactive Claims Gathering Enabled",
          "description" : "When enabled, in the absence of a Persisted Claims Token (PCT) on the request, the UMA provider will return a redirect_user hint to the client where the requesting party can authenticate themselves. Interactive Claims Gathering also enables the issuance of Persisted Claims Tokens (PCT), which clients can use later on during RPT flows, so that users don't have to go through the interactive claims gathering process too frequently.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "claimsGatheringService" : {
          "title" : "Claims Gathering Authentication Tree",
          "description" : "Select the authentication tree to be used for interactive claims gathering. Ideally the authentication tree should collect all claims necessary for the UMA authorization to be successful.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

Global Operations

Resource path:

/global-config/services/uma

Resource version: 1.0

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action UmaProvider --global --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action UmaProvider --global --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action UmaProvider --global --actionName nextdescendents

read

Usage

am> read UmaProvider --global

update

Usage

am> update UmaProvider --global --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "umaPolicyUpgradeCompatibilityMode" : {
      "title" : "UMA Policy Upgrade Compatibility Mode",
      "description" : "When upgrade compatibility mode is enabled, AM will create backwards-compatible UMA policies. <br><br>Use this setting when you are upgrading multiple AM instances in a deployment at different times. Enable this option for upgrades from servers prior to 7.2.0.Disable this option once all AM instances have been upgraded.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "defaults" : {
      "properties" : {
        "claimsGathering" : {
          "type" : "object",
          "title" : "Claims Gathering",
          "propertyOrder" : 1,
          "properties" : {
            "interactiveClaimsGatheringEnabled" : {
              "title" : "Interactive Claims Gathering Enabled",
              "description" : "When enabled, in the absence of a Persisted Claims Token (PCT) on the request, the UMA provider will return a redirect_user hint to the client where the requesting party can authenticate themselves. Interactive Claims Gathering also enables the issuance of Persisted Claims Tokens (PCT), which clients can use later on during RPT flows, so that users don't have to go through the interactive claims gathering process too frequently.",
              "propertyOrder" : 1100,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "pctLifetime" : {
              "title" : "Persisted Claims Token Lifetime (seconds)",
              "description" : "The time in seconds a persisted claims token is valid for.",
              "propertyOrder" : 1300,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "claimsGatheringService" : {
              "title" : "Claims Gathering Authentication Tree",
              "description" : "Select the authentication tree to be used for interactive claims gathering. Ideally the authentication tree should collect all claims necessary for the UMA authorization to be successful.",
              "propertyOrder" : 1200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "generalSettings" : {
          "type" : "object",
          "title" : "General",
          "propertyOrder" : 0,
          "properties" : {
            "deletePoliciesOnDeleteRS" : {
              "title" : "Delete user policies when Resource Server is removed",
              "description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
              "propertyOrder" : 300,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "userProfileLocaleAttribute" : {
              "title" : "User profile preferred Locale attribute",
              "description" : "User profile attribute storing the user's preferred locale.",
              "propertyOrder" : 700,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "deleteResourceSetsOnDeleteRS" : {
              "title" : "Delete resources when Resource Server is removed",
              "description" : "Delete all resources that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.",
              "propertyOrder" : 400,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "grantRptConditions" : {
              "title" : "Grant RPTs...",
              "description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section onAuthorization Assessment and Results Determination.",
              "propertyOrder" : 900,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "grantResourceOwnerImplicitConsent" : {
              "title" : "Grant Resource Owner Implicit Consent",
              "description" : "Specifies whether the resource owner is implicitly granted access to the resource, regardless of policy conditions.",
              "propertyOrder" : 650,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "emailResourceOwnerOnPendingRequestCreation" : {
              "title" : "Email Resource Owner on Pending Request creation",
              "description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created when a Requesting Party requests authorization to a resource.",
              "propertyOrder" : 500,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "resharingMode" : {
              "title" : "Re-Sharing Mode",
              "description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resources that have been shared with them.",
              "propertyOrder" : 800,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "usernameAttribute" : {
              "title" : "Username attribute",
              "description" : "Specify the name of the attribute whose value needs to be specified by end-users when sharing resources. For example when Alice wants to share a resource with Bob, and the username Bob is only stored under the <pre>uid</pre> attribute in the data store, set this setting to <pre>uid</pre>. When left unspecified, AM will fall back to using the data store's search attribute instead. Changing this setting may invalidate existing UMA authorizations.",
              "propertyOrder" : 1000,
              "required" : false,
              "type" : "string",
              "exampleValue" : ""
            },
            "emailRequestingPartyOnPendingRequestApproval" : {
              "title" : "Email Requesting Party on Pending Request approval",
              "description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.",
              "propertyOrder" : 600,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "permissionTicketLifetime" : {
              "title" : "Permission Ticket Lifetime (seconds)",
              "description" : "The maximum life of a permission ticket before it expires, in seconds.",
              "propertyOrder" : 200,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "pendingRequestsEnabled" : {
              "title" : "Pending Requests Enabled",
              "description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.",
              "propertyOrder" : 450,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}
Copyright © 2010-2022 ForgeRock, all rights reserved.