UmaProvider
Realm Operations
Resource path:
/realm-config/services/uma
Resource version: 1.0
create
Usage
am> create UmaProvider --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "generalSettings" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "grantRptConditions" : { "title" : "Grant RPTs...", "description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section on Authorization Assessment and Results Determination.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "grantResourceOwnerImplicitConsent" : { "title" : "Grant Resource Owner Implicit Consent", "description" : "Specifies whether the resource owner is implicitly granted access to the resource, regardless of policy conditions.", "propertyOrder" : 650, "required" : true, "type" : "boolean", "exampleValue" : "" }, "permissionTicketLifetime" : { "title" : "Permission Ticket Lifetime (seconds)", "description" : "The maximum life of a permission ticket before it expires, in seconds.", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "pendingRequestsEnabled" : { "title" : "Pending Requests Enabled", "description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.", "propertyOrder" : 450, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deleteResourceSetsOnDeleteRS" : { "title" : "Delete resources when Resource Server is removed", "description" : "Delete all resources that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.", "propertyOrder" : 400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deletePoliciesOnDeleteRS" : { "title" : "Delete user policies 
when Resource Server is removed", "description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userProfileLocaleAttribute" : { "title" : "User profile preferred Locale attribute", "description" : "User profile attribute storing the user's preferred locale.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "emailResourceOwnerOnPendingRequestCreation" : { "title" : "Email Resource Owner on Pending Request creation", "description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created when a Requesting Party requests authorization to a resource.", "propertyOrder" : 500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "resharingMode" : { "title" : "Re-Sharing Mode", "description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resources that have been shared with them.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "usernameAttribute" : { "title" : "Username attribute", "description" : "Specify the name of the attribute whose value needs to be specified by end-users when sharing resources. For example when Alice wants to share a resource with Bob, and the username Bob is only stored under the <pre>uid</pre> attribute in the data store, set this setting to <pre>uid</pre>. When left unspecified, AM will fall back to using the data store's search attribute instead. 
Changing this setting may invalidate existing UMA authorizations.", "propertyOrder" : 1000, "required" : false, "type" : "string", "exampleValue" : "" }, "emailRequestingPartyOnPendingRequestApproval" : { "title" : "Email Requesting Party on Pending Request approval", "description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "claimsGathering" : { "type" : "object", "title" : "Claims Gathering", "propertyOrder" : 1, "properties" : { "interactiveClaimsGatheringEnabled" : { "title" : "Interactive Claims Gathering Enabled", "description" : "When enabled, in the absence of a Persisted Claims Token (PCT) on the request, the UMA provider will return a redirect_user hint to the client where the requesting party can authenticate themselves. Interactive Claims Gathering also enables the issuance of Persisted Claims Tokens (PCT), which clients can use later on during RPT flows, so that users don't have to go through the interactive claims gathering process too frequently.", "propertyOrder" : 1100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "claimsGatheringService" : { "title" : "Claims Gathering Authentication Tree", "description" : "Select the authentication tree to be used for interactive claims gathering. Ideally the authentication tree should collect all claims necessary for the UMA authorization to be successful.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "pctLifetime" : { "title" : "Persisted Claims Token Lifetime (seconds)", "description" : "The time in seconds a persisted claims token is valid for.", "propertyOrder" : 1300, "required" : true, "type" : "integer", "exampleValue" : "" } } } } }
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action UmaProvider --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action UmaProvider --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action UmaProvider --realm Realm --actionName nextdescendents
update
Usage
am> update UmaProvider --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "generalSettings" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "grantRptConditions" : { "title" : "Grant RPTs...", "description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. For more information, see the UMA Grant Type specification section on Authorization Assessment and Results Determination.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "grantResourceOwnerImplicitConsent" : { "title" : "Grant Resource Owner Implicit Consent", "description" : "Specifies whether the resource owner is implicitly granted access to the resource, regardless of policy conditions.", "propertyOrder" : 650, "required" : true, "type" : "boolean", "exampleValue" : "" }, "permissionTicketLifetime" : { "title" : "Permission Ticket Lifetime (seconds)", "description" : "The maximum life of a permission ticket before it expires, in seconds.", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "pendingRequestsEnabled" : { "title" : "Pending Requests Enabled", "description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.", "propertyOrder" : 450, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deleteResourceSetsOnDeleteRS" : { "title" : "Delete resources when Resource Server is removed", "description" : "Delete all resources that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.", "propertyOrder" : 400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deletePoliciesOnDeleteRS" : { "title" : "Delete user policies 
when Resource Server is removed", "description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "userProfileLocaleAttribute" : { "title" : "User profile preferred Locale attribute", "description" : "User profile attribute storing the user's preferred locale.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "emailResourceOwnerOnPendingRequestCreation" : { "title" : "Email Resource Owner on Pending Request creation", "description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created when a Requesting Party requests authorization to a resource.", "propertyOrder" : 500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "resharingMode" : { "title" : "Re-Sharing Mode", "description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resources that have been shared with them.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "usernameAttribute" : { "title" : "Username attribute", "description" : "Specify the name of the attribute whose value needs to be specified by end-users when sharing resources. For example when Alice wants to share a resource with Bob, and the username Bob is only stored under the <pre>uid</pre> attribute in the data store, set this setting to <pre>uid</pre>. When left unspecified, AM will fall back to using the data store's search attribute instead. 
Changing this setting may invalidate existing UMA authorizations.", "propertyOrder" : 1000, "required" : false, "type" : "string", "exampleValue" : "" }, "emailRequestingPartyOnPendingRequestApproval" : { "title" : "Email Requesting Party on Pending Request approval", "description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "claimsGathering" : { "type" : "object", "title" : "Claims Gathering", "propertyOrder" : 1, "properties" : { "interactiveClaimsGatheringEnabled" : { "title" : "Interactive Claims Gathering Enabled", "description" : "When enabled, in the absence of a Persisted Claims Token (PCT) on the request, the UMA provider will return a redirect_user hint to the client where the requesting party can authenticate themselves. Interactive Claims Gathering also enables the issuance of Persisted Claims Tokens (PCT), which clients can use later on during RPT flows, so that users don't have to go through the interactive claims gathering process too frequently.", "propertyOrder" : 1100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "claimsGatheringService" : { "title" : "Claims Gathering Authentication Tree", "description" : "Select the authentication tree to be used for interactive claims gathering. Ideally the authentication tree should collect all claims necessary for the UMA authorization to be successful.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "pctLifetime" : { "title" : "Persisted Claims Token Lifetime (seconds)", "description" : "The time in seconds a persisted claims token is valid for.", "propertyOrder" : 1300, "required" : true, "type" : "integer", "exampleValue" : "" } } } } }
Global Operations
Resource path:
/global-config/services/uma
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action UmaProvider --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action UmaProvider --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action UmaProvider --global --actionName nextdescendents
update
Usage
am> update UmaProvider --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "umaPolicyUpgradeCompatibilityMode" : { "title" : "UMA Policy Upgrade Compatibility Mode", "description" : "When upgrade compatibility mode is enabled, AM will create backwards-compatible UMA policies. <br><br>Use this setting when you are upgrading multiple AM instances in a deployment at different times. Enable this option for upgrades from servers prior to 7.2.0. Disable this option once all AM instances have been upgraded.", "propertyOrder" : 100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "defaults" : { "properties" : { "generalSettings" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "emailResourceOwnerOnPendingRequestCreation" : { "title" : "Email Resource Owner on Pending Request creation", "description" : "Specifies whether to send an email to the Resource Owner when a Pending Request is created when a Requesting Party requests authorization to a resource.", "propertyOrder" : 500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "permissionTicketLifetime" : { "title" : "Permission Ticket Lifetime (seconds)", "description" : "The maximum life of a permission ticket before it expires, in seconds.", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "emailRequestingPartyOnPendingRequestApproval" : { "title" : "Email Requesting Party on Pending Request approval", "description" : "Specifies whether to send an email to the Requesting Party when a Pending Request is approved by the Resource Owner.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usernameAttribute" : { "title" : "Username attribute", "description" : "Specify the name of the attribute whose value needs to be specified by end-users when sharing resources. 
For example when Alice wants to share a resource with Bob, and the username Bob is only stored under the <pre>uid</pre> attribute in the data store, set this setting to <pre>uid</pre>. When left unspecified, AM will fall back to using the data store's search attribute instead. Changing this setting may invalidate existing UMA authorizations.", "propertyOrder" : 1000, "required" : false, "type" : "string", "exampleValue" : "" }, "userProfileLocaleAttribute" : { "title" : "User profile preferred Locale attribute", "description" : "User profile attribute storing the user's preferred locale.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "resharingMode" : { "title" : "Re-Sharing Mode", "description" : "Specifies whether re-sharing is off or on implicitly for all users, allowing all users to re-share resources that have been shared with them.", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "pendingRequestsEnabled" : { "title" : "Pending Requests Enabled", "description" : "Specifies whether to use the Pending Requests subsystem that notifies the resource owner that an attempt to access a resource was made.", "propertyOrder" : 450, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deletePoliciesOnDeleteRS" : { "title" : "Delete user policies when Resource Server is removed", "description" : "Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "grantRptConditions" : { "title" : "Grant RPTs...", "description" : "In UMA, scope comes from both the permission ticket and from the token request. An RPT is always granted when all scope matches, and is never granted when no scope matches. You can configure when RPTs are granted for partial match conditions here. 
For more information, see the UMA Grant Type specification section on Authorization Assessment and Results Determination.", "propertyOrder" : 900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "deleteResourceSetsOnDeleteRS" : { "title" : "Delete resources when Resource Server is removed", "description" : "Delete all resources that relate to a Resource Server when removing the OAuth2 agent entry or removing the <code>uma_protection</code> scope from the OAuth2 agent.", "propertyOrder" : 400, "required" : true, "type" : "boolean", "exampleValue" : "" }, "grantResourceOwnerImplicitConsent" : { "title" : "Grant Resource Owner Implicit Consent", "description" : "Specifies whether the resource owner is implicitly granted access to the resource, regardless of policy conditions.", "propertyOrder" : 650, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "claimsGathering" : { "type" : "object", "title" : "Claims Gathering", "propertyOrder" : 1, "properties" : { "pctLifetime" : { "title" : "Persisted Claims Token Lifetime (seconds)", "description" : "The time in seconds a persisted claims token is valid for.", "propertyOrder" : 1300, "required" : true, "type" : "integer", "exampleValue" : "" }, "interactiveClaimsGatheringEnabled" : { "title" : "Interactive Claims Gathering Enabled", "description" : "When enabled, in the absence of a Persisted Claims Token (PCT) on the request, the UMA provider will return a redirect_user hint to the client where the requesting party can authenticate themselves. 
Interactive Claims Gathering also enables the issuance of Persisted Claims Tokens (PCT), which clients can use later on during RPT flows, so that users don't have to go through the interactive claims gathering process too frequently.", "propertyOrder" : 1100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "claimsGatheringService" : { "title" : "Claims Gathering Authentication Tree", "description" : "Select the authentication tree to be used for interactive claims gathering. Ideally the authentication tree should collect all claims necessary for the UMA authorization to be successful.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" } } } }, "type" : "object", "title" : "Realm Defaults" } } }