The Unity REST API may be exposed (or disabled) as a regular Unity endpoint. See the main Unity documentation for endpoints configuration details.
All paths must be naturally prefixed with the server’s base URL, endpoint deployment’s path (as configured) and API version (currently there is only one). Example query path can be similar to:
https://unity.example.com/rest-admin/v1/entity/1
All operations which are operating on a single entity allow since version 1.9.4 to use
three different types of entity selectors. Entity can be specified as an integer number being the internal
database identifier of entity in Unity --- this is the only option available in older versions. Alternatively
entity’s persistentId can be used. Finally any other identity can be used to select identity, however then
a query parameter identityType must be used to provide the intended identity type.
|
1. API reference
1.1. Resolve identity
@Path("/resolve/{identityType}/{identityValue}")
@GET
Resolves a provided identity of a given type. The returned information is the same as in case of the /entity
operation.
Example output:
{ "entityInformation": { "state": "valid", "entityId": 1 }, "identities": [ { "value": "a", "confirmationInfo": { "confirmed": false, "confirmationDate": 0, "sentRequestAmount": 0 }, "comparableValue": "a", "creationTs": 1491257134658, "updateTs": 1491257134658, "typeId": "userName", "entityId": 1 }, { "value": "90bba4c5-adbe-4829-8215-e23960c52c33", "realm": "main", "confirmationInfo": { "confirmed": false, "confirmationDate": 0, "sentRequestAmount": 0 }, "comparableValue": "90bba4c5-adbe-4829-8215-e23960c52c33", "creationTs": 1491257533387, "updateTs": 1491257533387, "typeId": "persistent", "entityId": 1 } ], "credentialInfo": { "credentialRequirementId": "Password requirement", "credentialsState": { "Password credential": { "state": "correct", "extraInformation": "{\"lastChange\":1491257134733}" } } } }
1.2. Get entity information
@Path("/entity/{entityId}")
@QueryParam("identityType")
@GET
Returns information about a given entity, including its status and all identities.
Output is the same a in the resolve
identity case.
1.3. Get entity groups
@Path("/entity/{entityId}/groups")
@QueryParam("identityType")
@GET
Returns all groups the entity is member of.
Example output:
["/example/sub","/example","/"]
1.4. Get entity attributes
@Path("/entity/{entityId}/attributes")
@QueryParam("group")
@QueryParam("effective")
@QueryParam("identityType")
@GET
Returns attributes of a given entity in a selected group. Values are encoded in syntax type dependent way. The optional effective query parameter (by default true) can be used to control whether only directly defined or effective attributes are queried.
Example output:
[ { "values": [ "2017-04-03T22:18:34" ], "creationTs": 1491257914036, "updateTs": 1491257914036, "direct": true, "name": "sys:LastAuthentication", "groupPath": "/", "valueSyntax": "string" }, { "values": [ "Regular User" ], "creationTs": 1491257136049, "updateTs": 1491257136049, "direct": true, "name": "sys:AuthorizationRole", "groupPath": "/", "valueSyntax": "enumeration" }, { "values": [ "{\"value\":\"[email protected]\",\"confirmationData\":{\"confirmed\":true,\"confirmationDate\":1491257136061,\"sentRequestAmount\":0},\"tags\":[]}" ], "creationTs": 1491257136075, "updateTs": 1491257136075, "direct": true, "name": "email", "groupPath": "/", "valueSyntax": "verifiableEmail" }, { "values": [ "Example organization", "org2", "org3" ], "creationTs": 1491257136052, "updateTs": 1491257136052, "direct": true, "name": "o", "groupPath": "/", "valueSyntax": "string" } ]
1.5. Get group contents
@Path("/group/{groupPath}")
@GET
Returns all members and subgroups of a given group.
Example output:
{ "subGroups": [ "/A/B" ], "members": [ { "creationTs": 1491257136044, "group": "/A", "entityId": 2 }, { "creationTs": 1491257136613, "group": "/A", "entityId": 4 } ] }
1.6. Create group
@Path("/group/{groupPath}")
@POST
Creates a new group. The created group will be empty.
1.7. Delete groups
@Path("/group/{groupPath}")
@QueryParam("recursive")
@DELETE
Removes a given group. The optional recursive
query parameter can be used to
enforce recursive removal (off by default).
1.8. Get group attribute statements
@Path("/group/{groupPath}/statements")
@GET
Returns a JSON array with all attribute statements of a group. Example output:
[ { "resolution":"skip", "condition":"true", "extraGroupName":"/", "dynamicAttributeExpression":"eattr['name']", "dynamicAttributeName":"name" } ]
1.9. Update group attribute statements
@Path("/group/{groupPath}/statements")
@PUT
@Consumes(MediaType.APPLICATION_JSON)
Updates given group’s attribute statements. The body should contain statements list, same format as returned by the corresponding GET.
1.10. Create entity
@Path("/entity/identity/{type}/{value}")
@QueryParam("credentialRequirement")
@POST
Creates a new entity, with the given initial identity and credential requirement. The new entity is in valid state. New entity id is returned.
Example output:
{"entityId":3}
1.11. Create identity
@Path("/entity/{entityId}/identity/{type}/{value}")
@QueryParam("identityType")
@POST
Creates a new identity for the given entity. No content is returned. Note that for e-mail identities the regular Unity conventions can be used to control confirmation state and tags - see [email-encoding].
1.12. Remove entity
@Path("/entity/{entityId}")
@QueryParam("identityType")
@DELETE
Removes the given entity. No content is returned.
1.13. Schedule user removal
@Path("/entity/{entityId}/removal-schedule")
@QueryParam("when")
@QueryParam("identityType")
@PUT
Sets the entity in the state where it can only login and schedules its removal at given time unless the user logs in before this time. No content is returned. This operation is allowed to be called on self .
1.14. Schedule entity operations
@Path("/entity/{entityId}/admin-schedule")
@QueryParam("when")
@QueryParam("operation")
@QueryParam("identityType")
@PUT
Schedules an operation to be invoked at a given time on an entity. Must be called by privileged user. Allowed
operations are: REMOVE
and DISABLE
.
1.15. Remove identity
@Path("/entity/identity/{type}/{value}")
@DELETE
Removes the given identity. No content is returned.
1.16. Add to group
@Path("/group/{groupPath}/entity/{entityId}")
@QueryParam("identityType")
@POST
Adds the given entity as a member to a group. Note that group must be URL encoded, the /
character should be
given as %2F
. No content is returned.
1.17. Remove from group
@Path("/group/{groupPath}/entity/{entityId}")
@QueryParam("identityType")
@DELETE
Removes a given entity from a group. Note that group must be URL encoded, the /
character should be
given as %2F
. No content is returned.
1.18. Set attribute
@Path("/entity/{entityId}/attribute")
@QueryParam("identityType")
@PUT
@Consumes(MediaType.APPLICATION_JSON)
Sets (creates or updates) an attribute for the given entity. The body of the PUT request describes the attribute:
its name, values and group. Its syntax is the same as returned by the GET attributes operation, however the syntax
and direct
shall not be used. No content is returned. Example attribute encoded (email with two values):
{ "values": [ "{\"value\":\"[email protected]\",\"confirmationData\":{\"confirmed\":true,\"confirmationDate\":1491257136061,\"sentRequestAmount\":0},\"tags\":[]}" ], "name": "email", "groupPath": "/A" }
1.19. Bulk set attributes
@Path("/entity/{entityId}/attributes")
@QueryParam("identityType")
@PUT
@Consumes(MediaType.APPLICATION_JSON)
Bulk attributes creation or update for a given entity. The body of the PUT request describes the attributes. Its root level element must be JSON array. Elements of the array are attributes expressed in the same way as in the singular set attribute operation.
1.20. Remove attribute
@Path("/entity/{entityId}/attribute/{attributeName}")
@QueryParam("identityType")
@QueryParam("group")
@DELETE
Removes the given attribute of an entity. No content is returned.
1.21. Set credential (admin)
@Path("/entity/{entityId}/credential-adm/{credential}")
@QueryParam("identityType")
@PUT
@Consumes(MediaType.APPLICATION_JSON)
Sets a new credential secret for the given entity. The caller must have administrative privileges. Credential name is given as the path parameter, while the secret is carried in the JSON body. No content is returned. For the password credential the complete value could be (with a selected security question and its answer):
{"password":"newpass","answer":"Some answer","question":1}
1.22. Set credential (user)
@Path("/entity/{entityId}/credential/{credential}")
@QueryParam("identityType")
@PUT
@Consumes(MediaType.APPLICATION_JSON)
Sets a new credential secret for the given entity. The caller is assumed to change his/her own credential and must provide its current value (assuming the credential was already set). Credential name is given as the path parameter, while the new and current secrets are carried in the JSON body. No content is returned. The body must be a JSON array with one (only when the credential was not yet set) or (typically) two elements. IMPORTANT: the values of the array must be JSON strings, not JSON objects.
For the password credential the complete value could be (with a selected security question and its answer):
[ "{\"password\":\"newpass\",\"answer\":\"Some answer2\",\"question\":0}", "{\"password\":\"currentpass\",\"answer\":\"Some answer\",\"question\":1}" ]
1.23. Get attribute types
@Path("/attributeTypes")
@GET
Returns an array with all attribute types. Example:
[ { "flags": 1, "maxElements": 5, "minElements": 1, "selfModificable": false, "uniqueValues": true, "syntaxState": { "allowed": [ "implicit", "client", "openidHybrid", "authorizationCode" ] }, "displayedName": { "DefaultValue": "sys:oauth:allowedGrantFlows", "Map": { "pl": "Dozwolone granty OAuth", "en": "OAuth client allowed grants" } }, "i18nDescription": { "DefaultValue": null, "Map": { "pl": "Atrybut klienta OAauth...", "en": "OAuth Client specific attribute..." } }, "metadata": {}, "name": "sys:oauth:allowedGrantFlows", "syntaxId": "enumeration" }, ... ]
1.24. Create attribute type
@Path("/attributeType")
@POST
@Consumes(MediaType.APPLICATION_JSON)
Creates a new attribute type. The POSTed request body must contain a JSON description of the attribute type,
with the same syntax as returned by the GET query on attributeTypes. Only a single element is permitted, i.e. do
not pass an JSON array. The flags
field should be always set to 0.
1.25. Update attribute type
@Path("/attributeType")
@PUT
@Consumes(MediaType.APPLICATION_JSON)
Updates an existing attribute type. The syntax rules are as for POST, however the name of the updated attribute type must resolve to an existing attribute type.
1.26. Remove attribute type
@Path("/attributeType/{toRemove}")
@QueryParam("withInstances")
@DELETE
Removes a given attribute type. Query parameter withInstances
is used to control whether all attributes of the
removed type should be removed too (value true
) or whether the operation should fail if there are any attributes
(value false
).
1.27. Trigger identity confirmation message
@Path("/confirmation-trigger/identity/{type}/{value}")
@POST
Triggers sending of confirmation message of identity. Nearly always it is a re-send.
1.28. Trigger attribute confirmation message
@Path("/confirmation-trigger/entity/{entityId}/attribute/{attributeName}")
@QueryParam("group")
@QueryParam("identityType")
@POST
Triggers sending of confirmation message for an attribute. Nearly always it is a re-send.
1.29. Get endpoints
@Path("/endpoints")
@GET
Returns all deployed endpoints. Example response with a single endpoint:
[{ "endpoint": { "name": "/admin", "typeId": "WebAdminUI", "contextAddress": "/admin", "configuration": { "displayedName": { "DefaultValue": "UNITY administration interface", "Map": { "pl": "Interfejs administracyjny Unity" } }, "description": "", "configuration": "unity.endpoint.web.enableRegistration=true\n...", "realm": "admin", "authenticationOptions": [ { "primaryAuthenticator": "pwdWeb1" }, { "primaryAuthenticator": "pwdWeb2", "mandatory2ndAuthenticator": "certWeb" }, { "primaryAuthenticator": "certWeb", "mandatory2ndAuthenticator": "pwdWeb2" }, { "primaryAuthenticator": "certWeb" }, { "primaryAuthenticator": "ldapWeb" }, { "primaryAuthenticator": "ldapDNWeb" }, { "primaryAuthenticator": "samlWeb" }, { "primaryAuthenticator": "oauthWeb" } ] } }, "realm": { "description": null, "name": "admin", "allowForRememberMeDays": 0, "blockAfterUnsuccessfulLogins": 5, "blockFor": 8, "maxInactivity": 600 }, "type": { "name": "WebAdminUI", "description": "Web administrative user interface", "supportedBindings": [ "web-vaadin7" ], "paths": { "/admin": "Web admin endpoint" } } }] }]
1.30. Undeploy endpoint
@Path("/endpoint/{id}")
@DELETE
Undeploys a deployed endpoint.
1.31. Deploy endpoint
@Path("/endpoint/{id}")
@QueryParam("typeId")
@QueryParam("address")
@POST
@Consumes(MediaType.APPLICATION_JSON)
Instantiates a new endpoint with a given configuration. Type and context path are specified as query parameters. The overall configuration is given in JSON document sent in the request body. Example:
{ "displayedName" : { "DefaultValue" : "endpointName", "Map" : { } }, "description" : "endpoint description", "authenticationOptions" : [ { "primaryAuthenticator" : "ApassREST" } ], "configuration" : "here comes endpoint configuration, typically in Java properties format", "realm" : "authnRealm" }
1.32. Update endpoint
@Path("/endpoint/{id}")
@PUT
@Consumes(MediaType.APPLICATION_JSON)
Updates the given endpoint’s configuration. The configuration is provided in request body (see POST method for example). If some of the elements are missing, then existing values remain unchanged.
1.33. Get registration forms
@Path("/registrationForms")
@GET
Returns a JSON array with registration forms defined in the system. The syntax is complex and is not provided here.
1.34. Remove registration form
@Path("/registrationForm/{formId}")
@QueryParam("dropRequests")
@DELETE
Removes registration form with the given id. An optional query parameter dropRequests
can be
provided with a boolean value, to control whether the form should be removed also if it
has pending requests (the requests will be removed with the form).
1.35. Create registration form
@Path("/registrationForm")
@POST
@Consumes(MediaType.APPLICATION_JSON)
Creates a new registration form specified by the JSON object passed as request body.
The form description is quite complex. The easiest way is to create a registration form using the AdminUI
and then check the resulting JSON (GET on /registrationForms
).
1.36. Update registration form
@Path("/registrationForm")
@QueryParam("ignoreRequests")
@PUT
@Consumes(MediaType.APPLICATION_JSON)
Updates an existing registration form. The body of the request should include
a JSON description of a form, as during form creation. The only difference is
that this method expects existing form id.
The optional boolean ignoreRequests
query parameter can be used to force form
update even if it has attached pending requests. Beware, however, that those
requests can easily become invalid.
1.37. Get registration requests
@Path("/registrationRequests")
@GET
Returns an array with all registration requests which are stored in the system.
1.38. Get registration request
@Path("/registrationRequest/{requestId}")
@GET
Returns a registration request by its id.
1.39. Get registration invitations
@Path("/invitations")
@GET
Returns a JSON array with all existing invitations.
1.40. Get invitation
@Path("/invitation/{code}")
@GET
Returns a JSON encoded invitation with the specified code.
1.41. Remove invitation
@Path("invitation/{code}")
@DELETE
Removes an invitation with a specified code.
1.42. Send invitation
@Path("invitation/{code}/send")
@POST
Triggers sending a message with an invitation. The registration form of the invitation must have an invitation template defined, and the invitation must have contact address and channel set.
1.43. Create invitation
@Path("invitation")
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.TEXT_PLAIN)
Creates a new invitation. Returned string is the unique code of the newly created invitation. Example invitation definition:
{ "formId" : "exForm", "expiration" : 1454703788, "contactAddress" : "[email protected]", "channelId" : "channelId", "identities" : {}, "groupSelections" : {}, "attributes" : {} }
Syntax of prefilled parameters, can be seen in the result of retrieving an AdminUI defined invitation via the REST GET methods.
1.44. Identity bulk processing
@Path("bulkProcessing/instant")
@QueryParam("timeout")
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.TEXT_PLAIN)
Schedules a rule for immediate processing. The optional query param timeout
controls whether the method should return
immediately after scheduling (no parameter) or after completing (parameter set). In the latter case parameter
must specify the maximum wait time in seconds. Returned string is the status of scheduling (not the result of the action).
Possible statuses are: sync
(rule execution was completed in synchronous mode), async
(rule was submitted)
or timeout
(rule was submitted in the synchronous mode but completion await time has passed).
Example rule definition:
{ "condition" : "(idsByType contains 'userName') && (idsByType['userName'] contains 'user-to-remove')", "actionName" : "removeEntity", "params" : [ ] }
1.45. Trigger identity import
@Path("/import/user/{identity}")
@QueryParam("type")
@POST
@Produces(MediaType.APPLICATION_JSON)
Triggers import of the given identity, optionally providing also intended type, though the type is usually not needed. Unity will trigger configured importers in order, stopping at the first which successfully imports the given user. The result is a very detailed dump of import information, starting from status, with unprocessed imported data and processed data after applying the translation profile.
1.46. Trigger system event
@Path("/triggerEvent/{eventName}")
@POST
@Consumes(MediaType.APPLICATION_JSON)
Triggers event with a given name. Body of the request is passed as argument (context) of the event. This feature is typically used to trigger extension script invocation by Unity server: if a script is configured as a handler for the used event it will be launched. That way server REST API functionality can be manually enhanced.
1.47. Get tokens
@Path("/tokens")
@GET
@QueryParam("type")
@QueryParam("owner")
@QueryParam("ownerType")
Returns an array with JSON encoded tokens. If a caller has administrative privileges then returns all tokens.
Otherwise returns tokens only which are owned by the caller.
The optional owner
, ownerType
and type
query parameters can be used to filter returned tokens.
1.48. Remove token
@Path("/token/{type}/{value}")
@DELETE
Removes a requested token. No content is returned. If a caller has administrative privileges then any token can be removed, otherwise it is allowed for removing owned tokens only.