
Identity as a Service: GetApplicationSsoConfig

Last Updated: Jun 10, 2026

Retrieves the Single Sign-On (SSO) configuration of an application in EIAM.


RAM authorization

The following table describes the authorization that is required to call this API. You can specify it in a Resource Access Management (RAM) policy. The columns of the table are described as follows:

  • Action: The action that you can use in the Action element of a RAM permission policy statement to grant permission to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined access level of each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of resource that supports authorization for the action. It indicates whether the action supports resource-level permissions. The specified resource must be compatible with the action; otherwise, the policy does not take effect.

    • For an API that supports resource-level permissions, the required resource type is marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For an API that does not support resource-level permissions, All Resources is displayed. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys that the service defines. They allow granular control, applying either to the action alone or to the action in combination with a specific resource. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that apply to all services that support RAM.

  • Dependent action: The dependent actions that are required to perform the action. To complete the action, the RAM user or RAM role must have permissions to perform all dependent actions.

Action: eiam:GetApplicationSsoConfig
Access level: get
Resource type: *Application (resource-level permission is supported)
  ARN: acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}
Condition key: None
Dependent action: None

Request parameters

InstanceId (string, required)
  The instance ID.
  Example: idaas_ue2jvisn35ea5lmthk267xxxxx

ApplicationId (string, required)
  The application ID.
  Example: app_mkv7rgt4d7i4u7zqtzev2mxxxx

Response elements

The response body is an object that contains the following elements.

RequestId (string)
  The request ID.
  Example: 0441BD79-92F3-53AA-8657-F8CE4A2B912A

ApplicationSsoConfig (object)
  The SSO configuration of the application.

  SamlSsoConfig (object)
    The SSO configuration parameters for an application that uses Security Assertion Markup Language (SAML) 2.0. This parameter is returned only when the application uses SAML 2.0 for SSO.

    SpSsoAcsUrl (string)
      The SAML assertion consumer service (ACS) URL of the application (service provider).
      Example: https://signin.aliyun.com/saml-role/sso

    SpEntityId (string)
      The SAML EntityID of the application (service provider).
      Example: urn:alibaba:cloudcomputing

    NameIdFormat (string)
      The format of the NameID in the SAML protocol. Valid values:
      • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: Unspecified. The application determines how to parse the NameID.
      • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Email address format.
      • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: Persistent NameID.
      • urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Transient NameID.
      Example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    NameIdValueExpression (string)
      The expression used to generate the value of the NameID in the SAML assertion.
      Example: user.username

    DefaultRelayState (string)
      The default value of RelayState. If the SSO is initiated by EIAM, the RelayState in the SAML response is set to this value.
      Example: https://home.console.alibabacloud.com

    SignatureAlgorithm (string)
      The signature algorithm for the SAML assertion.
      Example: RSA-SHA256

    ResponseSigned (boolean)
      Indicates whether the response must be signed. ResponseSigned and AssertionSigned cannot both be false.
      • true: The response must be signed.
      • false: The response does not need to be signed.
      Example: true

    AssertionSigned (boolean)
      Indicates whether the assertion must be signed. ResponseSigned and AssertionSigned cannot both be false.
      • true: The assertion must be signed.
      • false: The assertion does not need to be signed.
      Example: true

    AttributeStatements (array<object>)
      The configuration of additional user attributes in the SAML assertion.

      AttributeName (string)
        The name of the attribute in the SAML assertion.
        Example: https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName

      AttributeValueExpression (string)
        The expression used to generate the value of the attribute in the SAML assertion.
        Example: user.username

    IdPEntityId (string)
      The EntityID of the identity provider (IdP) in the SAML protocol.
      Example: https://example.com/

    OptionalRelayStates (array<object>)
      The optional RelayState values. The display names of multiple redirect URLs are shown on the application card in the application portal. After a user clicks a URL and completes the SSO, the user is redirected to that URL. You must specify a default redirect URL before you can specify optional RelayState values.

      RelayState (string)
        The optional RelayState value. The display names of multiple redirect URLs are shown on the application card in the application portal. After a user clicks a URL and completes the SSO, the user is redirected to that URL.
        Example: https://home.console.alibabacloud.com

      DisplayName (string)
        The display name of the RelayState.
        Example: Ram Account SSO

  OidcSsoConfig (object)
    The SSO configuration parameters for an application that uses OpenID Connect (OIDC). This parameter is returned only when the application uses OIDC for SSO.

    RedirectUris (array of string)
      The list of redirect URIs that the application supports. Each element is one redirect URI.
      Example: https://example.com/oidc/login/callback

    PostLogoutRedirectUris (array of string)
      The list of post-logout redirect URIs. Each element is a post-logout redirect URI that is added to the whitelist. When the application initiates a logout request, it can specify the post_logout_redirect_uri parameter.
      Example: https://example.com/oidc/login/logout

    GrantTypes (array of string)
      The list of OIDC grant types that are supported. Valid values for each element:
      • authorization_code: Authorization code.
      • implicit: Implicit.
      • refresh_token: Refresh token.
      • urn:ietf:params:oauth:grant-type:device_code: Device code.
      • password: Password.
      Example: authorization_code
      Element example: refresh_token

    ResponseTypes (array of string)
      The response types that the application supports. This parameter is returned only if OidcSsoConfig.GrantTypes is set to implicit. Each element is an OIDC-compliant response_type value. Valid values:
      • token: Returns only an access token.
      • id_token: Returns only an ID token.
      • token id_token: Returns both an access token and an ID token.
      Example: token id_token

    GrantScopes (array of string)
      The OIDC-compliant scope parameter. It specifies the scope of user attributes that can be returned by the userinfo endpoint or included in the ID token. Valid values for each element:
      • openid: An OIDC-compliant parameter that specifies the unique ID of the user.
      • profile: The user profile.
      • email: The user's email address.
      • phone: The user's mobile number.
      Example: profile,email
      Element example: openid

    PasswordTotpMfaRequired (boolean)
      Indicates whether Time-based One-Time Password (TOTP) multi-factor authentication (MFA) is required for password-based logon. This parameter is valid only if GrantTypes for the OIDC application is set to password.
      Example: true

    PasswordAuthenticationSourceId (string)
      The ID of the authentication source for password-based logon. This parameter is valid only if GrantTypes for the OIDC application is set to password.
      Example: ia_password

    PkceRequired (boolean)
      Indicates whether Proof Key for Code Exchange (PKCE) is required for the application SSO. For more information, see RFC 7636.
      Example: true

    PkceChallengeMethods (array of string)
      The algorithms that can be used to calculate the code challenge in PKCE. Valid values for each element:
      • plain: Plaintext.
      • S256: SHA-256.
      Example: S256

    AccessTokenEffectiveTime (integer)
      The validity period of the access token. Unit: seconds. Default value: 1200 (20 minutes).
      Example: 1200

    CodeEffectiveTime (integer)
      The validity period of the authorization code. Unit: seconds. Default value: 60 (1 minute).
      Example: 60

    IdTokenEffectiveTime (integer)
      The validity period of the ID token. Unit: seconds. Default value: 300 (5 minutes).
      Example: 1200

    RefreshTokenEffective (integer)
      The validity period of the refresh token. Unit: seconds. Default value: 86400 (1 day).
      Example: 86400

    CustomClaims (array<object>)
      The custom claims that are returned in the ID token.

      ClaimName (string)
        The name of the claim.
        Example: userOuIds

      ClaimValueExpression (string)
        The expression used to generate the value of the claim.
        Example: ObjectToJsonString(user.organizationalUnits)

    SubjectIdExpression (string)
      The expression used to generate the value of the sub claim in the ID token.
      Example: user.userid

    AllowedPublicClient (string)
      Indicates whether the application is allowed to make requests to the IDaaS EIAM authorization server as a public client. This feature is supported only for the authorization code and device code grant types. Default value: false.
      Example: true

  ProtocolEndpointDomain (object)
    The configuration of the metadata endpoints provided for the application.

    SamlSsoEndpoint (string)
      The endpoint that receives AuthnRequest requests for the SAML protocol. This parameter is returned only when the application uses SAML 2.0 for SSO.
      Example: https://l1seshcn.aliyunidaas.com/login/app/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/sso

    SamlMetaEndpoint (string)
      The metadata endpoint for the SAML protocol. This parameter is returned only when the application uses SAML 2.0 for SSO.
      Example: https://l1seshcn.aliyunidaas.com/api/v2/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/meta

    OidcIssuer (string)
      The OIDC issuer. This parameter is returned only when the application uses OIDC for SSO.
      Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc

    OidcJwksEndpoint (string)
      The JSON Web Key Set (JWKS) endpoint for OIDC. This parameter is returned only when the application uses OIDC for SSO.
      Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc/jwks

    Oauth2AuthorizationEndpoint (string)
      The OAuth 2.0 authorization endpoint. This parameter is returned only when the application uses OIDC for SSO.
      Example: https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/authorize

    Oauth2RevokeEndpoint (string)
      The OAuth 2.0 token revocation endpoint. This parameter is returned only when the application uses OIDC for SSO.
      Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/revoke

    Oauth2TokenEndpoint (string)
      The OAuth 2.0 token endpoint. This parameter is returned only when the application uses OIDC for SSO.
      Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/token

    Oauth2DeviceAuthorizationEndpoint (string)
      The OAuth 2.0 device authorization endpoint. This parameter is returned only when the application uses OIDC for SSO.
      Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/device/code

    Oauth2UserinfoEndpoint (string)
      The OIDC userinfo endpoint. This parameter is returned only when the application uses OIDC for SSO.
      Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/userinfo

    OidcLogoutEndpoint (string)
      The OIDC Relying Party (RP)-initiated logout endpoint. This parameter is returned only when the application uses OIDC for SSO.
      Example: https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/logout

  SsoStatus (string)
    The status of the SSO feature for the application. Valid values:
    • enabled: Enabled.
    • disabled: Disabled.
    Example: enabled

  InitLoginType (string)
    The SSO initiation method. Valid values:
    • only_app_init_sso: SSO is initiated only by the application. This is the default value for OIDC applications. If this method is used for a SAML application, you must specify InitLoginUrl.
    • idaas_or_app_init_sso: SSO can be initiated by the IDaaS console or by the application. This is the default value for SAML applications. If this method is used for an OIDC application, you must specify InitLoginUrl.
    Example: only_app_init_sso

  InitLoginUrl (string)
    The URL that triggers SSO. This parameter is required when InitLoginType for an OIDC application is set to idaas_or_app_init_sso. It is also required when InitLoginType for a SAML application is set to only_app_init_sso.
    Example: http://127.0.0.1:8000/start_login?enterprise_code=ABCDEF

Examples

Success response

JSON format

{
  "RequestId": "0441BD79-92F3-53AA-8657-F8CE4A2B912A",
  "ApplicationSsoConfig": {
    "SamlSsoConfig": {
      "SpSsoAcsUrl": "https://signin.aliyun.com/saml-role/sso",
      "SpEntityId": "urn:alibaba:cloudcomputing",
      "NameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
      "NameIdValueExpression": "user.username",
      "DefaultRelayState": "https://home.console.alibabacloud.com",
      "SignatureAlgorithm": "RSA-SHA256",
      "ResponseSigned": true,
      "AssertionSigned": true,
      "AttributeStatements": [
        {
          "AttributeName": "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName",
          "AttributeValueExpression": "user.username"
        }
      ],
      "IdPEntityId": "https://example.com/",
      "OptionalRelayStates": [
        {
          "RelayState": "https://home.console.alibabacloud.com",
          "DisplayName": "Ram Account SSO"
        }
      ]
    },
    "OidcSsoConfig": {
      "RedirectUris": [
        "https://example.com/oidc/login/callback"
      ],
      "PostLogoutRedirectUris": [
        "https://example.com/oidc/login/logout"
      ],
      "GrantTypes": [
        "refresh_token"
      ],
      "ResponseTypes": [
        "token id_token"
      ],
      "GrantScopes": [
        "openid"
      ],
      "PasswordTotpMfaRequired": true,
      "PasswordAuthenticationSourceId": "ia_password",
      "PkceRequired": true,
      "PkceChallengeMethods": [
        "S256"
      ],
      "AccessTokenEffectiveTime": 1200,
      "CodeEffectiveTime": 60,
      "IdTokenEffectiveTime": 1200,
      "RefreshTokenEffective": 86400,
      "CustomClaims": [
        {
          "ClaimName": "userOuIds",
          "ClaimValueExpression": "ObjectToJsonString(user.organizationalUnits)"
        }
      ],
      "SubjectIdExpression": "user.userid",
      "AllowedPublicClient": "true"
    },
    "ProtocolEndpointDomain": {
      "SamlSsoEndpoint": "https://l1seshcn.aliyunidaas.com/login/app/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/sso",
      "SamlMetaEndpoint": "https://l1seshcn.aliyunidaas.com/api/v2/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/meta",
      "OidcIssuer": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc",
      "OidcJwksEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc/jwks",
      "Oauth2AuthorizationEndpoint": "https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/authorize",
      "Oauth2RevokeEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/revoke",
      "Oauth2TokenEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/token",
      "Oauth2DeviceAuthorizationEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/device/code",
      "Oauth2UserinfoEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/userinfo",
      "OidcLogoutEndpoint": "https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/logout"
    },
    "SsoStatus": "enabled",
    "InitLoginType": "only_app_init_sso",
    "InitLoginUrl": "http://127.0.0.1:8000/start_login?enterprise_code=ABCDEF"
  }
}
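A defender's check over the returned configuration, added here as an example that is not part of this API reference or of the Alibaba Cloud SDK: `audit_sso_config` takes the parsed JSON response (a dict, assumed to have been fetched through the SDK already) and flags settings the reference marks as invalid or conditional (both SAML signing flags false, ResponseTypes without the implicit grant, a public client without the authorization code or device code grant, lifetimes above the documented defaults) together with settings that are weak in practice (implicit or password grants, PKCE off or the plain method, non-https or whitespace-polluted redirect URIs). `SAMPLE` is a constructed, trimmed copy of the page's example response; the function names are this example's own.

```python
# Added example (not from the API reference): audit a parsed
# GetApplicationSsoConfig response for weak or inconsistent SSO settings.
LIFETIME_DEFAULTS = {  # documented defaults, in seconds
    "AccessTokenEffectiveTime": 1200, "CodeEffectiveTime": 60,
    "IdTokenEffectiveTime": 300, "RefreshTokenEffective": 86400,
}
PUBLIC_CLIENT_GRANTS = {"authorization_code",
                        "urn:ietf:params:oauth:grant-type:device_code"}

# Constructed sample mirroring the page's example response (trimmed).
SAMPLE = {"ApplicationSsoConfig": {
    "SamlSsoConfig": {"ResponseSigned": True, "AssertionSigned": True},
    "OidcSsoConfig": {
        "RedirectUris": ["https://example.com/oidc/login/callback\n"],
        "GrantTypes": ["refresh_token"], "ResponseTypes": ["token id_token"],
        "PkceRequired": True, "PkceChallengeMethods": ["S256"],
        "IdTokenEffectiveTime": 1200, "AllowedPublicClient": "true"}}}


def clean_https(uri: str) -> bool:
    # Reject non-https URIs and ones with stray whitespace (e.g. a trailing \n).
    return uri == uri.strip() and uri.startswith("https://")


def audit_sso_config(resp: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    out, cfg = [], resp.get("ApplicationSsoConfig", {})
    saml = cfg.get("SamlSsoConfig") or {}
    if saml and not (saml.get("ResponseSigned") or saml.get("AssertionSigned")):
        out.append("SAML: neither Response nor Assertion is signed")
    oidc = cfg.get("OidcSsoConfig") or {}
    grants = set(oidc.get("GrantTypes", []))
    for g in sorted(grants & {"implicit", "password"}):
        out.append(f"OIDC: legacy grant type '{g}' is enabled")
    if "authorization_code" in grants and not oidc.get("PkceRequired"):
        out.append("OIDC: PKCE is not required for authorization_code")
    if "plain" in oidc.get("PkceChallengeMethods", []):
        out.append("OIDC: 'plain' PKCE challenge method is allowed")
    if oidc.get("ResponseTypes") and "implicit" not in grants:
        out.append("OIDC: ResponseTypes is set but implicit grant is not enabled")
    public = str(oidc.get("AllowedPublicClient", "false")).lower() == "true"
    if public and not (grants & PUBLIC_CLIENT_GRANTS):
        out.append("OIDC: public client allowed without a supporting grant type")
    for key in ("RedirectUris", "PostLogoutRedirectUris"):
        out.extend(f"OIDC: {key} entry {u!r} is not a clean https URI"
                   for u in oidc.get(key, []) if not clean_https(u))
    for key, default in LIFETIME_DEFAULTS.items():
        if oidc.get(key, default) > default:
            out.append(f"OIDC: {key}={oidc[key]}s exceeds default {default}s")
    return out
```

Run against `SAMPLE`, the audit reports four findings, including the trailing newline in the redirect URI that the page's own sample response carried.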

Error codes

See Error Codes for the complete list.

Release notes

See Release Notes for the complete list.