
Rest API on 7.1 cannot authenticate

Hi all,

I'm trying to access my IM through web API:

If I get appserver/authmodules

it returns

| Id | Caption | Password Based | Is Default |
|---|---|---|---|
| RoleBasedManualADS | Active Directory user account (manual input/role based) | false | false |
| RoleBasedADSAccount | Active Directory user account (role based) | false | false |
| DialogUser | System user | false | true |
| RoleBasedPerson | Employee (role based) | false | false |
| ADSAccount | Active Directory user account | false | false |
| DynamicPerson | Employee (dynamic) | false | false |

I'm trying to use the DialogUser method

in the following way:

calling auth/apphost

with the following JSON in the body, as described in the documentation:

{"authString":"Module=DialogUser;User=*SystemUsername*;Password=*SystemUserPassword*"}

 

but I get a 401 - Unauthorized: Access is denied due to invalid credentials

But the user is an admin user and has all the privileges.

Should I enable the user for something?

 

Thanks Mik

  • If you're connecting to the Application Server from outside of the application server's domain, you have to authenticate against the domain first before authenticating towards the application server.
  • 1) Can I disable it? Just the first authentication part?
    2) Or how can I force a web-based application to authenticate against the domain before sending the username and password from the JSON?
    3) If I get authenticated, in the answer from the server I get this (in dev I have no restriction so it works):

    {
      "claims": {
        "schemas.dell.com/.../identifier": "CCCAdmin",
        "schemas.dell.com/.../useruid": "CCC-65E9B3D39FFE925C4D7747A69876C128",
        "schemas.dell.com/.../module": "DialogUser",
        "schemas.dell.com/.../product": ""
      },
      "passwordBased": true,
      "moduleDisplay": "System user",
      "sessionId": "t0w0JxsyplKZiqqlEQz7",
      "userName": "CCCAdmin",
      "responseStatus": {}
    }

    I think the sessionId is what I need to call the API as an authenticated user. But where do I have to put it in the request? As a header?
    I'd like to use a JavaScript framework to interrogate the REST service with AJAX requests.

    If I put the JSON above as the body of an AJAX POST request it works, but what do I have to do for GET requests?

    Mik

  • The authentication part would be there even without 1IM. This is Windows security behaviour when trying to access resources in domain A while using a user from an untrusted domain B. So you have to find a way to add authentication to the tool you're using. As this is far beyond 1IM, I'd suggest reaching out to the tool support or, if you're developing the solution using Java, researching in the Java developer docs how to handle Windows authentication.
    You've got no issue with 1IM or the 1IM application server; all your trouble is around basic Windows behaviour.
  • I noticed that the only difference between where it works and where it does not is that where it does not work I have HTTPS enabled.
  • I resolved it.
    Just enable anonymous authentication in IIS Manager by selecting the application and clicking on the Authentication icon under the IIS options.
  • Hi Mik,
    Here is a PoSH script that you can use to test. The only thing I see different is adding the accept header:


    #Demo script for using One Identity Manager
    cls

    #Replace with the full URL of the application server, including the scheme.
    $BaseURL = "ServerName/D1IMAppServer"
    $AuthString = "Module=DialogUser;User=*systemUSer*;Password=*Password*"

    #This is the auth URL for the web service.
    $AuthURL = "$BaseURL/auth/apphost"

    #You could do this as a string literal, but I like to build a dictionary in case we need to add more later
    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add('Accept', 'application/json')

    #The body of the initial post needs to contain the authorization string.
    $AuthBody = ConvertTo-Json @{authString = $AuthString}

    #Post the body. $response will have detail about the session.
    #It's critical that you pass the name of a variable to hold the session.
    Try
    {
        $response = Invoke-RestMethod -Uri $AuthURL -Method Post -Headers $headers -ContentType 'application/json' -Body $AuthBody -SessionVariable theSession
    }
    Catch
    {
        #Double quotes so that the URL is expanded into the message.
        "Error authenticating to ${BaseURL}: " + $_.Exception.Message
        #Stop the script here; nothing below can work without a session.
        return
    }

    #Now you can do whatever you want. Make sure that you pass $theSession as a -WebSession in subsequent calls.
  • As jimbot already pointed out (currently I am unable to find his post here but I am sure it reappears), you have to use the accept header Content-Type:application/json

    As described here https://support.oneidentity.com/technical-documents/identity-manager/7.1/rest-api-reference-guide/2#TOPIC-570126

  • Hi Mik, not sure if you can receive my message or not, we are currently encountering a similar error. In your case, did you put the sessionId as a header in the request?

  • Hi Mik,

    if you take a look at the PowerShell examples from the REST API documentation you will see that you need to work with session variables. You need to save the successful authentication in a session variable that needs to be passed to every subsequent call against the REST API.
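
The session-variable advice above, carried over to the JavaScript client asked about earlier in the thread, as an added example that is not part of any post or of the product documentation. It assumes the server tracks the session through cookies set by the `auth/apphost` response (which is what a PowerShell web session carries between calls); `openSession`, `storeCookies`, `cookieHeader` and the injected `fetchImpl` are names introduced here.

```javascript
// Added example: a minimal cookie-carrying session, the JavaScript analogue of
// PowerShell's -SessionVariable / -WebSession. Assumption: the session is
// tracked by cookies that the auth/apphost response sets.

// Keep only name=value from each Set-Cookie line; attributes such as Path or
// HttpOnly are instructions to the client and are never sent back.
function storeCookies(jar, setCookieLines) {
  for (const line of setCookieLines) {
    const pair = line.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
  return jar;
}

function cookieHeader(jar) {
  return [...jar].map(([name, value]) => `${name}=${value}`).join('; ');
}

// fetchImpl is injected so the same code runs against a real fetch or a stub.
async function openSession(fetchImpl, baseUrl, authString) {
  const jar = new Map();
  const res = await fetchImpl(`${baseUrl}/auth/apphost`, {
    method: 'POST',
    headers: { 'Accept': 'application/json', 'Content-Type': 'application/json' },
    body: JSON.stringify({ authString }),
  });
  if (!res.ok) throw new Error(`Authentication failed: HTTP ${res.status}`);
  // getSetCookie() returns one entry per cookie; fall back to the joined header.
  const lines = typeof res.headers.getSetCookie === 'function'
    ? res.headers.getSetCookie()
    : [res.headers.get('set-cookie')].filter(Boolean);
  storeCookies(jar, lines);
  if (jar.size === 0) throw new Error('No session cookie returned');

  // Under the cookie assumption, later calls (GET included) only need the
  // cookies from the auth response; the credentials are not sent again.
  return {
    get: async (path) => {
      const r = await fetchImpl(`${baseUrl}/${path}`, {
        method: 'GET',
        headers: { 'Accept': 'application/json', 'Cookie': cookieHeader(jar) },
      });
      if (!r.ok) throw new Error(`GET ${path} failed: HTTP ${r.status}`);
      return r.json();
    },
  };
}
```

In a browser the `Cookie` header cannot be set from script; there the equivalent is to pass `credentials: 'include'` on every `fetch` call so the browser stores and returns the cookies itself.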