You can use a JSON web token (JWT) as an OAuth access token to log in to Informatica Intelligent Cloud Services. To log in using a JWT access token, your organization must have a registered identity provider. Use the IdentityProviders resource to register and manage your identity provider.
You can use the IdentityProviders resource to accomplish the following tasks:
•Register an identity provider.
•Get details about an identity provider.
•Update an identity provider.
•Delete an identity provider.
Registering an identity provider
Use a POST request to register an identity provider.
Note: An organization can have no more than one registered identity provider.
POST request
To register an identity provider for an organization, use the following URI:
/public/core/v3/Orgs/<orgId>/IdentityProviders
Include the following fields in the request:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| type | String | Yes | Type of identity provider. Supported type is OIDC. |
| endPoints | Object | Yes | Object that includes the URLs for the identity provider issuer and the JWT tokens. |
| issuer | String | Yes | Include in the endPoints object. Absolute URL of the identity provider issuer. Must use the same HTTPS scheme as the key URL and be a subset of the key URL. Maximum length is 255 characters. |
| keys | String | Yes | Include in the endPoints object. Absolute URL of the JWT tokens. Must use the same HTTPS scheme as the issuer URL. Maximum length is 255 characters. |
| accountPolicy | Object | Yes | Object that defines the account policy. |
| link | String | Yes | Include in the accountPolicy object. Object that includes properties for identifying the user. |
| tokenClaim | String | - | Include in the link object. Name of the claim used to identify the user for JWT validation. Default is sub. Maximum length is 64 characters. |
| matchType | String | Yes | Include in the link object. The Informatica Cloud attribute name that identifies the Informatica Intelligent Cloud Services user. Use one of the following values: aliasName, uid. Maximum length is 64 characters. |
| signingAlgorithm | String | - | Token signing algorithm. Use one of the following values: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, EdDSA, ES256K. Default is RS256. |
POST response
If unsuccessful, returns an error object. If successful, returns the following information:

| Field | Type | Description |
| --- | --- | --- |
| id | String | User ID. |
| orgId | String | ID of the organization the user belongs to. |
| type | String | Type of identity provider. Supported type is OIDC. |
| endPoints | Object | Object that includes the URLs for the identity provider issuer and the JWT tokens. |
| issuer | String | Included in the endPoints object. Absolute URL of the identity provider issuer. |
| keys | String | Included in the endPoints object. Absolute URL of the JWT tokens. |
| accountPolicy | Object | Object that defines the account policy. |
| link | String | Included in the accountPolicy object. Object that includes properties for identifying the user. |
| tokenClaim | String | Included in the link object. Name of the claim used to identify the user for JWT validation. |
| matchType | String | Included in the link object. The Informatica Cloud attribute name that identifies the Informatica Intelligent Cloud Services user. |
| signingAlgorithm | String | Token signing algorithm. |
| createTime | String | When the identity provider was registered. |
| createdBy | String | Informatica Intelligent Cloud Services user who registered the identity provider. |
| updateTime | String | When the identity provider was last updated. |
| updatedBy | String | Informatica Intelligent Cloud Services user who last updated the identity provider. |
POST request example
You might use a request similar to the following example:
POST <BaseApiUrl>/public/core/v3/Orgs/ppbg1kOl2Jo13b/IdentityProviders HTTP/<HTTP version>
Content-Type: application/json
Accept: application/json
INFA-SESSION-ID: <SessionId>
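The request body itself is not reproduced on this page. The following Python script is an added example, not Informatica sample code: it assembles a body with the field layout the request table describes (tokenClaim and matchType inside accountPolicy.link, signingAlgorithm at the top level) and checks the documented constraints before anything is sent: OIDC type, absolute HTTPS issuer and keys URLs of at most 255 characters, a tokenClaim of at most 64 characters, matchType restricted to aliasName or uid, and signingAlgorithm restricted to the listed values. The same body shape applies to the PUT request used to update a provider. Assumptions: the requirement that the issuer URL "be a subset of the key URL" is read as the issuer being a prefix of the keys URL, and the URLs and session ID are constructed placeholders.

```python
from urllib.parse import urlparse

# Only OIDC is listed as a supported identity provider type.
SUPPORTED_TYPE = "OIDC"
ALLOWED_MATCH_TYPES = {"aliasName", "uid"}
ALLOWED_ALGORITHMS = {
    "HS256", "HS384", "HS512",
    "RS256", "RS384", "RS512",
    "ES256", "ES384", "ES512",
    "PS256", "PS384", "PS512",
    "EdDSA", "ES256K",
}
MAX_URL_LEN = 255
MAX_CLAIM_LEN = 64


def build_payload(issuer, keys, match_type, token_claim="sub", signing_algorithm="RS256"):
    """Assemble the JSON body for POST .../Orgs/<orgId>/IdentityProviders.

    Field placement follows the request table: tokenClaim and matchType sit
    inside accountPolicy.link, and signingAlgorithm is a top-level field.
    """
    return {
        "type": SUPPORTED_TYPE,
        "endPoints": {"issuer": issuer, "keys": keys},
        "accountPolicy": {
            "link": {"tokenClaim": token_claim, "matchType": match_type},
        },
        "signingAlgorithm": signing_algorithm,
    }


def validate_payload(payload):
    """Return the list of constraint violations; an empty list means the body passes."""
    problems = []
    if payload.get("type") != SUPPORTED_TYPE:
        problems.append(f"type must be {SUPPORTED_TYPE}")

    endpoints = payload.get("endPoints") or {}
    issuer = endpoints.get("issuer", "")
    keys = endpoints.get("keys", "")
    for name, url in (("issuer", issuer), ("keys", keys)):
        parsed = urlparse(url)
        # Both URLs must be absolute and use the HTTPS scheme.
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"endPoints.{name} must be an absolute HTTPS URL")
        if len(url) > MAX_URL_LEN:
            problems.append(f"endPoints.{name} exceeds {MAX_URL_LEN} characters")
    # Assumption: "subset of the key URL" means the issuer URL is a prefix of the
    # keys URL, so both point into the same identity provider.
    if not keys.startswith(issuer):
        problems.append("endPoints.issuer must be a prefix of endPoints.keys")

    link = (payload.get("accountPolicy") or {}).get("link") or {}
    token_claim = link.get("tokenClaim", "sub")
    if not token_claim or len(token_claim) > MAX_CLAIM_LEN:
        problems.append(f"accountPolicy.link.tokenClaim must be 1-{MAX_CLAIM_LEN} characters")
    match_type = link.get("matchType")
    if match_type not in ALLOWED_MATCH_TYPES:
        problems.append("accountPolicy.link.matchType must be aliasName or uid")

    algorithm = payload.get("signingAlgorithm", "RS256")
    if algorithm not in ALLOWED_ALGORITHMS:
        problems.append(f"signingAlgorithm {algorithm!r} is not a supported value")
    return problems


def request_headers(session_id):
    """Headers from the page's POST example; the session ID comes from the login call."""
    return {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "INFA-SESSION-ID": session_id,
    }


if __name__ == "__main__":
    import json

    # Constructed placeholder values, not a real identity provider.
    body = build_payload(
        issuer="https://idp.example.com",
        keys="https://idp.example.com/.well-known/jwks.json",
        match_type="uid",
    )
    print("violations:", validate_payload(body) or "none")
    print(json.dumps(body, indent=2))
```

Run the validator before the POST (or PUT) call; a non-empty list is the list of fields to correct, and an empty list means the body satisfies every constraint in the table.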
Updating an identity provider
Use a PUT request to update an identity provider.
PUT request
To update an identity provider for an organization, use the following URI:
/public/core/v3/Orgs/<orgId>/IdentityProviders/<identity provider ID>
You can include the following fields in the request:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| endPoints | Object | Yes | Object that includes the URLs for the identity provider issuer and the JWT tokens. |
| issuer | String | Yes | Include in the endPoints object. Absolute URL of the identity provider issuer. Must use the same HTTPS scheme as the key URL and be a subset of the key URL. Maximum length is 255 characters. |
| keys | String | Yes | Include in the endPoints object. Absolute URL of the JWT tokens. Must use the same HTTPS scheme as the issuer URL. Maximum length is 255 characters. |
| accountPolicy | Object | Yes | Object that defines the account policy. |
| link | String | Yes | Include in the accountPolicy object. Object that includes properties for identifying the user. |
| tokenClaim | String | - | Include in the link object. Name of the claim used to identify the user for JWT validation. Default is sub. Maximum length is 64 characters. |
| matchType | String | Yes | Include in the link object. The Informatica Cloud attribute name that identifies the Informatica Intelligent Cloud Services user. Use one of the following values: aliasName, uid. Maximum length is 64 characters. |
| signingAlgorithm | String | - | Token signing algorithm. Use one of the following values: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, EdDSA, ES256K. Default is RS256. |

Returns the 204 response code if successful. Returns an error object if an error occurs.
Note: When you update an identity provider for an organization, it might take a negligible amount of time before JWTs that conform to the updated configuration are accepted.
PUT request example
You might send a request similar to the following example:
PUT <BaseApiUrl>/public/core/v3/Orgs/<orgId>/IdentityProviders/<identity provider ID>
Content-Type: application/json
Accept: application/json
INFA-SESSION-ID: <SessionId>
Returns the 204 response code if successful. Returns an error object if an error occurs.
Note: When you delete an identity provider for an organization, it might take a negligible amount of time before the JWTs that conform to the deleted identity provider are rejected.