
Armor Auth Collection: Okta API SSO.postman_collection.json

Instructions:

Requesting an ID Token

Authentication and ID token generation is handled by https://auth.armor.com. To authenticate and receive an ID token, follow these steps:

Authenticate

POST https://auth.armor.com/api/v1/authn

Body:

    {
      "username": "{UserNameWithOutMFA}",
      "password": "{Password}"
    }

Provide a username (which does not have MFA enabled) and its password. This endpoint returns a sessionToken in the response.

A subsequent call to GET https://amp.armor.com/oauth2/default/v1/authorize with the required query string parameters returns the ID token.

Notes for the Postman collection:

  1. amp-account-id can be auto-populated with the first account in your account with "[Example] Get User Account Info"
  2. mfa token will be set in your Environment
  3. id_token will be set in your Environment

QUERY STRING PARAMETERS

  • response_type (required, string): The expected response type. Always id_token.
  • response_mode (required, string): The method by which the ID token will be returned. Always form_post.
  • client_id (required, string): Use this client_id: 0oab141ypCQYHHQgI696
  • redirect_uri (required, string): The base URL of the API that will be used in this session. Example: https://api.armor.com/
  • sessionToken (required): The sessionToken value received from the authentication step above.
  • scope (required, string): openid email profile
  • state (required, string): "state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601"
  • nonce (required, string): "g5ly497e8ps"
  • prompt (required, string): none

The returned body contains an HTML <form> element containing the ID token. Proceed to the next relevant step based on the client_id you submitted with the request. This endpoint returns a 200 response. If your HTTP client supports following redirects, enable that option; otherwise, perform a subsequent GET of the returned Location header.


Retrieve Your ID Token

Similar to how you retrieved the MFA context in the previous step, use XPath or a similar parser to read the value of the id_token HTML input:

XPath Example

xpath 'html/body/form/input[@name="id_token"]/@value'

The resulting value is your ID token. You can now use it to make requests to any OAuth2 endpoint.
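The three steps above (authenticate, call /v1/authorize, pull id_token out of the form_post body), as an added Python example that is not part of the Armor documentation or its Postman collection. The hostnames and client_id are the ones shown on this page; the HTML response it parses is constructed inline; the JWT payload is decoded without signature verification (verifying the signature needs the issuer's published signing keys, which this page does not cover). Where the table above shows fixed state and nonce values, the example generates fresh random ones per request and rejects a response whose state or nonce does not match, which is what those two parameters exist for.

```python
# Added example, not Armor's code: build the /v1/authorize request, parse the
# form_post response and bind the returned id_token to our state and nonce.
import base64
import json
import secrets
from html.parser import HTMLParser
from urllib.parse import urlencode

# Endpoints and client_id as they appear on this page.
AUTHN_URL = "https://auth.armor.com/api/v1/authn"
AUTHORIZE_URL = "https://amp.armor.com/oauth2/default/v1/authorize"
CLIENT_ID = "0oab141ypCQYHHQgI696"


def new_state():
    """Fresh, unguessable value per request so a response can be tied to it."""
    return "state-" + secrets.token_urlsafe(16)


def new_nonce():
    return secrets.token_urlsafe(12)


def build_authorize_url(session_token, redirect_uri, state, nonce):
    """GET /v1/authorize with exactly the query parameters the page lists."""
    params = {
        "response_type": "id_token",
        "response_mode": "form_post",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "sessionToken": session_token,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "prompt": "none",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


class _FormInputs(HTMLParser):
    """Collect name/value pairs of <input> elements (the XPath equivalent)."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("name"):
                self.fields[a["name"]] = a.get("value") or ""


def extract_form_fields(html):
    parser = _FormInputs()
    parser.feed(html)
    return parser.fields


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a compact JWT. No signature check is performed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def id_token_from_response(html, expected_state, expected_nonce):
    """Return the id_token only if the response belongs to our request."""
    fields = extract_form_fields(html)
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: response is not for this request")
    token = fields.get("id_token")
    if not token:
        raise ValueError("no id_token input in form_post response")
    if jwt_claims(token).get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: id_token was not minted for this request")
    return token


def is_valid_form_post(html, expected_state, expected_nonce):
    try:
        id_token_from_response(html, expected_state, expected_nonce)
        return True
    except ValueError:
        return False


def sample_form_post(state, nonce):
    """Constructed stand-in for the HTML body /v1/authorize returns."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": "user@example.com", "nonce": nonce}).encode())
    token = header + "." + payload + ".placeholder-signature"
    return (
        '<html><body><form method="post" action="https://api.armor.com/">'
        '<input type="hidden" name="id_token" value="' + token + '"/>'
        '<input type="hidden" name="state" value="' + state + '"/>'
        "</form></body></html>"
    )
```

In a real run the session token comes from the POST to AUTHN_URL, the URL from build_authorize_url is fetched, and the response body is handed to id_token_from_response together with the state and nonce that were generated for that one request.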

 

Requesting a Scoped Access Token

Scoped access token generation is handled by api.armor.com and requires a valid ID token. To retrieve a scoped access token, make the following API request with your ID token:

POST https://api.armor.com/auth/token

QUERY STRING PARAMETERS

  • scope (required, string): A space-delimited list of scopes to assign to the access token.

A full list of permission scopes is available by going to the Roles and Permissions screen in the Armor Management Portal and selecting a role. The scope name is the "System" name prefixed with *:

For example, if the system for a given permission is log-management, the corresponding scope is *:log-management

The list of scopes must always include at least openid, email, and profile.

REQUEST HEADERS

  • authorization (required, string): The authorization header including the Bearer scheme and the ID token from above. Example: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9…

REQUEST BODY SCHEMA (application/json)

  • (None): The body of this request must be exactly null.

RESPONSE BODY SCHEMA (application/json)

  • assertion: The resulting scoped access token as a JWT.
  • scope: A space-separated list of scopes included on the token. This should be identical to the requested scopes unless the user does not have any permissions applicable to a requested scope, in which case that scope is excluded.
  • token_type: The type of token returned in the assertion field. Always jwt-bearer.

You can now use the access token from the assertion property of the response, together with the ID token retrieved in the previous step, to make API calls to any OAuth2 scoped token endpoint.
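The token exchange above, as an added Python example that is not Armor's own code: it assembles the POST /auth/token request exactly as the page describes it (scope in the query string, the ID token as a Bearer header, a body of literally null) and then reconciles the scope string in the response against what was requested, so a caller finds out which requested scopes were silently dropped instead of discovering it later as a 403. The response it parses is a constructed sample; the token URL, required baseline scopes, the *: prefix rule and the jwt-bearer token type are taken from this page.

```python
# Added example, not Armor's code: build the scoped-token request and check
# what actually came back against what was asked for.
import json
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://api.armor.com/auth/token"
BASELINE_SCOPES = ("openid", "email", "profile")  # must always be present per the page


def scope_for_system(system_name):
    """Map a 'System' name from the Roles and Permissions screen to its scope."""
    return "*:" + system_name


def normalize_scopes(requested):
    """Space-delimited scope string with the baseline first and no duplicates."""
    ordered = []
    for scope in list(BASELINE_SCOPES) + list(requested):
        if scope and scope not in ordered:
            ordered.append(scope)
    return " ".join(ordered)


def build_token_request(id_token, requested):
    """POST /auth/token: scope as query string, ID token as Bearer, body null."""
    url = TOKEN_URL + "?" + urlencode({"scope": normalize_scopes(requested)})
    return Request(
        url,
        data=b"null",  # the page requires the body to be exactly null
        method="POST",
        headers={
            "Authorization": "Bearer " + id_token,
            "Content-Type": "application/json",
        },
    )


def parse_token_response(body, requested):
    """Validate the response shape and report dropped or unexpected scopes."""
    doc = json.loads(body)
    if doc.get("token_type") != "jwt-bearer":
        raise ValueError("unexpected token_type: %r" % doc.get("token_type"))
    assertion = doc.get("assertion")
    if not assertion or assertion.count(".") != 2:
        raise ValueError("assertion is missing or not a compact JWT")
    granted = doc.get("scope", "").split()
    wanted = normalize_scopes(requested).split()
    missing_baseline = [s for s in BASELINE_SCOPES if s not in granted]
    if missing_baseline:
        raise ValueError("baseline scopes absent from token: %s" % missing_baseline)
    return {
        "access_token": assertion,
        "granted": granted,
        "dropped": [s for s in wanted if s not in granted],
        "extra": [s for s in granted if s not in wanted],
    }


# Constructed sample response: the user had no permissions for *:billing, so
# that scope is excluded from the token, as the page describes.
SAMPLE_RESPONSE = json.dumps({
    "assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6InNhbXBsZSJ9.placeholder",
    "scope": "openid email profile *:log-management",
    "token_type": "jwt-bearer",
})
```

In a real run the Request object is passed to urllib.request.urlopen (or the same fields copied into any HTTP client) and the response body goes to parse_token_response; a non-empty "dropped" list is the signal to stop rather than call endpoints the token cannot reach.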

Disabling Multi-Factor Authentication (MFA) for Service Accounts 

Disabling MFA for service accounts, scripts, and other non-interactive integrations can be done by creating a ticket requesting MFA be disabled for a certain account. Please be sure to provide justification and an administrator's approval in the ticket.