Create SAML SSO authentication settings for an identity provider (IdP), either from the IdP's metadata URL or from explicitly supplied IdP values. You must include either the metadata_url field or all three of the following fields: idp_sso_url, idp_issuer, and idp_certificate.
You must have Instance Administrator permissions to run this endpoint.
Authorization
String
required
{api_key}
{api_key}
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
xXdrAuthId_example
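# Create an IdP SSO configuration (requires an API key with Instance Administrator
# permissions). The endpoint needs a JSON body with a request_data object holding
# either metadata_url, or all of idp_sso_url, idp_issuer and idp_certificate; the
# original sample sent an empty body (-d ''), which does not satisfy that
# requirement. The body below is the example from this page.
# Replace authorization_example / xXdrAuthId_example with your API key and key ID.
# Prefer reading them from an environment variable or a file rather than typing the
# key literally on the command line, so it does not land in shell history.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/public_api/v1/authentication-settings/create' \
  -d '{
    "request_data": {
      "name": "IdP configuration",
      "default_role": "Analyst",
      "is_account_role": true,
      "domain": "my-test-domain.com",
      "mappings": {
        "email": "string",
        "firstname": "string",
        "lastname": "string",
        "group_name": "string"
      },
      "idp_sso_url": "https://cortex-test.okta.com/app/cortex-test/xxxxxxx/sso/SAML",
      "idp_certificate": "MY_CERTIFICATE_FROM_OKTA",
      "idp_issuer": "https://cortex-test.okta.com/idp",
      "advanced_settings": {}
    }
  }'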
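import http.client
import json

# Create an IdP SSO configuration via the Cortex public API.
# Requires an API key with Instance Administrator permissions: replace the two
# "SOME_STRING_VALUE" header placeholders with the API key (Authorization) and
# its ID (x-xdr-auth-id). The API key and the optional
# advanced_settings.service_provider_private_key are secrets; load them from a
# secret store or environment variable rather than keeping them in source.
#
# HTTPSConnection without an explicit context uses Python's default SSL
# context, which verifies the server certificate. Do not pass an unverified
# context to get past a certificate error: the key material in this request
# would then be exposed to any on-path host.
conn = http.client.HTTPSConnection("api-yourfqdn")

# The body is built as a dict and serialised with json.dumps so that values
# containing quotes or newlines (PEM certificates and keys) are escaped
# correctly instead of being hand-escaped inside a string literal.
# Supply either metadata_url, or all of idp_sso_url, idp_issuer and
# idp_certificate.
request_data = {
    "name": "string",
    "default_role": "string",
    "is_account_role": False,
    "domain": "string",
    "mappings": {
        "email": "string",
        "firstname": "string",
        "lastname": "string",
        "group_name": "string",
    },
    "advanced_settings": {
        "relay_state": "string",
        "idp_single_logout_url": "string",
        "service_provider_public_cert": "string",
        "service_provider_private_key": "string",
        "authn_context_enabled": False,
        "force_authn": False,
    },
    "idp_sso_url": "string",
    "idp_certificate": "string",
    "idp_issuer": "string",
    "metadata_url": "string",
}
payload = json.dumps({"request_data": request_data})

headers = {
    'Authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    'content-type': "application/json",
}

try:
    conn.request("POST", "/public_api/v1/authentication-settings/create", payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()

# A non-2xx reply (bad key, missing permission, invalid payload) is an error,
# not a result to print as if the call had succeeded.
if not 200 <= res.status < 300:
    raise RuntimeError("authentication-settings/create failed: %d %s: %s"
                       % (res.status, res.reason, data.decode("utf-8", "replace")))
print(data.decode("utf-8"))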
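require 'uri'
require 'net/http'
require 'openssl'
require 'json'

# Create an IdP SSO configuration via the Cortex public API.
# Requires an API key with Instance Administrator permissions: replace the two
# 'SOME_STRING_VALUE' header placeholders with the API key (Authorization) and
# its ID (x-xdr-auth-id). The key and the optional
# advanced_settings.service_provider_private_key are secrets; read them from a
# secret store or environment variable rather than keeping them in source.
url = URI("https://api-yourfqdn/public_api/v1/authentication-settings/create")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The original sample set VERIFY_NONE, which
# accepts any certificate and so lets an on-path attacker impersonate the API
# and capture the API key and the SP private key carried in this request.
# If the tenant presents a certificate from a private CA, trust that CA via
# http.ca_file instead of turning verification off.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'

# Build the body from a Hash so PEM values (which contain newlines) are
# escaped correctly. Supply either metadata_url, or all of idp_sso_url,
# idp_issuer and idp_certificate.
request_data = {
  "name" => "string",
  "default_role" => "string",
  "is_account_role" => false,
  "domain" => "string",
  "mappings" => {
    "email" => "string",
    "firstname" => "string",
    "lastname" => "string",
    "group_name" => "string"
  },
  "advanced_settings" => {
    "relay_state" => "string",
    "idp_single_logout_url" => "string",
    "service_provider_public_cert" => "string",
    "service_provider_private_key" => "string",
    "authn_context_enabled" => false,
    "force_authn" => false
  },
  "idp_sso_url" => "string",
  "idp_certificate" => "string",
  "idp_issuer" => "string",
  "metadata_url" => "string"
}
request.body = JSON.generate("request_data" => request_data)

response = http.request(request)
# Anything other than 2xx (bad key, missing permission, invalid payload) is a
# failure, not a result to print as if the call had succeeded.
unless response.is_a?(Net::HTTPSuccess)
  abort "authentication-settings/create failed: #{response.code} #{response.message}: #{response.body}"
end
puts response.read_body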
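// Create an IdP SSO configuration via the Cortex public API.
// Requires an API key with Instance Administrator permissions. The call is
// shown with XMLHttpRequest for completeness, but an administrator API key must
// not be embedded in browser-delivered JavaScript, where any user of the page
// can read it: run this from a server-side or CLI process and load the key (and
// any service_provider_private_key in the body) from a secret store or
// environment variable rather than from source.
// Supply either metadata_url, or all of idp_sso_url, idp_issuer and
// idp_certificate.
const data = JSON.stringify({
  "request_data": {
    "name": "string",
    "default_role": "string",
    "is_account_role": false,
    "domain": "string",
    "mappings": {
      "email": "string",
      "firstname": "string",
      "lastname": "string",
      "group_name": "string"
    },
    "advanced_settings": {
      "relay_state": "string",
      "idp_single_logout_url": "string",
      "service_provider_public_cert": "string",
      "service_provider_private_key": "string",
      "authn_context_enabled": false,
      "force_authn": false
    },
    "idp_sso_url": "string",
    "idp_certificate": "string",
    "idp_issuer": "string",
    "metadata_url": "string"
  }
});

const xhr = new XMLHttpRequest();
// withCredentials is deliberately not set: this API authenticates with the
// Authorization / x-xdr-auth-id headers, so attaching browser cookies to a
// cross-origin request is unnecessary and only widens what could be replayed.
xhr.addEventListener("readystatechange", function () {
  if (this.readyState === this.DONE) {
    // A non-2xx status (bad key, missing permission, invalid payload) is a
    // failure; do not treat its body as a successful result.
    if (this.status < 200 || this.status >= 300) {
      console.error("authentication-settings/create failed:", this.status, this.responseText);
      return;
    }
    console.log(this.responseText);
  }
});
xhr.open("POST", "https://api-yourfqdn/public_api/v1/authentication-settings/create");
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);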
// Create an IdP SSO configuration via the Cortex public API (Unirest).
// Requires an API key with Instance Administrator permissions: replace the
// "SOME_STRING_VALUE" placeholders with the API key (Authorization) and its ID
// (x-xdr-auth-id); keep both, and any service_provider_private_key in the body,
// in a secret store rather than in source.
final String endpoint = "https://api-yourfqdn/public_api/v1/authentication-settings/create";
// Request body: supply either metadata_url, or all of idp_sso_url, idp_issuer
// and idp_certificate.
final String requestBody = "{\"request_data\":{\"name\":\"string\",\"default_role\":\"string\",\"is_account_role\":false,\"domain\":\"string\",\"mappings\":{\"email\":\"string\",\"firstname\":\"string\",\"lastname\":\"string\",\"group_name\":\"string\"},\"advanced_settings\":{\"relay_state\":\"string\",\"idp_single_logout_url\":\"string\",\"service_provider_public_cert\":\"string\",\"service_provider_private_key\":\"string\",\"authn_context_enabled\":false,\"force_authn\":false},\"idp_sso_url\":\"string\",\"idp_certificate\":\"string\",\"idp_issuer\":\"string\",\"metadata_url\":\"string\"}}";
HttpResponse<String> response = Unirest.post(endpoint)
        .header("Authorization", "SOME_STRING_VALUE")
        .header("x-xdr-auth-id", "SOME_STRING_VALUE")
        .header("content-type", "application/json")
        .body(requestBody)
        .asString();
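import Foundation

// Create an IdP SSO configuration via the Cortex public API.
// Requires an API key with Instance Administrator permissions: replace the
// "SOME_STRING_VALUE" placeholders with the API key (Authorization) and its ID
// (x-xdr-auth-id). Keep them, and any service_provider_private_key in the body,
// in the Keychain or a secret store rather than in source.
let headers = [
  "Authorization": "SOME_STRING_VALUE",
  "x-xdr-auth-id": "SOME_STRING_VALUE",
  "content-type": "application/json"
]
// Supply either metadata_url, or all of idp_sso_url, idp_issuer and
// idp_certificate.
let parameters = ["request_data": [
  "name": "string",
  "default_role": "string",
  "is_account_role": false,
  "domain": "string",
  "mappings": [
    "email": "string",
    "firstname": "string",
    "lastname": "string",
    "group_name": "string"
  ],
  "advanced_settings": [
    "relay_state": "string",
    "idp_single_logout_url": "string",
    "service_provider_public_cert": "string",
    "service_provider_private_key": "string",
    "authn_context_enabled": false,
    "force_authn": false
  ],
  "idp_sso_url": "string",
  "idp_certificate": "string",
  "idp_issuer": "string",
  "metadata_url": "string"
]] as [String : Any]

// JSONSerialization.data(withJSONObject:options:) throws, so the call needs
// `try`; the original sample omitted it and would not compile.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://api-yourfqdn/public_api/v1/authentication-settings/create")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// URLSession.shared performs standard TLS certificate validation; do not add a
// delegate that accepts arbitrary server trust to work around certificate
// errors, since the API key and SP private key travel in this request.
let session = URLSession.shared
let dataTask = session.dataTask(with: request) { (data, response, error) -> Void in
  if let error = error {
    print("request error: \(error)")
    return
  }
  guard let httpResponse = response as? HTTPURLResponse else {
    print("unexpected response: \(String(describing: response))")
    return
  }
  let body = data.flatMap { String(data: $0, encoding: .utf8) } ?? ""
  // A non-2xx status (bad key, missing permission, invalid payload) is a
  // failure, not a result.
  if !(200..<300).contains(httpResponse.statusCode) {
    print("authentication-settings/create failed: \(httpResponse.statusCode) \(body)")
    return
  }
  print(body)
}
dataTask.resume()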
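<?php
// Create an IdP SSO configuration via the Cortex public API (cURL).
// Requires an API key with Instance Administrator permissions: replace the
// "SOME_STRING_VALUE" placeholders with the API key (Authorization) and its ID
// (x-xdr-auth-id); keep both, and any service_provider_private_key in the body,
// in a secret store or environment variable rather than in source.
// Supply either metadata_url, or all of idp_sso_url, idp_issuer and
// idp_certificate.
$body = "{\"request_data\":{\"name\":\"string\",\"default_role\":\"string\",\"is_account_role\":false,\"domain\":\"string\",\"mappings\":{\"email\":\"string\",\"firstname\":\"string\",\"lastname\":\"string\",\"group_name\":\"string\"},\"advanced_settings\":{\"relay_state\":\"string\",\"idp_single_logout_url\":\"string\",\"service_provider_public_cert\":\"string\",\"service_provider_private_key\":\"string\",\"authn_context_enabled\":false,\"force_authn\":false},\"idp_sso_url\":\"string\",\"idp_certificate\":\"string\",\"idp_issuer\":\"string\",\"metadata_url\":\"string\"}}";

$curl = curl_init();
curl_setopt_array($curl, [
  CURLOPT_URL => "https://api-yourfqdn/public_api/v1/authentication-settings/create",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  // Redirects are not followed (no CURLOPT_FOLLOWLOCATION), so the
  // Authorization header cannot be replayed to another host; MAXREDIRS is
  // kept only as a bound should FOLLOWLOCATION ever be enabled.
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => $body,
  CURLOPT_HTTPHEADER => [
    "Authorization: SOME_STRING_VALUE",
    "content-type: application/json",
    "x-xdr-auth-id: SOME_STRING_VALUE"
  ],
  // Peer and host verification are cURL's defaults; they are set explicitly so
  // nobody "fixes" a certificate error by turning them off. Sending the API key
  // and SP private key over an unverified connection would expose both.
  CURLOPT_SSL_VERIFYPEER => true,
  CURLOPT_SSL_VERIFYHOST => 2,
]);
$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} elseif ($status < 200 || $status >= 300) {
  // A non-2xx reply (bad key, missing permission, invalid payload) is a
  // failure, not a result to echo as if the call had succeeded.
  echo "authentication-settings/create failed: HTTP " . $status . ": " . $response;
} else {
  echo $response;
}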
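/*
 * Create an IdP SSO configuration via the Cortex public API (libcurl).
 * Requires an API key with Instance Administrator permissions: replace the
 * "SOME_STRING_VALUE" placeholders with the API key (Authorization) and its
 * ID (x-xdr-auth-id); keep both, and any service_provider_private_key in the
 * body, in a secret store rather than in source.
 * Supply either metadata_url, or all of idp_sso_url, idp_issuer and
 * idp_certificate.
 * libcurl verifies the server certificate by default; do not set
 * CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST to 0 to work around a
 * certificate error, since the key material in this request would be exposed.
 */
CURL *hnd = curl_easy_init();
struct curl_slist *headers = NULL;
if (hnd != NULL) {
  curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
  curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/authentication-settings/create");
  headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
  headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
  headers = curl_slist_append(headers, "content-type: application/json");
  curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
  curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"name\":\"string\",\"default_role\":\"string\",\"is_account_role\":false,\"domain\":\"string\",\"mappings\":{\"email\":\"string\",\"firstname\":\"string\",\"lastname\":\"string\",\"group_name\":\"string\"},\"advanced_settings\":{\"relay_state\":\"string\",\"idp_single_logout_url\":\"string\",\"service_provider_public_cert\":\"string\",\"service_provider_private_key\":\"string\",\"authn_context_enabled\":false,\"force_authn\":false},\"idp_sso_url\":\"string\",\"idp_certificate\":\"string\",\"idp_issuer\":\"string\",\"metadata_url\":\"string\"}}");
  CURLcode ret = curl_easy_perform(hnd);
  if (ret != CURLE_OK) {
    /* Transport failure (DNS, TLS, timeout): see curl_easy_strerror(ret). */
  } else {
    long http_code = 0;
    curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &http_code);
    if (http_code < 200 || http_code >= 300) {
      /* The API rejected the request (bad key, missing permission, invalid payload). */
    }
  }
  /* Release the header list and the handle; the original sample leaked both. */
  curl_slist_free_all(headers);
  curl_easy_cleanup(hnd);
}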
// Create an IdP SSO configuration via the Cortex public API (RestSharp).
// Requires an API key with Instance Administrator permissions: replace the
// "SOME_STRING_VALUE" placeholders with the API key (Authorization) and its ID
// (x-xdr-auth-id); keep both, and any service_provider_private_key in the body,
// in a secret store rather than in source.
// Supply either metadata_url, or all of idp_sso_url, idp_issuer and
// idp_certificate.
const string endpoint = "https://api-yourfqdn/public_api/v1/authentication-settings/create";
const string requestBody = "{\"request_data\":{\"name\":\"string\",\"default_role\":\"string\",\"is_account_role\":false,\"domain\":\"string\",\"mappings\":{\"email\":\"string\",\"firstname\":\"string\",\"lastname\":\"string\",\"group_name\":\"string\"},\"advanced_settings\":{\"relay_state\":\"string\",\"idp_single_logout_url\":\"string\",\"service_provider_public_cert\":\"string\",\"service_provider_private_key\":\"string\",\"authn_context_enabled\":false,\"force_authn\":false},\"idp_sso_url\":\"string\",\"idp_certificate\":\"string\",\"idp_issuer\":\"string\",\"metadata_url\":\"string\"}}";
var client = new RestClient(endpoint);
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "SOME_STRING_VALUE")
       .AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE")
       .AddHeader("content-type", "application/json")
       .AddParameter("application/json", requestBody, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);request_dataobjectrequired
namestringThe name of the SSO integration.
The name of the SSO integration.
default_rolestringThe default role automatically assigned to every user who authenticates to Cortex using SAML. This is an inherited role and is not the same as a direct role assigned to the user.
If a role with the same name exists on both Cortex Gateway and the tenant, the role is mapped to the role from the tenant. If you specifically want to use the role from Cortex Gateway, set the is_account_role parameter to true.
The default role automatically assigned to every user who authenticates to Cortex using SAML. This is an inherited role and is not the same as a direct role assigned to the user.
If a role with the same name exists on both Cortex Gateway and the tenant, the role is mapped to the role from the tenant. If you specifically want to use the role from Cortex Gateway, set the is_account_role parameter to true.
is_account_rolebooleanWhether the role was created in Cortex Gateway or in the tenant. When the value is true, the role was created in Cortex Gateway.
Whether the role was created in Cortex Gateway or in the tenant. When the value is true, the role was created in Cortex Gateway.
domainstringWhen configuring the first SSO, this parameter should be included as empty because it is the default SSO and has a fixed, read-only value.
For additional SSOs, specify the email domain (the part after the @ in user@domain) to associate with this IdP. When logging in, users are redirected to the IdP associated with their email domain, or to the default IdP if no association exists.
When configuring the first SSO, this parameter should be included as empty because it is the default SSO and has a fixed, read-only value.
For additional SSOs, specify the email domain (the part after the @ in user@domain) to associate with this IdP. When logging in, users are redirected to the IdP associated with their email domain, or to the default IdP if no association exists.
mappingsobjectrequiredThese IdP attribute mappings are dependent on your organization’s IdP.
These IdP attribute mappings are dependent on your organization’s IdP.
emailstringThe IdP attribute (SAML assertion attribute name) that Cortex maps to the user's email address.
The IdP attribute (SAML assertion attribute name) that Cortex maps to the user's email address.
firstnamestringThe IdP attribute mapped to the user's first name.
The IdP attribute mapped to the user's first name.
lastnamestringThe IdP attribute mapped to the user's last name.
The IdP attribute mapped to the user's last name.
group_namestringThe IdP attribute mapped to the user's group membership for authorization.
Note: Cortex requires the IdP to send the group membership as part of the SAML token. Some IdPs send values in a format that includes a comma, which is not compatible with Cortex. In that case, you must configure your IdP to send a single value without a comma for each group membership. For example, if your IdP sends the Group DN (a comma-separated list) by default, you must configure the IdP to send the Group CN (Common Name) instead.
The IdP attribute mapped to the user's group membership for authorization.
Note: Cortex requires the IdP to send the group membership as part of the SAML token. Some IdPs send values in a format that includes a comma, which is not compatible with Cortex. In that case, you must configure your IdP to send a single value without a comma for each group membership. For example, if your IdP sends the Group DN (a comma-separated list) by default, you must configure the IdP to send the Group CN (Common Name) instead.
advanced_settingsobjectThe advanced settings are optional to configure and some are specific for a particular IdP.
The advanced settings are optional to configure and some are specific for a particular IdP.
relay_statestringThe URL for a specific page that you want users to be directed to after they've been authenticated by your organization's IdP and log in to Cortex.
The URL for a specific page that you want users to be directed to after they've been authenticated by your organization's IdP and log in to Cortex.
idp_single_logout_urlstringThe URL of the IdP's Single Logout endpoint. This ensures that when a user initiates a logout from Cortex, the identity provider logs the user out of all applications in the current identity provider login session.
The URL of the IdP's Single Logout endpoint. This ensures that when a user initiates a logout from Cortex, the identity provider logs the user out of all applications in the current identity provider login session.
service_provider_public_certstringThe service provider's (Cortex's) public X.509 certificate in PEM format, which the IdP uses to validate the signed SAML messages Cortex sends to it.
The service provider's (Cortex's) public X.509 certificate in PEM format, which the IdP uses to validate the signed SAML messages Cortex sends to it.
service_provider_private_keystringThe service provider's (Cortex's) private key in PEM format, used to sign the SAML messages that Cortex sends to the IdP. Most IdPs do not require this; ADFS typically does. This key is a secret: supply it only through this authenticated HTTPS API, and keep it out of source control, shell history, and logs.
The service provider's (Cortex's) private key in PEM format, used to sign the SAML messages that Cortex sends to the IdP. Most IdPs do not require this; ADFS typically does. This key is a secret: supply it only through this authenticated HTTPS API, and keep it out of source control, shell history, and logs.
authn_context_enabledbooleanWhether to remove the RequestedAuthnContext element from the SAML authentication requests Cortex sends to the IdP.
If true, the element is omitted, which lets the IdP authenticate users with additional authentication methods it supports instead of being constrained to the context Cortex would otherwise request.
Whether to remove the RequestedAuthnContext element from the SAML authentication requests Cortex sends to the IdP.
If true, the element is omitted, which lets the IdP authenticate users with additional authentication methods it supports instead of being constrained to the context Cortex would otherwise request.
force_authnbooleanWhether to force users to reauthenticate to access the Cortex tenant if requested by the IdP, even if they already authenticated to access other applications.
Whether to force users to reauthenticate to access the Cortex tenant if requested by the IdP, even if they already authenticated to access other applications.
idp_sso_urlstringThe login (SSO) URL of your IdP, copied exactly from your SAML integration configuration on the IdP.
For example:
- Okta: https://cortex-test.okta.com/app/cortex-test/eacbt6b2jj08CasdUQ7sdf15d7/sso/SAML
- Microsoft Azure: https://login.microsoftonline.com/6a5a9780-96a4-41ef-bf45-0535d8a70025/saml2
The login (SSO) URL of your IdP, copied exactly from your SAML integration configuration on the IdP. For example:
- Okta: https://cortex-test.okta.com/app/cortex-test/eacbt6b2jj08CasdUQ7sdf15d7/sso/SAML
- Microsoft Azure: https://login.microsoftonline.com/6a5a9780-96a4-41ef-bf45-0535d8a70025/saml2
idp_certificatestringThe IdP's public X.509 signing certificate in PEM format, copied from your organization's IdP. Cortex uses it to verify the signatures on the SAML assertions the IdP issues, so obtain it directly from the IdP's configuration and update it when the IdP rotates its signing certificate.
The IdP's public X.509 signing certificate in PEM format, copied from your organization's IdP. Cortex uses it to verify the signatures on the SAML assertions the IdP issues, so obtain it directly from the IdP's configuration and update it when the IdP rotates its signing certificate.
idp_issuerstringThe unique identifier of the IdP issuing SAML assertions, which is copied from your organization's IdP.
The unique identifier of the IdP issuing SAML assertions, which is copied from your organization's IdP.
metadata_urlstringThe metadata URL provides information about the IdP's capabilities, endpoints, keys, and more. Use the HTTPS metadata URL published by your IdP: the endpoints and signing keys Cortex reads from it determine which IdP, and which certificates, Cortex will trust.
For example:
- Okta: https://cortex-test.okta.com/app/exkbuuzw77Bh04V6M6b8/sso/saml/metadata
- Microsoft Azure: https://login.microsoftonline.com/6a5a9780-96a4-41ef-bf45-0535d8a70025/saml2/metadata
The metadata URL provides information about the IdP's capabilities, endpoints, keys, and more. Use the HTTPS metadata URL published by your IdP: the endpoints and signing keys Cortex reads from it determine which IdP, and which certificates, Cortex will trust. For example:
- Okta: https://cortex-test.okta.com/app/exkbuuzw77Bh04V6M6b8/sso/saml/metadata
- Microsoft Azure: https://login.microsoftonline.com/6a5a9780-96a4-41ef-bf45-0535d8a70025/saml2/metadata
{
"request_data": {
"name": "IdP configuration",
"default_role": "Analyst",
"domain": "my-test-domain.com",
"mappings": {
"email": "user@company.com",
"firstname": "John",
"lastname": "Smith",
"group_name": "analysts"
},
"idp_sso_url": "https://cortex-test.okta.com/app/cortex-test/xxxxxxx/sso/SAML",
"idp_certificate": "MY_CERTIFICATE_FROM_OKTA",
"idp_issuer": "https://cortex-test.okta.com/idp",
"advanced_settings": {},
"is_account_role": true
}
}