
    Safewhere Identify 5.15 REST API Release Notes

    This document summarizes all changes made to the Identify REST API in version 5.15.

    The default message template is selected when the REST API request does not include the "Accept-Language" header

    In previous versions, when using the REST API with mail delivery, such as creating a user with mail delivery, the default message template was not selected if the API request did not include the additional "Accept-Language" header.

    In version 5.15, the default message template is selected when the REST API request does not include the "Accept-Language" header or when the header's value is "*".

    Users endpoint

    The model returned by GET /authenticators has a new attribute:

    {
        "userId": "string",
        "firstFactorConnectionName": "string",
        "firstFactorConnectionDescription": "string", (*)
        "secondFactorConnectionName": "string",
        "secondFactorConnectionDescription": "string",
        "enabledAuthenticator": true,
        "secretCode": "string"
    }
    
    • New configuration fields:

      • firstFactorConnectionDescription.
    • Affected operations: GET /authenticators.

    • Behaviors:

      | Name | Data type | Required? | Default value | Description |
      |---|---|---|---|---|
      | firstFactorConnectionDescription | string | ⬜️ | N/A | The detailed description of a first-factor connection. |

    SMS configuration endpoint

    The request URL parameter of an HTTPRequest configuration section has a new attribute:

    {
        "parameters": {
            "requestUrlParameters": [
                {
                    "sensitive": true,
                    "isHeaderParameter": false, (*)
                    "key": "username",
                    "value": "usernamevalue"
                }
            ],
            ...,
            "httpMethod": "GET"
        },
        "name": "HTTPRequestSmsGatewayConfiguration",
        "displayName": "HTTPRequestSmsGatewayConfiguration",
        "url": "http://path_to_the_server_endpoint/sendsms",
        "providerType": "HTTPRequest",
        "isDefault": true,
        "smsTemplateName": "DefaultSMSOTPCodeTemplate"
    }
    
    • New configuration fields:

      • isHeaderParameter:
        • Supported value: true or false
        • Default value: false
    • Affected operations: GET /smsgateway, POST /smsgateway, PUT /smsgateway.

    • Behaviors:

      | Name | Data type | Required? | Default value | Description |
      |---|---|---|---|---|
      | isHeaderParameter | boolean | ⬜️ | false | When isHeaderParameter is true, the parameter is added to the request's header list instead of the request URL. |
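
    The behaviour in the table above, as an added Python sketch (not Safewhere's code): it splits requestUrlParameters between the header list and the query string according to isHeaderParameter, and lists parameters marked sensitive that would still travel in the URL, where web server and proxy logs usually record them. The X-Api-Key and sender entries are constructed sample values, and how Identify itself assembles the request is an assumption.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample, modelled on the HTTPRequest SMS gateway configuration above.
# The second and third parameters are made up for this example.
SAMPLE_CONFIG = {
    "url": "http://path_to_the_server_endpoint/sendsms",
    "parameters": {
        "httpMethod": "GET",
        "requestUrlParameters": [
            {"sensitive": True, "isHeaderParameter": False,
             "key": "username", "value": "usernamevalue"},
            {"sensitive": True, "isHeaderParameter": True,
             "key": "X-Api-Key", "value": "constructed-secret"},
            {"sensitive": False, "key": "sender", "value": "Identify"},
        ],
    },
}


def build_request(config):
    """Return (method, url, headers) as the documented behaviour implies."""
    params = config["parameters"]
    headers, query = {}, []
    for p in params.get("requestUrlParameters", []):
        # isHeaderParameter defaults to false: the parameter stays in the URL.
        if p.get("isHeaderParameter", False):
            headers[p["key"]] = p["value"]
        else:
            query.append((p["key"], p["value"]))
    parts = urlsplit(config["url"])
    full_query = "&".join(q for q in (parts.query, urlencode(query)) if q)
    return params["httpMethod"], urlunsplit(parts._replace(query=full_query)), headers


def sensitive_in_url(config):
    """Keys marked sensitive that would still be sent in the request URL."""
    return [p["key"] for p in config["parameters"].get("requestUrlParameters", [])
            if p.get("sensitive") and not p.get("isHeaderParameter", False)]


if __name__ == "__main__":
    method, url, headers = build_request(SAMPLE_CONFIG)
    print(method, url)
    print("header parameters:", sorted(headers))
    print("sensitive values still in the URL:", sensitive_in_url(SAMPLE_CONFIG))
```
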

    Connections endpoint

    The find criterion of a certificate reference configuration section model has some new attributes:

    {
        "isSelfSigned": false,
        "revocationCheck": "None",
        "storeReference": {
            "storeName": "TrustedPeople",
            "storeLocation": "CurrentUser"
        },
        "findCriterion": {
            "findType": "FindByThumbprint",
            "value": "3C1FD735A4035E3B78D33444DE5327C393AA282E",
            "validOnly": true (*)
        },
        "keyName": "" (*)
    },
    
    • New configuration fields:

      • validOnly:
        • Supported value: true or false
        • Default value: true
      • keyName: Its value is extracted from the KeyName field within the KeyDescriptor of the SAML metadata.
    • Affected operations: POST /connections, PUT /connections.

    • Behaviors:

      | Name | Data type | Required? | Default value | Description |
      |---|---|---|---|---|
      | validOnly | string | ⬜️ | true | It allows accepting and saving a WSFED/WSTrust application that has expired or revoked certificates when configuring the Received Security Token Encryption certificate setting. |
      | keyName | string | ⬜️ | N/A | If the KeyDescriptor of the uploaded metadata contains a KeyName value, it will be preserved in this field. |

    The OAuth authentication connection configuration section model has some new attributes:

    "configurations": [
        {
          "clientId": "clientid",
          "clientSecret": "cliensecret",
          ...,
          "allowSamlBearerFlow": false, (*) 
          "allowJwtBearerFlow": false, (*)
          "bootstrapTokenTrustedIssuers": [ (*)
              {
                "certificateReference": {
                  "isSelfSigned": false,
                  "revocationCheck": "None",
                  "storeReference": {
                      "storeName": "TrustedPeople",
                      "storeLocation": "CurrentUser"
                  },
                  "findCriterion": {
                      "findType": "FindByThumbprint",
                      "value": "",
                      "validOnly": false
                  }
                },
                "issuer": "https://path.to/token.idp"
              }
          ], 
          "receivedSecurityTokenEncryptionCertificate": { (*)
              "isSelfSigned": false,
              "revocationCheck": "None",
              "storeReference": {
                  "storeName": "TrustedPeople",
                  "storeLocation": "LocalMachine"
              },
              "findCriterion": {
                  "findType": "FindByThumbprint",
                  "value": "",
                  "validOnly": false
              }
          },
          "receivedSecurityTokenAzureKeyVault": { (*)
              "azureKeyVaultEnable": false,
              "useManagedIdentity": false,
              "azureTenantId": "",
              "azureClientId": "",
              "azureClientSecret": "",
              "azureKeyVaultUrl": "",
              "azureKeyVaultKeyName": "",
              "base64Certificate": "",
              "keyVaultMode": "Certificate"
          },
          "validateTargetAudience": false, (*)
          "detectReplayAttackWhenDoingTokenExchange": false, (*)
          "signingCertificateRevocationCheck": "None", (*)
          ...
        }
      ],
    
    • New configuration fields:

      • allowSamlBearerFlow:
        • Supported value: true or false
        • Default value: false
      • allowJwtBearerFlow:
        • Supported value: true or false
        • Default value: false
      • bootstrapTokenTrustedIssuers.
      • receivedSecurityTokenEncryptionCertificate.
      • receivedSecurityTokenAzureKeyVault.
      • validateTargetAudience:
        • Supported value: true or false
        • Default value: false
      • detectReplayAttackWhenDoingTokenExchange:
        • Supported value: true or false
        • Default value: false
      • signingCertificateRevocationCheck:
        • Supported modes: None, CheckEndCert, CheckEndCertCacheOnly, CheckChain, CheckChainCacheOnly, CheckChainExcludeRoot, and CheckChainExcludeRootCacheOnly
        • Default value: None
    • Affected operations: POST /connections, PUT /connections.

    • Behaviors:

      | Name | Data type | Required? | Default value | Description |
      |---|---|---|---|---|
      | allowSamlBearerFlow | boolean | ⬜️ | false | Allow SAML bearer flow |
      | allowJwtBearerFlow | boolean | ⬜️ | false | Allow JWT bearer flow |
      | bootstrapTokenTrustedIssuers | list of objects | ⬜️ | N/A | Bootstrap token trusted issuers |
      | receivedSecurityTokenEncryptionCertificate | object | ⬜️ | N/A | Received security token encryption certificate |
      | receivedSecurityTokenAzureKeyVault | object | ⬜️ | N/A | Received security token Azure key vault |
      | validateTargetAudience | boolean | ⬜️ | false | Validate target audience |
      | detectReplayAttackWhenDoingTokenExchange | boolean | ⬜️ | false | Detect replay attack when doing token exchange |
      | signingCertificateRevocationCheck | enum = {None, CheckEndCert, CheckEndCertCacheOnly, CheckChain, CheckChainCacheOnly, CheckChainExcludeRoot, CheckChainExcludeRootCacheOnly} | ⬜️ | None | Specifies the signing certificate revocation check mode |
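
    A configuration review for the new OAuth connection fields, as an added Python example (not part of the Identify product or its API): it reports which bearer flows are enabled and which of the new validation fields are still at the permissive defaults listed above. The sample entry is constructed; treating an empty thumbprint and validOnly false on a trusted issuer as findings is an assumption of this example.

```python
# Constructed sample: one entry of an OAuth connection's "configurations" list
# with a bearer flow enabled and the new fields left at their documented defaults.
SAMPLE = {
    "clientId": "clientid",
    "allowSamlBearerFlow": False,
    "allowJwtBearerFlow": True,
    "bootstrapTokenTrustedIssuers": [{
        "issuer": "https://path.to/token.idp",
        "certificateReference": {
            "revocationCheck": "None",
            "findCriterion": {"findType": "FindByThumbprint",
                              "value": "", "validOnly": False},
        },
    }],
    "validateTargetAudience": False,
    "detectReplayAttackWhenDoingTokenExchange": False,
    "signingCertificateRevocationCheck": "None",
}


def enabled_bearer_flows(cfg):
    """Names of the bearer-flow switches that are turned on."""
    return [k for k in ("allowSamlBearerFlow", "allowJwtBearerFlow") if cfg.get(k, False)]


def audit_oauth_configuration(cfg):
    """Return review findings for one entry of "configurations"."""
    findings = []
    # Both switches default to false, so a missing key counts as disabled.
    for key in ("validateTargetAudience", "detectReplayAttackWhenDoingTokenExchange"):
        if not cfg.get(key, False):
            findings.append(f"{key} is false")
    if cfg.get("signingCertificateRevocationCheck", "None") == "None":
        findings.append("signingCertificateRevocationCheck is None")
    for entry in cfg.get("bootstrapTokenTrustedIssuers", []):
        name = entry.get("issuer", "<missing issuer>")
        crit = entry.get("certificateReference", {}).get("findCriterion", {})
        if not crit.get("value"):
            findings.append(f"{name}: empty certificate thumbprint")
        # validOnly defaults to true (see the certificate reference section).
        if not crit.get("validOnly", True):
            findings.append(f"{name}: validOnly is false")
    return findings


if __name__ == "__main__":
    print("bearer flows enabled:", enabled_bearer_flows(SAMPLE))
    for finding in audit_oauth_configuration(SAMPLE):
        print(" -", finding)
```
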