Requesting Temporary Credentials for a Role Based on SAML Assertion

Last updated: 2020-06-05 19:45:39

    Note:

    This is a legacy API which has been hidden and will no longer be updated. We recommend using the new CAM API 3.0 which is standardized and faster.

    API Description

    This API (AssumeRoleWithSAML) is used to request temporary credentials for a role based on SAML assertion.
    Request domain name: sts.api.qcloud.com
    Request method: HTTP POST

    Input parameters

    The following request parameter list only provides API request parameters. Other common parameters can be found in Common Request Parameters.

    Parameter Name Required Type Description
    SAMLAssertion Yes String Base64-encoded SAML assertion
    PrincipalArn Yes String Name of the resource accessible to the principal
    RoleArn Yes String Name of the resource accessible to the role
    RoleSessionName Yes String Session name

    Output parameters

    Parameter Name Type Description
    credentials credentials The object contains a triad of token, tmpSecretId and tmpSecretKey.
    expiredTime Integer Temporary certificate expiration time (Unix timestamp in second)
    expiration String Temporary certificate expiration time (UTC time in ISO8601 format)

    Credential Data Structures

    Parameter Name Type Description
    token String Token value
    tmpSecretId String Temporary security certificate ID
    tmpSecretKey String Temporary security certificate Key

    Example

    Create a SAML identity provider named IdP.

    Input example:
    POST /v2/index.php HTTP/1.1
    Host: sts.api.qcloud.com
    Accept: */*
    Content-Length: 3927
    Content-Type: application/x-www-form-urlencoded
    
    Action=AssumeRoleWithSAML
    &PrincipalArn=qcs::cam::uin/798950673:saml-provider/OneLogin
    &RoleArn=qcs::cam::uin/798950673:roleName/OneLogin-Role
    &RoleSessionName=test
    &SAMLAssertion=c2FtbCBhc3NlcnRpb24=
    &<Common request parameters>

    Output example:
    {
        "code": 0,
        "message": "",
        "codeDesc": "Success",
        "data": {
            "credentials": {
                "sessionToken": "d154fa74af184dfac3deb3a729c103a3003d52f840001",
                "tmpSecretId": "AKID7byWjIxUdUuRfhuctpd2T7XLpkCeqMub",
                "tmpSecretKey": "LN1yqrCt2oejxQB7AQsL8iP9VE4hzfZ9"
            },
            "expiredTime": 1541594376,
            "expiration": "2018-11-07T12:39:36Z"
        }
    }

    Error codes

    The following only lists the error codes related to this API. For other error codes, see Common Error Codes.

    Error Code Description
    InvalidParameter.ProviderNotExist The IdP already exists.
    InvalidParameter.SAMLResponse Invalid SAML assertion response
    InvalidParameter.InvalidRoleArn Invalid name of the role allowed to access

    Was this page helpful?

    Was this page helpful?

    • Not at all
    • Not very helpful
    • Somewhat helpful
    • Very helpful
    • Extremely helpful
    Send Feedback
    Help