Help & DocumentationCloud Access ManagementAPI DocumentationCAM API 2017STS Related APIRequesting Temporary Credentials for a Role Based on SAML Assertion
Requesting Temporary Credentials for a Role Based on SAML Assertion
Last updated: 2019-04-17 16:42:47
PDFAPI Description
This API (AssumeRoleWithSAML) is used to request temporary credentials for a role based on SAML assertion.
Request domain name: sts.api.qcloud.com
Request method: HTTP POST
Input parameters
The following request parameter list only provides API request parameters. Other common parameters can be found in Common Request Parameters.
| Parameter Name | Required | Type | Description |
|---|---|---|---|
| SAMLAssertion | Yes | String | Base64-encoded SAML assertion |
| PrincipalArn | Yes | String | Name of the resource accessible to the principal |
| RoleArn | Yes | String | Name of the resource accessible to the role |
| RoleSessionName | Yes | String | Session name |
Output parameters
| Parameter Name | Type | Description |
|---|---|---|
| credentials | credentials | The object contains a triad of token, tmpSecretId and tmpSecretKey. |
| expiredTime | Integer | Temporary certificate expiration time (Unix timestamp in second) |
| expiration | String | Temporary certificate expiration time (UTC time in ISO8601 format) |
Credential Data Structures
| Parameter Name | Type | Description |
|---|---|---|
| token | String | Token value |
| tmpSecretId | String | Temporary security certificate ID |
| tmpSecretKey | String | Temporary security certificate Key |
Example
Create a SAML identity provider named IdP.
Input example:
POST /v2/index.php HTTP/1.1
Host: sts.api.qcloud.com
Accept: */*
Content-Length: 3927
Content-Type: application/x-www-form-urlencoded
Action=AssumeRoleWithSAML
&PrincipalArn=qcs::cam::uin/798950673:saml-provider/OneLogin
&RoleArn=qcs::cam::uin/798950673:roleName/OneLogin-Role
&RoleSessionName=test
&SAMLAssertion=c2FtbCBhc3NlcnRpb24=
&<Common request parameters>Output example:
{
"code": 0,
"message": "",
"codeDesc": "Success",
"data": {
"credentials": {
"sessionToken": "d154fa74af184dfac3deb3a729c103a3003d52f840001",
"tmpSecretId": "AKID7byWjIxUdUuRfhuctpd2T7XLpkCeqMub",
"tmpSecretKey": "LN1yqrCt2oejxQB7AQsL8iP9VE4hzfZ9"
},
"expiredTime": 1541594376,
"expiration": "2018-11-07T12:39:36Z"
}
}Error codes
The following only lists the error codes related to this API. For other error codes, see Common Error Codes.
| Error Code | Description |
|---|---|
| InvalidParameter.ProviderNotExist | The IdP already exists. |
| InvalidParameter.SAMLResponse | Invalid SAML assertion response |
| InvalidParameter.InvalidRoleArn | Invalid name of the role allowed to access |
