API Authentication

IdentityIQ supports the use of OAuth 2.0 (client credentials) as a token-based protocol for API authentication. Use this feature to create and manage OAuth clients that you use with the IdentityIQ API.

Note: You can set up a proxy user that connects on behalf of the user to avoid exposing sensitive user data. In order for the proxy user to have correct rights to make API calls, you must assign capabilities to that proxy user.

OAuth Client Management

The OAuth Client Management tab is where you create and edit OAuth clients.

The OAuth Client Management tab also gives you these controls for editing the OAuth client and displaying the secret:

  • Secret Details icon – click to display the secret for the OAuth client.

  • Edit icon – click to edit the Client Name or Proxy User.

  • Delete icon – click to delete the OAuth client. You will be prompted to confirm the deletion.

  • Regenerate icon – click to generate a new secret for the OAuth client. Generating a new secret will prevent new tokens from being issued using the existing secret.

General Settings

  • Access Token Expiration in Seconds – set the number of seconds that the OAuth token is valid for.

Token Settings

  • Access Token Authentication Scope – the expected scope of the API access token issuer; for example, GetToken.

  • Access Token Authentication Audience – a suffix that identifies the service or system to which the call is directed; for example, /iiq/api. The validator will ensure the SSO audience claim ends with this value.

  • Access Token Authentication Issuers – identification of the SSO token provider; for example, https://sts.windows.net/{{tid}}/.

  • Correlation Variable – the SSO claim used to match the requesting user with an existing IdentityIQ user; for example, oid.

If you want to remove any required data from these fields, use the Clear and Exit option. This allows you to reset your identity authorization token settings by removing them even though they are required.
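The following is an added example, not IdentityIQ's own code, showing how the four Token Settings above are applied to the claims of an SSO token whose signature has already been verified. It assumes the scope is carried in a space-separated "scp" claim, and the tenant id, host name and object id are constructed placeholders.

```python
# Added example (not IdentityIQ's own code): applies the Token Settings rules
# from this page to an already signature-verified SSO token's claims.
# Assumptions: the scope lives in a space-separated "scp" claim; the tenant id,
# host name and object id below are constructed placeholders.
from dataclasses import dataclass

TENANT_ID = "00000000-0000-0000-0000-000000000000"   # constructed stand-in for {{tid}}


@dataclass(frozen=True)
class TokenSettings:
    scope: str = "GetToken"                  # Access Token Authentication Scope
    audience_suffix: str = "/iiq/api"        # Access Token Authentication Audience
    issuers: tuple = (f"https://sts.windows.net/{TENANT_ID}/",)  # Access Token Authentication Issuers
    correlation_variable: str = "oid"        # Correlation Variable


def validate_claims(claims: dict, settings: TokenSettings = TokenSettings()) -> str:
    """Return the correlation value when every check passes; raise ValueError
    naming the first failed check otherwise."""
    scopes = str(claims.get("scp", "")).split()
    if settings.scope not in scopes:
        raise ValueError("scope mismatch")
    # The page states the audience check is a suffix match, so a full URI such as
    # https://iiq.example.test/identityiq/iiq/api is accepted; aud may be a list.
    aud = claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    if not any(isinstance(a, str) and a.endswith(settings.audience_suffix) for a in auds):
        raise ValueError("audience mismatch")
    if claims.get("iss") not in settings.issuers:      # exact match against the configured issuers
        raise ValueError("issuer not trusted")
    ident = claims.get(settings.correlation_variable)   # needed to find the IdentityIQ user
    if not ident:
        raise ValueError(f"missing correlation claim {settings.correlation_variable!r}")
    return str(ident)


# Constructed claims for a token that satisfies every setting.
GOOD_CLAIMS = {
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": "https://iiq.example.test/identityiq/iiq/api",
    "scp": "GetToken",
    "oid": "11111111-1111-1111-1111-111111111111",
}


def check(claims: dict) -> str:
    """Return the matched correlation value, or the reason the token was rejected."""
    try:
        return validate_claims(claims)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(check(GOOD_CLAIMS))
    print(check({**GOOD_CLAIMS, "aud": "https://iiq.example.test/identityiq/iiq/apix"}))
```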