LukeParke/developer.sailpoint.com
1
0
Fork 0
mirror of https://github.com/LukeHagar/developer.sailpoint.com.git synced 2025-12-07 20:37:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7194b934e86633cf09409d73337d62d52faea0ad
developer.sailpoint.com/docs/tools/sdk/powershell/refrence/beta/Methods/BetaPasswordManagementApi.md
darrell-thobe-sp bddfeda20e adding method and model docs
2025-01-23 10:09:40 -05:00

12 KiB
Raw Blame History

id, title, pagination_label, sidebar_label, sidebar_class_name, keywords, slug, tags
id title pagination_label sidebar_label sidebar_class_name keywords slug tags
password-management PasswordManagement PasswordManagement PasswordManagement powershellsdk
powershell
PowerShell
sdk
PasswordManagement
/tools/sdk/powershell/beta/methods/password-management
SDK
Software Development Kit
PasswordManagement

PasswordManagement

All URIs are relative to https://sailpoint.api.identitynow.com/beta

Method HTTP request Description
New-BetaDigitToken POST /generate-password-reset-token/digit Generate a digit token
Get-BetaIdentityPasswordChangeStatus GET /password-change-status/{id} Get Password Change Request Status
Search-BetaPasswordInfo POST /query-password-info Query Password Info
Set-BetaIdentityPassword POST /set-password Set Identity's Password

create-digit-token

This API is used to generate a digit token for password management. Requires authorization scope of "idn:password-digit-token:create".

Parameters

Param Type Name Data Type Required Description
Body PasswordDigitTokenReset PasswordDigitTokenReset True

Return type

PasswordDigitToken

Responses

Code Description Data Type
200 The digit token for password management. PasswordDigitToken
400 Client Error - Returned if the request body is invalid. ErrorResponseDto
401 Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. ListAccessModelMetadataAttribute401Response
403 Forbidden - Returned if the user you are running as, doesn't have access to this end-point. ErrorResponseDto
429 Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. ListAccessModelMetadataAttribute429Response
500 Internal Server Error - Returned if there is an unexpected error. ErrorResponseDto

HTTP request headers

  • Content-Type: application/json
  • Accept: application/json

Example

$PasswordDigitTokenReset = @"{
  "durationMinutes" : 5,
  "length" : 8,
  "userId" : "Abby.Smith"
}"@
# Generate a digit token
try {
    $Result = ConvertFrom-JsonToPasswordDigitTokenReset -Json $PasswordDigitTokenReset
    New-BetaDigitToken-BetaPasswordDigitTokenReset $Result
    
    # Below is a request that includes all optional parameters
    # New-BetaDigitToken -BetaPasswordDigitTokenReset $PasswordDigitTokenReset  
} catch {
    Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling New-BetaDigitToken"
    Write-Host $_.ErrorDetails
}

[Back to top]

get-identity-password-change-status

This API returns the status of a password change request. A token with identity owner or trusted API client application authority is required to call this API.

Parameters

Param Type Name Data Type Required Description
Path Id String True

Return type

PasswordStatus

Responses

Code Description Data Type
200 Status of the password change request PasswordStatus
400 Client Error - Returned if the request body is invalid. ErrorResponseDto
401 Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. ListAccessModelMetadataAttribute401Response
403 Forbidden - Returned if the user you are running as, doesn't have access to this end-point. ErrorResponseDto
404 Not Found - returned if the request URL refers to a resource or object that does not exist ErrorResponseDto
500 Internal Server Error - Returned if there is an unexpected error. ErrorResponseDto

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

$Id = "MyId" # String | 
# Get Password Change Request Status
try {
    Get-BetaIdentityPasswordChangeStatus-BetaId $Id 
    
    # Below is a request that includes all optional parameters
    # Get-BetaIdentityPasswordChangeStatus -BetaId $Id  
} catch {
    Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-BetaIdentityPasswordChangeStatus"
    Write-Host $_.ErrorDetails
}

[Back to top]

query-password-info

This API is used to query password related information.

A token with API authority is required to call this API. "API authority" refers to a token that only has the "client_credentials" grant type, and therefore no user context. A personal access token or a token generated with the authorization_code grant type will NOT work on this endpoint, and a 403 Forbidden response will be returned.

Parameters

Param Type Name Data Type Required Description
Body PasswordInfoQueryDTO PasswordInfoQueryDTO True

Return type

PasswordInfo

Responses

Code Description Data Type
200 Reference to the password info. PasswordInfo
400 Client Error - Returned if the request body is invalid. ErrorResponseDto
401 Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. ListAccessModelMetadataAttribute401Response
403 Forbidden - Returned if the user you are running as, doesn't have access to this end-point. ErrorResponseDto
429 Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. ListAccessModelMetadataAttribute429Response
500 Internal Server Error - Returned if there is an unexpected error. ErrorResponseDto

HTTP request headers

  • Content-Type: application/json
  • Accept: application/json

Example

$PasswordInfoQueryDTO = @"{
  "sourceName" : "My-AD",
  "userName" : "Abby.Smith"
}"@
# Query Password Info
try {
    $Result = ConvertFrom-JsonToPasswordInfoQueryDTO -Json $PasswordInfoQueryDTO
    Search-BetaPasswordInfo-BetaPasswordInfoQueryDTO $Result
    
    # Below is a request that includes all optional parameters
    # Search-BetaPasswordInfo -BetaPasswordInfoQueryDTO $PasswordInfoQueryDTO  
} catch {
    Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Search-BetaPasswordInfo"
    Write-Host $_.ErrorDetails
}

[Back to top]

set-identity-password

This API is used to set a password for an identity.

An identity can change their own password (as well as any of their accounts' passwords) if they use a token generated by their ISC user, such as a personal access token or "authorization_code" derived OAuth token.

A token with API authority can be used to change any identity's password or the password of any of the identity's accounts. "API authority" refers to a token that only has the "client_credentials" grant type.

Note: If you want to set an identity's source account password, you must enable PASSWORD as one of the source's features. You can use the PATCH Source endpoint to add the PASSWORD feature.

You can use this endpoint to generate an encryptedPassword (RSA encrypted using publicKey). To do so, follow these steps:

  1. Use Query Password Info to get the following information: identityId, sourceId, publicKeyId, publicKey, accounts, and policies.

  2. Choose an account from the previous response that you will provide as an accountId in your request to set an encrypted password.

  3. Use Set Identity's Password and provide the information you got from your earlier query. Then add this code to your request to get the encrypted password:

import javax.crypto.Cipher;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java util.Base64;

String encrypt(String publicKey, String toEncrypt) throws Exception {
  byte[] publicKeyBytes = Base64.getDecoder().decode(publicKey);
  byte[] encryptedBytes = encryptRsa(publicKeyBytes, toEncrypt.getBytes("UTF-8"));
  return Base64.getEncoder().encodeToString(encryptedBytes);
}

private byte[] encryptRsa(byte[] publicKeyBytes, byte[] toEncryptBytes) throws Exception {
  PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(publicKeyBytes));
  String transformation = "RSA/ECB/PKCS1Padding";
  Cipher cipher = Cipher.getInstance(transformation);
  cipher.init(1, key);
  return cipher.doFinal(toEncryptBytes);
}

In this example, toEncrypt refers to the plain text password you are setting and then encrypting, and the publicKey refers to the publicKey you got from the first request you sent.

You can then use Get Password Change Request Status to check the password change request status. To do so, you must provide the requestId from your earlier request to set the password.

Parameters

Param Type Name Data Type Required Description
Body PasswordChangeRequest PasswordChangeRequest True

Return type

PasswordChangeResponse

Responses

Code Description Data Type
202 Reference to the password change. PasswordChangeResponse
400 Client Error - Returned if the request body is invalid. ErrorResponseDto
401 Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. ListAccessModelMetadataAttribute401Response
403 Forbidden - Returned if the user you are running as, doesn't have access to this end-point. ErrorResponseDto
429 Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. ListAccessModelMetadataAttribute429Response
500 Internal Server Error - Returned if there is an unexpected error. ErrorResponseDto

HTTP request headers

  • Content-Type: application/json
  • Accept: application/json

Example

$PasswordChangeRequest = @"{
  "sourceId" : "8a807d4c73c545510173c545d4b60246",
  "accountId" : "CN=Abby Smith,OU=Austin,OU=Americas,OU=Demo,DC=seri,DC=acme,DC=com",
  "identityId" : "8a807d4c73c545510173c545f0a002ff",
  "publicKeyId" : "YWQ2NjQ4MTItZjY0NC00MWExLWFjMjktOGNmMzU3Y2VlNjk2",
  "encryptedPassword" : "XzN+YwKgr2C+InkMYFMBG3UtjMEw5ZIql/XFlXo8cJNeslmkplx6vn4kd4/43IF9STBk5RnzR6XmjpEO+FwHDoiBwYZAkAZK/Iswxk4OdybG6Y4MStJCOCiK8osKr35IMMSV/mbO4wAeltoCk7daTWzTGLiI6UaT5tf+F2EgdjJZ7YqM8W8r7aUWsm3p2Xt01Y46ZRx0QaM91QruiIx2rECFT2pUO0wr+7oQ77jypATyGWRtADsu3YcvCk/6U5MqCnXMzKBcRas7NnZdSL/d5H1GglVGz3VLPMaivG4/oL4chOMmFCRl/zVsGxZ9RhN8rxsRGFFKn+rhExTi+bax3A=="
}"@
# Set Identity's Password
try {
    $Result = ConvertFrom-JsonToPasswordChangeRequest -Json $PasswordChangeRequest
    Set-BetaIdentityPassword-BetaPasswordChangeRequest $Result
    
    # Below is a request that includes all optional parameters
    # Set-BetaIdentityPassword -BetaPasswordChangeRequest $PasswordChangeRequest  
} catch {
    Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Set-BetaIdentityPassword"
    Write-Host $_.ErrorDetails
}

[Back to top]