
Is there some way to handle OTDS authentication with the REST API and a SAML assertion?

Hi all,

I have a portal that logs users in with ADFS and SAML. After the authentication the user should be authorized to use the REST API of Content Server.
I have configured OTDS to use the SAML 2.0 Authentication Handler and it works when I log the user in from the OTDS login.

Now I would like to use the Content Server REST API, but I can't figure out how I can obtain an OTCS ticket.
First I thought of using a SAML Bearer OAuth2 flow as described in https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-08, but I can't find any documentation about it, so I suppose that this standard is not supported.

Looking at the OTDS REST API I see the endpoint /authentication/token and I'm trying it, but I don't understand how to use it. I suppose I have to put some SAML assertions in the tokenBinary property.

POST /authentication/token
Content-Type: application/json

{
  "tokenBinary": "base64 saml assertions here?"
}

Is it correct? And if so, how can I retrieve the SAML assertion I have to use?

Comments

  • You are on the right track and for anyone else's reference I've covered this in a video KB here:

    https://knowledge.opentext.com/knowledge/cs.dll/kcs/kbarticle/view/KB4242339

    As for the SAML assertion you would need to make a separate call to your IdP to authenticate there first and then use the resulting encoded assertion in OTDS.

    Jamie Pepper
    Sr Technical Analyst
    OpenText

  • Hi JPepper,

    I am trying to integrate OTCS 16.2 and my Java web application using REST and both have been set up to use OKTA (SAML 2.0) for authentication. I have followed the instructions provided in the link above.

    I post the SAML response to the OTDS REST endpoint.
    http://[SERVER]/otdsws/rest/authentication/token

    And this is the response from the OTDS server
    {
    "status": -805306355,
    "error": "INVALID_CREDENTIALS",
    "errorDetails": null
    }

    I am able to use OKTA to login to my application as well as OTCS. But am unable to use the SAML response to get a ticket to call REST APIs on OTCS from my app.

    What am I doing wrong here?

  • JPepper (EM mod)
    edited March 11

    @sandeepvk1234 If you set your OTDS log level to debug under System Config in the admin UI you should be able to see the assertion coming through for your normal requests and for this REST API request. My guess is that the user we are decoding from the assertion does not exist in OTDS but if that user is you and the same user you use via the OTDS Web UI or via OTCS that shouldn't be occurring.

    Please also note that that endpoint is protected, so when calling it using something like Postman and not our Swagger interface you would need to pass an OTDSTicket value in the header from a previously authenticated user to be able to use the API endpoint.

    Jamie Pepper
    Sr Technical Analyst
    OpenText

  • Hi JPepper,

    Thank you. I am able to use the SAML assertion to get the OTDSTICKET now. It was a misconfiguration on my part on OTDS.
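
The exchange described in the question and in JPepper's reply, as an added example that is not part of this thread and not OpenText's own code: it builds the POST to /otdsws/rest/authentication/token with the base64-encoded assertion in tokenBinary and the OTDSTicket header from a previously authenticated user, and it interprets the error JSON shown above. The base URL, the ticket value, the sample assertion and the success field name "token" are assumptions; the real assertion comes from your IdP (ADFS/Okta) after the SAML login.

```python
import base64
import json

# Constructed sample assertion for offline use; a real one is the encoded
# assertion returned by your IdP after the user authenticates there.
SAMPLE_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1">'
    "<saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>"
    "</saml2:Assertion>"
)


class OtdsAuthError(Exception):
    """Raised when OTDS answers with an error object instead of a ticket."""


def build_token_request(base_url, assertion_xml, otds_ticket):
    """Return (url, headers, body) for POST /otdsws/rest/authentication/token.

    tokenBinary carries the base64-encoded assertion. OTDSTicket is the header
    the endpoint requires when called outside Swagger; its value (assumed here)
    must come from a previously authenticated OTDS session.
    """
    url = base_url.rstrip("/") + "/otdsws/rest/authentication/token"
    headers = {"Content-Type": "application/json", "OTDSTicket": otds_ticket}
    encoded = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    body = json.dumps({"tokenBinary": encoded})
    return url, headers, body


def decode_token_binary(body):
    """Recover the assertion from a request body (useful when checking what was sent)."""
    return base64.b64decode(json.loads(body)["tokenBinary"]).decode("utf-8")


def parse_token_response(response_text):
    """Interpret the JSON OTDS returns.

    The error shape (status/error/errorDetails) matches the thread above; the
    success field name "token" is an assumption and may differ per version.
    On INVALID_CREDENTIALS, raise the OTDS log level to debug and compare the
    decoded user with the one that works via the OTDS web UI.
    """
    data = json.loads(response_text)
    if data.get("error"):
        raise OtdsAuthError(f"{data['error']} (status {data.get('status')})")
    token = data.get("token")
    if not token:
        raise OtdsAuthError("no ticket in response: " + response_text)
    return token
```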
