External User Info Endpoint

Last updated 8 months ago

Was this helpful?

External User Info Endpoint

Immuta can consume user attributes from an external HTTP endpoint in an out-of-band fashion. This feature allows you to retrieve users' groups and authorizations from an additional resource, alongside the user attributes retrieved in the authentication flow. Such an external endpoint can be configured on any of the Identity Provider types that Immuta supports.

Implement the HTTP Service

The following section instructs how to implement the HTTP service.

Specifications

Authentication

The service can authenticate requests with both or either of the following methods:

Basic username and password Authorization header
SSL cert validation

For more information, refer to .

Note: Immuta will expect non 200 error codes when the user info cannot be retrieved.

GET /user-info

The user info endpoint will be called each time Immuta needs to synchronize with a remote IAM on user groups and authorizations. Immuta will query the endpoint with the user ID specified in request's query.

Note: The endpoint's path does not necessarily have to be /user-info.

Parameters

Name

Located in

Description

Required

Schema

userid

query

The unique user identifier (username in Immuta)

Yes

string

Responses

Code

Description

200

successful operation - user info retrieved successfully

Response schema

Name

Example

groups

[{"name": "<group_name>"}]

authorizations

{"<authorization_name>": ["<value>"]}

Below is an example value that could be returned by the endpoint:

{
  "groups": [{
    "name":  "Accountants",
  }, {
    "name":  "Controllers",
  }],
  "authorizations": {
    "EMEA": ["Sales", "Expenses"],
    "APAC": ["Sales"]
  }
}

Configure an External User Info Endpoint

Click the App Settings icon in the left sidebar.
If you are modifying an existing IAM, click the name of the IAM. If you are creating a new IAM, click Add IAM.
At the very bottom of the IAM section, check the External Groups and Authorizations Endpoint checkbox.
In the External User Info URI field, enter the full path to your customer HTTP endpoint.
Optionally, check the Use Authentication checkbox and provide the username and password with which Immuta should authenticate when querying the user info endpoint. Immuta will subsequently send requests to the service with a Basic authorization header.
Optionally, enable SSL by checking the Enable SSL checkbox.
Optionally, if SSL is enabled, check the Require SSL Request Cert if your service requires SSL certificate validation. This step will require that you upload three files:
- The SSL key file (*.pem)
- The SSL cert file (*.pem)
- The SSL CA file (*.pem)

Last updated 8 months ago

Was this helpful?

Implement the HTTP Service

The following section instructs how to implement the HTTP service.

Specifications

Authentication

The service can authenticate requests with both or either of the following methods:

Basic username and password Authorization header
SSL cert validation

For more information, refer to .

Note: Immuta will expect non 200 error codes when the user info cannot be retrieved.

GET /user-info

Note: The endpoint's path does not necessarily have to be /user-info.

Parameters

Name

Located in

Description

Required

Schema

userid

query

The unique user identifier (username in Immuta)

Yes

string

Responses

Code

Description

200

successful operation - user info retrieved successfully

Response schema

Name

Example

groups

[{"name": "<group_name>"}]

authorizations

{"<authorization_name>": ["<value>"]}

Below is an example value that could be returned by the endpoint:

{
  "groups": [{
    "name":  "Accountants",
  }, {
    "name":  "Controllers",
  }],
  "authorizations": {
    "EMEA": ["Sales", "Expenses"],
    "APAC": ["Sales"]
  }
}

Configure an External User Info Endpoint

Click the App Settings icon in the left sidebar.
If you are modifying an existing IAM, click the name of the IAM. If you are creating a new IAM, click Add IAM.
At the very bottom of the IAM section, check the External Groups and Authorizations Endpoint checkbox.
In the External User Info URI field, enter the full path to your customer HTTP endpoint.
Optionally, check the Use Authentication checkbox and provide the username and password with which Immuta should authenticate when querying the user info endpoint. Immuta will subsequently send requests to the service with a Basic authorization header.
Optionally, enable SSL by checking the Enable SSL checkbox.
Optionally, if SSL is enabled, check the Require SSL Request Cert if your service requires SSL certificate validation. This step will require that you upload three files:
- The SSL key file (*.pem)
- The SSL cert file (*.pem)
- The SSL CA file (*.pem)