Create multiple users
POST /api/web/v3/users/multiple
Create multiple users. Caller requires the USERS:ADD permission.
Request
- application/json
Body
required
If set to true, the operation stops on the first operation that fails. Otherwise the operation continues for each specified user. If not specified, this defaults to false.
users
object[]
required
The list of users to be created.
Indicates if the user is granted a new frozen grace period. This value is not used when creating a user. If provided, it will be ignored.
The email address of this user. This value may or may not be required depending on configuration. If it is required, it must be specified when creating the user. If it is required, it must be specified when updating the user and a value is not currently set. It must be set to use EMAIL OTP authentication and other features that require an email address. To remove the existing value, set the value to an empty string.
Indicates if a verification email message should be sent to the user if the user now requires verification. The user's policy requiring user verification must also be enabled for the user. If not set, this value defaults to true.
An optional external ID for this user. This value can be used to track the external identity of an Identity as a Service user. To unset the external ID, specify an empty string.
An optional value that describes the source when the user is synchronized from an external source. To unset the external source, specify an empty string.
The first name of this user. This value may or may not be required depending on configuration. If it is required, it must be specified when creating the user. If it is required, it must be specified when updating the user and a value is not currently set. To remove the existing value, set the value to an empty string.
A list of group UUIDs to be assigned to this user. If specified, these groups replace existing groups.
The last name of this user. This value may or may not be required depending on configuration. If it is required, it must be specified when creating the user. If it is required, it must be specified when updating the user and a value is not currently set. To remove the existing value, set the value to an empty string.
Possible values: [da, de, en, es, fr, it, ja, ko, nl, nb, pl, pt, ru, sv, th, tr, zh-cn, zh-tw]
The locale of this user. If not set, the default account locale will be used. To remove the existing value, set the value to an empty string.
Indicates if all the user's authenticators are locked or not.
The mobile number of this user. This value may or may not be required depending on configuration. If it is required, it must be specified when creating the user. If it is required, it must be specified when updating the user and a value is not currently set. It must be set to use SMS OTP authentication. To remove the existing value, set the value to an empty string.
A list of oauth role UUIDs to be assigned to this user. If specified, these oauth roles replace existing oauth roles.
A list of organization UUIDs to be assigned to this user. If specified, these organizations replace existing organizations.
The phone number of this user. This value may or may not be required depending on configuration. If it is required, it must be specified when creating the user. If it is required, it must be specified when updating the user and a value is not currently set. It must be set to use VOICE OTP authentication. To remove the existing value, set the value to an empty string.
Possible values: [EMAIL, SMS, VOICE, SYSTEM]
Preferred OTP delivery type (SMS, EMAIL or VOICE) or SYSTEM to use the system defined default.
preferredOtpDeliveryContactAttributes
object
Preferred OTP delivery contact attribute for the given type (i.e., OTP_EMAIL, OTP_SMS, OTP_VOICE). An empty string means no override for that type.
Indicates whether self-registration is required. If not set when the user is created, this value defaults to true.
The security ID of this user. The security ID is a unique value used to identify the user when performing smart card login to Microsoft Windows.
Possible values: [ACTIVE, INACTIVE]
The state of this user. Only users in the ACTIVE state can perform authentication. If not set when the user is created, this value defaults to ACTIVE.
userAliases
object[]
A list of user aliases for this user. Alias values must be unique with respect to the userId and other aliases of this user and other users.
The UUID of this user alias set when the user alias is created.
Possible values: [CUSTOM, DERIVED, USERID]
The type of user alias. A value of USERID is used for an alias that will represent the actual user id value. A value of CUSTOM is used for aliases manually created by an administrator. A value of DERIVED is defined for future use and should not be used at this time.
The UUID of the user to which this user alias belongs.
The value for the user alias.
userAttributeValues
object[]
A list of user attribute values for this user.
A flag indicating if this user attribute value can be modified.
The UUID of this user attribute value set when the user attribute value is created.
The last time the attribute value was updated.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the user attribute that defines this user attribute value. The userAttributeId must be provided when creating or modifying a user attribute value.
The UUID of the user to which this user attribute value belongs.
The value for the user attribute.
userExtraAttributes
object[]
A list of extra optional attributes for this user.
The name for the extra user attribute.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of custom user attribute.
The value for the extra user attribute.
The user ID for this user. This value is required when creating the user, optional during update. The userId must be unique with respect to aliases of this user and the userId and aliases of all other users.
The user principal name of this user. This value may or may not be required depending on configuration. If it is required, it must be specified when creating the user. If it is required, it must be specified when updating the user and a value is not currently set. To remove the existing value, set the value to an empty string.
Indicates whether verification is required. If not set when the user is created, this value defaults to true.
Responses
- 200
- 400
- 401
- 403
- 404
- 409
Successful
- application/json
- Schema
- Example (from schema)
Schema
error
object
Object containing information about errors reported by services.
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
Indicates if the user was successfully created (true) or not (false).
user
object
The values stored for a user. This structure is passed when creating or modifying a user. It is returned when querying a user.
alternateEmails
object[]
A list of all the user's alternate emails.
Name of the email attribute.
Value of the email attribute.
authenticatorLockoutStatus
object[]
A list of all authenticators that the user has with their lockout status.
The date the user was locked. Null means the user is not locked.
If remainingAuthenticationAttempts is 0, then a lockoutExpiryDate of null means the lockout never expires. Otherwise, a value of null means the user isn't locked out.
The number of authentication attempts remaining before the user is locked out.
Possible values: [MACHINE, PASSWORD, EXTERNAL, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, SMARTCREDENTIALPUSH, PASSWORD_AND_SECONDFACTOR, SMART_LOGIN, IDP, PASSKEY, IDP_AND_SECONDFACTOR, USER_CERTIFICATE, FACE]
The type of the authenticator.
The DN of the user in the directory the user was synchronized from.
If the user was synchronized from a directory, the UUID of that directory.
If the user was synchronized from a directory, the name of that directory.
The objectGUID of the user in the directory the user was synchronized from.
Possible values: [ON_PREM, AZURE, AD_CONNECTOR]
The type of the directory user was synchronized from.
The email address of this user. This value may or may not be required depending on configuration. It must be set to use EMAIL OTP authentication and other features that require an email address.
An optional external ID for this user. This value can be used to track the external identity of an Identity as a Service user.
An optional value that describes the source when the user is synchronized from an external source.
fidoTokens
object[]
A list of all the FIDO tokens owned by this user.
Possible values: [DELETE, ENABLE, DISABLE, RENAME]
Administration actions that can be performed on this FIDO token.
The date on which the FIDO token was created.
The unique UUID assigned to the FIDO token when it is registered.
The date on which this FIDO token was last used for authentication. This value will be null if the FIDO token has never been used.
The name of this FIDO token.
The origin of where the FIDO token was generated.
The relying party ID of where the FIDO token was generated.
Possible values: [ACTIVE, INACTIVE]
The state of this FIDO token. Only FIDO tokens in the ACTIVE state can be used for authentication.
The user Id of the user who owns this FIDO token.
Indicates if the userId was stored on the FIDO token.
The UUID of the user who owns this FIDO token.
The first name of this user. This value may or may not be required depending on configuration.
Indicates whether a user is unable to authenticate due to inactivity.
Indicates a user's frozen grace period.
grids
object[]
A list of all the grids owned by this user.
Possible values: [CANCEL, DELETE, ENABLE, DISABLE, ASSIGN, UNASSIGN]
A list of what actions are currently allowed for this grid.
For unassigned grids which were assigned to the user, the date on which the grid was assigned.
The date on which the grid was created.
A flag indicating if this grid is currently expired.
If the grid policy defines an expiry date, the date on which this grid will expire. Expired grids cannot be used for authentication.
The grid contents of this grid. Only administrators with the GRIDCONTENTS:VIEW permission will receive this value.
The UUIDs of groups to which this grid belongs. This value is only used for unassigned grids. Only groups to which the current administrator has access will be returned.
The unique UUID assigned to the grid when it is created.
The date on which this grid was last used for authentication. This value will be null if the grid has never been used.
The unique numeric serial number assigned to the grid when it is created.
Possible values: [ACTIVE, INACTIVE, UNASSIGNED, PENDING, CANCELED]
The state of this grid. Only grids in the ACTIVE or PENDING state can be used for authentication.
The UUID of the user who owns this grid. If the grid is not assigned, this value will be null.
The user Id for this user. If the grid is not assigned, this value will be null.
groups
object[]
A list of all groups to which this user belongs.
When the group was created.
The externalId of this group.
The UUID of this group. This value is generated when the group is created.
When the group was last modified.
The name of this group.
Possible values: [LDAP_AD, MGMT_UI]
The type of group indicating if this group was synchronized from a directory (LDAP_AD) or was created in Identity as a Service (MGMT_UI).
The unique UUID for this user. This value is generated by the service when a user is created.
The last time this user successfully authenticated. Null if the user has never authenticated.
When the user was last modified.
The last name of this user. This value may or may not be required depending on configuration.
The locale of this user. If not set, the default account locale will be used.
A flag indicating if this user is locked.
Possible values: [MACHINE, PASSWORD, EXTERNAL, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, SMARTCREDENTIALPUSH, PASSWORD_AND_SECONDFACTOR, SMART_LOGIN, IDP, PASSKEY, IDP_AND_SECONDFACTOR, USER_CERTIFICATE, FACE]
The user authenticators that are locked.
Possible values: [PASSWORD, KBA, TEMP_ACCESS_CODE, GRID, OTP_EMAIL, OTP_SMS, OTP_VOICE, ENTRUST_SOFT_TOKEN, ENTRUST_SOFT_TOKEN_PUSH, GOOGLE_AUTHENTICATOR, HARDWARE_TOKEN, FIDO, SMARTCREDENTIALPUSH, USER_CERTIFICATE, MACHINE, FACE]
The user authenticators that are locked. Deprecated: use lockedAuthenticatorTypes
If the user is locked, this value will specify the time at which the lockout will expire.
Indicates whether Magic Links are enabled for this user.
A flag indicating if this user was migrated from Entrust IdentityGuard.
The mobile number of this user. This value may or may not be required depending on configuration. It must be set to use SMS OTP authentication.
oauthRoles
object[]
A list of all oauth roles to which this user belongs.
The set of ancestor oauth role ids.
The set of descendant oauth role ids.
The description of this oauth role.
The UUID of this oauth role. This value is generated when the oauth role is created.
The set of resource server scopes ids associated with this oauth role based on inheritance from its ancestors.
The name of this oauth role.
The UUID of the parent of this oauth role, if one exists.
The set of resource server scopes ids associated with this oauth role.
organizations
object[]
A list of the user organizations.
The description of the organization.
The display name of the organization.
The unique UUID assigned to the organization when it is created.
The URI of the logo to display when showing organizations.
The name of the organization.
If the user has an OTP, this attribute specifies when the user's OTP was created.
The password expiration time.
The phone number of this user. This value may or may not be required depending on configuration. It must be set to use VOICE OTP authentication.
Possible values: [EMAIL, SMS, VOICE, SYSTEM]
Preferred OTP delivery type (SMS, EMAIL or VOICE) or SYSTEM to use the system defined default.
preferredOtpDeliveryContactAttributes
object
Preferred OTP delivery contact attribute for the given type (i.e., OTP_EMAIL, OTP_SMS, OTP_VOICE). An empty string means no override for that type.
Indicates whether registration is enabled for this user.
Indicates whether self-registration is required. This attribute doesn't apply to administrators.
The security ID of this user. The security ID is a unique value used to identify the user when performing smart card login to Microsoft Windows.
Indicates whether to show notifications to this user.
smartCredentials
object[]
A list of all the smart credentials owned by this user.
Possible values: [ACTIVATE, REACTIVATE, UPDATE, UNASSIGN, UNBLOCK, ENABLE, DISABLE, DELETE, VIEW_CERTIFICATES]
A list of administration actions currently allowed for this smart credential.
cardDigitalConfig
object
Information that defines how digital ids are created in the CA.
If true, digital ids using this config will be set to have all CA groups.
If allCAGroups is set to false then digital ids using this config will use this specified list of CA groups.
The UUID of the CA for this digital id config.
The name of the CA for this digital id config.
Possible values: [EDC, MS, PKIAAS]
The CA type of this Digital Id Config.
certTemplates
object[]
A list of cert templates associated with this digital id config.
The UUID of the Digital Id Config that owns this Digital Id Config Cert Template.
The UUID of the Digital Id Config Cert Template.
Possible values: [RSA_2048, EC_P_256]
The key type of the Digital Id Config Cert Template.
The name of the Digital Id Config Cert Template.
Possible values: [PivAuth, CardAuth, DigSig, KeyMgmt, None]
The PIV container of the Digital Id Config Cert Template.
The CA certificate type which digital ids using this config will use.
When creating a digital id config, default values can be provided from this specified digital id config template.
A flag indicating if digital ids using this config will create directory entries in the CA.
The format which digital ids using this config will use for their DN.
Whether digital ids using this config should include the searchbase in their DN.
The UUID of this Digital Id Config.
The name of this Digital Id Config.
The CA role which digital ids using this config will use.
The searchbase within the CA in which digital ids using this config will be created.
subjectAltNames
object[]
A list of subjectAltNames associated with this digital id config.
The UUID of the digital id config that owns this subjectAltName.
The UUID of this Digital Id Config SubjectAltName.
Possible values: [EMAIL, UPN, IP, DNS, OTHER, X400, DN, EDI, URI, REGISTERED_ID]
The type of subjectAltName.
The value for the subjectAltName.
Possible values: [PIV_CARDHOLDER, PIV_CARD]
The type of digital id.
The CA user type which digital ids using this config will use.
variables
object[]
A list of variables associated with this digital id config.
The UUID of the Digital Id Config that owns this Digital Id Config Variable.
The UUID of the Digital Id Config Variable.
A flag indicating if values for this variable are included in the Digital Id's DN when it is generated by the CA.
The name of the Digital Id Config Variable.
Possible values: [CERTIFICATE, USER, VARIABLE, CUSTOM]
The type of the Digital Id Config Variable.
The value of the Digital Id Config Variable.
The UUID of the Card Digital Id config of this smart credential. If not set, the smart credential will not have a Card Digital Id.
Indicates if the card digitalid config is required or not.
cardHolderDigitalConfig
object
Information that defines how digital ids are created in the CA.
If true, digital ids using this config will be set to have all CA groups.
If allCAGroups is set to false then digital ids using this config will use this specified list of CA groups.
The UUID of the CA for this digital id config.
The name of the CA for this digital id config.
Possible values: [EDC, MS, PKIAAS]
The CA type of this Digital Id Config.
certTemplates
object[]
A list of cert templates associated with this digital id config.
The UUID of the Digital Id Config that owns this Digital Id Config Cert Template.
The UUID of the Digital Id Config Cert Template.
Possible values: [RSA_2048, EC_P_256]
The key type of the Digital Id Config Cert Template.
The name of the Digital Id Config Cert Template.
Possible values: [PivAuth, CardAuth, DigSig, KeyMgmt, None]
The PIV container of the Digital Id Config Cert Template.
The CA certificate type which digital ids using this config will use.
When creating a digital id config, default values can be provided from this specified digital id config template.
A flag indicating if digital ids using this config will create directory entries in the CA.
The format which digital ids using this config will use for their DN.
Whether digital ids using this config should include the searchbase in their DN.
The UUID of this Digital Id Config.
The name of this Digital Id Config.
The CA role which digital ids using this config will use.
The searchbase within the CA in which digital ids using this config will be created.
subjectAltNames
object[]
A list of subjectAltNames associated with this digital id config.
The UUID of the digital id config that owns this subjectAltName.
The UUID of this Digital Id Config SubjectAltName.
Possible values: [EMAIL, UPN, IP, DNS, OTHER, X400, DN, EDI, URI, REGISTERED_ID]
The type of subjectAltName.
The value for the subjectAltName.
Possible values: [PIV_CARDHOLDER, PIV_CARD]
The type of digital id.
The CA user type which digital ids using this config will use.
variables
object[]
A list of variables associated with this digital id config.
The UUID of the Digital Id Config that owns this Digital Id Config Variable.
The UUID of the Digital Id Config Variable.
A flag indicating if values for this variable are included in the Digital Id's DN when it is generated by the CA.
The name of the Digital Id Config Variable.
Possible values: [CERTIFICATE, USER, VARIABLE, CUSTOM]
The type of the Digital Id Config Variable.
The value of the Digital Id Config Variable.
The UUID of the Card Holder Digital Id config of this smart credential. If not set, the smart credential will not have a Card Holder Digital Id.
Indicates if the card holder digitalid config is required or not.
certificates
object[]
A list of certificates associated with this smart credential.
The description providing the purpose of this certificate.
The UUID of the digital id to which this certificate belongs.
Possible values: [PIV_CARDHOLDER, PIV_CARD]
The type of the digital Id to which this certificate belongs.
The UUID of this Digital Id Certificate.
The issuer DN of this certificate.
The expiry date of this certificate.
The issue date of this certificate.
The name of the PIV container that stores this certificate on the smart card.
The serial number of this certificate.
Possible values: [ACTIVE, REVOKED, HOLD, EXPIRED, NOT_AVAILABLE]
The status of this certificate. If not set, the revocation status has not been retrieved from the CA.
The subject DN of this certificate.
The chip id of the smart card set when the smart credential is encoded.
digitalIds
object[]
A list of digital ids associated with this smart credential.
certificates
object[]
The certificates associated with this digital id.
The description providing the purpose of this certificate.
The UUID of the digital id to which this certificate belongs.
Possible values: [PIV_CARDHOLDER, PIV_CARD]
The type of the digital Id to which this certificate belongs.
The UUID of this Digital Id Certificate.
The issuer DN of this certificate.
The expiry date of this certificate.
The issue date of this certificate.
The name of the PIV container that stores this certificate on the smart card.
The serial number of this certificate.
Possible values: [ACTIVE, REVOKED, HOLD, EXPIRED, NOT_AVAILABLE]
The status of this certificate. If not set, the revocation status has not been retrieved from the CA.
The subject DN of this certificate.
The UUID of the digital Id config that defines this digital Id.
The name of the digital id Config that defines this digital Id.
Possible values: [PIV_CARDHOLDER, PIV_CARD]
The type of this digital Id.
The current DN of the digital id.
The UUID of this DigitalId.
For smart credentials that have failed to encode, the encode message stores a message providing information about the failure.
Possible values: [ENCODE_START, ENCODE_DONE, ENCODE_ERROR]
The encode state of a smart credential indicates if encoding has started, completed successfully or failed.
Possible values: [ENROLLING, ENROLLED]
The enrollment state of a smart credential indicates if all of the necessary enrollment values have been collected. Only smart credentials in the ENROLLED state can be activated.
For issued smart credentials, the expiry date is the date on which the smart credential will expire.
The unique UUID assigned to the smart credential when it is created.
The date on which the smart credential was issued.
A flag indicating if notification is enabled for this smart credential.
The platform of the Mobile SC application on which this smart credential was encoded.
The UUID of the Smart Credential Definition that defines this smart credential.
The name of the smart credential definition of this smart credential.
The unique serial number of the smart credential generated when it is created.
Possible values: [ACTIVE, INACTIVE]
The state of the smart credential. Only smart credentials in the ACTIVE state can be used for authentication.
The UUID of the user that owns this smart credential.
The user Id of the user that owns this smart credential.
variableValues
object[]
Variable values for this smart credential.
scDefnVariable
object
SC Defn Variables define the details about variables defined in the SC Defn.
The default value of this variable.
A flag indicating if values for this variable should be displayed.
A flag indicating if the initial value for this variable should be generated.
A length value used when generating values for this variable.
The UUID of this SC Defn Variable.
A flag indicating if values for this variable can be modified.
The name of this SC Defn Variable.
A value that specifies the order of this variable with respect to the other variables in the SC Defn.
Optional prompt to be used when prompting for a value for this variable.
A flag indicating if a value is required for this variable.
Possible values: [ALLOWED, REQUIRED, NOT_ALLOWED, NOT_SET]
A value specifying restrictions on digits appearing in values of this variable.
Possible values: [ALLOWED, REQUIRED, NOT_ALLOWED, NOT_SET]
A value specifying restrictions on lowercase characters appearing in values of this variable.
A value indicating a maximum for values of this variable. How this is enforced depends on the variable type.
A value indicating a minimum for values of this variable. How this is enforced depends on the variable type.
A value specifying a regex that values of this variable must match.
Possible values: [ALLOWED, REQUIRED, NOT_ALLOWED, NOT_SET]
A value specifying restrictions on special characters appearing in values of this variable.
Possible values: [ALLOWED, REQUIRED, NOT_ALLOWED, NOT_SET]
A value specifying restrictions on uppercase characters appearing in values of this variable.
The UUID of the SC Defn that owns this variable definition.
Possible values: [STRING, BOOLEAN, INTEGER, UUID]
The type of this variable.
Possible values: [GLOBAL, USER, NONE]
A flag indicating if values of this variable must be unique and if so within what scope.
A value that allows a variable to be defined unique in the scope of another variable.
The UUID of the SC Defn Variable that defines the variable.
The variable value.
The version of the Mobile SC application on which this smart credential was encoded.
Possible values: [ACTIVE, INACTIVE]
The state of this user. Only users in the ACTIVE state can perform authentication.
tempAccessCode
object
Information returned from the service about a temporary access code.
The actual temporary access code. This value will only be returned if the administrator has the TEMPACCESSCODECONTENTS:VIEW permission.
The date on which this temporary access code was created.
A flag indicating if this temporary access code is expired now.
The expiry date of this temporary access code. If not set, it never expires.
The unique UUID assigned to the temporary access code when it is created.
The maximum number of times this temporary access code can be used. If not set, there are no limits.
The number of times this temporary access code has been used.
tokens
object[]
A list of all the tokens owned by this user.
Possible values: [AT, OATH_HOTP, OATH_OCRA, OATH_TOTP, VENDOR]
The algorithm type used by the token that was created or loaded into the system to generate OTP values.
Possible values: [ACTIVATE, REACTIVATE, ACTIVATE_COMPLETE, DELETE, UNLOCK, ENABLE, DISABLE, RESET, ASSIGN, UNASSIGN]
Actions that can be performed on this token.
Optional text describing this token.
The UUIDs of groups to which this token belongs. This value is only used for unassigned tokens. Only groups to which the current administrator has access will be returned.
The unique UUID assigned to the token when it is created.
Optional label to identify an assigned token: a String up to 100 characters.
The date on which the token was last used for authentication. This value will be null if the token has never been used.
The date on which the token was created or loaded into the system.
Base-64 encoded logo. If a custom logo is provided by the customer it is returned. Otherwise a system default logo is returned.
An optional name for the token.
The mobile device platform on which an Entrust Soft Token was activated.
A flag indicating if the Entrust Soft Token has registered for transactions. Only tokens that are registered can perform token push authentication.
The serial number of the token either generated when the token was created or loaded into the system.
Possible values: [NEW, ACTIVATING, ACTIVE, INACTIVE, UNASSIGNED]
The state of the token. For most tokens, only tokens in the ACTIVE state can be used for authentication. Google Authenticator tokens in the ACTIVATING state can also be used for authentication.
A flag indicating if the Token supports challenge response processing.
A flag indicating if the Token supports response processing.
A flag indicating if the Token supports signature processing.
A flag indicating if the Token supports unlock processing.
A flag indicating if the Token supports unlock using TOTP processing.
Possible values: [ENTRUST_PHYSICAL_TOKEN, ENTRUST_SOFT_TOKEN, GOOGLE_AUTHENTICATOR, OATH_PHYSICAL_TOKEN, ENTRUST_LEGACY_TOKEN]
The type of token specified when the token was created or loaded into the system.
If the token is assigned to a user, this value specifies that user's user id.
Possible values: [LDAP_AD, MGMT_UI, EXTERNAL]
The type of user. A value of LDAP_AD means the user was synchronized from a directory. A value of MGMT_UI means the user was created in Identity as a Service. A value of EXTERNAL means the user was synchronized from an external source.
userAliases
object[]
A list of user aliases for this user.
The UUID of this user alias set when the user alias is created.
Possible values: [CUSTOM, DERIVED, USERID]
The type of user alias. A value of USERID is used for an alias that will represent the actual user id value. A value of CUSTOM is used for aliases manually created by an administrator. A value of DERIVED is defined for future use and should not be used at this time.
The UUID of the user to which this user alias belongs.
The value for the user alias.
userAttributeValues
object[]
A list of user attribute values for this user.
A flag indicating if this user attribute value can be modified.
The UUID of this user attribute value set when the user attribute value is created.
The last time the attribute value was updated.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the user attribute that defines this user attribute value. The userAttributeId must be provided when creating or modifying a user attribute value.
The UUID of the user to which this user attribute value belongs.
The value for the user attribute.
The time this user was created.
userExtraAttributes
object[]
A list of extra optional attributes for this user.
The UUID of this extra user attribute.
The name for the extra user attribute.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of custom user attribute.
The value for the extra user attribute.
The user ID for this user.
The user principal name of this user. This value may or may not be required depending on configuration.
Indicates whether verification is enabled for this user.
Indicates whether verification is required. This attribute doesn't apply to administrators.
[
{
"error": {
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
},
"success": true,
"user": {
"alternateEmails": [
{
"name": "Secondary email",
"value": "secondary@mycompany.com"
}
],
"authenticatorLockoutStatus": [
{
"lockoutDate": "2019-02-19T13:15:27Z",
"lockoutExpiryDate": "2019-02-20T13:15:27Z",
"remainingAuthenticationAttempts": 0,
"type": "OTP"
}
],
"directoryDN": "string",
"directoryId": "string",
"directoryName": "string",
"directoryObjectGUID": "string",
"directoryType": "ON_PREM",
"email": "string",
"externalId": "John",
"externalSource": "string",
"fidoTokens": [
{
"allowedActions": [
"DELETE"
],
"createDate": "2019-02-19T13:15:27Z",
"id": "string",
"lastUsedDate": "2019-02-21T11:37:27Z",
"name": "string",
"origin": "string",
"relyingPartyId": "string",
"state": "ACTIVE",
"userId": "string",
"userIdStored": true,
"userUUID": "string"
}
],
"firstName": "string",
"frozen": true,
"frozenGracePeriod": "2019-02-19T13:15:27Z",
"grids": [
{
"allowedActions": [
"CANCEL"
],
"assignDate": "2019-02-19T13:17:27Z",
"createDate": "2019-02-19T13:15:27Z",
"expired": true,
"expiryDate": "2019-08-19T13:15:27Z",
"gridContents": [
[
"string"
]
],
"groups": [
"string"
],
"id": "string",
"lastUsedDate": "2019-02-19T13:15:27Z",
"serialNumber": 0,
"state": "ACTIVE",
"userId": "45f5a855-962a-4b5f-b5c5-7ceeae235875",
"userName": "john.doe"
}
],
"groups": [
{
"created": "2019-02-19T13:15:27Z",
"externalId": "string",
"id": "string",
"lastModified": "2019-02-19T13:15:27Z",
"name": "string",
"type": "MGMT_UI"
}
],
"id": "string",
"lastAuthTime": "2019-02-19T13:15:27Z",
"lastModified": "2019-02-19T13:15:27Z",
"lastName": "string",
"locale": "string",
"locked": true,
"lockedAuthenticatorTypes": [
"MACHINE"
],
"lockoutExpiry": "2019-02-19T13:15:27Z",
"magicLinkEnabled": true,
"migrated": true,
"mobile": "string",
"oauthRoles": [
{
"ancestorIds": [
"string"
],
"descendantIds": [
"string"
],
"description": "string",
"id": "string",
"inheritedResourceServerScopeIds": [
"string"
],
"name": "string",
"parentId": "string",
"resourceServerScopeIds": [
"string"
]
}
],
"organizations": [
{
"description": "string",
"displayName": "string",
"id": "string",
"logoUri": "https://account.mycompany.com/images/logo.png",
"name": "string"
}
],
"otpCreateTime": "2019-02-11T11:45:27Z",
"passwordExpirationTime": "2019-02-19T13:15:27Z",
"phone": "string",
"preferredOtpDelivery": "SYSTEM",
"preferredOtpDeliveryContactAttributes": {
"OTP_EMAIL": "Email",
"OTP_SMS": "Personal Mobile",
"OTP_VOICE": "default"
},
"registrationEnabled": true,
"registrationRequired": true,
"securityId": "8c35d5f2-a18a-11ed-a8fc-0242ac120002",
"showNotification": true,
"smartCredentials": [
{
"allowedActions": [
"ACTIVATE"
],
"cardDigitalConfig": {
"allCAGroups": true,
"caGroups": [
"string"
],
"caId": "string",
"caName": "string",
"caType": "EDC",
"certTemplates": [
{
"digitalIdConfigId": "string",
"id": "string",
"keyType": "RSA_2048",
"name": "string",
"pivContainer": "PivAuth"
}
],
"certificateType": "string",
"digitalIdConfigTemplateId": "string",
"directoryEntry": true,
"dnFormat": "string",
"dnFormatSearchbaseIncluded": true,
"id": "string",
"name": "string",
"role": "string",
"searchbase": "string",
"subjectAltNames": [
{
"digitalIdConfigId": "string",
"id": "string",
"type": "EMAIL",
"value": "string"
}
],
"type": "PIV_CARDHOLDER",
"userType": "string",
"variables": [
{
"digitalIdConfigId": "string",
"id": "string",
"includedInDN": true,
"name": "string",
"type": "CERTIFICATE",
"value": "string"
}
]
},
"cardDigitalConfigId": "string",
"cardDigitalConfigRequired": true,
"cardHolderDigitalConfig": {
"allCAGroups": true,
"caGroups": [
"string"
],
"caId": "string",
"caName": "string",
"caType": "EDC",
"certTemplates": [
{
"digitalIdConfigId": "string",
"id": "string",
"keyType": "RSA_2048",
"name": "string",
"pivContainer": "PivAuth"
}
],
"certificateType": "string",
"digitalIdConfigTemplateId": "string",
"directoryEntry": true,
"dnFormat": "string",
"dnFormatSearchbaseIncluded": true,
"id": "string",
"name": "string",
"role": "string",
"searchbase": "string",
"subjectAltNames": [
{
"digitalIdConfigId": "string",
"id": "string",
"type": "EMAIL",
"value": "string"
}
],
"type": "PIV_CARDHOLDER",
"userType": "string",
"variables": [
{
"digitalIdConfigId": "string",
"id": "string",
"includedInDN": true,
"name": "string",
"type": "CERTIFICATE",
"value": "string"
}
]
},
"cardHolderDigitalConfigId": "string",
"cardHolderDigitalConfigRequired": true,
"certificates": [
{
"description": "string",
"digitalIdId": "string",
"digitalIdType": "PIV_CARDHOLDER",
"id": "string",
"issuerDN": "string",
"notAfter": "2019-02-19T13:15:27Z",
"notBefore": "2019-02-19T13:15:27Z",
"pivContainer": "string",
"serialNumber": "string",
"status": "ACTIVE",
"subjectDN": "string"
}
],
"chipId": "string",
"digitalIds": [
{
"certificates": [
{
"description": "string",
"digitalIdId": "string",
"digitalIdType": "PIV_CARDHOLDER",
"id": "string",
"issuerDN": "string",
"notAfter": "2019-02-19T13:15:27Z",
"notBefore": "2019-02-19T13:15:27Z",
"pivContainer": "string",
"serialNumber": "string",
"status": "ACTIVE",
"subjectDN": "string"
}
],
"digitalIdConfigId": "string",
"digitalIdConfigName": "string",
"digitalIdConfigType": "PIV_CARDHOLDER",
"dn": "string",
"id": "string"
}
],
"encodeMsg": "string",
"encodeState": "ENCODE_START",
"enrollState": "ENROLLING",
"expiryDate": "2019-02-19T13:15:27Z",
"id": "string",
"issueDate": "2019-02-19T13:15:27Z",
"notifyEnabled": true,
"platform": "string",
"scDefnId": "string",
"scDefnName": "string",
"serialNumber": "string",
"state": "ACTIVE",
"userId": "string",
"userUserId": "string",
"variableValues": [
{
"scDefnVariable": {
"defaultValue": "string",
"displayable": true,
"generate": true,
"generateLength": 0,
"id": "string",
"modifiable": true,
"name": "string",
"order": 0,
"prompt": "string",
"required": true,
"restrictionDigits": "ALLOWED",
"restrictionLower": "ALLOWED",
"restrictionMax": 0,
"restrictionMin": 0,
"restrictionRegex": "string",
"restrictionSpecial": "ALLOWED",
"restrictionUpper": "ALLOWED",
"scDefnId": "string",
"type": "STRING",
"uniqueness": "GLOBAL",
"uniquenessScopeId": "string"
},
"scDefnVariableId": "string",
"value": "string"
}
],
"version": "string"
}
],
"state": "ACTIVE",
"tempAccessCode": {
"code": "string",
"createDate": "2019-02-19T13:15:27Z",
"expired": true,
"expiryDate": "2019-03-19T13:15:27Z",
"id": "string",
"maxUses": 0,
"numUses": 0
},
"tokens": [
{
"algorithmType": "AT",
"allowedActions": [
"ACTIVATE"
],
"description": "string",
"groups": [
"string"
],
"id": "string",
"label": "PENDING",
"lastUsedDate": "2019-02-20T10:05:27Z",
"loadDate": "2019-02-19T13:15:27Z",
"logo": "string",
"name": "string",
"platform": "string",
"registeredForTransactions": true,
"serialNumber": "string",
"state": "NEW",
"supportsChallengeResponse": false,
"supportsResponse": true,
"supportsSignature": false,
"supportsUnlock": true,
"supportsUnlockTOTP": false,
"type": "ENTRUST_PHYSICAL_TOKEN",
"userId": "string"
}
],
"type": "LDAP_AD",
"userAliases": [
{
"id": "76234da-3cf2-4t6u-8d02-8234fdfc472",
"type": "CUSTOM",
"userId": "42133ed4-3cf2-4t6u-8d02-8234fdfc472",
"value": "some-alias"
}
],
"userAttributeValues": [
{
"editable": true,
"id": "76234da-3cf2-4t6u-8d02-8234fdfc472",
"lastUpdate": "2019-02-19T13:15:27Z",
"userAttribute": {
"id": "string",
"mandatory": true,
"name": "string",
"systemDefined": true,
"type": "OTP_EMAIL",
"unique": true
},
"userAttributeId": "76234da-3cf2-4t6u-8d02-8234fdfc472",
"userId": "John",
"value": "value"
}
],
"userCreationTime": "2019-02-19T13:15:27Z",
"userExtraAttributes": [
{
"id": "76234da-3cf2-4t6u-8d02-8234fdfc472",
"name": "some-attr-name",
"type": "OTP_SMS",
"value": "some-value"
}
],
"userId": "string",
"userPrincipalName": "string",
"verificationEnabled": true,
"verificationRequired": true
}
}
]
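Added example (not part of the original reference, and not Entrust code): one way a client can process the per-user result array shown above, checking each element's own success flag and redacting authenticator secrets before the created users are logged. The sample response is constructed, and it is an assumption of this example that a failed element has success set to false with error populated and that tempAccessCode.code and grids[].gridContents are the fields to keep out of logs.

```python
import copy
import json

# Constructed sample shaped like the response example on this page (not real output).
SAMPLE_RESPONSE = json.loads("""
[
  {"success": true,
   "user": {"userId": "john.doe", "state": "ACTIVE",
            "tempAccessCode": {"code": "CONSTRUCTED-1234", "maxUses": 0, "numUses": 0},
            "grids": [{"serialNumber": 0, "gridContents": [["A1", "B2"]]}]}},
  {"success": false,
   "error": {"errorCode": "invalid_user_response",
             "errorMessage": "Application id cannot be null",
             "parameters": [{}]}}
]
""")

REDACTED = "[REDACTED]"


def redact_user(user):
    """Return a deep copy of a user object with authenticator secrets masked."""
    safe = copy.deepcopy(user)
    tac = safe.get("tempAccessCode")
    if isinstance(tac, dict) and "code" in tac:
        tac["code"] = REDACTED  # temporary access code value (assumed sensitive)
    for grid in safe.get("grids") or []:
        if "gridContents" in grid:
            grid["gridContents"] = REDACTED  # grid card cells (assumed sensitive)
    return safe


def summarize_bulk_create(results):
    """Split per-user results into created and failed, failing closed."""
    created, failed = [], []
    for index, item in enumerate(results):
        # Only an explicit success flag plus a user object counts as created.
        if item.get("success") is True and isinstance(item.get("user"), dict):
            created.append(redact_user(item["user"]))
        else:
            err = item.get("error") or {}
            failed.append({"index": index,  # position in the response array
                           "errorCode": err.get("errorCode", "unknown"),
                           "errorMessage": err.get("errorMessage", "")})
    return created, failed


if __name__ == "__main__":
    ok, bad = summarize_bulk_create(SAMPLE_RESPONSE)
    print(json.dumps({"created": ok, "failed": bad}, indent=2))
```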
Bad Request
- application/json
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
Example (from schema)
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Access denied
- application/json
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
Example (from schema)
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Forbidden
- application/json
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
Example (from schema)
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Not Found
- application/json
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
Example (from schema)
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Conflict
- application/json
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
Example (from schema)
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}