Custom APIs

The Delinea SCIM Connector provides additional endpoints that are not part of the SCIM Standard. These custom endpoints allow you to post secrets or retrieve unencrypted secret fields.

You can create and update Privileged Data (secrets) through the SCIM Connector by using the following endpoints:

  • GET v2/PrivilegedData/Stub

  • POST v2/PrivilegedData

  • PUT v2/PrivilegedData/{id}

Unencrypted Privileged Data (secret) fields can also be fetched using the v2/PrivilegedData/GetFields endpoint.

GET Secret Stub

A secret stub is a list of fields with their default values for a new secret. Using this endpoint, you can get the format in which the secret object can be posted via SCIM connector to the Secret Server.

{{SCIMUrl}}/v2/PrivilegedData/stub?secretTemplateId=6001&folderId=1

It accepts the following parameters:

  • The folderId parameter is optional and can be used only when the stub location is known. It defines the folder in the Secret Server where the secret stub must be fetched from.
  • The secretTemplateId parameter is the Id of the Secret Server template which will be used to create a secret.

Template Examples:

  • Web Password (secretTemplateId = 9)
  • Windows Account (secretTemplateId = 6003)
  • Active Directory Account (secretTemplateId = 6001)
  • MySql Account (secretTemplateId = 6017)

How to Fetch the templateId for a Specific Template from Secret Server

  1. Log in to your Secret Server account.

  2. Go to the Administration tab.


  3. Go to the Secret Templates tab.


  4. Open the template that you want to use (Active Directory Account in this example).


  5. The integer value 6001 after ../secret-template/ in the URL of the page is the templateId for this Active Directory Account template.


The following is the response from the above API call. You can ignore any fields other than the items array. While sending the POST call, you must fill this array as per your requirements.

    {
      "id": 0,
      "name": null,
      "secretTemplateId": 6001,
      "folderId": 0,
      "active": true,
      "items": [
        {
          "fileAttachmentId": null,
          "filename": null,
          "itemValue": null,
          "fieldId": 87,
          "fieldName": "Domain",
          "slug": "domain",
          "fieldDescription": "The Location of the Active Directory Domain.",
          "isFile": false,
          "isNotes": false,
          "isPassword": false,
          "isList": false,
          "listType": "None"
        },
        {
          "fileAttachmentId": null,
          "filename": null,
          "itemValue": null,
          "fieldId": 90,
          "fieldName": "Username",
          "slug": "username",
          "fieldDescription": "The Domain Username.",
          "isFile": false,
          "isNotes": false,
          "isPassword": false,
          "isList": false,
          "listType": "None"
        },
        {
          "fileAttachmentId": null,
          "filename": null,
          "itemValue": null,
          "fieldId": 89,
          "fieldName": "Password",
          "slug": "password",
          "fieldDescription": "The password of the Domain User.",
          "isFile": false,
          "isNotes": false,
          "isPassword": true,
          "isList": false,
          "listType": "None"
        },
        {
          "fileAttachmentId": null,
          "filename": null,
          "itemValue": null,
          "fieldId": 88,
          "fieldName": "Notes",
          "slug": "notes",
          "fieldDescription": "Any additional notes.",
          "isFile": false,
          "isNotes": true,
          "isPassword": false,
          "isList": false,
          "listType": "None"
        }
      ],
      "launcherConnectAsSecretId": -1,
      "checkOutMinutesRemaining": -1,
      "checkedOut": false,
      "checkOutUserDisplayName": "",
      "checkOutUserId": 0,
      "isRestricted": false,
      "isOutOfSync": false,
      "outOfSyncReason": "",
      "autoChangeEnabled": false,
      "autoChangeNextPassword": null,
      "requiresApprovalForAccess": false,
      "requiresComment": false,
      "checkOutEnabled": false,
      "checkOutIntervalMinutes": -1,
      "checkOutChangePasswordEnabled": false,
      "accessRequestWorkflowMapId": null,
      "proxyEnabled": false,
      "sessionRecordingEnabled": false,
      "restrictSshCommands": false,
      "jumpboxRouteId": null,
      "allowOwnersUnrestrictedSshCommands": false,
      "isDoubleLock": false,
      "doubleLockId": 0,
      "enableInheritPermissions": true,
      "passwordTypeWebScriptId": -1,
      "siteId": -1,
      "enableInheritSecretPolicy": false,
      "secretPolicyId": -1,
      "lastHeartBeatStatus": "Pending",
      "lastHeartBeatCheck": "0001-01-01T00:00:00",
      "failedPasswordChangeAttempts": 0,
      "lastPasswordChangeAttempt": "0001-01-01T00:00:00",
      "secretTemplateName": "Active Directory Account",
      "responseCodes": [],
      "webLauncherRequiresIncognitoMode": false
    }

POST New Secret

The API call to create a secret is as follows:

{{SCIMUrl}}/v2/PrivilegedData

The parameters for this request are passed in the request body as a JSON object. For the items array, take the response of the GET secret stub call and modify only the itemValue field of each item with your value for that secret field. Do not modify the fieldName, as doing so may lead to a syntax error.

    {
      "schemas": [
        "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData",
        "urn:ietf:params:scim:schemas:extension:pam:1.0:PrivilegedData"
      ],
      "Name": "Secret1",
      "DisplayName": "custom",
      "Description": "custom",
      "urn:ietf:params:scim:schemas:extension:pam:1.0:PrivilegedData": {
        "templateId": "6001",
        "folderId": "224",
        "siteId": "1",
        "items": [
          {
            "fileAttachmentId": null,
            "filename": null,
            "itemValue": "scim.com",
            "fieldId": 87,
            "fieldName": "Domain",
            "slug": "domain",
            "fieldDescription": "The Location of the Active Directory Domain.",
            "isFile": false,
            "isNotes": false,
            "isPassword": false,
            "isList": false,
            "listType": "None"
          },
          {
            "fileAttachmentId": null,
            "filename": null,
            "itemValue": "User1",
            "fieldId": 90,
            "fieldName": "Username",
            "slug": "username",
            "fieldDescription": "The Domain Username.",
            "isFile": false,
            "isNotes": false,
            "isPassword": false,
            "isList": false,
            "listType": "None"
          },
          {
            "fileAttachmentId": null,
            "filename": null,
            "itemValue": "pass_1",
            "fieldId": 89,
            "fieldName": "Password",
            "slug": "password",
            "fieldDescription": "The password of the Domain User.",
            "isFile": false,
            "isNotes": false,
            "isPassword": true,
            "isList": false,
            "listType": "None"
          },
          {
            "fileAttachmentId": null,
            "filename": null,
            "itemValue": "This is a custom secret",
            "fieldId": 88,
            "fieldName": "Notes",
            "slug": "notes",
            "fieldDescription": "Any additional notes.",
            "isFile": false,
            "isNotes": true,
            "isPassword": false,
            "isList": false,
            "listType": "None"
          }
        ]
      }
    }

Fields:

  • Name: The name of the secret. Several secrets in the same folder may share a name.
  • DisplayName: The display name of the secret in Secret Server.
  • Description: A description of the secret.
  • templateId: The Id of the Secret Server template that the secret is created from. This example uses the Active Directory Account template, templateId 6001.
  • folderId: The Id of the Secret Server folder in which the secret is created.
  • siteId: The Id of the site on which the secret is located in Secret Server.
  • items: A list of objects carrying the field values specific to the template. In this example the Active Directory Account stub was fetched, with the fields Domain, Username, Password, and Notes, and the values for these fields are supplied in this array. For the Domain field, the itemValue has been set to the domain value (scim.com here).

PUT Secret

The API call to update an existing secret is as follows:

{{SCIMUrl}}/v2/PrivilegedData/urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData:4919

The part of the path after PrivilegedData: is the Id of the secret to update (4919 here).

The parameters for this request are passed in the request body as a JSON object. For the items array, modify only the itemValue field of each item with your value for that secret field. Do not modify the fieldName, as doing so may lead to a syntax error.

    {
      "schemas": [
        "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData",
        "urn:ietf:params:scim:schemas:extension:pam:1.0:PrivilegedData"
      ],
      "Name": "Secret1",
      "DisplayName": "custom",
      "Description": "custom",
      "urn:ietf:params:scim:schemas:extension:pam:1.0:PrivilegedData": {
        "templateId": "6001",
        "folderId": "224",
        "siteId": "1",
        "items": [
          {
            "fileAttachmentId": null,
            "filename": null,
            "itemValue": "scim.server.com",
            "fieldId": 87,
            "fieldName": "Domain",
            "slug": "domain",
            "fieldDescription": "The Location of the Active Directory Domain.",
            "isFile": false,
            "isNotes": false,
            "isPassword": false,
            "isList": false,
            "listType": "None"
          },
          {
            "fileAttachmentId": null,
            "filename": null,
            "itemValue": "user1",
            "fieldId": 90,
            "fieldName": "Username",
            "slug": "username",
            "fieldDescription": "The Domain Username.",
            "isFile": false,
            "isNotes": false,
            "isPassword": false,
            "isList": false,
            "listType": "None"
          },
          {
            "fileAttachmentId": null,
            "filename": null,
            "itemValue": "pass_1",
            "fieldId": 89,
            "fieldName": "Password",
            "slug": "password",
            "fieldDescription": "The password of the Domain User.",
            "isFile": false,
            "isNotes": false,
            "isPassword": true,
            "isList": false,
            "listType": "None"
          },
          {
            "fileAttachmentId": null,
            "filename": null,
            "itemValue": "This is a custom secret",
            "fieldId": 88,
            "fieldName": "Notes",
            "slug": "notes",
            "fieldDescription": "Any additional notes.",
            "isFile": false,
            "isNotes": true,
            "isPassword": false,
            "isList": false,
            "listType": "None"
          }
        ]
      }
    }

Fields:

  • Name: The name of the secret. Several secrets in the same folder may share a name.
  • DisplayName: The display name of the secret in Secret Server.
  • Description: A description of the secret.
  • templateId: The Id of the Secret Server template that the secret was created from. This example uses the Active Directory Account template, templateId 6001.
  • folderId: The Id of the Secret Server folder in which the secret is located.
  • siteId: The Id of the site on which the secret is located in Secret Server.
  • items: A list of objects carrying the field values specific to the template. In this example the Active Directory Account stub was fetched, with the fields Domain, Username, Password, and Notes, and the values for these fields are supplied in this array. For the Domain field, the itemValue has been set to the new domain value (scim.server.com here).

To update an existing secret, mention the secret Id of it in the API call and modify the itemValue fields of the items array according to the new values.
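The three calls described above (GET stub, POST to create, PUT to update) share one workflow: fetch the stub, set only itemValue on each item, and send the same body shape to the POST or PUT URL. The following Python is an added example and not Delinea's code; it assumes the stub, POST and PUT shapes shown on this page, and the sample stub items are constructed from the page's Active Directory Account response rather than fetched from a server. The function names (stub_url, put_url, fill_items, build_body, redacted) are this example's own. The redacted helper exists because the request body carries the password in clear text: log the masked copy, never the body itself.

```python
"""Build SCIM Connector PrivilegedData requests from a secret stub.

Added example, not Delinea's code. It assumes the stub, POST and PUT
shapes shown on this page; the sample stub below is constructed, not a
real Secret Server response.
"""
import copy
import json
from urllib.parse import urlencode

PAM_SCHEMA = "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData"
PAM_EXT_SCHEMA = "urn:ietf:params:scim:schemas:extension:pam:1.0:PrivilegedData"
MASK = "***"


def _stub_item(field_id, field_name, slug, description,
               is_password=False, is_notes=False):
    """One entry of the stub's items array, shaped like the page's response."""
    return {
        "fileAttachmentId": None, "filename": None, "itemValue": None,
        "fieldId": field_id, "fieldName": field_name, "slug": slug,
        "fieldDescription": description, "isFile": False, "isNotes": is_notes,
        "isPassword": is_password, "isList": False, "listType": "None",
    }


# Constructed sample: the items the page shows for the Active Directory
# Account template (secretTemplateId 6001).
SAMPLE_STUB_ITEMS = [
    _stub_item(87, "Domain", "domain", "The Location of the Active Directory Domain."),
    _stub_item(90, "Username", "username", "The Domain Username."),
    _stub_item(89, "Password", "password", "The password of the Domain User.", is_password=True),
    _stub_item(88, "Notes", "notes", "Any additional notes.", is_notes=True),
]


def stub_url(base_url, secret_template_id, folder_id=None):
    """GET v2/PrivilegedData/stub URL; folderId is optional per the page."""
    params = {"secretTemplateId": secret_template_id}
    if folder_id is not None:
        params["folderId"] = folder_id
    return f"{base_url.rstrip('/')}/v2/PrivilegedData/stub?{urlencode(params)}"


def post_url(base_url):
    return f"{base_url.rstrip('/')}/v2/PrivilegedData"


def put_url(base_url, secret_id):
    """PUT URL: the secret Id follows the PrivilegedData schema URN."""
    return f"{post_url(base_url)}/{PAM_SCHEMA}:{int(secret_id)}"


def fill_items(stub_items, values):
    """Copy the stub items, setting only itemValue, keyed by slug.

    fieldName, fieldId and the flags stay exactly as the server returned
    them (the page warns against editing fieldName). An unknown slug raises,
    so a typo cannot silently produce a secret with an empty field.
    """
    unknown = set(values) - {item["slug"] for item in stub_items}
    if unknown:
        raise KeyError(f"slugs not in stub: {sorted(unknown)}")
    filled = []
    for item in stub_items:
        new_item = copy.deepcopy(item)
        if item["slug"] in values:
            new_item["itemValue"] = values[item["slug"]]
        filled.append(new_item)
    return filled


def build_body(name, template_id, folder_id, site_id, stub_items, values,
               display_name="custom", description="custom"):
    """Request body for POST (create) and PUT (update); both use this shape."""
    return {
        "schemas": [PAM_SCHEMA, PAM_EXT_SCHEMA],
        "Name": name,
        "DisplayName": display_name,
        "Description": description,
        PAM_EXT_SCHEMA: {
            "templateId": str(template_id),
            "folderId": str(folder_id),
            "siteId": str(site_id),
            "items": fill_items(stub_items, values),
        },
    }


def redacted(body):
    """Deep copy of a body with isPassword item values masked, safe to log.

    The original body is untouched; the plaintext goes only on the wire.
    """
    safe = copy.deepcopy(body)
    for item in safe[PAM_EXT_SCHEMA]["items"]:
        if item["isPassword"] and item["itemValue"] is not None:
            item["itemValue"] = MASK
    return safe


if __name__ == "__main__":
    body = build_body("Secret1", 6001, 224, 1, SAMPLE_STUB_ITEMS, {
        "domain": "scim.com", "username": "User1",
        "password": "pass_1", "notes": "This is a custom secret",
    })
    print("POST", post_url("{{SCIMUrl}}"))
    print("PUT ", put_url("{{SCIMUrl}}", 4919))
    print(json.dumps(redacted(body), indent=2))
```

The body returned by build_body is what goes in the POST request; for an update, send the same body to put_url with the existing secret's Id. Values are supplied by slug rather than by array position so that the caller does not depend on the order in which the stub lists the template's fields.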

Get Unencrypted Secret Fields

To fetch unencrypted fields of a secret, you must first configure the secret template. Each field in a secret template has a setting called "Expose For Display", which must be enabled before the field's value can be retrieved in unencrypted form.

To enable the "Expose For Display" setting:

  1. Open a secret template.

  2. Under the Fields tab, select the field whose value you want to access in unencrypted form.

  3. Edit the Template Field Details.

  4. Select the “Expose For Display” checkbox.

  5. On the displayed confirmation popup, select Confirm.

  6. Select Save.

The SCIM Connector provides the v2/PrivilegedData/GetFields endpoint for fetching unencrypted secret fields. It can be used in several ways:

  • Get a secret field by secret ID and slug name

    Endpoint: v2/PrivilegedData/GetFields/{privilegedDataId}/{slugname}

    Example: https://localhost/SCIMConnector/v2/PrivilegedData/GetFields/urn:ietf:params:scim:schemas:pam:1.0:privilegeddata:123/username

  • Get all fields of a secret by secret ID

    Endpoint: v2/PrivilegedData/GetFields/{privilegedDataId}

    Example:

    https://localhost/SCIMConnector/v2/PrivilegedData/GetFields/urn:ietf:params:scim:schemas:pam:1.0:privilegeddata:123

  • Get one field from all secrets by slug name

    Endpoint: v2/PrivilegedData/GetFields/{slugname}

    Example:

    https://localhost/SCIMConnector/v2/PrivilegedData/GetFields/username

  • Get one field from all secrets by slug name, with a filter

    Endpoint: v2/PrivilegedData/GetFields/{slugname}?filter=<fieldname> <op> <value>

    Example:

    https://localhost/SCIMConnector/v2/PrivilegedData/GetFields/username?filter=username eq "Test_UserName"

  • Get all fields of all secrets

    Endpoint: v2/PrivilegedData/GetFields

    Example:

    https://localhost/SCIMConnector/v2/PrivilegedData/GetFields

  • Get all fields of all secrets, with a filter

    Endpoint: v2/PrivilegedData/GetFields?filter=<fieldname> <op> <value>

    Example:

    https://localhost/SCIMConnector/v2/PrivilegedData/GetFields?filter=username eq "Test_UserName"
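The examples above show the filter written with literal spaces and quotes; in a real request that expression must be percent-encoded, and the secret Id must be wrapped in the privilegedData URN. The following Python is an added example, not Delinea's code, that builds each of the six GetFields URL forms listed above. It assumes the base URL https://localhost/SCIMConnector from the page's examples, spells the URN in lower case as the page's GetFields examples do, and only allows a filter in the two forms the page documents (slug-only and bare). The page shows only the eq operator; accepting the other RFC 7644 comparison operators (ne, co, sw, ew, gt, ge, lt, le) is this example's assumption, not something the page states the connector supports.

```python
"""Build v2/PrivilegedData/GetFields URLs with a correctly encoded filter.

Added example, not Delinea's code. The URN spelling follows the page's
GetFields examples; operator support beyond "eq" is an assumption.
"""
from urllib.parse import quote, urlencode

# URN prefix as written in the page's GetFields examples (lower case).
GETFIELDS_URN = "urn:ietf:params:scim:schemas:pam:1.0:privilegeddata"

# RFC 7644 section 3.4.2.2 comparison operators. Only "eq" appears on the
# page; the rest are assumed here for completeness.
SCIM_OPS = {"eq", "ne", "co", "sw", "ew", "gt", "ge", "lt", "le"}


def privileged_data_urn(secret_id):
    """Secret Id in the form the GetFields path expects, e.g. ...:123."""
    return f"{GETFIELDS_URN}:{int(secret_id)}"


def scim_filter(field, op, value):
    """Render `<fieldname> <op> "<value>"` as a SCIM filter expression.

    Quotes and backslashes inside the value are escaped so that a value
    supplied by a caller cannot change the shape of the expression.
    """
    if op not in SCIM_OPS:
        raise ValueError(f"unsupported filter operator: {op!r}")
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'{field} {op} "{escaped}"'


def get_fields_url(base_url, secret_id=None, slug=None, filter_expr=None):
    """One of the six GetFields URL forms the page lists.

    secret_id + slug  -> GetFields/{urn}/{slug}
    secret_id         -> GetFields/{urn}
    slug [+ filter]   -> GetFields/{slug}[?filter=...]
    nothing [+ filter]-> GetFields[?filter=...]
    """
    if secret_id is not None and filter_expr is not None:
        raise ValueError("the page documents filters only for slug-only and bare GetFields")
    url = f"{base_url.rstrip('/')}/v2/PrivilegedData/GetFields"
    if secret_id is not None:
        url += "/" + privileged_data_urn(secret_id)
    if slug is not None:
        url += "/" + quote(slug, safe="")
    if filter_expr is not None:
        # quote (not quote_plus) so spaces become %20 rather than "+".
        url += "?" + urlencode({"filter": filter_expr}, quote_via=quote)
    return url


if __name__ == "__main__":
    base = "https://localhost/SCIMConnector"
    flt = scim_filter("username", "eq", "Test_UserName")
    print(get_fields_url(base, secret_id=123, slug="username"))
    print(get_fields_url(base, secret_id=123))
    print(get_fields_url(base, slug="username"))
    print(get_fields_url(base, slug="username", filter_expr=flt))
    print(get_fields_url(base))
    print(get_fields_url(base, filter_expr=flt))
```

Because every response from this endpoint contains secret values in the clear, treat the URLs built here the same way as the responses: do not put them in access logs or client-side history with the filter value intact if that value is itself sensitive.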