identityprovider.v1
Available Services
arista/identityprovider.v1/identityprovider.proto
OAuthConfig
OAuthConfig holds the configuration for an OAuth provider.
Field Name | Type | Description |
---|---|---|
key | OAuthKey | key is the ID of the OAuth provider. |
endpoint | google.protobuf.StringValue | endpoint is the URL that identifies an OAuth authorization server. This endpoint is used to interact with the provider. It must be a URI [RFC3986] with a scheme component that must be https, a host component, and optionally, port and path components, but no query or fragment components. |
client_id | google.protobuf.StringValue | client_id is the ID that the OAuth authorization server issues to the registered client. |
client_secret | google.protobuf.StringValue | client_secret is the secret that the OAuth authorization server issues to the registered client. |
algorithms | fmp.RepeatedString | algorithms is the set of signing algorithms. This is an optional field. If specified, only this set of algorithms may be used to sign the JWT. Otherwise, this defaults to the set of algorithms that the provider supports. |
link_to_shared_provider | google.protobuf.BoolValue | link_to_shared_provider indicates whether or not to use the provider as a shared provider. This is an optional field and is set to false by default. |
jwks_uri | google.protobuf.StringValue | jwks_uri is where signing keys are downloaded. This is an optional field. Only needed if the default construction from endpoint would be incorrect. |
permitted_email_domains | fmp.RepeatedString | permitted_email_domains are domains of emails that users are allowed to use. This is an optional field. If not set, all domains are accepted by default. |
roles_scope_name | google.protobuf.StringValue | roles_scope_name is the name for a scope tied to a claim that holds CloudVision roles in ID Token. CloudVision uses scope values to specify what access privileges are being requested for id token. CloudVision appends this value to This is an optional field. If not set, CloudVision determines that mapping roles from the provider is disabled. If it's set, roles_claim_name also needs to be set. |
bearer_token_introspection_endpoint | google.protobuf.StringValue | bearer_token_introspection_endpoint is the provider introspection endpoint used in Bearer Token based login support for CloudVision. This is an optional field. If specified, this endpoint will be used to verify bearer tokens generated via the provider to log in automated user accounts. |
roles_claim_name | google.protobuf.StringValue | roles_claim_name is the name for a claim that holds CloudVision roles in ID Token. CloudVision uses this value to look up roles in the ID Token. This is an optional field. If not set, CloudVision determines that mapping roles from the provider is disabled. If it's set, roles_scope_name also needs to be set. |
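
The constraints stated in the OAuthConfig and SAMLConfig field descriptions can be checked before a config is sent to Set. The following is an added example, not part of the Arista API or its documentation: it assumes configs are held as plain dicts keyed by the field names above, treats a set roles_attrname as "role mapping enabled", and uses constructed sample values (idp.example.com, the provider IDs and attribute names are placeholders).

```python
from urllib.parse import urlsplit


def check_endpoint(endpoint):
    """Problems with an OAuthConfig.endpoint value, per the field description."""
    try:
        parts = urlsplit(endpoint)
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        return [f"endpoint: not a valid URI ({exc})"]
    problems = []
    if parts.scheme != "https":
        problems.append("endpoint: scheme must be https")
    if not parts.hostname:
        problems.append("endpoint: host component is required")
    # A raw '?' before any '#' introduces a query, even an empty one.
    before_fragment, has_fragment, _ = endpoint.partition("#")
    if "?" in before_fragment:
        problems.append("endpoint: query component is not allowed")
    if has_fragment:
        problems.append("endpoint: fragment component is not allowed")
    return problems


def check_oauth(cfg):
    """Return (errors, warnings) for an OAuthConfig given as a plain dict."""
    # Assumption: a missing endpoint is checked as an empty string, so it fails.
    errors = check_endpoint(cfg.get("endpoint") or "")
    warnings = []
    scope, claim = cfg.get("roles_scope_name"), cfg.get("roles_claim_name")
    if bool(scope) != bool(claim):
        errors.append("roles_scope_name and roles_claim_name must be set together")
    elif not scope:
        warnings.append("role mapping from the provider is disabled")
    if not cfg.get("algorithms"):
        warnings.append("algorithms unset: any algorithm the provider supports may sign the JWT")
    if not cfg.get("permitted_email_domains"):
        warnings.append("permitted_email_domains unset: all email domains are accepted")
    return errors, warnings


def check_saml(cfg):
    """Return (errors, warnings) for a SAMLConfig given as a plain dict."""
    errors, warnings = [], []
    # Assumption: role mapping counts as enabled when roles_attrname is set.
    if cfg.get("roles_attrname") and not cfg.get("username_attrname"):
        errors.append("username_attrname is mandatory once role mapping is enabled")
    if cfg.get("link_to_shared_provider") and not cfg.get("org_attrname"):
        warnings.append("org_attrname unset: dynamic user creation is disabled with a shared provider")
    if not cfg.get("permitted_email_domains"):
        warnings.append("permitted_email_domains unset: all email domains are accepted")
    return errors, warnings


# Constructed sample configs; every value below is a placeholder.
OAUTH_BAD = {
    "key": {"provider_id": "example-oauth"},
    "endpoint": "http://idp.example.com/oauth2?tenant=a",
    "client_id": "cv-client",
    "roles_scope_name": "cv_roles",
}
OAUTH_GOOD = {
    "key": {"provider_id": "example-oauth"},
    "endpoint": "https://idp.example.com:8443/oauth2",
    "client_id": "cv-client",
    "algorithms": ["RS256"],
    "permitted_email_domains": ["example.com"],
    "roles_scope_name": "cv_roles",
    "roles_claim_name": "cv_roles",
}
SAML_BAD = {
    "key": {"provider_id": "example-saml"},
    "link_to_shared_provider": True,
    "roles_attrname": "cvRoles",
}

if __name__ == "__main__":
    for name, result in (("oauth-bad", check_oauth(OAUTH_BAD)),
                         ("oauth-good", check_oauth(OAUTH_GOOD)),
                         ("saml-bad", check_saml(SAML_BAD))):
        print(name, result)
```

Warnings mark the permissive defaults the tables describe (all email domains accepted, provider-chosen signing algorithms); errors mark combinations the descriptions rule out.
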
OAuthKey
OAuthKey contains OAuth provider ID.
Field Name | Type | Description |
---|---|---|
provider_id | google.protobuf.StringValue | provider_id is the ID of the OAuth provider. |
SAMLConfig
SAMLConfig holds the configuration for a SAML provider.
Field Name | Type | Description |
---|---|---|
key | SAMLKey | key is the ID of the SAML provider. |
idp_issuer | google.protobuf.StringValue | idp_issuer identifies the SAML provider. There is no restriction on its format other than a string to carry the issuer's name. |
idp_metadata_url | google.protobuf.StringValue | idp_metadata_url is the URL that CloudVision uses to fetch the SAML provider metadata. |
authreq_binding | ProtocolBinding | authreq_binding specifies the ProtocolBinding used to send SAML authentication request to the SAML provider. |
email_attrname | google.protobuf.StringValue | email_attrname specifies the Attribute name for email ID in Assertion of SAMLResponse from the SAML provider. |
link_to_shared_provider | google.protobuf.BoolValue | link_to_shared_provider indicates whether or not to use the provider as a shared provider. This is an optional field and is set to false by default. |
permitted_email_domains | fmp.RepeatedString | permitted_email_domains are domains of emails that users are allowed to use. This is an optional field. If not set, all domains are accepted by default. |
force_saml_authn | google.protobuf.BoolValue | force_saml_authn indicates whether or not to enable force authentication in SAML login. This is an optional field. If not set, it defaults to false. |
roles_attrname | google.protobuf.StringValue | roles_attrname specifies the Attribute name for CloudVision roles in the Assertion of SAMLResponse. This is an optional field. If not set, CloudVision determines that mapping roles from the provider is disabled. |
org_attrname | google.protobuf.StringValue | org_attrname specifies the Attribute name for CloudVision organization/tenant in the Assertion of SAMLResponse. This is an optional field. CloudVision supports use of certain shared SAML Identity Providers for authenticating users across multiple CloudVision organizations/tenants. If a given organization uses a shared provider, CloudVision needs this attribute to determine whether the organization that the shared SAML Identity Provider is sending the assertion for is the same as the one the user requested to be logged into. For an existing user on CloudVision, the user's email is used to determine which organization the user belongs to and to do the same verification. If dynamic user creation is needed and the given user doesn't currently exist on CloudVision, the matching organization attribute from the shared Identity Provider becomes necessary. Dynamic user creation is disabled for a given organization using a shared Identity Provider if this attribute is not specified. |
username_attrname | google.protobuf.StringValue | username_attrname specifies Attribute name for CloudVision users' username in the Assertion of SAMLResponse. This is an optional field as long as mapping roles from provider is not enabled. Once enabled, this field becomes mandatory. |
SAMLKey
SAMLKey contains SAML Provider ID.
Field Name | Type | Description |
---|---|---|
provider_id | google.protobuf.StringValue | provider_id is the ID of the SAML provider. |
ProtocolBinding
ProtocolBinding indicates SAML protocol binding to be used.
Name | Number | Description |
---|---|---|
PROTOCOL_BINDING_UNSPECIFIED | 0 | PROTOCOL_BINDING_UNSPECIFIED indicates that a protocol binding is unspecified. |
PROTOCOL_BINDING_HTTP_POST | 1 | PROTOCOL_BINDING_HTTP_POST indicates HTTP-POST SAML protocol binding. |
PROTOCOL_BINDING_HTTP_REDIRECT | 2 | PROTOCOL_BINDING_HTTP_REDIRECT indicates HTTP-Redirect SAML protocol binding. |
arista/identityprovider.v1/services.gen.proto
MetaResponse
Field Name | Type | Description |
---|---|---|
time | google.protobuf.Timestamp | Time holds the timestamp of the last item included in the metadata calculation. |
type | arista.subscriptions.Operation | Operation indicates how the value in this response should be considered. Under non-subscribe requests, this value should always be INITIAL. In a subscription, once all initial data is streamed and the client begins to receive modification updates, you should not see INITIAL again. |
count | google.protobuf.UInt32Value | Count is the number of items present under the conditions of the request. |
OAuthConfigBatchedStreamRequest
Field Name | Type | Description |
---|---|---|
partial_eq_filter | OAuthConfig[...] | PartialEqFilter provides a way to server-side filter a GetAll/Subscribe. This requires all provided fields to be equal to the response. While transparent to users, this field also allows services to optimize internal subscriptions if filter(s) are sufficiently specific. |
time | arista.time.TimeBounds | TimeRange allows limiting response data to within a specified time window. If this field is populated, at least one of the two time fields is required. For GetAll, the fields start and end can be used as follows: * end: Returns the state of each OAuthConfig at end. * Each OAuthConfig response is fully-specified (all fields set). * start: Returns the state of each OAuthConfig at start, followed by updates until now. * Each OAuthConfig response at start is fully-specified, but updates may be partial. * start and end: Returns the state of each OAuthConfig at start, followed by updates until end. * Each OAuthConfig response at start is fully-specified, but updates until end may be partial. This field is not allowed in the Subscribe RPC. |
max_messages | google.protobuf.UInt32Value | MaxMessages limits the maximum number of messages that can be contained in one batch. MaxMessages is required to be at least 1. The maximum number of messages in a batch is min(max_messages, INTERNAL_BATCH_LIMIT). INTERNAL_BATCH_LIMIT is set based on the maximum message size. |
OAuthConfigBatchedStreamResponse
Field Name | Type | Description |
---|---|---|
responses | OAuthConfigStreamResponse[...] | Values are the values deemed relevant to the initiating request. The length of this structure is guaranteed to be between (inclusive) 1 and min(req.max_messages, INTERNAL_BATCH_LIMIT). |
OAuthConfigDeleteAllRequest
Field Name | Type | Description |
---|---|---|
partial_eq_filter | OAuthConfig[...] | PartialEqFilter provides a way to server-side filter a DeleteAll. This requires all provided fields to be equal to the response. A filtered DeleteAll will use GetAll with filter to find things to delete. |
OAuthConfigDeleteAllResponse
Field Name | Type | Description |
---|---|---|
type | fmp.DeleteError | This describes the class of delete error. A DeleteAllResponse is only sent when there is an error. |
error | google.protobuf.StringValue | This indicates the error message from the delete failure. |
key | OAuthKey | This is the key of the OAuthConfig instance that failed to be deleted. |
time | google.protobuf.Timestamp | Time indicates the (UTC) timestamp when the key was being deleted. |
OAuthConfigDeleteRequest
Field Name | Type | Description |
---|---|---|
key | OAuthKey | Key indicates which OAuthConfig instance to remove. This field must always be set. |
OAuthConfigDeleteResponse
Field Name | Type | Description |
---|---|---|
key | OAuthKey | Key echoes back the key of the deleted OAuthConfig instance. |
time | google.protobuf.Timestamp | Time indicates the (UTC) timestamp at which the system recognizes the deletion. The only guarantees made about this timestamp are: - it is after the time the request was received - a time-ranged query with StartTime==DeletedAt will not include this instance. |
OAuthConfigDeleteSomeRequest
Field Name | Type | Description |
---|---|---|
keys | OAuthKey[...] | keys contains a list of OAuthConfig keys to delete. |
OAuthConfigDeleteSomeResponse
OAuthConfigDeleteSomeResponse is only sent when there is an error.
Field Name | Type | Description |
---|---|---|
key | OAuthKey | |
error | string | |
OAuthConfigRequest
Field Name | Type | Description |
---|---|---|
key | OAuthKey | Key uniquely identifies an OAuthConfig instance to retrieve. This value must be populated. |
time | google.protobuf.Timestamp | Time indicates the time for which you are interested in the data. If no time is given, the server will use the time at which it makes the request. |
OAuthConfigResponse
Field Name | Type | Description |
---|---|---|
value | OAuthConfig | Value is the value requested. This structure will be fully-populated as it exists in the datastore. If optional fields were not given at creation, these fields will be empty or set to default values. |
time | google.protobuf.Timestamp | Time carries the (UTC) timestamp of the last-modification of the OAuthConfig instance in this response. |
OAuthConfigSetRequest
Field Name | Type | Description |
---|---|---|
value | OAuthConfig | OAuthConfig carries the value to set into the datastore. See the documentation on the OAuthConfig struct for which fields are required. |
OAuthConfigSetResponse
Field Name | Type | Description |
---|---|---|
value | OAuthConfig | Value carries all the values given in the OAuthConfigSetRequest as well as any server-generated values. |
time | google.protobuf.Timestamp | Time indicates the (UTC) timestamp at which the system recognizes the creation. The only guarantees made about this timestamp are: - it is after the time the request was received - a time-ranged query with StartTime==CreatedAt will include this instance. |
OAuthConfigSetSomeRequest
Field Name | Type | Description |
---|---|---|
values | OAuthConfig[...] | values contains a list of OAuthConfig values to write. It is possible to provide more values than can fit within either: - the maximum send size of the client - the maximum receive size of the server. If this error occurs you must reduce the number of values sent. See gRPC "maximum message size" documentation for more information. |
OAuthConfigSetSomeResponse
Field Name | Type | Description |
---|---|---|
key | OAuthKey | |
error | string | |
OAuthConfigSomeRequest
Field Name | Type | Description |
---|---|---|
keys | OAuthKey[...] | |
time | google.protobuf.Timestamp | Time indicates the time for which you are interested in the data. If no time is given, the server will use the time at which it makes the request. |
OAuthConfigSomeResponse
Field Name | Type | Description |
---|---|---|
value | OAuthConfig | Value is the value requested. This structure will be fully-populated as it exists in the datastore. If optional fields were not given at creation, these fields will be empty or set to default values. |
error | google.protobuf.StringValue | Error is an optional field. It should be filled when there is an error in the GetSome process. |
time | google.protobuf.Timestamp | |
OAuthConfigStreamRequest
Field Name | Type | Description |
---|---|---|
partial_eq_filter | OAuthConfig[...] | PartialEqFilter provides a way to server-side filter a GetAll/Subscribe. This requires all provided fields to be equal to the response. While transparent to users, this field also allows services to optimize internal subscriptions if filter(s) are sufficiently specific. |
time | arista.time.TimeBounds | TimeRange allows limiting response data to within a specified time window. If this field is populated, at least one of the two time fields is required. For GetAll, the fields start and end can be used as follows: * end: Returns the state of each OAuthConfig at end. * Each OAuthConfig response is fully-specified (all fields set). * start: Returns the state of each OAuthConfig at start, followed by updates until now. * Each OAuthConfig response at start is fully-specified, but updates may be partial. * start and end: Returns the state of each OAuthConfig at start, followed by updates until end. * Each OAuthConfig response at start is fully-specified, but updates until end may be partial. This field is not allowed in the Subscribe RPC. |
OAuthConfigStreamResponse
Field Name | Type | Description |
---|---|---|
value | OAuthConfig | Value is a value deemed relevant to the initiating request. This structure will always have its key-field populated. Which other fields are populated, and why, depends on the value of Operation and what triggered this notification. |
time | google.protobuf.Timestamp | Time holds the timestamp of this OAuthConfig's last modification. |
type | arista.subscriptions.Operation | Operation indicates how the OAuthConfig value in this response should be considered. Under non-subscribe requests, this value should always be INITIAL. In a subscription, once all initial data is streamed and the client begins to receive modification updates, you should not see INITIAL again. |
SAMLConfigBatchedStreamRequest
Field Name | Type | Description |
---|---|---|
partial_eq_filter | SAMLConfig[...] | PartialEqFilter provides a way to server-side filter a GetAll/Subscribe. This requires all provided fields to be equal to the response. While transparent to users, this field also allows services to optimize internal subscriptions if filter(s) are sufficiently specific. |
time | arista.time.TimeBounds | TimeRange allows limiting response data to within a specified time window. If this field is populated, at least one of the two time fields is required. For GetAll, the fields start and end can be used as follows: * end: Returns the state of each SAMLConfig at end. * Each SAMLConfig response is fully-specified (all fields set). * start: Returns the state of each SAMLConfig at start, followed by updates until now. * Each SAMLConfig response at start is fully-specified, but updates may be partial. * start and end: Returns the state of each SAMLConfig at start, followed by updates until end. * Each SAMLConfig response at start is fully-specified, but updates until end may be partial. This field is not allowed in the Subscribe RPC. |
max_messages | google.protobuf.UInt32Value | MaxMessages limits the maximum number of messages that can be contained in one batch. MaxMessages is required to be at least 1. The maximum number of messages in a batch is min(max_messages, INTERNAL_BATCH_LIMIT). INTERNAL_BATCH_LIMIT is set based on the maximum message size. |
SAMLConfigBatchedStreamResponse
Field Name | Type | Description |
---|---|---|
responses | SAMLConfigStreamResponse[...] | Values are the values deemed relevant to the initiating request. The length of this structure is guaranteed to be between (inclusive) 1 and min(req.max_messages, INTERNAL_BATCH_LIMIT). |
SAMLConfigDeleteAllRequest
Field Name | Type | Description |
---|---|---|
partial_eq_filter | SAMLConfig[...] | PartialEqFilter provides a way to server-side filter a DeleteAll. This requires all provided fields to be equal to the response. A filtered DeleteAll will use GetAll with filter to find things to delete. |
SAMLConfigDeleteAllResponse
Field Name | Type | Description |
---|---|---|
type | fmp.DeleteError | This describes the class of delete error. A DeleteAllResponse is only sent when there is an error. |
error | google.protobuf.StringValue | This indicates the error message from the delete failure. |
key | SAMLKey | This is the key of the SAMLConfig instance that failed to be deleted. |
time | google.protobuf.Timestamp | Time indicates the (UTC) timestamp when the key was being deleted. |
SAMLConfigDeleteRequest
Field Name | Type | Description |
---|---|---|
key | SAMLKey | Key indicates which SAMLConfig instance to remove. This field must always be set. |
SAMLConfigDeleteResponse
Field Name | Type | Description |
---|---|---|
key | SAMLKey | Key echoes back the key of the deleted SAMLConfig instance. |
time | google.protobuf.Timestamp | Time indicates the (UTC) timestamp at which the system recognizes the deletion. The only guarantees made about this timestamp are: - it is after the time the request was received - a time-ranged query with StartTime==DeletedAt will not include this instance. |
SAMLConfigDeleteSomeRequest
Field Name | Type | Description |
---|---|---|
keys | SAMLKey[...] | keys contains a list of SAMLConfig keys to delete. |
SAMLConfigDeleteSomeResponse
SAMLConfigDeleteSomeResponse is only sent when there is an error.
Field Name | Type | Description |
---|---|---|
key | SAMLKey | |
error | string | |
SAMLConfigRequest
Field Name | Type | Description |
---|---|---|
key | SAMLKey | Key uniquely identifies a SAMLConfig instance to retrieve. This value must be populated. |
time | google.protobuf.Timestamp | Time indicates the time for which you are interested in the data. If no time is given, the server will use the time at which it makes the request. |
SAMLConfigResponse
Field Name | Type | Description |
---|---|---|
value | SAMLConfig | Value is the value requested. This structure will be fully-populated as it exists in the datastore. If optional fields were not given at creation, these fields will be empty or set to default values. |
time | google.protobuf.Timestamp | Time carries the (UTC) timestamp of the last-modification of the SAMLConfig instance in this response. |
SAMLConfigSetRequest
Field Name | Type | Description |
---|---|---|
value | SAMLConfig | SAMLConfig carries the value to set into the datastore. See the documentation on the SAMLConfig struct for which fields are required. |
SAMLConfigSetResponse
Field Name | Type | Description |
---|---|---|
value | SAMLConfig | Value carries all the values given in the SAMLConfigSetRequest as well as any server-generated values. |
time | google.protobuf.Timestamp | Time indicates the (UTC) timestamp at which the system recognizes the creation. The only guarantees made about this timestamp are: - it is after the time the request was received - a time-ranged query with StartTime==CreatedAt will include this instance. |
SAMLConfigSetSomeRequest
Field Name | Type | Description |
---|---|---|
values | SAMLConfig[...] | values contains a list of SAMLConfig values to write. It is possible to provide more values than can fit within either: - the maximum send size of the client - the maximum receive size of the server. If this error occurs you must reduce the number of values sent. See gRPC "maximum message size" documentation for more information. |
SAMLConfigSetSomeResponse
Field Name | Type | Description |
---|---|---|
key | SAMLKey | |
error | string | |
SAMLConfigSomeRequest
Field Name | Type | Description |
---|---|---|
keys | SAMLKey[...] | |
time | google.protobuf.Timestamp | Time indicates the time for which you are interested in the data. If no time is given, the server will use the time at which it makes the request. |
SAMLConfigSomeResponse
Field Name | Type | Description |
---|---|---|
value | SAMLConfig | Value is the value requested. This structure will be fully-populated as it exists in the datastore. If optional fields were not given at creation, these fields will be empty or set to default values. |
error | google.protobuf.StringValue | Error is an optional field. It should be filled when there is an error in the GetSome process. |
time | google.protobuf.Timestamp | |
SAMLConfigStreamRequest
Field Name | Type | Description |
---|---|---|
partial_eq_filter | SAMLConfig[...] | PartialEqFilter provides a way to server-side filter a GetAll/Subscribe. This requires all provided fields to be equal to the response. While transparent to users, this field also allows services to optimize internal subscriptions if filter(s) are sufficiently specific. |
time | arista.time.TimeBounds | TimeRange allows limiting response data to within a specified time window. If this field is populated, at least one of the two time fields is required. For GetAll, the fields start and end can be used as follows: * end: Returns the state of each SAMLConfig at end. * Each SAMLConfig response is fully-specified (all fields set). * start: Returns the state of each SAMLConfig at start, followed by updates until now. * Each SAMLConfig response at start is fully-specified, but updates may be partial. * start and end: Returns the state of each SAMLConfig at start, followed by updates until end. * Each SAMLConfig response at start is fully-specified, but updates until end may be partial. This field is not allowed in the Subscribe RPC. |
SAMLConfigStreamResponse
Field Name | Type | Description |
---|---|---|
value | SAMLConfig | Value is a value deemed relevant to the initiating request. This structure will always have its key-field populated. Which other fields are populated, and why, depends on the value of Operation and what triggered this notification. |
time | google.protobuf.Timestamp | Time holds the timestamp of this SAMLConfig's last modification. |
type | arista.subscriptions.Operation | Operation indicates how the SAMLConfig value in this response should be considered. Under non-subscribe requests, this value should always be INITIAL. In a subscription, once all initial data is streamed and the client begins to receive modification updates, you should not see INITIAL again. |
OAuthConfigService
Method Name | Request Type | Response Type | Description |
---|---|---|---|
GetOne | OAuthConfigRequest | OAuthConfigResponse | |
GetSome | OAuthConfigSomeRequest | OAuthConfigSomeResponse stream | |
GetAll | OAuthConfigStreamRequest | OAuthConfigStreamResponse stream | |
Subscribe | OAuthConfigStreamRequest | OAuthConfigStreamResponse stream | |
GetMeta | OAuthConfigStreamRequest | MetaResponse | |
SubscribeMeta | OAuthConfigStreamRequest | MetaResponse stream | |
Set | OAuthConfigSetRequest | OAuthConfigSetResponse | |
SetSome | OAuthConfigSetSomeRequest | OAuthConfigSetSomeResponse stream | |
Delete | OAuthConfigDeleteRequest | OAuthConfigDeleteResponse | |
DeleteSome | OAuthConfigDeleteSomeRequest | OAuthConfigDeleteSomeResponse stream | |
DeleteAll | OAuthConfigDeleteAllRequest | OAuthConfigDeleteAllResponse stream | |
GetAllBatched | OAuthConfigBatchedStreamRequest | OAuthConfigBatchedStreamResponse stream | |
SubscribeBatched | OAuthConfigBatchedStreamRequest | OAuthConfigBatchedStreamResponse stream | |
SAMLConfigService
Method Name | Request Type | Response Type | Description |
---|---|---|---|
GetOne | SAMLConfigRequest | SAMLConfigResponse | |
GetSome | SAMLConfigSomeRequest | SAMLConfigSomeResponse stream | |
GetAll | SAMLConfigStreamRequest | SAMLConfigStreamResponse stream | |
Subscribe | SAMLConfigStreamRequest | SAMLConfigStreamResponse stream | |
GetMeta | SAMLConfigStreamRequest | MetaResponse | |
SubscribeMeta | SAMLConfigStreamRequest | MetaResponse stream | |
Set | SAMLConfigSetRequest | SAMLConfigSetResponse | |
SetSome | SAMLConfigSetSomeRequest | SAMLConfigSetSomeResponse stream | |
Delete | SAMLConfigDeleteRequest | SAMLConfigDeleteResponse | |
DeleteSome | SAMLConfigDeleteSomeRequest | SAMLConfigDeleteSomeResponse stream | |
DeleteAll | SAMLConfigDeleteAllRequest | SAMLConfigDeleteAllResponse stream | |
GetAllBatched | SAMLConfigBatchedStreamRequest | SAMLConfigBatchedStreamResponse stream | |
SubscribeBatched | SAMLConfigBatchedStreamRequest | SAMLConfigBatchedStreamResponse stream | |