Ana içeriğe atla

General Information

Policy Type

policy-saml-validation

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

HeaderValue
AuthorizationBearer {token}

Path Parameters

ParameterTypeRequiredDescription
projectNamestringYesProject name
apiProxyNamestringYesAPI Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-saml-validation",
            "name": "saml-validation-policy",
            "description": "Validate SAML assertions",
            "active": true,
            "keyStoreName": "saml-keystore",
            "allowUnknownSigner": false,
            "clearSaml": false,
            "clearSamlPath": null
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

HeaderValue
AuthorizationBearer {token}
Content-Typeapplication/json

Path Parameters

ParameterTypeRequiredDescription
projectNamestringYesProject name
apiProxyNamestringYesAPI Proxy name
policyNamestringYesPolicy name

Request Body

Full JSON Body Example - Full Validation
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-saml-validation",
    "description": "Validate SAML assertions with signature verification",
    "active": true,
    "keyStoreName": "saml-keystore",
    "allowUnknownSigner": false,
    "clearSaml": false,
    "clearSamlPath": null
  }
}
Full JSON Body Example - Clear SAML After Validation
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-saml-validation",
    "description": "Validate and clear SAML assertions",
    "active": true,
    "keyStoreName": "saml-keystore",
    "allowUnknownSigner": false,
    "clearSaml": true,
    "clearSamlPath": "/soap:Envelope/soap:Header/wsse:Security/saml:Assertion"
  }
}

Request Body Fields

operationMetadata
FieldTypeRequiredDefaultDescription
targetScopestringYes-Policy scope: ALL or ENDPOINT
targetEndpointstringNo*-Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethodstringNo*-HTTP method (required if targetScope=ENDPOINT)
targetPipelinestringYes-Pipeline: REQUEST, RESPONSE, or ERROR
deploybooleanNotrueWhether to deploy after adding policy
deployTargetEnvironmentNameListarrayNo[]List of environment names to deploy to
orderintegerNonullPolicy execution order (starts from 1)
Enum: targetScope
  • ALL - Policy applies to all endpoints
  • ENDPOINT - Policy applies only to specified endpoint
Enum: targetPipeline
  • REQUEST - Executes in request pipeline (validates request SAML)
  • RESPONSE - Executes in response pipeline (validates response SAML)
  • ERROR - Executes in error pipeline
Enum: targetEndpointHTTPMethod
  • GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
policy
FieldTypeRequiredDefaultDescription
typestringYes-Policy type: policy-saml-validation
descriptionstringNo-Policy description
activebooleanNotrueWhether policy is active
keyStoreNamestringYes-Keystore name for SAML signature validation
allowUnknownSignerbooleanNofalseAllow unknown signer for SAML validation
clearSamlbooleanNofalseClear SAML assertion after validation
clearSamlPathstringNo*nullXPath to SAML assertion to clear (required if clearSaml=true)

Note

  • keyStoreName is required and must reference a valid KeyStore containing SAML signing certificates.
  • KeyStore name is automatically resolved to KeyStore ID (searches in project KeyStores first, then global KeyStores).
  • If clearSaml: true, clearSamlPath is required (XPath expression to locate SAML assertion).

XPath Examples

  • /soap:Envelope/soap:Header/wsse:Security/saml:Assertion - SOAP header SAML assertion
  • //saml:Assertion - Anywhere in document
  • /root/saml:Assertion - Root element SAML assertion

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/saml-validation-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-saml-validation",
      "description": "Validate SAML assertions",
      "active": true,
      "keyStoreName": "saml-keystore",
      "allowUnknownSigner": false,
      "clearSaml": false
    }
  }'

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

HeaderValue
AuthorizationBearer {token}
Content-Typeapplication/json

Path Parameters

ParameterTypeRequiredDescription
projectNamestringYesProject name
apiProxyNamestringYesAPI Proxy name
policyNamestringYesPolicy name

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["tester"],
    "order": 1
  },
  "policy": {
    "type": "policy-saml-validation",
    "description": "Updated: SAML validation with enhanced security settings",
    "active": true,
    "keyStoreName": "test-keystores",
    "allowUnknownSigner": false,
    "clearSaml": true,
    "clearSamlPath": "$.assertion"
  }
}
Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

HeaderValue
AuthorizationBearer {token}
Content-Typeapplication/json

Path Parameters

ParameterTypeRequiredDescription
projectNamestringYesProject name
apiProxyNamestringYesAPI Proxy name
policyNamestringYesPolicy name

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

Notes and Warnings

  • KeyStore:
    • keyStoreName must reference a valid KeyStore containing SAML signing certificates
    • KeyStore name is automatically resolved to KeyStore ID (searches in project KeyStores first, then global KeyStores)
    • KeyStore must contain public keys or certificates for signature validation
    • Certificates must match the signer’s certificate used in SAML assertion
  • Signature Validation:
    • Validates SAML assertion signature using certificates from KeyStore
    • Signature must be valid and certificate must be trusted
    • Assertion must not be expired
  • Unknown Signer:
    • When allowUnknownSigner: false, only signers with certificates in KeyStore are allowed
    • When allowUnknownSigner: true, validation proceeds even if signer is not in KeyStore (less secure)
  • Clear SAML:
    • When clearSaml: true, SAML assertion is removed after validation
    • clearSamlPath must be a valid XPath expression pointing to SAML assertion
    • Useful for removing sensitive SAML data before forwarding request
  • XPath:
    • clearSamlPath must be a valid XPath expression
    • Supports namespaces (e.g., soap:Envelope, saml:Assertion)
    • Use absolute paths for precise location
  • SAML Format:
    • Supports SAML 1.1 and SAML 2.0 assertions
    • Supports SAML assertions in SOAP headers (WS-Security)
    • Supports SAML assertions in HTTP headers or body
  • Performance: SAML validation adds processing overhead. Use for necessary validation only.
  • Pipeline:
    • REQUEST pipeline validates SAML in request before processing
    • RESPONSE pipeline validates SAML in response before sending to client
    • Validation failure results in 401 Unauthorized or 403 Forbidden response
  • Error Handling: Invalid SAML assertion or signature causes validation to fail
  • Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.