PUT /manage/v2/external-security/{id|name}/properties

Summary

This resource address can be used to update the properties for the specified external-security configuration.

For more information on external security, see External Security in the Security Guide.

URL Parameters
format	The format of the posted data. Can be either `json` (default) or `xml`. This value overrides the Accept header if both are present.

Request Headers
Accept	The expected MIME type of the response. If the `format` parameter is present, it takes precedence over the Accept header.
Content-type	The MIME type of the data in the request body, either `application/xml` or `application/json`.

Response Headers
Content-type	The MIME type of the data in the response body. Depending upon the value of the `format` parameter or Accept header, either `application/xml` or `application/json`.

Response

Upon success, MarkLogic Server returns status code 204 (No Content). If the payload is malformed or the external-security configuration does not exist, a status code of 400 (Bad Request) is returned. A status code of 401 (Unauthorized) is returned if the user does not have the necessary privileges.

Required Privileges

This operation requires one of the following:

the manage-admin and security role
the following privileges:
http://marklogic.com/xdmp/privileges/manage

http://marklogic.com/xdmp/privileges/manage-admin

http://marklogic.com/xdmp/privileges/external-security-get-authentication

Usage Notes

The structure of the data in the request body is as follows. If specified, the name property must match the name specified in the URI.

The structure of the output returned from this REST API is as follows:

external-security-id

An external security id (unique key).

external-security-name

External security name (unique)

description

An object's description.

authentication

Authentication

cache-timeout

The login cache timeout, in seconds.

authorization

An authorization scheme.

ldap-server-uri

URI of the LDAP server. Required if authentication or authorization is LDAP.

ldap-base

starting point for search. Required if authentication or authorization is LDAP.

ldap-attribute

LDAP attribute for user lookup. Required if authentication or authorization is LDAP.

ldap-default-user

LDAP user used by MarkLogic server. Required if authentication is kerberos and authorization is LDAP or bind method is simple.

ldap-password

password of the default LDAP user. Required if authentication is kerberos and authorization is LDAP or bind method is simple.

ldap-bind-method

LDAP bind method.

ldap-memberof-attribute

LDAP attribute for group lookup. This is optional. If it is not specified, "memberOf" will be used for search for the groups of a user.

ldap-member-attribute

LDAP attribute for group lookup. This is optional. If it is not specified, "member" will be used for search for the group of a group.

ldap-start-tls

Whether or not to use start TLS request to the LDAP server.

ldap-certificate

The PEM encoded X509 certificate for MarkLogic server to connect the LDAP server. It can be used for mutual authentication if bind method is MD5 or simple. Or it can be used for external binding.

ldap-private-key

The PEM encoded private key corresponding to the certificate.

ldap-nested-lookup

Whether or not to perform nested group lookup.

ldap-remove-domain

Whether or not to remove domain before matching with ldap-attribute.

ldap-negative-cache-timeout

The LDAP negative cache timeout, in seconds.

ldap-server

An LDAP server configuration.

This is a complex structure with the following children:

ldap-server-uri: URI of the LDAP server. Required if authentication or authorization is LDAP.
ldap-base: starting point for search. Required if authentication or authorization is LDAP.
ldap-attribute: LDAP attribute for user lookup. Required if authentication or authorization is LDAP.
ldap-default-user: LDAP user used by MarkLogic server. Required if authentication is kerberos and authorization is LDAP or bind method is simple.
ldap-password: password of the default LDAP user. Required if authentication is kerberos and authorization is LDAP or bind method is simple.
ldap-bind-method: LDAP bind method.
ldap-memberof-attribute: LDAP attribute for group lookup. This is optional. If it is not specified, "memberOf" will be used for search for the groups of a user.
ldap-member-attribute: LDAP attribute for group lookup. This is optional. If it is not specified, "member" will be used for search for the group of a group.
ldap-start-tls: Whether or not to use start TLS request to the LDAP server.
ldap-certificate: The PEM encoded X509 certificate for MarkLogic server to connect the LDAP server. It can be used for mutual authentication if bind method is MD5 or simple. Or it can be used for external binding.
ldap-private-key: The PEM encoded private key corresponding to the certificate.
ldap-nested-lookup: Whether or not to perform nested group lookup.
ldap-remove-domain: Whether or not to remove domain before matching with ldap-attribute.
ldap-negative-cache-timeout: The LDAP negative cache timeout, in seconds.

saml-server

An SAML server configuration.

This is a complex structure with the following children:

saml-entity-id

SAML entity id. Required if authorization is SAML.

saml-destination

SAML destination.

saml-issuer

SAML issuer.

saml-assertion-host

SAML assertion host.

saml-idp-certificate-authority

The PEM encoded X509 certificate authority for SAML IDP.

saml-sp-certificate

The PEM encoded X509 certificate for SAML SP.

saml-sp-private-key

The PEM encoded private key for SAML SP.

saml-authn-signature

saml-attribute-names

A list of SAML attribute names.

This is a complex structure with the following children:

saml-attribute-name: SAML attribute name.

saml-privilege-attribute-name

SAML privilege attribute name.

http-options

The HTTP options to use when connecting to the replication application server.

This is a complex structure with the following children:

timeout: The timeout
data
headers: The headers.
method: The method to use.
username
password
credential-id: The credential id.
client-cert
client-key
pass-phrase
verify-cert: Whether the server's certificate should be verified.
proxy: The network location of the proxy server.
kerberos-ticket-forwarding: The option for kerberos ticket forwarding. If it is "disabled", the user ticket is not used. This is the default. If it is "required", the user ticket is forwarded. If the user ticket is not forwardable, XDMP-NOFORWARDTICKET is thrown. If it is "optional", the user ticket is forwarded if it is forwardable. But no error if it is not forwardable.

ssl-client-certificate-authorities

This is a complex structure with the following children:

ssl-client-certificate-authority: An SSL certificate authority

ssl-require-client-certificate

oauth-server

OAuth server configuration.

This is a complex structure with the following children:

oauth-flow-type

OAuth 2.0 flow type.

oauth-vendor

Third-party OAuth 2.0 vendor.

oauth-server-uri

OAuth 2.0 server URI. TLS (HTTPS) required. Optional.

oauth-authorization-server-uri

OAuth 2.0 authorization endpoint. Required when "OAuth Flow Type" is "Authorization code". TLS (HTTPS) required.

oauth-token-server-uri

OAuth 2.0 token service endpoint. Required if "OAuth Flow Type" is not "Resource server". TLS (HTTPS) required.

oauth-introspection-server-uri

OAuth Introspection endpoint. Required if "OAuth Token Type" is "Internally managed reference tokens". TLS (HTTPS) required.

oauth-scope

OAuth 2.0 scopes. Optional.

oauth-client-authentication-method

OAuth 2.0 vendor client authentication method. Required if "OAuth Token Type" is "Internally managed reference tokens".

oauth-client-id

Required. OAuth 2.0 Client ID.

oauth-client-secret

OAuth 2.0 client secret. Required when OAuth Client Authentication Method is "Client secret".

oauth-redirect-uri

OAuth 2.0 redirect URI. Optional. TLS (HTTPS) required or be a loopback URI.

oauth-jwt-issuer-uri

OAuth 2.0 JWT Issuer URI. Required if "OAuth Vendor" is "Microsoft Entra" or "Amazon Cognito".

oauth-token-type

OAuth 2.0 access token format.

oauth-username-attribute

Required. The JSON claim name containing username information.

oauth-role-attribute

Required. The JSON claim name containing role information.

oauth-privilege-attribute

The JSON claim name containing privilege information. Optional.

oauth-jwt-alg

Signature algorithm for JWT access tokens. Required if "OAuth Token Type" is "JSON Web Tokens".

oauth-jwt-secrets

A list of OAuth JWT secrets. Secrets information will be updated after pressing the OK button. Required if "OAuth Token Type" is "JSON Web Tokens".

This is a complex structure with the following children:

oauth-jwt-secret

OAuth JWT secret for signing JWTs.

This is a complex structure with the following children:

oauth-jwt-key-id: OAuth JWT key-id used to find JWT keys used for signing.
oauth-jwt-internal-id: OAuth JWT internal-id used to find the JWT secret from the SoftHSM.
oauth-jwt-secret-value: OAuth JWT secret used to sign JWTs. Only used as a placeholder for REST and built-ins to work.

oauth-jwks-uri

JSON Web Key Sets endpoint. TLS (HTTPS) required. Optional.

Example


curl -X PUT  --anyauth -u admin:admin \
-H "Content-Type:application/json" -d '{"cache-timeout": "300"}' \
http://localhost:8002/manage/v2/external-security/MyExternalName/properties
 
==>  Changes the "cache-timeout" property to 300 in the external-security 
     configuration, named "MyExternalName."

Stack Overflow: Get the most useful answers to questions from the MarkLogic community, or ask your own question.

MarkLogic

Semaphore

OpenEdge

DataDirect

Sitefinity

Telerik

Kendo UI

Corticon

DataDirect

MOVEit

Chef

Flowmon

Kemp LoadMaster

WhatsUp Gold

Telerik

Kendo UI

Fiddler

Test Studio

MOVEit

WS_FTP

PUT /manage/v2/external-security/{id|name}/properties

Summary

Response

Required Privileges

Usage Notes

Example