We are in the process of automating the OpenID Connect provider migration from one environment to another environment. Could you please help me understand: is this something different from SiteMinder domain object migration? What is the root object for the authorisation provider and client to export from one environment?
Any suggestions around this?
Hi Sasi, from the internal case I did some testing with PS R12.7
I cheated a bit, I did xpsexport, then viewed using SMPolicyReader to build my xcart, then tried xpsexport with the xcart.
Siteminder Policy Reader
Using SMPolicyReader to generate xcart selection.
But I tried this :
1) OpenID Provider
(note my first version of this post has this as failed - it was user error however, as I must have been using an older backup, and the xid had changed - using the correct xid then the export worked fine - Mark 7-Feb-2019)
This did not seem to export : I could grab the id :
Right click add to XCart then Tools/XCart gives a screen then save : gives :
# Type: CA.SM::OAuthIdP
# (I): Name : "null"
# (C): Desc : "OAuthIdP@21-2daea3f1-02bf-49a5-8cde-13809ec34ec8"
CA.SM::OAuthIdP@21-2daea3f1-02bf-49a5-8cde-13809ec34ec8
And then run the export :
> xpsexport output2.xml -xf testxcart.txt -npass
Then it all worked fine :
2) OpenID Client
This did seem to work.
I selected the OIDCClient :
Then with the xcart, it can show references, it had one OIDCAdminConfig : so I added that to the cart as well:
Saving the xcart gives :
# Type: CA.FED::OIDCClient
# (I): Name : "www-demo-com"
# (C): Desc : "CA.FED::OIDCClient@049a2973-ea10-4fc0-877a-d44b3e6e0725"
CA.FED::OIDCClient@049a2973-ea10-4fc0-877a-d44b3e6e0725
# Type: CA.FED::OIDCAdminConfig
# (I): Name : "openId-provider-example"
# (C): Desc : "CA.FED::OIDCAdminConfig@87b4d212-b07e-4b40-bfb8-5da126ebda9c"
CA.FED::OIDCAdminConfig@87b4d212-b07e-4b40-bfb8-5da126ebda9c
Then I ran the export - and it did export items:
>xpsexport output.xml -xf testxcart2.txt -npass
That did export those two items, and a variety of other items (certs etc.) as well.
That is header of output (I have some XTrace items set so it prints long list of stuff).
I did check and you can get to those items via XPSExplorer as well to build xcart as normal.
And it gives same result from xpsexport once built up xcart list.
Cheers - Mark
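For anyone scripting the flow in the post above, a pre-flight check for the stale-XID mistake it mentions; this is an added Python example, not part of the thread and not CA tooling. The XID pattern is an assumption inferred from the three XIDs shown above, one XID in the sample cart is constructed, and `SAMPLE_EXPORT` is a constructed stand-in for the text of a fresh full export, searched only as plain text.

```python
import re
# Assumed XID shape, inferred from the three XIDs shown in the thread.
XID_RE = re.compile(r"(?P<cls>[A-Za-z0-9_.]+::[A-Za-z0-9_]+)@[0-9A-Fa-f-]+")

def parse_xcart(text):
    """Return [(object_class, xid)] for each non-comment line of an xcart file."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = XID_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"xcart line {n} is not an XID: {line!r}")
        entries.append((m.group("cls"), line))
    return entries

def stale_xids(entries, export_text):
    """XIDs in the cart that do not occur in the text of a fresh export."""
    return [xid for _cls, xid in entries if xid not in export_text]

def render_xcart(entries):
    """Write entries back out in the '# Type:' + XID layout shown in the thread."""
    return "".join(f"# Type: {cls}\n{xid}\n" for cls, xid in entries)

# Cart built from the thread's XIDs plus one constructed, stale OAuthIdP XID.
SAMPLE_CART = """\
# Type: CA.FED::OIDCClient
CA.FED::OIDCClient@049a2973-ea10-4fc0-877a-d44b3e6e0725
# Type: CA.FED::OIDCAdminConfig
CA.FED::OIDCAdminConfig@87b4d212-b07e-4b40-bfb8-5da126ebda9c
# Type: CA.SM::OAuthIdP
CA.SM::OAuthIdP@21-00000000-0000-0000-0000-000000000000
"""
# Constructed stand-in for a fresh export's text (not real xpsexport output).
SAMPLE_EXPORT = "\n".join([
    "CA.FED::OIDCClient@049a2973-ea10-4fc0-877a-d44b3e6e0725",
    "CA.FED::OIDCAdminConfig@87b4d212-b07e-4b40-bfb8-5da126ebda9c",
    "CA.SM::OAuthIdP@21-2daea3f1-02bf-49a5-8cde-13809ec34ec8",
])

def check_sample():
    """Split the sample cart into stale XIDs and a cart that is safe to export."""
    entries = parse_xcart(SAMPLE_CART)
    stale = stale_xids(entries, SAMPLE_EXPORT)
    return stale, render_xcart([e for e in entries if e[1] not in stale])

if __name__ == "__main__":
    print(*check_sample(), sep="\n")
```

Running the check against a current export of the source environment before calling xpsexport with `-xf` catches a cart that was built from an older backup.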
Thank you Mark. Much appreciated.
We are building CA SSO 12.8 in cloud and planning to restrict any form of server instances directly (including policy and secure proxy servers). Hence, administrators cannot log in to execute these OOTB SSO utilities. Do we have any option for this? Do we need to write REST API based?
In the meantime, let me try your steps to migrate federation objects.
We have an option to perform XPS export and import using REST APIs from CA SSO 12.7. If you would like to try, you can check the REST APIs option in the footer of Administrative UI. Swagger references are included in the documentation, you can see these topics: Policy Object REST APIs/REST API Reference Documentation.
The upcoming validation kit of the CA SSO 14.0 Customer Validation program includes REST APIs for OIDC. You can register to give this feature a try and share your feedback.