Automate user creation and deletion with the Account Manager REST API

The Account Manager REST API includes operations for creating, viewing, and deleting users. These operations enable you to automate user creation and deletion in DigiCert ONE.

For example, if your organization uses an identity provider (IdP) like Okta to manage single sign-on (SSO), you can write a program that automatically creates a new DigiCert ONE user each time your IdP admin enables application access for a new employee. Later, when the employee changes roles or leaves your organization, you can automatically delete their DigiCert ONE user from your account.

Identify triggering events

The first step in building your automation is to identify events you want to use as triggers for creating and deleting users.

For example, your IdP may provide webhooks that can send data to event listeners when administrators enable or disable application access for individuals at your organization. If this is the case, you can write a program that uses these events to trigger API calls.

At a high level:

When the program receives an event indicating a new individual has been granted access to DigiCert ONE, trigger a call to the Create user API endpoint.
When the program receives an event indicating an individual’s access to DigiCert ONE has been revoked, trigger a call to the Delete user API endpoint.

Astuce

The form and contents of outbound event data varies from one IdP to the next. Some IdPs offer a robust selection of outbound events with granular data. Other IdPs offer a more limited selection. To see what options are available to you, check the documentation for your organization’s IdP.

Automate user creation

After determining which events should trigger user creation, you’re ready to call the Create user API.

Create user request format

To create a user in DigiCert ONE, submit a POST request to the Create user API endpoint:

POST https://one.digicert.com/account/api/v1/user

Note

For more information about the Create user API, visit the Swagger UI reference documentation: Create user.

The Create user API accepts a JSON payload with key/value pairs containing user information. Requests that create a standard user require these parameters:

user_name (string): Unique username for the new user. If SSO is enabled for your account, make sure to pass in the same username assigned to the user in your IdP.
first_name (string): User first name.
last_name (string): User last name.
email (string): User email address.
user_type (string): User type (service or standard). Defaults to service. To create a standard user, pass in a value of standard.
roles (array of strings): List of roles to assign the user. Roles determine what the user can see and do inside of DigiCert ONE.
accounts (array of strings): List of account IDs for each account the user can access. When creating a standard user, the first account in this list is the user’s primary account and is the account used for authorization.

Requests that create a standard user have these optional parameters:

phone_number (string): User phone number.
password (string): User’s password for signing in to DigiCert ONE.
If you omit this field and password-only sign-in is enabled for the DigiCert ONE account, the user receives an email with a link to finish setting up their account and create their own password.

A successful request results in a status of 201 Created. The response contains the id (UUID) of the newly created user. If SSO is enabled for the account, the user receives an email with a link to access DigiCert ONE via your company’s sign-on portal.

Examples

Automate user deletion

After determining which events should trigger user deletion, you’re ready to delete the user.

Deleting a user is a two step process:

Identify the user in DigiCert ONE.
Delete the user.

List users request format

Before you can delete a user, you need their user id. To search for a user in DigiCert ONE, submit a GET request to the List users API endpoint:

GET https://one.digicert.com/account/api/v1/user

Note

For more information about the List users API, visit the Swagger UI reference documentation: List all users.

The List users API endpoint supports query parameters you can use to search for a specific user. Combine these filters to further refine your results.

user_name (string): Limit results to users with the given username. Must be an exact match.
Because the same username value can be used as the standard login username (user_name) and SSO username (oidc_user_name or saml_user_name) for different users, the user_name filter may return multiple users.
email (string): Limit results to users with the given email address. Must be an exact match.
Users are not required to have a unique email address. The email filter returns all users with an email address that matches the given value.
user_type (string): By default, the List users API only returns standard users. To search for a service user instead, append the URL query string user_type=service to your request.
status (string): Limit results to users with the given status (active, disabled, deleted, locked, pending)

Examples

Exemple 6. 200 OK

[
  {
    "id": "baaff0f5-61ae-46c0-b289-166da6a9d39f",
    "user_name": "john.doe",
    "oidc_username": "john.doe",
    "first_name": "John",
    "last_name": "Doe",
    "email": "john.doe@example.com",
    "phone": "+8005550199",
    "status": "ACTIVE",
    "access_scope": "account",
    "primary_account_id": "a9819c47-5ec0-4dba-b7e7-a74b069dc163",
    "created_at": "2023-01-24T11:18:01Z",
    "created_by": "c3d94ee0-b91f-4d98-8d6d-d47700676d16",
    "user_type": "standard",
    "locale": "en_US",
    "applications": [
      {
        "id": "745cb624-f8f8-4f68-a14c-18dc5886c66b",
        "name": "Document Signing Manager",
        "app_code": "document_signing_manager",
        "permissions": [
          "VIEW_DSM_VALIDATION_PROFILE",
          "VIEW_DSM_CREDENTIAL_PROFILE"
        ]
      },
      {
        "id": "18f06501-84bf-4c5d-81d8-08076bee2f53",
        "name": "Account Manager",
        "app_code": "account_manager",
        "permissions": [
          "VIEW_AM_ACCOUNT"
        ]
      }
    ],
    "accounts": [
      {
        "id": "9fd17a0c-5913-4f57-8fe6-c06060b50df2",
        "name": "Example Account",
        "active": true,
        "service_period": {
          "from": "2021-05-06",
          "to": "2030-05-06"
        },
        "friendly_identifier": "1234567",
        "locale": "en_US",
        "enabled_feature_ids": [
          "ftr_em_auto_cert_mgmt"
        ]
      }
    ]
  }
]

Delete user request format

After identifying the user you want to delete, you’re ready to call the Delete user API endpoint:

DELETE https://one.digicert.com/account/api/v1/user/{user_id}

Danger

Deleting a service user can disrupt client integrations reliant on the service user’s API token.

Note

For more information about the Delete user API, visit the Swagger UI reference documentation: Delete user.

In the request URL, replace {user_id} with the user ID you retrieved from the List users API endpoint.

A successful request results in a status of 204 No Content.

Dans cette section:

Automate user creation and deletion with the Account Manager REST API

Identify triggering events

Astuce

Automate user creation

Create user request format

Note

Examples

Automate user deletion

List users request format

Note

Examples

Delete user request format

Danger

Note

Résultats de la recherche