Automate user creation and deletion with the Account Manager REST API
The Account Manager REST API includes operations for creating, viewing, and deleting users. These operations enable you to automate user creation and deletion in DigiCert ONE.
For example, if your organization uses an identity provider (IdP) like Okta to manage single sign-on (SSO), you can write a program that automatically creates a new DigiCert ONE user each time your IdP admin enables application access for a new employee. Later, when the employee changes roles or leaves your organization, you can automatically delete their DigiCert ONE user from your account.
Identify triggering events
The first step in building your automation is to identify events you want to use as triggers for creating and deleting users.
For example, your IdP may provide webhooks that can send data to event listeners when administrators enable or disable application access for individuals at your organization. If this is the case, you can write a program that uses these events to trigger API calls.
At a high level:
When the program receives an event indicating a new individual has been granted access to DigiCert ONE, trigger a call to the Create user API endpoint.
When the program receives an event indicating an individual’s access to DigiCert ONE has been revoked, trigger a call to the Delete user API endpoint.
Tip
The form and contents of outbound event data varies from one IdP to the next. Some IdPs offer a robust selection of outbound events with granular data. Other IdPs offer a more limited selection. To see what options are available to you, check the documentation for your organization’s IdP.
Automate user creation
After determining which events should trigger user creation, you’re ready to call the Create user API.
Create user request format
To create a user in DigiCert ONE, submit a POST request to the Create user API endpoint:
POST https://one.digicert.com/account/api/v1/user
Note
For more information about the Create user API, visit the Swagger UI reference documentation: Create user.
The Create user API accepts a JSON payload with key/value pairs containing user information. Requests that create a standard user require these parameters:
user_name (string): Unique username for the new user. If SSO is enabled for your account, make sure to pass in the same username assigned to the user in your IdP.
first_name (string): User first name.
last_name (string): User last name.
email (string): User email address.
user_type (string): User type (service or standard). Defaults to service. To create a standard user, pass in a value of standard.
roles (array of strings): List of roles to assign the user. Roles determine what the user can see and do inside of DigiCert ONE.
accounts (array of strings): List of account IDs for each account the user can access. When creating a standard user, the first account in this list is the user’s primary account and is the account used for authorization.
Requests that create a standard user have these optional parameters:
phone_number (string): User phone number.
password (string): User’s password for signing in to DigiCert ONE. If you omit this field and password-only sign-in is enabled for the DigiCert ONE account, the user receives an email with a link to finish setting up their account and create their own password.
A successful request results in a status of 201 Created. The response contains the id (UUID) of the newly created user. If SSO is enabled for the account, the user receives an email with a link to access DigiCert ONE via your company’s sign-on portal.
Examples
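An added example (not from the DigiCert documentation) of how an event listener could turn an IdP "access granted" event into a Create user call. The endpoint, required parameters and 201 status come from this page; the x-api-key header, the event field names and the sample event are assumptions.

```python
import json
import urllib.request

# Endpoint from the page. Sending the x-api-key header is an assumption about
# how DigiCert ONE authenticates API calls; the page does not cover auth.
CREATE_USER_URL = "https://one.digicert.com/account/api/v1/user"


def build_create_user_payload(event, accounts, roles):
    """Map an IdP 'access granted' event onto the Create user JSON body.
    Event field names (login, firstName, lastName, email) are hypothetical."""
    payload = {
        # Must equal the username the IdP assigned when SSO is enabled.
        "user_name": event.get("login", ""),
        "first_name": event.get("firstName", ""),
        "last_name": event.get("lastName", ""),
        "email": event.get("email", ""),
        # Explicit: the API defaults to "service", not what SSO onboarding wants.
        "user_type": "standard",
        "roles": list(roles),
        # The first account becomes the primary account used for authorization.
        "accounts": list(accounts),
    }
    # Reject empty values (including empty roles/accounts lists) before sending.
    missing = [key for key, value in payload.items() if not value]
    if missing:
        raise ValueError(f"cannot create user, missing fields: {missing}")
    return payload


def create_user_request(api_key, payload):
    """Build (without sending) the POST request for the Create user endpoint."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        CREATE_USER_URL, data=body, method="POST",
        headers={"Content-Type": "application/json", "x-api-key": api_key},
    )


def parse_create_response(status, body):
    """Return the new user's id on 201 Created; fail loudly on anything else."""
    if status != 201:
        raise RuntimeError(f"Create user failed with HTTP {status}: {body!r}")
    return json.loads(body)["id"]


# Constructed sample event in the shape a webhook listener might receive.
SAMPLE_EVENT = {"login": "jdoe", "firstName": "Jane", "lastName": "Doe",
                "email": "jdoe@example.com"}
```

Send the request with urllib.request.urlopen and feed the HTTP status and body to parse_create_response to obtain the id you will later need for deletion.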
Automate user deletion
After determining which events should trigger user deletion, you’re ready to delete the user.
Deleting a user is a two-step process:
Identify the user in DigiCert ONE.
Delete the user.
List users request format
Before you can delete a user, you need their user id. To search for a user in DigiCert ONE, submit a GET request to the List users API endpoint:
GET https://one.digicert.com/account/api/v1/user
Note
For more information about the List users API, visit the Swagger UI reference documentation: List all users.
The List users API endpoint supports query parameters you can use to search for a specific user. Combine these filters to further refine your results.
user_name (string): Limit results to users with the given username. Must be an exact match. Because the same username value can be used as the standard login username (user_name) and SSO username (oidc_user_name or saml_user_name) for different users, the user_name filter may return multiple users.
email (string): Limit results to users with the given email address. Must be an exact match. Users are not required to have a unique email address. The email filter returns all users with an email address that matches the given value.
user_type (string): By default, the List users API only returns standard users. To search for a service user instead, append the URL query string user_type=service to your request.
status (string): Limit results to users with the given status (active, disabled, deleted, locked, pending).
Examples
Delete user request format
After identifying the user you want to delete, you’re ready to call the Delete user API endpoint:
DELETE https://one.digicert.com/account/api/v1/user/{user_id}
Danger
Deleting a service user can disrupt client integrations reliant on the service user’s API token.
Note
For more information about the Delete user API, visit the Swagger UI reference documentation: Delete user.
In the request URL, replace {user_id} with the user ID you retrieved from the List users API endpoint.
A successful request results in a status of 204 No Content.
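An added example (not from the DigiCert documentation) of the two-step deletion: build the List users lookup, pick exactly one user from the result while refusing ambiguous matches and, by default, service users, then build the DELETE request. The endpoints, filters, field names and status codes come from this page; the x-api-key header, the shape of the response wrapper and the sample result are assumptions.

```python
import urllib.parse
import urllib.request

# Endpoint from the page; the x-api-key header is an assumption about how
# DigiCert ONE authenticates API calls, which this page does not cover.
USERS_URL = "https://one.digicert.com/account/api/v1/user"


def list_users_request(api_key, user_name, user_type="standard"):
    """Build the List users GET with the exact-match user_name filter."""
    query = urllib.parse.urlencode({"user_name": user_name, "user_type": user_type})
    return urllib.request.Request(f"{USERS_URL}?{query}", method="GET",
                                  headers={"x-api-key": api_key})


def select_user_to_delete(users, email=None, allow_service=False):
    """Return exactly one user id from the List users result, or refuse.
    `users` is the list of user objects (the response wrapper is not shown on
    the page, so unwrap it first); an ambiguous match is an error, not a guess."""
    candidates = [u for u in users if u.get("status") != "deleted"
                  and (email is None or u.get("email") == email)]
    if not candidates:
        raise LookupError("no matching, non-deleted user found")
    if len(candidates) > 1:
        ids = [u["id"] for u in candidates]
        raise LookupError(f"ambiguous match {ids}; pass the user's email to narrow it")
    user = candidates[0]
    if user.get("user_type") == "service" and not allow_service:
        # A service user's API token dies with it and can break integrations.
        raise PermissionError(f"refusing to delete service user {user['id']}")
    return user["id"]


def delete_user_request(api_key, user_id):
    """Build the DELETE request; success is 204 No Content, anything else is a failure."""
    return urllib.request.Request(f"{USERS_URL}/{user_id}", method="DELETE",
                                  headers={"x-api-key": api_key})


# Constructed List users result: two standard users share the username "jdoe".
SAMPLE_USERS = [
    {"id": "placeholder-uuid-1", "user_name": "jdoe", "email": "jdoe@example.com",
     "user_type": "standard", "status": "active"},
    {"id": "placeholder-uuid-2", "user_name": "jdoe", "email": "jane@example.com",
     "user_type": "standard", "status": "active"},
]
```

Because the user_name filter is not guaranteed to be unique, pass the email from the IdP event as well so the automation never deletes the wrong account.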