User Migration API

You must provide two REST endpoints (GET and POST) in your legacy authentication system under the URI ${restClientUri}/{$username}, where ${restClientUri} is a configurable base URL for the endpoints and {$username} is the username of the user that is attempting to sign in.

It is possible to configure the plugin to use the legacy userId instead of the username when making the credential verification request. This option is useful if your legacy system allows users to change their usernames and should only be used when the legacy user ids are migrated.

Customers can use the existing audit logging mechanism to include their own application's events. There is a single API method that will consume events in the representation below and make them available for searching, filtering and exporting.

GET

The GET request will have to return user data as a JSON response in the form:

{
    "id": "string",
    "username": "string",
    "email": "string",
    "firstName": "string",
    "lastName": "string",
    "enabled": "boolean",
    "emailVerified": "boolean",
    "attributes": {
      "key": ["value"]
    },
    "roles": ["string"],
    "groups": ["string"],
    "requiredActions": ["requiredActions"]
}

Any HTTP status other than 200 will be interpreted as the user not having been found.

The id attribute in the above response is optional. If it's not set, a new user id will be generated automatically.

POST

The POST request is for password validation. It will have to accept the following body:

{
    "password": "string"
}

...And return HTTP status 200 if the password is correct. Any other response will be treated as invalid credentials.

Example REST client behavior

Let's assume we have configured the legacy REST service under the URL http://www.old-legacy-system.com/auth.

If a user with the username bob and the password password123 tries to log in for the first time (giving correct credentials), a GET request will be performed to http://www.old-legacy-system.com/auth/bob. The response might look like this:

{
    "id": "12345678",
    "username": "bob",
    "email": "bob@company.com",
    "firstName": "Bob",
    "lastName": "Smith",
    "enabled": "true",
    "emailVerified": "true",
    "attributes": {
      "position": ["rockstar-developer"],
      "likes": ["cats", "dogs", "cookies"]
    },
    "roles": ["admin"],
    "groups": ["migrated_users"],
    "requiredActions": ["CONFIGURE_TOTP", "UPDATE_PASSWORD", "UPDATE_PROFILE", "update_user_locale"]
}

As the user has been found, a POST request will be performed to http://www.old-legacy-system.com/auth/bob, with the body:

{
    "password": "password123"
}

If the plugin is configured to use the user id as the path parameter for the credential verification request, the POST request will be performed to http://www.old-legacy-system.com/auth/12345678, instead.

As this is the correct password, the user will be logged in. In the background, his information will be migrated.

Configuration

In the admin, navigate to "User federation".
Choose "User migration using a REST client" from the "Add provider..." dropdown.
Provide the legacy system endpoint URI in the "Rest client URI" field.
Click "save".

Phase Two will now recognize all users from your legacy authentication system and migrate them automatically.

Optional - additional configuration

Additional configuration options are available for fine-tuning the migration.

Bearer Token Auth

The migration endpoint can be secured with an API token. The configured value will be sent as a bearer token in the authorization header.

If bearer auth is enabled, the configured token value is set to SECRET_API_TOKEN when making the request to the migration endpoints, the rest client will send the following authorization header:

Authorization: Bearer SECRET_API_TOKEN

Basic Auth for migration endpoint

The migration endpoint can be secured with HTTP basic auth. The configured value will be sent as a Basic auth string in the authorization header. Keep in mind that this approach is only secure over an encrypted connection (i.e. HTTPS)

If basic auth is enabled, the username and password will be sent in the authorization header:

Authorization: Basic base64encode(username:password)

Legacy role conversion

If role names in do not perfectly match those in the legacy system, you can configure the provider to automatically map legacy roles to new roles, by specifying the mapping in the format legacyRole:newRole.

Migrate unmapped roles

This switch can be toggled to decide whether roles which are not defined in the legacy role conversion map should be migrated anyway or simply ignored.

Group role conversion

If group names do not perfectly match those in the legacy system, you can configure the provider to automatically map legacy groups to new groups, by specifying the mapping in the format legacyGroup:newGroup.

Migrate unmapped groups

This switch can be toggled to decide whether groups which are not defined in the legacy group conversion map should be migrated anyway or simply ignored.

GET​

POST​

Example REST client behavior​

Configuration​

Optional - additional configuration​

Bearer Token Auth​

Basic Auth for migration endpoint​

Legacy role conversion​

Migrate unmapped roles​

Group role conversion​

Migrate unmapped groups​

GET