- Created by Karolin Hemmingsson, last modified by Ylva Andersson on Jul 29, 2022
This article describes the Identity Manager Process REST API which can be used to control processes in Smart ID Identity Manager.
The API provides a simple RESTful interface for starting and proceeding processes and for exchanging data with it. The Identity Manager Process REST API is part of the Identity Manager main application and will be available automatically after starting the server that hosts the application.
How to use the Identity Manager Process REST API
See the following topics for more information on how to use the Identity Manager Process REST API:
The REST API is secured by default. Therefore it is not possible for intruders to access data and functionality of the REST interface. The default configuration uses our internal authentication profile to authenticate the user and to perform the authorization.
By default, the HTTP Basic Authentication is used. The client calling our service is responsible to fill the Authorization Header of the HTTP request.
Never use the HTTP Basic Authentication without securing the communication channel using SSL, so make sure you access the server using HTTPS.
To configure the authentication process and the security settings, see the Spring Security filter settings in the security-beans.xml.
The root context is the base context for all webservice requests. Specific requests must construct a path consisting of this base context plus the specific functionality.
| context | URL |
|---|---|
root context with https | [root_context] = https://[host]:[port]/[application_name]/ws |
process interface | [root_context]/processes/ |
task interface | [root_context]/tasks/ |
tenant selection |
Depending on the configuration of your server and authorization mechanism, the protocol can be HTTP or HTTPS. For more information, see the previous section.
Make sure you specify the right port for your application server.
To select the tenant id, append the tenant id to the URL, that is, the primary key of the tenant in the database:
- [URL]?tenantId=xxx
http://myServer:8080/idm-operator/ws/processes/MyProcess/start?tenantId=1234
By default, no secrets are resolved when querying for example the data map of a certain process step.
If the user which calls the REST API has the EXECUTION permission api.resolveSecrets, which can be defined in the designer, then secrets are resolved. The field is the same as the one which would contain the UUID of the secretFieldStore, for example Person_PasswordRef.
To run a command on a specific task, you will need a taskId.
To find the taskId, look up the value of the id attribute of the specific process in the BPMN 2.0 process definition, in the file process.xml.
Or, if you rather want to get the information from the database, look into the table ACT_RU_TASK in the column Task_Def_Key_. Don´t use ID_.
Putting variables into the process is possible when starting the process or executing a task by sending an XML snippet to the endpoints respectively. See section "Controlling the execution flow of a process" for more information.
Available commands
Start process
Description
Starts the process defined by processDefinitionKey.
URL
[root_context]/processes/{processDefinitionKey}/start?tenantId=xxx
where processDefinitionKey is the ID of the BPMN process.
Method
POST
Content Type
application/xml
Header Parameters
| Parameter | Description | Required or Optional |
|---|---|---|
| Authorization | To pass authentication information to the server, we use the HTTP basic authentication. The authorization information is passed as HTTP header parameter in the form username:password Base64 encoded (admin:admin in the following example): Authorization: Basic YWRtaW46YWRtaW4= | Required |
| Accept-Language | If the exception which can occur on the server is translatable you can determine the output language of the exception message with this parameter: Accept-Language: en | Optional |
Request Parameters
Multiple Request Parameters can be concatenated with "&"
| Parameter | Description | Required or Optional |
|---|---|---|
| ?searchConfigName=myName | This query parameter identifies the search configuration for searching for one core object. | Optional |
?tenantId=myTenant | This query parameter identifies the tenant for which the process should be started. This information is also used to authenticate the user (depending on the authorization mechanism). | Required |
| ?requiredUserTask=myTask | This query parameter identifies a user task task has to be present in the given top-level process for the process to be started. | Optional |
Body
The request body can be used to fill the data map for the process which shall be started. The form should be like:
<data>
<field name="BaseDpEmployee_FirstName">Max</field>
<field name="BaseDbEmployee_Photo">{base64EncodedPhoto}</field>
</data>
Response
Possible response codes:
| Status Code | Description |
|---|---|
| 200 | OK |
| 400 | Bad Request: see RestError in response body for details |
| 401 | Unauthorized: no valid authentication provided |
| 403 | Forbidden: the user does not have the permissions to execute/acccess the user task |
| 500 | Internal Server Error: see RestError in response body for details |
Example responses
process definition [myProcess] with required user-task [myTask] does not exist
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<restError>
<message>No core template with name "null" was found.</message>
</restError>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <process instanceId="4711"/>
Execute task
Description
Executes a task for a process instance. The process instance for which the task should be executed is given by the passed processInstanceId. The task to execute is given by the passed task id.
URL
[root_context]/tasks/{processInstanceId}/{taskId}?tenantId=xxx
To find the task id, look up the id of the task in the BPMN 2.0 process definition.
Method
POST
Content Type
application/xml
Header Parameters
| Parameter | Description | Required or Optional |
|---|---|---|
| Authorization | To pass authentication information to the server, we use the HTTP basic authentication. The authorization information is passed as HTTP header parameter in the form username:password Base64 encoded (admin:admin in the following example): Authorization: Basic YWRtaW46YWRtaW4= | Required |
| Accept-Language | If the exception which can occur on the server is translatable you can determine the output language of the exception message with this parameter: Accept-Language: en | Optional |
Response
Possible response codes:
| Status Code | Description |
|---|---|
| 200 | OK |
| 400 | Bad Request: see RestError in response body for details |
| 401 | Unauthorized: no valid authentication provided |
| 403 | Forbidden: the user does not have the permissions to execute/acccess the user task |
| 500 | Internal Server Error: see RestError in response body for details |
Example responses
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<restError>
<message>No core template with name "null" was found.</message>
</restError>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <process instanceId="4711"/>
Obtain task data
Description
Obtains the data map a the start of a task for a given process instance. The process instance is given by the parameter processInstanceId. The task which data has to be obtained is given by the passed taskId.
URL
[root_context]/tasks/{processInstanceId}/{taskId}/data?tenantId=xxx
Method
GET
Header Parameters
| Parameter | Description | Required or Optional |
|---|---|---|
| Authorization | To pass authentication information to the server, we use the HTTP basic authentication. The authorization information is passed as HTTP header parameter in the form username:password Base64 encoded (admin:admin in the following example): Authorization: Basic YWRtaW46YWRtaW4= | Required |
| Accept-Language | If the exception which can occur on the server is translatable you can determine the output language of the exception message with this parameter: Accept-Language: en | Optional |
Example response
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <data> <field name="Person_Email">max.muster@nexusgroup.de</field> <field name="Person_FirstName">Max</field> <field name="Person_Id">5678</field> <field name="Person_LastName">Muster</field> <field name="Meta_CoreTemplateName_Person">Person</field> <field name="Person_PersonnelNumber">123456</field> </data>
Start process, poll for data and execute task
Description
This command will start a process. The process is expected to reach a user task without further interaction. Also,the user task is intended merely as a waiting point and must not make any changes. The command will try to fetch the process data before the user task and then execute the user task (like clicking "Next").
URL
[root_context]/processes/{processDefinitionKey}/startGetDataAndExecute/{taskId}?tenantId=xxx
where processDefinitionKey is the ID of the BPMN process and taskId is the ID of the user task at which to get the data and which to execute.
To find the task id, look up the id of the task in the BPMN 2.0 process definition.
Method
POST
Content Type
application/xml
Header Parameters
| Parameter | Description | Required or Optional |
|---|---|---|
| Authorization | To pass authentication information to the server, we use the HTTP basic authentication. The authorization information is passed as HTTP header parameter in the form username:password Base64 encoded (admin:admin in the following example): Authorization: Basic YWRtaW46YWRtaW4= | Required |
| Accept-Language | If the exception which can occur on the server is translatable you can determine the output language of the exception message with this parameter: Accept-Language: en | Optional |
Request Parameters
Multiple Request Parameters can be concatenated with "&"
| Parameter | Description | Required or Optional |
|---|---|---|
| ?searchConfigName=myName | This query parameter identifies the search configuration for searching for one core object. | Optional |
?tenantId=myTenant | This query parameter identifies the tenant for which the process should be started. This information is also used to authenticate the user (depending on the authorization mechanism). | Required |
| ?maxAttempts=10 | This query parameter defines how often to poll for data at the given task before giving up. Minimum value: 1 | Required |
| ?interval=5000 | This query parameter defines the polling interval in msec. Minimum value: 100 | Required |
Body
The request body can be used to fill the data map for the process which shall be started. The form should be like:
<data>
<field name="BaseDpEmployee_FirstName">Max</field>
<field name="BaseDbEmployee_Photo">{base64EncodedPhoto}</field>
</data>
Response
Possible response codes:
| Status Code | Description |
|---|---|
| 200 | OK |
| 400 | Bad Request: see RestError in response body for details |
| 401 | Unauthorized: no valid authentication provided |
| 403 | Forbidden: the user does not have the permissions to execute/acccess the user task |
| 500 | Internal Server Error: see RestError in response body for details |
Example responses
process definition [myProcess] with user-task [myTask] does not exist
maxAttempts must be at least 1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<restError>
<message>All [10] data fetch attempts attempts with interval [5000]msec for task [myTask] of process [myProcessDefinition] failed. Process instance[4711] might be stuck!</message>
</restError>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<restError>
<message>No core template with name "null" was found.</message>
</restError>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<data>
<!-- note the additional field "RestError" compared to a successful response -->
<field name="RestError>some error happened trying to execute the task</field>
<field name="Person_Email">max.muster@nexusgroup.de</field>
<field name="Person_FirstName">Max</field>
<field name="Person_Id">5678</field>
<field name="Person_LastName">Muster</field>
<field name="Meta_CoreTemplateName_Person">Person</field>
<field name="Person_PersonnelNumber">123456</field>
</data>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <data> <field name="Person_Email">max.muster@nexusgroup.de</field> <field name="Person_FirstName">Max</field> <field name="Person_Id">5678</field> <field name="Person_LastName">Muster</field> <field name="Meta_CoreTemplateName_Person">Person</field> <field name="Person_PersonnelNumber">123456</field> </data>
Obtain task data and execute task if data available
Description
Obtains the data map at the start of a task for a given process instance. If data could be obtained, the task will then be executed (like clicking "Next"). The process instance is given by the parameter processInstanceId. The task which data has to be obtained is given by the passed taskId.
URL
[root_context]/tasks/{processInstanceId}/{taskId}/dataExec?tenantId=xxx
Method
POST
Header Parameters
| Parameter | Description | Required or Optional |
|---|---|---|
| Authorization | To pass authentication information to the server, we use the HTTP basic authentication. The authorization information is passed as HTTP header parameter in the form username:password Base64 encoded (admin:admin in the following example): Authorization: Basic YWRtaW46YWRtaW4= | Required |
| Accept-Language | If the exception which can occur on the server is translatable you can determine the output language of the exception message with this parameter: Accept-Language: en | Optional |
Response
If no data is available, you get the following status code:
| Status Code | Description |
|---|---|
| 204 | No Content |
Possible response codes:
| Status Code | Description |
|---|---|
| 200 | OK |
| 400 | Bad Request: see RestError in response body for details |
| 401 | Unauthorized: no valid authentication provided |
| 403 | Forbidden: the user does not have the permissions to execute/acccess the user task |
| 500 | Internal Server Error: see RestError in response body for details |
Example responses
no running process with instance id [4711] exists
no task [myTask] exists on process with instance id [4711]
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<data>
<!-- note the additional field "RestError" compared to a successful response -->
<field name="RestError>some error happened trying to execute the task</field>
<field name="Person_Email">max.muster@nexusgroup.de</field>
<field name="Person_FirstName">Max</field>
<field name="Person_Id">5678</field>
<field name="Person_LastName">Muster</field>
<field name="Meta_CoreTemplateName_Person">Person</field>
<field name="Person_PersonnelNumber">123456</field>
</data>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <data> <field name="Person_Email">max.muster@nexusgroup.de</field> <field name="Person_FirstName">Max</field> <field name="Person_Id">5678</field> <field name="Person_LastName">Muster</field> <field name="Meta_CoreTemplateName_Person">Person</field> <field name="Person_PersonnelNumber">123456</field> </data>
Controlling the execution flow of a process
Description
Use the Execute task endpoint of the REST API to complete the user task (open task) and control the flow of the process.
Executing a process via the public REST interface behaves as follows when the process encounters a user task:
- The process stops and waits for further input
- The API user must provide the form data as payload of an http request to the exec endpoint
- The process continues its execution regardless of any button that is associated to the form/user task
- In order to influence the execution path of the process (for example at gateways), you can also set the values of the flow variables in the payload
Examples
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <data> <field name="Person_FirstName" type="STRING">Bernhard</field> <field name="Person_LastName" type="STRING">Adam</field> <field name="action" type="BOOLEAN">true</field> </data>
The action variable must be true.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <data> <field name="Person_FirstName" type="STRING">Bernhard</field> <field name="Person_LastName" type="STRING">Adam</field> </data>
The action variable is not required here
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <data> <field name="Person_FirstName" type="STRING">Bernhard</field> <field name="Person_LastName" type="STRING">Adam</field> <field name="action" type="BOOLEAN">false</field> </data>
The action variable must be false.
- The first two examples (simulating a click on the NEXT button) are alternatives.
- As soon as a gateway uses a variable in its condition and there is no flow marked as default, then the variable must be set and send to the endpoint. Otherwise you get an error response.
- You can not add variables to the 'Obtain task data and execute task' endpoint even though it is POST request. But you may send variables to the process when starting it.
- The button function CANCEL is not supported. Executing an open user task through the REST API will always continue with the button function NEXT.
This article is valid for Smart ID 22.04.1 and later.