Ncloud Single Sign-On overview

Available in Classic and VPC

Ncloud Single Sign-On is a NAVER Cloud Platform service that builds a system that allows you to access various applications with a single account. The Ncloud Single Sign-On service provides APIs for application, tenant, external IdP, SSO user, group, permission set, assignment, and IP ACL features in a RESTful form.

Common Ncloud Single Sign-On settings

The following describes commonly used request and response formats in Ncloud Single Sign-On APIs.

Request

The following describes the common request format.

API URL

The request API URL is as follows:

https://sso.apigw.ntruss.com

Request headers

The following describes the request headers.

Field	Required	Description
`x-ncp-apigw-timestamp`	Required	This is the number of milliseconds that have elapsed since January 1, 1970 00:00:00 UTC. Request is considered invalid if the timestamp differs from the current time by more than 5 minutes.
`x-ncp-iam-access-key`	Required	Access key issued on NAVER Cloud Platform Issue and check access key: See Create authentication key. Issue and check access key for sub account: See Create sub account.
`x-ncp-apigw-signature-v2`	Required	Base64-encoded signature that encrypts the request information with a secret key that maps to the access key issued on NAVER Cloud Platform, using the HMAC encryption algorithm (HmacSHA256) Issue and check secret key: See Create authentication key. Create signature: See Create signature.
`Content-type`	Optional	Request data format `application/json` `application/xml`
`Accept`	Optional	Response data format `application/json`

Response

The following describes the common response format.

Response body

The response body includes the following data:

ProcessResult

ProcessResult defines the API processing result. The following describes ProcessResult.

Field	Type	Required	Description
`success`	Boolean	Required	API processing result `true` \| `false` `true`: succeeded `false`: failed
`id`	String	Optional	Creation/modification result ID Use in creation, multiple addition/deletion APIs.
`message`	String	Optional	API processing result message

ErrorResponse
ErrorResponse defines API call failure information. The following describes ErrorResponse.

Field	Type	Required	Description
errorCode	Integer	Required	Errors
message	String	Required	Error message

Response status codes

The following describes the response status codes.

HTTP status code	Code	Message	Description
400	400	The user is not a member of this group.	Input of a user not belonging to the group
400	400	The permission set doesn't exist.	No permission set exists.
400	400	The application name already exists.	Input of an existing application name
400	400	Tenant already exists	Tenant already exists.
400	400	The login ID is already in use.	Login ID already in use entered
400	500	The policy doesn't exist.	Non-existent policy name entered
400	9016	The application does not exist.	Non-existent application ID entered
400	9020	There is a registered identity provider.	External IdP already exists
400	9021	This identify provider doesn't exist.	Non-existent external IdP
400	9023	The identity provider can't be deleted while the organization is integrated.	Unable to delete identity provider while organization is integrated
400	9024	Invalid metadata format.	Metadata format error
400	9025	There is no certificate information for signing in the metadata.	No certificate information for signing metadata
400	9026	There are two or more certificates for signing in the metadata.	Two or more certificates for signing exist in the metadata.
400	9027	There is no SingleSignOnService binding in the metadata.	No protocol binding information in metadata
400	9028	There is no SingleSignOnService location in the metadata.	No SAML login URL information mapped to the binding protocol in metadata
400	9029	There is no entityId in the metadata.	No `entityID` information in metadata
400	9030	There is no IdPSSODescriptor in the metadata.	No `IDPSSODescriptor` information in metadata
400	9031	There is no SingleSignOnService in the metadata.	No SingleSignOnService in metadata
400	9032	There is no SingleSignOnService POST binding or Redirect binding in the metadata.	No HTTP-POST or HTTP-Redirect information in metadata
400	9033	The idpSigninUrl value is not in URL format.	idpSigninUrl value format error
400	9034	There is no KeyInfo in the metadata.	No `KeyInfo` information in metadata
400	9035	This is not the master account of the organization.	Organization integration requested with non-master account
400	9036	The organization doesn't exist.	Organization doesn't exist in master account
400	9046	Invalid certificate format.	Errors in certificate format for metadata signing
400	9050	This user doesn't exist.	Non-existent SSO user ID entered
400	9060	The group name already exists.	Group name already in use entered
400	9061	This group doesn't exist.	Non-existent group ID entered
400	9070	The permission set name already exists.	Permission set name already in use entered
400	9071	At least one policy must be selected.	Policy ID not entered
400	9072	This system managed policy doesn't exist.	Non-existent System Managed policy ID entered
400	9073	The permission set doesn't exist.	Non-existent permission set ID entered
400	9080	Assignment does not exist.	Non-existent assignment ID entered
400	9081	The assignment target doesn't match.	Non-matching assignment target entered
400	9083	The assignment target doesn't exist.	Non-existent assignment target entered
400	9084	An assignment created with the specified account and permission set already exists.	Assignment created with the same information already exists.
400	9085	The assigned account is invalid.	Non-existent account number entered
400	9086	A target already exists in the assignment.	Target information already added entered
400	9087	The Assignment name already exists.	Assignment name already in use entered
400	9100	The IP ACL does not exist.	Non-existent IP ACL ID entered
400	9101	IP ACL destination cannot be empty.	Assignment ID missing
400	9102	A target already exists in the assignment.	Assignment ID already added entered
400	9103	Assignment - remaining IP ACL mapping exists.	Unable to delete because assignment is added to IP ACL
400	9104	IP ACL destination does not match.	Non-existent assignment - IP ACL mapping information entered
400	9105	Assignment - IP ACL mapping does not exist.	Assignment - IP ACL mapping information that already exists entered
400	9106	Invalid access restriction setting for Assignment.	Assignment access control status is `false`
400	9110	An MFA device already exists.	MFA device already exists for SSO user
400	9111	Invalid OTP.	Invalid OTP information entered
400	9112	The MFA device does not exist.	MFA device doesn't exist for SSO user
400	9113	Two-factor authentication not applied.	Two-factor authentication not applied

Note

For response status codes common to NAVER Cloud Platform, see Ncloud API response status codes.

Response example

The response example is as follows:

Succeeded
The following is a sample response upon a successful call.

ProcessResult

{
    "id": "",
    "success": true
}

Failure
The following is a sample response upon a failed call.

{
    "errorCode": 9060,
    "message": "The group name already exists."
}

Ncloud Single Sign-On API

The following describes the APIs provided by the Ncloud Single Sign-On service.

Application

The following describes the application-related APIs.

API	Description
Get application list	Get application list.
Get application	Get details of a single application.
Create application	Create application.
Edit application	Edit application information.
Delete application	Delete application.
Reissue OAuth 2.0 client secret	Reissue OAuth 2.0 client secret.

Tenant

The following describes the tenant-related APIs.

API	Description
Get tenant	Get tenant.
Create tenant	Create tenant.
Edit tenant	Edit tenant information.
Delete tenant	Delete tenant.

External IdP

The following describes the external IdP-related APIs.

API	Description
Get external IdP	Get external IdP.
Create external IdP	Create external IdP.
Edit external IdP	Edit external IdP information.
Delete External IdP	Delete External IdP.
Get attribute mapper	Get attribute mapper.
Edit attribute mapper	Edit attribute mapper.
Parse external IdP metadata	Parse external IdP metadata.
Get Ncloud Single Sign-On metadata	Get Ncloud Single Sign-On metadata.
Get Ncloud Single Sign-On URL data	Get Ncloud Single Sign-On URL data.
Set external IDP login	Set external IDP login information.
Set Organization integration	Integrate Organization.

SSO User

The following describes the SSO user-related APIs.

API	Description
Get SSO user list	Get SSO user list.
Get SSO user	Get details of a single SSO user.
Create SSO user	Create a single SSO user.
Bulk create SSO users	Bulk create SSO users of one or more.
Edit SSO user	Edit SSO user information.
Bulk delete SSO users	Bulk delete SSO users of one or more.
Delete SSO user	Delete SSO user.
Check SSO user login ID	Check validity and duplication of SSO user login ID.
Get SSO user access rule	Get SSO user access rule.
Edit SSO user access rule	Edit SSO user access rule.
Get SSO user profile	Get SSO user profile.
Get SSO user group list	Get group list.
Get SSO user group	Get single group details.
Add SSO user group	Add SSO user to group.
Delete SSO user group	Delete SSO user from group.
Set SSO user status	Enable or disable SSO user.
Get SSO user session	Get SSO user session.
Expire SSO user session	Expire SSO user session.
Get SSO user assignment list	Get the list of assignments the SSO user belongs to.
Delete SSO user assignment	Delete SSO user from assignment.
Get SSO user MFA device list	Get MFA device owned by SSO user.
Add SSO user MFA device	Add MFA device to SSO user.
Delete SSO user MFA device	Delete MFA device owned by SSO user.

Group

The following describes the group-related APIs.

API	Description
Get group list	Get group list.
Get group	Get single group details.
Create group	Create group.
Edit group	Edit group information.
Delete group list	Bulk delete groups of one or more.
Delete group	Delete group.
Check group name	Check validity and duplication of group name.
Get SSO user list of group	Get the list of SSO users in the group.
Add SSO user to group	Add group to SSO user.
Delete SSO user of group	Delete SSO user from group.
Get group assignment list	Get the list of assignments the group belongs to.
Delete group assignment	Delete group from assignment.

Permission Set

The following describes the permission set-related APIs.

API	Description
Get permission set list	Get permission set list.
Get permission set	Get details of a single permission set.
Create permission set	Create permission set.
Edit permission set	Edit permission set information.
Delete permission set list	Bulk delete permission sets of one or more.
Delete permission set	Delete permission set.
Check permission set name	Check validity and duplication of permission set name.
Delete permission set policy	Delete policy assigned to permission set.
Get system managed policy list	Get the list of System Managed policies that can be assigned to permission set.
Check existence of user created policy	Check for the existence of User Created policy in permission set.

Assignment

The following describes the assignment-related APIs.

API	Description
Get assignment list	Get assignment list.
Get assignment	Get details of a single assignment.
Create assignment	Create assignment.
Edit assignment	Edit assignment information.
Delete assignment	Delete assignment.
Set assignment status	Enable or disable assignment.
Get assignment target list	Get the list of targets (SSO users, groups) added to assignment.
Add assignment target	Add target (SSO user, group) to assignment.
Delete assignment target	Delete target (SSO user, group) from assignment.
Get IP ACL assignment list	Get the list of IP ACLs added to assignment.
Add IP ACL to assignment	Add IP ACL to assignment.
Delete IP ACL from assignment	Delete IP ACL added to assignment.
Get assignment account list	Get the list of accounts added to organization.
Check existence of user created policy	Check for the existence of User Created policy in target account.

IP ACL

The following describes the IP ACL-related APIs.

API	Description
Get IP ACL list	Get IP ACL list.
Get IP ACL	Get details of a single IP ACL.
Create IP ACL	Create IP ACL.
Edit IP ACL	Edit IP ACL information.
Delete IP ACL list	Bulk delete IP ACLs of one or more.
Delete IP ACL	Delete IP ACL.
Check IP ACL name	Check validity and duplication of IP ACL name.
Get IP ACL assignment list	Get the list of assignments added to IP ACL.
Add assignment to IP ACL	Add assignment to IP ACL.
Delete assignment of IP ACL	Delete assignment from IP ACL.

Ncloud Single Sign-On related resources

NAVER Cloud Platform provides a variety of related resources to help users better understand Ncloud Single Sign-On APIs.

Ncloud Single Sign-On API guide
- Create signature: how to create a signature to add to the request header
- API Gateway User Guide: how to issue the API key to be added to the request header
- Sub Account User Guide: how to issue the access key to be added to the request header
- Common Ncloud response status codes: information on common response status codes of NAVER Cloud Platform used by the Ncloud Single Sign-On service
Ncloud Single Sign-On service guide
- Ncloud Single Sign-On User Guide: how to use Ncloud Single Sign-On from the NAVER Cloud Platform console
- Ncloud use environment guide: guide for VPC and Classic environments and support availability
- Introduction to pricing, characteristics, and detailed features: summary of pricing system, characteristics, and detailed features of Ncloud Single Sign-On
- Latest service news: the latest news on Ncloud Single Sign-On service
- FAQ: frequently asked questions from the Ncloud Single Sign-On service users
- Contact us: Send direct inquiries for unresolved questions that aren't answered by the API guide