Documentation Suite v12.4

Submit Search

POST PAM Providers

The POST /PamProviders method creates a new PAM provider. This method returns HTTP 200 OK on a success with details for the new provider.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/pam/modify/

/pam/modify/#/ (where # is a reference to a specific PAM provider ID)

Permissions for PAM providers and certificate stores can be set at either the global or PAM provider level. See PAM Permissions for more information about global vs PAM provider permissions.

This method has two available versions. Keyfactor recommends using the newer method when possible. For more information about versioning, see Versioning.

Version 2

Version 1

Version 2 of the POST /PamProviders method has been redesigned to remove references to PAM associations with areas and containers.

Table 522: POST PamProviders v2 Input Parameters

Name In Description

Name

Body

Required. A string indicating the name of the PAM provider. This name is used to identify the PAM provider throughout Keyfactor Command.

Important: The name you give to your PAM provider in Keyfactor Command must match the name of the PAM provider as referenced in the manifest.json file (see Installing Custom PAM Provider Extensions).

Provider Type

Body

Required. An object containing details about the provider type for the provider. Only the provider type ID is needed on input. Show provider type details.

Value	Description
Id	Required. A string indicating the Keyfactor Command reference GUID for the provider type.

Provider Type Param Values

Body

Required^*. An array of objects containing the values for the provider types specified by ProviderTypeParam. Values are only required in this field if the Remote parameter is set to false. Show provider type parameter value details.

Value

Description

Value

Required. A string indicating the value set for the parameter (e.g. the name of the CyberArk folder where the protected object that stores the username or password resides).

Instance Id

An integer indicating the Keyfactor Command reference ID for the provider. If you are attaching to something with an integer Id, this will be used.

This is considered deprecated and may be removed in a future release.

Instance Guid

A string indicating the Keyfactor Command reference GUID for the provider. If you are attaching to something with a GUID ID, this will be used.

This is considered deprecated and may be removed in a future release.

Provider Type Param

An object indicating parameters that the provider type uses for data input in Keyfactor Command when creating new PAM provider and certificate store records. Show provider type parameters.

Value	Description
Id	Required. An integer indicating the Keyfactor Command reference ID for the PAM provider type parameter.
Name	A string indicating the internal name for the PAM provider type parameter.
Display Name	A string indicating the display name for the PAM provider type parameter. For parameters with an InstanceLevel of False, this name appears on the PAM provider dialog for the parameter when a user creates a new PAM provider. For parameters with an InstanceLevel of True, this name appears on the Server dialog for the parameter when a user creates a new PAM provider.
Instance Level	A Boolean that sets whether the parameter is used to define the underlying PAM provider (False) or a field that needs to be set to a value when configuring a certificate store to use the PAM provider (True). See example, above.

Example: When creating a new PAM provider for Delinea local to Keyfactor Command, your POST body might look like:

Copy

{
   "name": "PAMProviders.Delinea.PAMProvider",
   "providerType": {
      "id": "bd1762ce-3ea5-41fb-bfb4-1b6de6393fa3"
   },
   "providerTypeParamValues": [
      {
         "providerTypeParam": {
            "Id": 19
         },
         "Value": "https://MyDelineaURL"
      },
      {
         "providerTypeParam": {
            "Id": 20
         },
         "Value": "MyDelineaServiceAccountUser"
      },
      {
         "providerTypeParam": {
            "Id": 21
         },
         "Value": "MySuperSecretPasswordtoAccessDelinea"
      }
   ]
}

Remote Body A Boolean indicating whether the PAM provider is local to the Keyfactor Command server (false) or local to the orchestrator (true). The default is false.

Table 523: POST PamProviders v2 Response Data

Name Description

Id An integer indicating the Keyfactor Command reference ID for the PAM provider. This ID is automatically set by Keyfactor Command.

Name

A string indicating the name of the PAM provider. This name is used to identify the PAM provider throughout Keyfactor Command.

Provider Type

An object containing details about the provider type for the provider. Show provider type details.

Value

Description

A string indicating the Keyfactor Command reference GUID for the provider type.

Name

A string indicating the name of the provider type.

Provider Type Params

An array of objects indicating parameters that the provider type uses for data input in Keyfactor Command when creating new PAM provider records and records using PAM providers. Show provider type parameters.

Value

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider type.

Name

A string indicating the internal name for the PAM provider type parameter.

Display Name A string indicating the display name for the PAM provider type parameter. For provider types with an InstanceLevel of False, this name appears on the PAM provider dialog when a user creates a new PAM provider. For parameters with an InstanceLevel of True, this name appears on the dialog when a user creates a new record using the PAM provider (e.g. a new certificate store using PAM for authentication).

Data Type

An integer indicating the data type for the parameter. Possible values are:

1 = String
2 = Secret

Instance Level

A Boolean that sets whether the parameter is used to define the underlying PAM provider (False) or a field that needs to be set to a value when configuring a record (e.g. a certificate store) to use the PAM provider (True).

Example: For Delinea when defining a PAM provider, you configure two Delinea-specific fields:

Secret Server URL: The URL to the Secret Server vault instance, including port number if applicable (e.g. https://websrvr38.keyexample.com/SecretServer).
Secret Server Username: The name of the user that will be used to connect to SecretServer.
Secret Server Password: The password of the user that will be used to connect to SecretServer.

Because these fields are configured on the PAM provider definition, they appear as InstanceLevel=False like so:

Copy

{
   "Name": "Host",
   "DisplayName":"Secret Server URL", 
   "InstanceLevel":false,
   "DataType": "string"
},
{
   "Name":"Username",
   "DisplayName":"Secret Server Username", 
   "InstanceLevel":false,
   "DataType": "secret"
},
{
   "Name":"Password",
   "DisplayName":"Secret Server Password", 
   "InstanceLevel":false,
   "DataType": "secret"
}

When you configure a certificate store to use Delinea as a credential provider, you enter the name of the secret field in Delinea referencing the protected object and you enter the ID of the projected object containing the username or password used to access the certificate store. Because these fields are configured on the certificate store level, they appear as InstanceLevel=True like so:

Copy

{
   "Name":"SecretId",
   "DisplayName":"Secret Server Secret ID", 
   "InstanceLevel":true,
   "DataType": "string"
},
{
   "Name":"SecretFieldName",
   "DisplayName":"Secret Field Name", 
   "InstanceLevel":true,
   "DataType": "string"
}

In both cases, the values for the fields (e.g. the actual name of the object in Delinea where the password is stored) are stored in the ProviderTypeParamValues array.

Provider Type

An object containing details for the provider type. Show provider type details.

Value	Description
Id	A string indicating the Keyfactor Command reference GUID for the PAM provider type parameter.
Name	A string indicating the internal name for the PAM provider type.
Provider Type Params	An array of objects indicating parameters that the provider type uses for data input in Keyfactor Command when creating new records.

Provider Type Param Values

An array of objects containing the values for the provider types specified by ProviderTypeParam. . Show provider type parameter value details.

Value

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider type parameter.

Value

A string indicating the value set for the parameter (e.g. the name of the CyberArk folder where the protected object that stores the username or password resides).

Instance Id

An integer indicating the Keyfactor Command reference ID for the provider. If you are attaching to something with an integer Id, this will be used.

This is considered deprecated and may be removed in a future release.

Instance Guid

A string indicating the Keyfactor Command reference GUID for the provider. If you are attaching to something with a GUID ID, this will be used.

This is considered deprecated and may be removed in a future release.

Provider Type Param

An object indicating parameters that the provider type uses for data input in Keyfactor Command when creating new PAM provider and certificate store records. Show provider type parameters.

Value	Description
Id	An integer indicating the Keyfactor Command reference ID for the PAM provider type parameter.
Name	A string indicating the internal name for the PAM provider type parameter.
Display Name	A string indicating the display name for the PAM provider type parameter. For parameters with an InstanceLevel of False, this name appears on the PAM provider dialog for the parameter when a user creates a new PAM provider. For parameters with an InstanceLevel of True, this name appears on the Server dialog for the parameter when a user creates a new PAM provider.
Instance Level	A Boolean that sets whether the parameter is used to define the underlying PAM provider (False) or a field that needs to be set to a value when configuring a certificate store to use the PAM provider (True). See example, above.

Remote A Boolean indicating whether the PAM provider is local to the Keyfactor Command server (false) or local to the orchestrator (true). The default is false.

Version 1 of the POST /PamProviders method includes the same capabilities as version 2 except it includes references to the deprecated parameters related to the area of Keyfactor Command to which the PAM provider applies.

Table 524: POST PamProviders v1 Input Parameters

Name In Description

Name

Body

Required. A string indicating the name of the PAM provider. This name is used to identify the PAM provider throughout Keyfactor Command.

Provider Type

Body

Required. An object containing details about the provider type for the provider. Only the provider type ID is needed on input. Show provider type details.

Value	Description
Id	Required. A string indicating the Keyfactor Command reference GUID for the provider type.

Provider Type Param Values

Body

Value

Description

Value

Required. A string indicating the value set for the parameter (e.g. the name of the CyberArk folder where the protected object that stores the username or password resides).

Instance Id

An integer indicating the Keyfactor Command reference ID for the provider. If you are attaching to something with an integer Id, this will be used.

This is considered deprecated and may be removed in a future release.

Instance Guid

A string indicating the Keyfactor Command reference GUID for the provider. If you are attaching to something with a GUID ID, this will be used.

This is considered deprecated and may be removed in a future release.

Provider Type Param

An object indicating parameters that the provider type uses for data input in Keyfactor Command when creating new PAM provider and certificate store records. Show provider type parameters.

Value	Description
Id	Required. An integer indicating the Keyfactor Command reference ID for the PAM provider type parameter.
Name	A string indicating the internal name for the PAM provider type parameter.
Display Name	A string indicating the display name for the PAM provider type parameter. For parameters with an InstanceLevel of False, this name appears on the PAM provider dialog for the parameter when a user creates a new PAM provider. For parameters with an InstanceLevel of True, this name appears on the Server dialog for the parameter when a user creates a new PAM provider.
Instance Level	A Boolean that sets whether the parameter is used to define the underlying PAM provider (False) or a field that needs to be set to a value when configuring a certificate store to use the PAM provider (True). See example, above.

Example: When creating a new PAM provider for Delinea local to Keyfactor Command, your POST body might look like:

Copy

{
   "name": "PAMProviders.Delinea.PAMProvider",
   "providerType": {
      "id": "bd1762ce-3ea5-41fb-bfb4-1b6de6393fa3"
   },
   "providerTypeParamValues": [
      {
         "providerTypeParam": {
            "Id": 19
         },
         "Value": "https://MyDelineaURL"
      },
      {
         "providerTypeParam": {
            "Id": 20
         },
         "Value": "MyDelineaServiceAccountUser"
      },
      {
         "providerTypeParam": {
            "Id": 21
         },
         "Value": "MySuperSecretPasswordtoAccessDelinea"
      }
   ]
}

Remote Body A Boolean indicating whether the PAM provider is local to the Keyfactor Command server (false) or local to the orchestrator (true). The default is false.

Table 525: POST PamProviders v2 Response Data

Name Description

Id An integer indicating the Keyfactor Command reference ID for the PAM provider. This ID is automatically set by Keyfactor Command.

Name

A string indicating the name of the PAM provider. This name is used to identify the PAM provider throughout Keyfactor Command.

Area

An integer indicating the area of Keyfactor Command the provider is used for.

This is considered deprecated and may be removed in a future release.

Provider Type

An object containing details about the provider type for the provider. Show provider type details.

Value

Description

A string indicating the Keyfactor Command reference GUID for the provider type.

Name

A string indicating the name of the provider type.

Provider Type Params

Value

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider type.

Name

A string indicating the internal name for the PAM provider type parameter.

Data Type

An integer indicating the data type for the parameter. Possible values are:

1 = String
2 = Secret

Instance Level

Example: For Delinea when defining a PAM provider, you configure two Delinea-specific fields:

Secret Server URL: The URL to the Secret Server vault instance, including port number if applicable (e.g. https://websrvr38.keyexample.com/SecretServer).
Secret Server Username: The name of the user that will be used to connect to SecretServer.
Secret Server Password: The password of the user that will be used to connect to SecretServer.

Because these fields are configured on the PAM provider definition, they appear as InstanceLevel=False like so:

Copy

{
   "Name": "Host",
   "DisplayName":"Secret Server URL", 
   "InstanceLevel":false,
   "DataType": "string"
},
{
   "Name":"Username",
   "DisplayName":"Secret Server Username", 
   "InstanceLevel":false,
   "DataType": "secret"
},
{
   "Name":"Password",
   "DisplayName":"Secret Server Password", 
   "InstanceLevel":false,
   "DataType": "secret"
}

Copy

{
   "Name":"SecretId",
   "DisplayName":"Secret Server Secret ID", 
   "InstanceLevel":true,
   "DataType": "string"
},
{
   "Name":"SecretFieldName",
   "DisplayName":"Secret Field Name", 
   "InstanceLevel":true,
   "DataType": "string"
}

In both cases, the values for the fields (e.g. the actual name of the object in Delinea where the password is stored) are stored in the ProviderTypeParamValues array.

Provider Type

An object containing details for the provider type. Show provider type details.

Value	Description
Id	A string indicating the Keyfactor Command reference GUID for the PAM provider type parameter.
Name	A string indicating the internal name for the PAM provider type.
Provider Type Params	An array of objects indicating parameters that the provider type uses for data input in Keyfactor Command when creating new records.

Provider Type Param Values

An array of objects containing the values for the provider types specified by ProviderTypeParam. . Show provider type parameter value details.

Value

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider type parameter.

Value

A string indicating the value set for the parameter (e.g. the name of the CyberArk folder where the protected object that stores the username or password resides).

Instance Id

An integer indicating the Keyfactor Command reference ID for the provider. If you are attaching to something with an integer Id, this will be used.

This is considered deprecated and may be removed in a future release.

Instance Guid

A string indicating the Keyfactor Command reference GUID for the provider. If you are attaching to something with a GUID ID, this will be used.

This is considered deprecated and may be removed in a future release.

Provider Type Param

An object indicating parameters that the provider type uses for data input in Keyfactor Command when creating new PAM provider and certificate store records. Show provider type parameters.

Value	Description
Id	An integer indicating the Keyfactor Command reference ID for the PAM provider type parameter.
Name	A string indicating the internal name for the PAM provider type parameter.
Display Name	A string indicating the display name for the PAM provider type parameter. For parameters with an InstanceLevel of False, this name appears on the PAM provider dialog for the parameter when a user creates a new PAM provider. For parameters with an InstanceLevel of True, this name appears on the Server dialog for the parameter when a user creates a new PAM provider.
Instance Level	A Boolean that sets whether the parameter is used to define the underlying PAM provider (False) or a field that needs to be set to a value when configuring a certificate store to use the PAM provider (True). See example, above.

Remote A Boolean indicating whether the PAM provider is local to the Keyfactor Command server (false) or local to the orchestrator (true). The default is false.

Secure Area Id

An integer indicating the Keyfactor Command reference ID for the certificate store container the PAM provider is associated with, if any.

This is considered deprecated and may be removed in a future release.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Version v12.4

On this page: