TestIdentityProvider - AWS Transfer Family

TestIdentityProvider

If the IdentityProviderType of a file transfer protocol-enabled server is AWS_DIRECTORY_SERVICE or API_GATEWAY, tests whether your identity provider is set up successfully. We highly recommend that you call this operation to test your authentication method as soon as you create your server. By doing so, you can troubleshoot issues with the identity provider integration and confirm that your users can successfully use the service.

The ServerId and UserName parameters are required. The ServerProtocol, SourceIp, and UserPassword are all optional.

Note

You cannot use TestIdentityProvider if the IdentityProviderType of your server is SERVICE_MANAGED.

  • If you provide any incorrect values for any parameters, the Response field is empty.

  • If you provide a server ID for a server that uses service-managed users, you get an error:

    An error occurred (InvalidRequestException) when calling the TestIdentityProvider operation: s-server-ID not configured for external auth

  • If you enter a Server ID for the --server-id parameter that does not identify an actual Transfer server, you receive the following error:

    An error occurred (ResourceNotFoundException) when calling the TestIdentityProvider operation: Unknown server

Request Syntax

{
   "ServerId": "string",
   "ServerProtocol": "string",
   "SourceIp": "string",
   "UserName": "string",
   "UserPassword": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

ServerId

A system-assigned identifier for a specific server. That server's user authentication method is tested with a user name and password.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

ServerProtocol

The type of file transfer protocol to be tested.

The available protocols are:

  • Secure Shell (SSH) File Transfer Protocol (SFTP)

  • File Transfer Protocol Secure (FTPS)

  • File Transfer Protocol (FTP)

Type: String

Valid Values: SFTP | FTP | FTPS

Required: No

SourceIp

The source IP address of the user account to be tested.

Type: String

Length Constraints: Maximum length of 32.

Pattern: ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$

Required: No

UserName

The name of the user account to be tested.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Required: Yes

UserPassword

The password of the user account to be tested.

Type: String

Length Constraints: Maximum length of 1024.

Required: No

Response Syntax

{
   "Message": "string",
   "Response": "string",
   "StatusCode": number,
   "Url": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Message

A message that indicates whether the test was successful or not.

Note

If an empty string is returned, the most likely cause is that the authentication failed due to an incorrect username or password.

Type: String

Response

The response that is returned from your API Gateway.

Type: String

StatusCode

The HTTP status code that is the response from your API Gateway.

Type: Integer

Url

The endpoint of the service used to authenticate a user.

Type: String

Length Constraints: Maximum length of 255.

Errors

For information about the errors that are common to all actions, see Common Errors.

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following request returns a message from an identity provider that a user name and password combination is a valid identity to use with AWS Transfer Family.

Sample Request

{
   "ServerId": "s-01234567890abcdef",
   "UserName": "my_user",
   "UserPassword": "MyPassword-1"
}

Example

The following response shows a sample response for a successful test.

Sample Response

{
   "Response": "{\"homeDirectory\":\"/mybucket001\",\"homeDirectoryDetails\":null,\"homeDirectoryType\":\"PATH\",\"posixProfile\":null,\"publicKeys\":\"[ssh-rsa-key]\",\"role\":\"arn:aws:iam::123456789012:role/my_role\",\"policy\":null,\"username\":\"transferuser002\",\"identityProviderType\":null,\"userConfigMessage\":null}",
   "StatusCode": 200,
   "Message": ""
}

Example

The following response indicates that the specified user belongs to more than one group that has access.

{
   "Response": "",
   "StatusCode": 200,
   "Message": "More than one associated access found for user's groups."
}

Example

If you have created and configured a custom identity provider by using an API Gateway, you can enter the following command to test your user:

aws transfer test-identity-provider --server-id s-0123456789abcdefg --user-name myuser

where s-0123456789abcdefg is your transfer server, and myuser is the username for your custom user.

If the command succeeds, your response is similar to the following, where:

  • AWS account ID is 012345678901

  • User role is user-role-api-gateway

  • Home directory is myuser-bucket

  • Public key is public-key

  • Invocation URL is invocation-URL

{
   "Response": "{\"Role\": \"arn:aws:iam::012345678901:role/user-role-api-gateway\",\"HomeDirectory\": \"/myuser-bucket\",\"PublicKeys\": \"[public-key]\"}",
   "StatusCode": 200,
   "Message": "",
   "Url": "https://invocation-URL/servers/s-0123456789abcdefg/users/myuser/config"
}
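The following Python script is an added example, not AWS code and not part of this reference page. It drives the call shown in the CLI example above through boto3's test_identity_provider method and classifies the result using the rules this page states: an empty Response means the credentials were rejected (or a parameter was malformed), a Message with an empty Response is the "more than one associated access" case, and a non-empty Response is the user configuration the provider returned. Before calling, it checks ServerId, UserName and SourceIp against the patterns and length constraints from the Request Parameters section, so a malformed request is not mistaken for a failed login. The expected-role comparison and the second probe with a random bogus password are my additions as security checks; the SAMPLE_RESULTS are transcribed from the sample responses on this page so the parsing runs offline. boto3 and AWS credentials are needed only for the live call; the region argument and the script name test_idp.py are assumptions.

```python
"""Added example: validate TestIdentityProvider inputs, call it, and classify the result."""
import getpass
import json
import re
import secrets
import sys
from typing import Any, Dict, List, Optional

# Constraints copied from the request-parameter table on this page; re.ASCII keeps \w at [A-Za-z0-9_].
SERVER_ID_RE = re.compile(r"^s-([0-9a-f]{17})$")
USER_NAME_RE = re.compile(r"^[\w][\w@.-]{2,99}$", re.ASCII)
SOURCE_IP_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", re.ASCII)

# Constructed offline samples, transcribed from the sample responses on this page.
SAMPLE_RESULTS: Dict[str, Dict[str, Any]] = {
    "accepted": {
        "Response": json.dumps({"Role": "arn:aws:iam::012345678901:role/user-role-api-gateway",
                                "HomeDirectory": "/myuser-bucket", "PublicKeys": "[public-key]"}),
        "StatusCode": 200, "Message": "",
        "Url": "https://invocation-URL/servers/s-0123456789abcdefg/users/myuser/config",
    },
    "rejected": {"Response": "", "StatusCode": 200, "Message": ""},
    "ambiguous": {"Response": "", "StatusCode": 200,
                  "Message": "More than one associated access found for user's groups."},
}


def validate_request(server_id: str, user_name: str, source_ip: Optional[str] = None) -> List[str]:
    """Return the parameter problems (empty when well formed). A malformed parameter makes the
    service return an empty Response, which looks exactly like a rejected password, so check first."""
    problems: List[str] = []
    if len(server_id) != 19 or not SERVER_ID_RE.match(server_id):
        problems.append(f"ServerId {server_id!r} must be 19 chars matching {SERVER_ID_RE.pattern}")
    if not 3 <= len(user_name) <= 100 or not USER_NAME_RE.match(user_name):
        problems.append(f"UserName {user_name!r} must match {USER_NAME_RE.pattern}")
    if source_ip is not None and (len(source_ip) > 32 or not SOURCE_IP_RE.match(source_ip)
                                  or any(int(o) > 255 for o in source_ip.split("."))):
        # the octet-range check is stricter than the documented pattern, which only fixes the shape
        problems.append(f"SourceIp {source_ip!r} is not a dotted-quad IPv4 address")
    return problems


def interpret_result(result: Dict[str, Any], expected_role: Optional[str] = None) -> Dict[str, Any]:
    """Classify one TestIdentityProvider result. outcome is one of: accepted (a user configuration
    came back), rejected (empty Response: bad credentials or a malformed request), ambiguous
    (a Message but no configuration, e.g. the multiple-groups case) or provider_error."""
    status = result.get("StatusCode")
    message = result.get("Message") or ""
    raw = result.get("Response") or ""
    if status is not None and int(status) != 200:
        return {"outcome": "provider_error", "status": status, "message": message}
    if not raw.strip():
        return {"outcome": "ambiguous" if message else "rejected", "message": message}
    try:
        config = json.loads(raw)
    except json.JSONDecodeError as exc:
        config = None
        message = f"Response is not JSON: {exc}"
    if not isinstance(config, dict):
        return {"outcome": "provider_error", "status": status,
                "message": message or "Response is not a JSON object"}
    cfg = {str(k).lower(): v for k, v in config.items()}  # API Gateway sample: Role; Directory Service: role
    role = cfg.get("role")
    findings: List[str] = []
    if not role:
        findings.append("no Role in Response: the session would get no IAM permissions")
    elif expected_role and role != expected_role:
        findings.append(f"Role {role!r} differs from the expected {expected_role!r}")
    return {"outcome": "accepted", "role": role, "home_directory": cfg.get("homedirectory"),
            "public_keys": cfg.get("publickeys"), "message": message, "findings": findings}


def probe(server_id: str, user_name: str, password: str, *, source_ip: Optional[str] = None,
          protocol: Optional[str] = None, expected_role: Optional[str] = None,
          region: Optional[str] = None) -> Dict[str, Any]:
    """Live call (needs AWS credentials): validate, call test_identity_provider, classify."""
    problems = validate_request(server_id, user_name, source_ip)
    if problems:
        raise ValueError("; ".join(problems))
    import boto3  # imported here so validation and parsing work offline without boto3 installed
    params: Dict[str, Any] = {"ServerId": server_id, "UserName": user_name, "UserPassword": password}
    if source_ip:
        params["SourceIp"] = source_ip
    if protocol:
        params["ServerProtocol"] = protocol
    client = boto3.client("transfer", region_name=region)
    return interpret_result(client.test_identity_provider(**params), expected_role)


if __name__ == "__main__":
    if len(sys.argv) < 3:  # offline demo over the transcribed samples
        for name, sample in SAMPLE_RESULTS.items():
            print(name, "->", interpret_result(sample))
    else:  # python test_idp.py s-... user [expected-role-arn]; password is prompted, not on the command line
        sid, user, expected = sys.argv[1], sys.argv[2], (sys.argv[3] if len(sys.argv) > 3 else None)
        print("real password:", probe(sid, user, getpass.getpass("password: "), expected_role=expected))
        bad = probe(sid, user, secrets.token_urlsafe(24), expected_role=expected)
        print("bogus password:", bad)  # a provider that still returns a configuration accepts anyone
        if bad["outcome"] != "rejected":
            print("WARNING: provider did not reject a bogus password", file=sys.stderr)
```

Run it with no arguments to see the three transcribed samples classified; run it with a server ID and user name to test a live provider. The second, bogus-password probe is the check worth keeping in a deployment pipeline: a custom provider that returns a Role for any password is a full authentication bypass, and this operation is the cheapest way to catch it. Note that the placeholder s-0123456789abcdefg used in the CLI example above contains a "g" and therefore fails the documented ServerId pattern; the validator rejects it, while the 19-character ID from the sample request (s-01234567890abcdef) passes.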

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: