TestIdentityProvider - AWS Transfer Family

TestIdentityProvider

If the IdentityProviderType of a file transfer protocol-enabled server is AWS_DIRECTORY_SERVICE or API_Gateway, tests whether your identity provider is set up successfully. We highly recommend that you call this operation to test your authentication method as soon as you create your server. By doing so, you can troubleshoot issues with the identity provider integration to ensure that your users can successfully use the service.

The ServerId and UserName parameters are required. The ServerProtocol, SourceIp, and UserPassword are all optional.

Note the following:

  • You cannot use TestIdentityProvider if the IdentityProviderType of your server is SERVICE_MANAGED.

  • TestIdentityProvider does not work with keys: it only accepts passwords.

  • TestIdentityProvider can test the password operation for a custom Identity Provider that handles keys and passwords.

  • If you provide any incorrect values for any parameters, the Response field is empty.

  • If you provide a server ID for a server that uses service-managed users, you get an error:

    An error occurred (InvalidRequestException) when calling the TestIdentityProvider operation: s-server-ID not configured for external auth

  • If you enter a Server ID for the --server-id parameter that does not identify an actual Transfer server, you receive the following error:

    An error occurred (ResourceNotFoundException) when calling the TestIdentityProvider operation: Unknown server.

    It is possible your server is in a different region. You can specify a region by adding the following: --region region-code, such as --region us-east-2 to specify a server in US East (Ohio).

Request Syntax

{
   "ServerId": "string",
   "ServerProtocol": "string",
   "SourceIp": "string",
   "UserName": "string",
   "UserPassword": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

ServerId

A system-assigned identifier for a specific server. That server's user authentication method is tested with a user name and password.

Type: String

Length Constraints: Fixed length of 19.

Pattern: s-([0-9a-f]{17})

Required: Yes

ServerProtocol

The type of file transfer protocol to be tested.

The available protocols are:

  • Secure Shell (SSH) File Transfer Protocol (SFTP)

  • File Transfer Protocol Secure (FTPS)

  • File Transfer Protocol (FTP)

  • Applicability Statement 2 (AS2)

Type: String

Valid Values: SFTP | FTP | FTPS | AS2

Required: No

SourceIp

The source IP address of the account to be tested.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 32.

Pattern: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

Required: No

UserName

The name of the account to be tested.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: [\w][\w@.-]{2,99}

Required: Yes

UserPassword

The password of the account to be tested.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 1024.

Required: No

Response Syntax

{
   "Message": "string",
   "Response": "string",
   "StatusCode": number,
   "Url": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Message

A message that indicates whether the test was successful or not.

Note

If an empty string is returned, the most likely cause is that the authentication failed due to an incorrect username or password.

Type: String

Response

The response that is returned from your API Gateway or your Lambda function.

Type: String

StatusCode

The HTTP status code that is the response from your API Gateway or your Lambda function.

Type: Integer

Url

The endpoint of the service used to authenticate a user.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 255.

Errors

For information about the errors that are common to all actions, see Common Errors.

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following request returns a message from an identity provider that a user name and password combination is a valid identity to use with AWS Transfer Family.

Sample Request

{
   "ServerId": "s-01234567890abcdef",
   "UserName": "my_user",
   "UserPassword": "MyPassword-1"
}

Example

The following response shows a sample response for a successful test.

Sample Response

{
   "Response": "{\"homeDirectory\":\"/mybucket001\",\"homeDirectoryDetails\":null,\"homeDirectoryType\":\"PATH\",\"posixProfile\":null,\"publicKeys\":\"[ssh-rsa-key]\",\"role\":\"arn:aws:iam::123456789012:role/my_role\",\"policy\":null,\"username\":\"transferuser002\",\"identityProviderType\":null,\"userConfigMessage\":null}",
   "StatusCode": 200,
   "Message": ""
}

Example

The following response indicates that the specified user belongs to more than one group that has access.

{
   "Response": "",
   "StatusCode": 200,
   "Message": "More than one associated access found for user's groups."
}

Example

If you have created and configured a custom identity provider by using an API Gateway, you can enter the following command to test your user:

aws transfer test-identity-provider --server-id s-0123456789abcdefg --user-name myuser

where s-0123456789abcdefg is your transfer server, and myuser is the username for your custom user.

If the command succeeds, your response is similar to the following, where:

  • AWS account ID is 012345678901

  • User role is user-role-api-gateway

  • Home directory is myuser-bucket

  • Public key is public-key

  • Invocation URL is invocation-URL

{
   "Response": "{\"Role\": \"arn:aws:iam::012345678901:role/user-role-api-gateway\",\"HomeDirectory\": \"/myuser-bucket\",\"PublicKeys\": \"[public-key]\"}",
   "StatusCode": 200,
   "Message": "",
   "Url": "https://invocation-URL/servers/s-0123456789abcdefg/users/myuser/config"
}
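As an added example (not AWS's code or part of this reference), the following Python helper checks a request against the parameter constraints listed above and interprets a response dict of the shape shown in the CLI examples, including the empty-Response case described in the notes. The sample responses are constructed here; the boto3 call that would produce a real one is assumed rather than made.

```python
import json
import re

# Constraints copied from the request-parameter table above.
SERVER_ID_RE = re.compile(r"s-[0-9a-f]{17}")
USER_NAME_RE = re.compile(r"[\w][\w@.-]{2,99}")
SOURCE_IP_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
PROTOCOLS = {"SFTP", "FTP", "FTPS", "AS2"}


def validate_request(req):
    """Return the documented constraints a TestIdentityProvider request
    dict violates; an empty list means the request is well-formed."""
    problems = []
    if not SERVER_ID_RE.fullmatch(req.get("ServerId", "")):
        problems.append("ServerId must match s-([0-9a-f]{17})")
    if not USER_NAME_RE.fullmatch(req.get("UserName", "")):
        problems.append("UserName must match [\\w][\\w@.-]{2,99}")
    if "ServerProtocol" in req and req["ServerProtocol"] not in PROTOCOLS:
        problems.append("ServerProtocol must be one of SFTP, FTP, FTPS, AS2")
    if "SourceIp" in req and not SOURCE_IP_RE.fullmatch(req["SourceIp"]):
        problems.append("SourceIp must be a dotted-quad IPv4 address")
    if len(req.get("UserPassword", "")) > 1024:
        problems.append("UserPassword exceeds 1024 characters")
    return problems


def interpret_response(resp):
    """Classify the service's reply. The provider's own JSON arrives as a
    string in Response; an empty Response means the test did not succeed."""
    body = resp.get("Response", "")
    if body == "":
        # Per the Message note: an empty string usually means bad credentials.
        reason = resp.get("Message") or "authentication failed (check user name/password)"
        return {"ok": False, "reason": reason, "config": None}
    config = json.loads(body)
    # Key casing differs between providers (Role vs role in the samples above).
    role = config.get("Role") or config.get("role")
    ok = resp.get("StatusCode") == 200 and bool(role)
    return {"ok": ok, "reason": "" if ok else "provider returned no role", "config": config}


# Constructed samples shaped like the responses shown in the examples above.
SAMPLE_OK = {"Response": json.dumps({"Role": "arn:aws:iam::012345678901:role/user-role-api-gateway",
                                     "HomeDirectory": "/myuser-bucket", "PublicKeys": "[public-key]"}),
             "StatusCode": 200, "Message": "",
             "Url": "https://invocation-URL/servers/s-0123456789abcdefg/users/myuser/config"}
SAMPLE_MULTI = {"Response": "", "StatusCode": 200,
                "Message": "More than one associated access found for user's groups."}
```

The dict that boto3's Transfer Family client returns from test_identity_provider carries the same keys as the response syntax above, so it can be passed to interpret_response unchanged (assumed, not verified against a live server here).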

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: