
Modifying a Credential - modifyRequest

Apr 22, 2011

Use the modifyRequest operation to change a previously provisioned credential. If the application definition associated with the changed credential is a member of a password sharing group, then all of the credentials associated with members of that group are updated to use the new password.


<modifyRequest requestID='client-generated-ID'>
   <ctxs:authentication-token xmlns:ctxs=''/>
   <psoID ID='credential-GUID'>
      <containerID ID='userFQDN'/>
   </psoID>
   <modification modificationMode='replace'>
      <data>
         <ctxs:credential xmlns:ctxs=''>
            <ctxs:name>New Credential Name</ctxs:name>
         </ctxs:credential>
      </data>
   </modification>
</modifyRequest>


requestID (mandatory) This is the client-generated ID that associates the return values with this request.
ctxs:authentication-token The authentication-token element is mandatory, but is not used at this time.
psoID (mandatory) The credential ID is a GUID (created by the Single Sign-on system and stored in your central store). It must match the value returned by the lookupRequest and is used to locate the credential being modified.
containerID (mandatory) The containerID provides the FQDN of the user who owns the credential.
modification (mandatory) Takes the modificationMode attribute (optional), which has one of the following values:

add: To add credentials. This produces the same result as an addRequest. If modificationMode is add, the restrictions on the psoID and data elements are the same as for the addRequest. The psoID must only specify a container (as in deleteRequest) and the data must contain a credential element (as in addRequest).

replace: To replace a field value, put the new value inside the tag.

delete: To clear a field value. The contents of the data element are ignored.

data (mandatory) Data is the description of the data being modified. This is the credential element and may include any child elements of the credential and application elements.
credential (mandatory) The credential element is used to describe a single secondary credential. The name and description children of the credential element are optional. If not provided, the plug-in uses the name and description from the application definition. See ctxs:credential for more information.
name The name is the application definition name as it appears in your Single Sign-on component of AppCenter.
application (mandatory) The application element is used both to describe an application definition and to describe details of a credential. The application element must correspond to one previously obtained from a lookupApplicationsRequest operation. See ctxs:application for more information. If an id child of an application is provided, it must match the value stored in the credential.
group Default values are provided if the group element is not part of the add request. This element describes the relationship between the new credential and existing credentials associated with the group. See the information about Group Element Attributes.
fields (mandatory) Each child element of fields listed in the lookupResponse operation must be included in the addRequest operation or an error is returned.
userID (mandatory) userID provides the user's account for this credential.
password (mandatory) Password provides the user's password associated with this credential.
custom-field Custom fields provide the custom values for this credential. Single Sign-on supports two custom fields in addition to the user name and password fields.
psoID (mandatory) The psoID is a unique identifier for each end user; it is the user's FQDN and is used to specify the container for the credential being modified.
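
An added example, not part of the product documentation: a Python pre-flight check that applies the parameter rules above to a modifyRequest before a client sends it. The function name, the placeholder namespace URI (the page elides the real one), the sample values, and the placement of data directly under modification are assumptions.

```python
import xml.etree.ElementTree as ET

# Placeholder namespace: the page elides the real ctxs URI (xmlns:ctxs='').
CTXS = "urn:example:ctxs-placeholder"

def validate_modify_request(xml_text):
    """Return the rule violations found; an empty list means none."""
    root = ET.fromstring(xml_text)  # meant for requests your own client builds
    errors = []
    if not root.get("requestID"):
        errors.append("requestID is mandatory")
    if root.find(f"{{{CTXS}}}authentication-token") is None:
        errors.append("ctxs:authentication-token is mandatory")
    pso = root.find("psoID")
    if pso is None or pso.find("containerID") is None:
        errors.append("psoID with a containerID (user FQDN) is mandatory")
    mod = root.find("modification")
    if mod is None:
        return errors + ["modification is mandatory"]
    mode = mod.get("modificationMode")  # optional attribute
    if mode not in (None, "add", "replace", "delete"):
        errors.append(f"unknown modificationMode: {mode}")
    has_guid = pso is not None and bool(pso.get("ID"))
    if mode == "add" and has_guid:
        errors.append("add: psoID must only specify a container")
    if mode != "add" and not has_guid:
        errors.append("psoID must carry the credential GUID")
    # Assumed layout: data is a child of modification and wraps the credential.
    data = mod.find("data")
    if data is None:
        errors.append("data is mandatory")
    elif mode != "delete" and data.find(f"{{{CTXS}}}credential") is None:
        errors.append("data must contain a ctxs:credential element")
    return errors

# Constructed sample request; every value is a placeholder.
SAMPLE = f"""<modifyRequest requestID='req-0001'>
  <ctxs:authentication-token xmlns:ctxs='{CTXS}'/>
  <psoID ID='credential-GUID'><containerID ID='userFQDN'/></psoID>
  <modification modificationMode='replace'><data>
    <ctxs:credential xmlns:ctxs='{CTXS}'>
      <ctxs:name>New Credential Name</ctxs:name>
    </ctxs:credential>
  </data></modification>
</modifyRequest>"""

if __name__ == "__main__":
    print(validate_modify_request(SAMPLE))
    print(validate_modify_request(SAMPLE.replace("'replace'", "'add'")))
```

Switching the sample to modificationMode='add' while keeping the credential GUID on psoID is reported as a violation, because an add request may only name the container.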

Syntax for Return Values - modifyResponse

<modifyResponse status='success' requestID='client-generated-ID'>

Parameters for Return Values

status (mandatory) Possible values: Success, Failure, Pending
requestID (mandatory) This is the client-generated ID that associates these return values with the associated request.


The modifyRequest can be used to request that a disassociated credential join the group by setting the attribute join='true' (see addRequest). The group element is subject to the same constraints and has the same effect as described under addRequest.

Note that any of the ctxs:fields sub-elements defined for the application may be included in a modifyRequest. The available fields are listed in the lookupResponse.

Group Element Attributes

| Join value | Use-new-password value | Effect |
| --- | --- | --- |
| False | True | The new credential is disassociated from the existing credentials in the group. There is no effect on the existing group. |
| True | False | The new credential is joined to the existing group. The password of the new credential is set to the password shared by the existing group members. If there are no existing group members, the password value is used. |
| True | True | The new credential is joined to the existing group. The password included in the command is used for the new credential and also assigned to all of the existing group members. |

The credential GUID returned as the psoID in the response is the same one that will be listed in the lookupResponse operation and may also be used to identify this secondary credential in modifyRequest or deleteRequest operations.