Accessing local users via API based on email address

bperciac
Level 5

Interesting dilemma.

This particular use case is a web-based form that takes input from a guest, including the email address of their sponsor. It will look up that email address against the internal users in ISE, and if it finds a match, it will generate the guest account, and assign it to the sponsor based on the email match.

I need to create a local user in ISE, and that user's internal email address is internal only (in this case, "employee@demo.local").  Since this is not a valid TLD, during the creation of the local account, it complains, and does not allow me to enter this email account.

In order to bypass this, I created a custom attribute, InternalEmail, and entered the "employee@demo.local" string there, hoping to use that as a condition to search for, instead of the email address field (which is now invalid, since it will not allow the .local TLD).  Unfortunately, I am getting messages from ISE that custom attributes cannot be used as filter conditions in API calls.

{
    "ERSResponse": {
        "operation": "GET-getAll-internaluser",
        "messages": [
            {
                "title": "The filter field 'customAttributes' is not supported",
                "type": "ERROR",
                "code": "Query string validation exception"
            }
        ],
        "link": {
            "rel": "related",
            "href": "https://[REDACTED]/ers/config/internaluser?filter=customAttributes.InternalEmail.CONTAINS.em",
            "type": "application/xml"
        }
    }
}

Based on what I need to do, any particular recommendations on how to get around this?

Thanks!

Bob

Accepted Solutions

hslai
Cisco Employee

That is expected. For Get-All of Internal User, only these fields can be filtered:

[firstName, lastName, identityGroup, name, description, email, enabled]

I suppose demo.local is what you are using in the lab, but you should be able to set up your mail server to accept emails from some non-local domains.


6 Replies

Nidhi
Cisco Employee

Checking with SME jakunst

Jason Kunst
Cisco Employee

Bob, please share the API call.

Likely this is not going to work with a custom attribute, but I will check with developers.

Also, have you checked using a different email address? Perhaps you can check with a dCloud demo spun up and use its services?

Jason,

The API call is:

https://[REDACTED]/ers/config/internaluser?filter=customAttributes.InternalEmail.CONTAINS.em

(the InternalEmail field is where I put "employee@demo.local" email address)


The issue lies in the fact that the input field of the Internal User email field validates the email, and limits the extensions.  Since I need to use a different domain extension, I need to store that information somewhere, and it appears as though customAttributes cannot be used in searches.


Here is the actual user information:


{
    "InternalUser": {
        "id": "5e83a381-d727-4d0d-babe-8e41a2595cf4",
        "name": "employee",
        "enabled": true,
        "email": "employee@demo.com",
        "password": "*******",
        "changePassword": false,
        "identityGroups": "a1740510-8c01-11e6-996c-525400b48521",
        "expiryDateEnabled": false,
        "enablePassword": "*******",
        "customAttributes": {
            "InternalEmail": "emplyee@demo.local"
        },
        "passwordIDStore": "DEMO_AD_DOMAIN",
        "link": {
            "rel": "self",
            "href": "https://[REDACTED]:9060/ers/config/internaluser/5e83a381-d727-4d0d-babe-8e41a2595cf4",
            "type": "application/xml"
        }
    }
}


Any help is appreciated!


Thanks,


Bob


Is there a different call I can use that will give me access to customAttributes as well? Also, is it possible to get all guest user details, including password, for printing?

Thanks!

When you create the account, you should be able to grab this.

Check out the tips here

https://communities.cisco.com/docs/DOC-71891
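
An added example, not code from any poster in this thread or from Cisco: since Get-All cannot filter on customAttributes, the match can be done client-side over the per-user detail records (the resource that returns customAttributes above). It assumes the caller has already fetched those records; the function names, the placeholder host and the sample records are constructed for illustration.

```python
import re
from urllib.parse import quote

# Filterable fields for Get-All of Internal User, as listed in the accepted answer.
SUPPORTED_FILTER_FIELDS = {"firstName", "lastName", "identityGroup", "name",
                           "description", "email", "enabled"}
# Shape check for the guest-supplied address (an assumption, not ISE's validator);
# unlike the ISE email field it accepts internal TLDs such as .local.
EMAIL_RE = re.compile(r"[a-z0-9._%+-]{1,64}@[a-z0-9-]+(\.[a-z0-9-]+)+")

def normalize_email(raw):
    """Return the trimmed, lowercased address or raise ValueError."""
    candidate = raw.strip().lower()
    if len(candidate) > 254 or not EMAIL_RE.fullmatch(candidate):
        raise ValueError("malformed sponsor email")
    return candidate

def build_filter_url(base, field, operator, value):
    """Build a Get-All URL, refusing fields the server would reject anyway."""
    if field not in SUPPORTED_FILTER_FIELDS:
        raise ValueError(f"filter field {field!r} is not supported")
    return f"{base}/ers/config/internaluser?filter={field}.{operator}.{quote(value, safe='')}"

def resolve_sponsor(user_details, attribute, email):
    """Return the one enabled user whose custom attribute equals email, else None."""
    wanted = normalize_email(email)
    hits = []
    for record in user_details:
        user = record["InternalUser"]
        stored = (user.get("customAttributes") or {}).get(attribute, "")
        # Exact comparison: a substring match could bind the guest to the wrong sponsor.
        if user.get("enabled") and stored.strip().lower() == wanted:
            hits.append(user["name"])
    # Zero or several matches: do not guess which sponsor owns the guest account.
    return hits[0] if len(hits) == 1 else None

# Constructed detail records, shaped like the InternalUser response in the thread.
SAMPLE_DETAILS = [
    {"InternalUser": {"name": "employee", "enabled": True,
                      "customAttributes": {"InternalEmail": "employee@demo.local"}}},
    {"InternalUser": {"name": "employee2", "enabled": True,
                      "customAttributes": {"InternalEmail": "employee2@demo.local"}}},
    {"InternalUser": {"name": "former", "enabled": False,
                      "customAttributes": {"InternalEmail": "former@demo.local"}}},
    {"InternalUser": {"name": "svc", "enabled": True}},
]

if __name__ == "__main__":
    print(resolve_sponsor(SAMPLE_DETAILS, "InternalEmail", " Employee@demo.local"))
```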
