Skip to main content

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Code42 cloud environments.

Code42 Support

Use the Code42 API to set SAML attributes


You can integrate any SAML 2.0-compliant identity provider with Code42. By default, you map an identity provider's username and email attributes to Code42.

For added security and flexibility, you can use Code42 APIs to set the SAML 2.0 context and class references in your identity provider's SSO requests, as well as the digest and signature algorithms to use. See the SAML attributes section below for the list of SAML authentication attributes whose mapping you can customize.

This article describes how to use the following Code42 API resources to customize mapping SAML authentication attributes: 

  • View the current SAML settings: identity-provider-saml-settings/IdentityProviderSamlSettings_View
  • Update the SAML settings: identity-provider-saml-settings/IdentityProviderSamlSettings_Update


Test SAML settings changes
Changes you make to SAML settings using the procedures in this article are made directly to the authentication provider settings in Code42. Ensure you verify that they work properly in a test organization first before using the SAML settings in production.

View current SAML settings

View the current SAML settings for an authentication provider in Code42 using the identity-provider-saml-settings/IdentityProviderSamlSettings_View  API resource.

In the following example: 

  • Replace <AuthToken> with the authentication token you obtained in the Authentication section.
  • Replace with the URL of your Code42 cloud instance.
  • Replace <AuthProviderID> with the ID you obtained as described in Authentication provider ID.
curl -vvv -X GET -H "Authorization: v3_user_token <AuthToken>" '<AuthProviderID>'

An excerpt of an example successful response:


For information on the returned values, see the SAML attributes section.

Default SAML settings

When you create a new authentication provider in Code42, the default SAML request configuration settings are:

  • authnContextClassReference: Password
  • authnContextComparison: EXACT
  • requestAuthnDigestMethod:
  • requestAuthnSignatureMethod: 

For information on these settings, see the SAML attributes section. 

Update the SAML settings

Update the SAML settings for an authentication provider in Code42 using the identity-provider-saml-settings/IdentityProviderSamlSettings_Update  API resource.

In the following example: 

  • Replace <AuthToken> with the authentication token you obtained in the Authentication section.
  • Replace with the URL of your Code42 cloud instance.
  • Replace <AuthProviderID> with the ID you obtained as described in the Authentication provider ID section.
  • Provide values for these parameters as described in the SAML attributes section:
    • authnContextComparison
    • authnContextClassRef
    • requestAuthnDigestMethod
    • requestAuthnSignatureMethod
curl -vvv -X POST -H "Authorization: v3_user_token <AuthToken>" -H 'Content-Type: application/json' -d 
    "settings": {
        "uid": "<AuthProviderID>",
        "authnContextClassRef": [
        "authnContextComparison": "MAXIMUM",
        "requestAuthnDigestMethod": "",
        "requestAuthnSignatureMethod": ""

Identity provider SAML settings API structure and syntax


For more information about the Code42 API documentation viewer, see Code42 API documentation viewers. For more information about Code42 API syntax, see Code42 API syntax and usage.


This API resource requires an authentication token in the header of all requests. To obtain an authentication token, use your Code42 administrator credentials to submit a GET request to:

  • United States: 
    • If you sign in to the Code42 console at, use:
    • If you sign in to the Code42 console at, use:
    • If you sign in to the Code42 console for the Code42 federal environment at, use:
  • Ireland: If you sign in to the Code42 console at, use:

For example:

curl -X GET -u "username" -H "Accept: application/json" ""

If your organization uses two-factor authentication for local users, you must also include a totp-auth header value containing the Time-based One-Time Password (TOTP) supplied by the Google Authenticator mobile app. The example below includes a TOTP value of 424242.

curl -X GET -u "username" -H "totp-auth: 424242" "Accept: application/json" ""

A successful request returns an authentication token. For example:

    "v3_user_token": "eyJjdHkiO_bxYJOOn28y...5HGtGHgJzHVCE8zfy1qRBf_rhchA"
Token considerations
  • Use this authentication token in your requests.
  • Authentication tokens expire after 30 minutes.
  • You must have credentials for a Code42 user with the Customer Cloud Admin role.
  • The authentication example above only applies to users who authenticate locally with Code42. Single sign-on (SSO) users must also complete SAML authentication with their SSO provider. If you need assistance with this process, contact your SSO provider.

Authentication provider ID

The identity provider SAML settings API requires that you provide the unique ID of the identity management authentication provider. To obtain the ID, select the authentication provider in the Code42 console and copy the ID from the address bar.

  1. Sign in to the Code42 console.
  2. Navigate to Administration > Settings > Identity Management.
  3. Select an authentication provider.
    The provider's unique ID displays at the end of the URL in the browser address bar.
  4. Copy the provider's ID to provide in commands to view or update the provider's SAML settings.
    Authentication provider unique ID

SAML attributes

Use the following parameters to update the SAML settings used by the Code42 authentication provider:

The following code example uses these parameters:

curl -vvv -X POST -H "Authorization: v3_user_token <AuthToken>" -H 'Content-Type: application/json' -d 
    "settings": {
        "uid": "<AuthProviderID>",
        "authnContextClassRef": [
        "authnContextComparison": "MAXIMUM",
        "requestAuthnDigestMethod": "",
        "requestAuthnSignatureMethod": ""


This parameter sets the context class reference to authenticate users. This parameter is optional and can be omitted from the command call.

You can use any of the SAML 2.0 authentication context classes to authenticate users. The Authentication Context Class Reference values listed in the table below are the most commonly used in the SAML 2.0 specification. (Because some identity providers have created their own authentication classes which aren't listed in the SAML 2.0 specification, such as for multi-factor authentication, you can still specify any valid authentication class reference as long as it has a correctly formatted URN.)

The value supplied to the parameter should have one of the following prefixes:

  • urn:oasis:names:tc:SAML:2.0:ac:classes (SAML 2.0) or
  • urn:oasis:names:tc:SAML:1.2:ac:classes (SAML 1.2)

For more information about SAML 2.0 authentication context classes, see the SAML 2.0 specification.  

Valid values Description
InternetProtocol Provide an IP address.
InternetProtocolPassword Provide an IP address in addition to a username/password combination.
Kerberos Use a password to acquire a Kerberos ticket.
MobileOneFactorUnregistered Authenticate mobile devices without requiring explicit end-user interaction.
MobileTwoFactorUnregistered Authenticate mobile devices with two-factor based authentication.
MobileOneFactorContract Authenticate mobile devices through contract customer registration and single factor authentication.
MobileTwoFactorContract Authenticate mobile devices through contract customer registration and two-factor authentication.
Password (Default) Provide a password over an unprotected HTTP session.
PasswordProtectedTransport Provide a password over a protected HTTPS session.
PreviousSession Authenticate using a previously-used authentication context.
X509 Use a digital signature where the key was validated as part of an X.509 PKI.
PGP Use a digital signature where the key was validated as part of a PGP PKI.
SPKI Use a digital signature where the key was validated via an SPKI.
XMLDSig Use a digital signature according to the XML Digital Signature specification.
Smartcard Authenticate using a smartcard.
SmartcardPKI Authenticate using a smartcard with enclosed private key and a PIN.
SoftwarePKI Authenticate with an X.509 certificate stored in software.
Telephony Authenticate using a telephone number.
NomadTelephony Authenticate using a roaming telephone number such as a phone card.
PersonalTelephony Authenticate using a telephone number and a user suffix.
AuthenticatedTelephony Authenticate using a telephone number, a user suffix, and a password.
SecureRemotePassword Provide a Secure Remote Password.
TLSClient Provide a client certificate secured with the SSL/TLS protocol.
TimeSyncToken Provide a time synchronization token.
Unspecified Authenticate by using unspecified means. The server does not expect a particular authentication method. Instead the server will attempt to authenticate the user via its configured authn options. 


This parameter specifies the comparison method used to evaluate the requested context class (AuthnContextClassRef). This parameter must be populated with any of the supported values (EXACT, MINIMUM, MAXIMUM, BETTER). This parameter is optional and can be omitted from the command call.

For more information about the AuthnContextComparison method, see the SAML 2.0 specification.

Valid values Description
EXACT (Default) Must be the exact match of at least one of the authentication contexts specified.
MINIMUM Must be at least as strong (as deemed by the responder) as one of the authentication contexts specified.
MAXIMUM Must be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.
BETTER Must be stronger (as deemed by the responder) than any one of the authentication contexts specified.
Not Specified Uses the default value EXACT.


This digest algorithm performs a checksum of the contents of the SAML request to ensure it was not edited in transit. 

For more information about digest algorithms, see the W3 XML Security Algorithm Cross-Reference.

Valid values Description SHA-1 digest algorithm (Default) SHA-256 digest algorithm SHA-384 digest algorithm SHA-512 digest algorithm


This parameter is a cryptographic signature algorithm for the checksum of the contents of the SAML request. The signature algorithm should match the digest algorithm with a variety of pre-pended private key generation indicators.

For more information about signature algorithms, see the W3 XML Security Algorithm Cross-Reference.

Valid values Description RSA-SHA1 signature algorithm (Default) RSA-SHA256 signature algorithm RSA-SHA384 signature algorithm RSA-SHA512 signature algorithm
  • Was this article helpful?