RCMS requests and responses

RCMS messages

HTTP header and endpoint details

Issue and redeem requests use HTTP POST. Two request headers are required:

  • Authorization - the scheme RCMS Token followed by the API key provided during integration.
  • Content-Type - must be application/json with a charset parameter naming an encoding natively supported by Java (UTF-8, UTF-16BE, UTF-16LE or UTF-16), for example Content-Type: application/json; charset=UTF-8.

The ITE endpoint is https://ws.ite.realme.govt.nz/rcms/v1 and the production endpoint is https://ws.realme.govt.nz/rcms/v1.

Opaque token issue request

A plain text example of an opaque token issue request is below:

{
"validFor":3600,
"use":"urn:nzl:govt:ict:stds:authn:deployment:igovt:gls:iCMS:1_0:SAMLV2.0:Authenticated",
"consent":"urn:oasis:names:tc:SAML:2.0:consent:current-explicit",
"target":"https://example-agency.govt.nz/agency/application",
"token":"eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiNzQifQ.YBvz7QFUS6ah_bvqfcn9sd1VuMUVUr188kFuNOhyqfgTSZ0qtafKag.9SyMfM9u-UenxF58qN4TdQ.KXDNsFO6OXUWX-82BSOGQ0R74vAVVDFa2QWiGboGkK8JWOQuGIgdSaIKh_4mbIpyo5rKS_uyDhwQ1X_uTVYJO8NGMVav3jGPf2nf812QGpM9WgFqqPOqyU8KaLVTQKLMDBGsq4g9-5uPEpk63X1dkHP0JYiWBkqZCrxJhSsWJWAHgcppStNnfzzP7TzFvzqAKnJr4RnrIEPqAxjKHrGFADz8qY1TAOt-NWgwLFIM8oNTwEbu14PQ2TwOvBULUBq57C98ytKXQwnnoyrmb29GrXDgWRh6lmawx1jPFZRWg3-YmtP1b8FSA_qBE4WIdSL4nv09NQyjCFTNdz9O7tikMBxyvFZXkX8U3YeFkUq8S1_44NtzA83Y0TBDBzWJeeO-it_4RFqdQMX2Plwni9LdZkJGpMf11O2WcL2ItUyvmMtOlDr2b6dPaq6pu5qIeQHi3wuQKQtJpfp1sz1vSi_KoqblaoIpJOeE_i0D6aoEExToy0oLHd0SR7RwP3j-gJOjeuH8pxJWKngONIS4o_mDZ1bjYeNcwAPV7_RuymOSvS7vjMx94mT3H8BaWrxfoo6IyU0egZGP2nSPatpeBHcmKP1EW8ba0VChEPRvywQYeYfTLDN3rg_HYsOD8doty80h2xUispRPZh43IQ0FGzyVGMdQJlX4ntNmXCyzk_iUX0bu_v8nWG-qJTeXvARXiGfCPk3cF5SmLShcfpeOXWIU85NVaBa4Wn6Zu0aF1KOqxnyKlooEI_zZ0BrwNFrv_wVlu31AGkQcLsApPIP22ZltfOrzNUc3DV6uxV4EPJsnXDnkUNXhj66f0CzWuS8LosU-aa9-TddoJ5soo5AebSN7KRdD7b2gZpwryzwTy0kZSMrTt2FgKphwwp0F55HzxiMTG6YpbNP7ePf3ItS_erBZrNU0qVoWDnHVo_982NjgfGxzu2eh_-FQLOtkdG3jtdR4d_E5zzWgvGtP3lKo2Cvzsu6-_z12gGDXxQLuOEwUdU8eufKlg1LMveSosA7ogm8nKYMr1zNjptDHbAGwfrNVhmL_L1diKc75dy9ZG3MST6o.rWd10TOX3V5a-HROFs4NiA"
}

The parameters and their allowed values are as follows:

  • target - the entityID of the target agency (mandatory)
  • consent - indicates that consent has been given by the agency customer (mandatory), with these allowed values:
urn:oasis:names:tc:SAML:2.0:consent:current-explicit
urn:oasis:names:tc:SAML:2.0:consent:current-implicit
urn:oasis:names:tc:SAML:2.0:consent:prior
urn:oasis:names:tc:SAML:2.0:consent:inapplicable
  • use - the required opaque token type (mandatory), one of:
urn:nzl:govt:ict:stds:authn:deployment:igovt:gls:iCMS:1_0:SAMLV2.0:Authenticated
urn:nzl:govt:ict:stds:authn:deployment:igovt:gls:iCMS:1_0:SAMLV2.0:Delayed
urn:nzl:govt:ict:stds:authn:deployment:igovt:gls:iCMS:1_0:SAMLV2.0:Seamless
  • token - the encrypted logon attributes token (LAT) provided by RealMe, or a chained redeem token (RT) returned by an earlier redeem response (mandatory)
  • validFor - requested period of validity in seconds (mandatory); the service constrains the actual validity to the duration of the authentication session.

Opaque token response

The opaque token response has the following format: target is the same entityID supplied in the request; token is the encrypted opaque token, which carries the source agency FLT; created and expires are the token creation and expiry times as Unix timestamps in seconds.

{
"target": "http://agency2.govt.nz/service2",
"token": "vvv.xxx.yyy.zzz",
"created": 1475440055,
"expires": 1475440157
}

A plain text example of an opaque token response is below:

{
"expires":1536128105,
"created":1536124511,
"target":"https://example-agency.govt.nz/agency/application",
"token":"eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiNzQifQ.oJDmIzVdwCXx9E5rRuvBoCdwIlDxOdFK3v77TmFa6ukVYliQnCjsng.wzy5ywexLcVnmNtGrN-9rQ.Un8iBXhaf92m52iOg6ddJfv7PFi4DpCSL9Uye_B04p5oUSQBmKQJEZaohdw3rdxJYnK7zTGNbM4D1z8FbQNGQaEuvEZaTEFKKWwr69Dldzt3Y_7HLnU3jI8PIS6xOtS8-sy8AW6X6xHOoUPzPbLGSYHfNSWB3kdJiBna_gl2abhHMjo5udkbnn7tfO-fJGtUI3toFKAyL0-yBdAyG8MXTtgNWQMe03SDi04TsF-Q7zs6wFCEYdGDTwvOofxf-0VPpASLblOYeoUVKyFjSEUF8EXTOuWAQg5v8mvxMWF0Ni_Wde_kw7Qk9nMHevPtjIYerR58T0ELEOMCyuCGzvlHsPXPw0iZ7KVicEzxng9Tyzij3Kexmdd2z8RZ_GddubWC5fiT8amI5uzJRnTkoKd2Z9SLGULUB0noStcCIz6dbVLpkDfKmgq6SWyWkQmjQ9iu1ylsUJtrfy9F2HF0s9QgCYL7eHFLRvnwzUtwW0UwqBlskLiI1iQa0IlRenjDpXVb3S9Kew9wfEphzjaeYuOJ2Xl0RSIDbTIum2E3ijdkUpNUYdxf4rE-KeuC61d1eIqLK2NNRfD2iXgnIB8rDz4yLlOi3-m7th_iC3ye_BQoE3Hec2StRASppOBw5MJdbYSEiGyO1W3ChwiC6DWfo4UJEBgi7bmjrHbANJGqrdo3KoXcTEbl_KXeSKB33OOdpqSMVrmoeyW-uvTFCZr5zMz-q0l1Ru5HqJJZywV5yTD9yvrCy_uN3QsE-AqUvk41kcGtGqlUhAe7-yxt4xfag8NE065iHdgIqHxMCt4E2GodT1VJqhp1Q-ohu7z2OX2AmA2KOG6HU0EIEFUREcjwuGOwFSWWypVqeAYbo_Cb1lQMyyE.dRzVdGRjt3_HaSlIZ9ScYA"
}

Redeem token request

A plain text example of a redeem token request is below:

{
"allowCreate":true,
"token":"eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiNzQifQ.oJDmIzVdwCXx9E5rRuvBoCdwIlDxOdFK3v77TmFa6ukVYliQnCjsng.wzy5ywexLcVnmNtGrN-9rQ.Un8iBXhaf92m52iOg6ddJfv7PFi4DpCSL9Uye_B04p5oUSQBmKQJEZaohdw3rdxJYnK7zTGNbM4D1z8FbQNGQaEuvEZaTEFKKWwr69Dldzt3Y_7HLnU3jI8PIS6xOtS8-sy8AW6X6xHOoUPzPbLGSYHfNSWB3kdJiBna_gl2abhHMjo5udkbnn7tfO-fJGtUI3toFKAyL0-yBdAyG8MXTtgNWQMe03SDi04TsF-Q7zs6wFCEYdGDTwvOofxf-0VPpASLblOYeoUVKyFjSEUF8EXTOuWAQg5v8mvxMWF0Ni_Wde_kw7Qk9nMHevPtjIYerR58T0ELEOMCyuCGzvlHsPXPw0iZ7KVicEzxng9Tyzij3Kexmdd2z8RZ_GddubWC5fiT8amI5uzJRnTkoKd2Z9SLGULUB0noStcCIz6dbVLpkDfKmgq6SWyWkQmjQ9iu1ylsUJtrfy9F2HF0s9QgCYL7eHFLRvnwzUtwW0UwqBlskLiI1iQa0IlRenjDpXVb3S9Kew9wfEphzjaeYuOJ2Xl0RSIDbTIum2E3ijdkUpNUYdxf4rE-KeuC61d1eIqLK2NNRfD2iXgnIB8rDz4yLlOi3-m7th_iC3ye_BQoE3Hec2StRASppOBw5MJdbYSEiGyO1W3ChwiC6DWfo4UJEBgi7bmjrHbANJGqrdo3KoXcTEbl_KXeSKB33OOdpqSMVrmoeyW-uvTFCZr5zMz-q0l1Ru5HqJJZywV5yTD9yvrCy_uN3QsE-AqUvk41kcGtGqlUhAe7-yxt4xfag8NE065iHdgIqHxMCt4E2GodT1VJqhp1Q-ohu7z2OX2AmA2KOG6HU0EIEFUREcjwuGOwFSWWypVqeAYbo_Cb1lQMyyE.dRzVdGRjt3_HaSlIZ9ScYA"
}

The parameters are as follows:

  • token - the opaque token issued to the source agency, as returned in the opaque token response described above (mandatory)
  • allowCreate - a Boolean true/false value indicating whether a new FLT may be created for the user at the target agency (mandatory). For the Assert then log in use case this value should be true. In other use cases, such as extended login, false may be appropriate when the target online service requires the customer to already be registered.

Redeem token response

A plain text example of a redeem token response is below:

{
"expires":1537259390,
"strength":"urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength",
"created":1537256200,
"use":"urn:nzl:govt:ict:stds:authn:deployment:igovt:gls:iCMS:1_0:SAMLV2.0:Authenticated",
"flt":"WLGC4F7E17E451F4970816F2C7F038FAEB0",
 
"token":"eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiNzQifQ.yzmmuTS8TJDZNsAeePmy2yX8wCkTEWnroYLHosvuJXiytH54Ym88vA.nGNpJjre3N2nBf2-ffqZYA.EiwEAQOQC2HZ3L2Nf8LUJtfMgO5WsbX3rGKLuBOBoMcaxKbHGOxZam_zUMJ5eeYq0X9cGH6gTWahGK50R_eStKaFpwXNEvYR8PydxA0mRXGxfL9oqZEY_W3MaAeXVizfdu3vLy45A8nVed7HZWo8UYSZDBkl3U2OfHbytozXGVveKy6KJeVBg40jUE1WaGy53KUF6zwoJA7PFkS8LlkTIPwpmiQg3Utdj6S_8Tqa7HCzzIuc3rk2SeLJtAxfwB3JHgipr_QJYY_1z5o-gEbTlhLQFaiPcXRyo2aHlN89oTCsAa6Li3suftNh_YmuwEhxU0_5aH0n1xp7BTtdGW2nMaVZJh1cdUdnuss1teSyoXYrpA9tBNpnEs-_VLzMtaJTi0JunhV6hdG_R302ohzr71MzU92cIkU4bwtHDGLbnH9qzIW43kpRKe3LUETSB414j_7tSGiyXOMCi6XAo9ZW8vI-Ci9QXWujJshzBRbOraZaC1k6m12P1QdYDRaqkE4cx1hEtWbKRJYMkgT-pahR9Zg7VvvOvJXsqvGLk5mePfUez-Cjh9lMCcrmB7Dt141uSM1RIURKTQazNOjA9R0vr5pTlDz7od5sZNGWbQWePYIpDJwHh0V5AB5nciweJOFl15H-HgwDhhjxACsDBCRabTRmGZf_FzVLGwVWkiYeHtjb5o8MJZdFo6v6AuE393BqX7-AsMphVqxx-IbecSZ_kcbCq-FcYXSpG9Wf6DWfkYc.cZhUa5R6ae70fuO3a5Nt-Q",
"cid":"https://example-agency.govt.nz/agency/application"
}

The response fields are as follows:

  • flt - the user's FLT at the target agency, either newly created (when allowCreate was true) or that of a previously registered customer
  • token - the encrypted redeem token (RT), which can be used in the same way as a LAT
  • created - Unix timestamp (seconds) of the RT creation
  • expires - Unix timestamp (seconds) of the RT expiry
  • strength - the authentication strength that was completed at the source agency (same values as the login service request):
urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength
urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength
urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength::OTP:Token:SID
urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength::OTP:Mobile:SMS
  • use - the value supplied in the original issue request; it continues to apply to the RT
urn:nzl:govt:ict:stds:authn:deployment:igovt:gls:iCMS:1_0:SAMLV2.0:Authenticated
urn:nzl:govt:ict:stds:authn:deployment:igovt:gls:iCMS:1_0:SAMLV2.0:Delayed
urn:nzl:govt:ict:stds:authn:deployment:igovt:gls:iCMS:1_0:SAMLV2.0:Seamless
  • cid - the entityID of the source agency; the target agency should check this against the source it expects before trusting the FLT
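The following is an added example, not code from the RealMe RCMS documentation or any RealMe client library. It ties together the opaque token issue request and the redeem token response described above: it builds the two request bodies with the HTTP headers from the "HTTP header and endpoint details" section, validates the use, consent and token parameters before anything is sent, and checks a redeem response (cid, use, strength, created/expires window, token shape) before returning the FLT. Assumptions, also marked in the code: the Authorization header value is laid out as "RCMS Token <api-key>"; the per-operation path under the base endpoint is supplied by the caller because this page gives only the base URL (the "/issue" path in the usage block is a placeholder); and the three ModStrength URNs are treated as a single rank above LowStrength. The sample redeem response is constructed from the metadata values on this page with a short dummy string in place of the real encrypted token, so the script runs offline and sends nothing.

```python
# Added example, not part of the RealMe RCMS documentation or client libraries.
# Assumptions: Authorization value is "RCMS Token <api-key>"; operation paths
# are caller-supplied; all ModStrength variants rank equally above LowStrength.
import json
import re
import urllib.request

ITE_ENDPOINT = "https://ws.ite.realme.govt.nz/rcms/v1"

USE_PREFIX = "urn:nzl:govt:ict:stds:authn:deployment:igovt:gls:iCMS:1_0:SAMLV2.0:"
ALLOWED_USE = {USE_PREFIX + u for u in ("Authenticated", "Delayed", "Seamless")}
ALLOWED_CONSENT = {
    "urn:oasis:names:tc:SAML:2.0:consent:" + c
    for c in ("current-explicit", "current-implicit", "prior", "inapplicable")
}
STRENGTH_PREFIX = "urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:"
STRENGTH_RANK = {  # assumed ordering: any ModStrength variant outranks LowStrength
    STRENGTH_PREFIX + "LowStrength": 0,
    STRENGTH_PREFIX + "ModStrength": 1,
    STRENGTH_PREFIX + "ModStrength::OTP:Token:SID": 1,
    STRENGTH_PREFIX + "ModStrength::OTP:Mobile:SMS": 1,
}
# Compact JWE serialisation: five base64url segments (header.key.iv.ciphertext.tag)
JWE_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]*){4}$")


def build_headers(api_key):
    """Headers for every RCMS call; the JSON body is sent as UTF-8."""
    return {
        "Authorization": "RCMS Token " + api_key,  # assumed value layout
        "Content-Type": "application/json; charset=UTF-8",
    }


def build_issue_request(target, use, consent, token, valid_for):
    """Reject bad issue parameters before anything is sent to RCMS."""
    if use not in ALLOWED_USE:
        raise ValueError("unsupported use URN: " + str(use))
    if consent not in ALLOWED_CONSENT:
        raise ValueError("unsupported consent URN: " + str(consent))
    if not target:
        raise ValueError("target must be the target agency entityID")
    if not JWE_RE.match(token):
        raise ValueError("token must be a compact JWE (LAT or chained RT)")
    if not isinstance(valid_for, int) or valid_for <= 0:
        raise ValueError("validFor must be a positive number of seconds")
    return {"validFor": valid_for, "use": use, "consent": consent,
            "target": target, "token": token}


def build_redeem_request(token, allow_create):
    if not JWE_RE.match(token):
        raise ValueError("token must be the compact JWE opaque token")
    return {"allowCreate": bool(allow_create), "token": token}


def make_post(url, api_key, body):
    """Prepared POST; urllib.request.urlopen(req) would send it (not done here)."""
    data = json.dumps(body).encode("utf-8")
    return urllib.request.Request(url, data=data, headers=build_headers(api_key),
                                  method="POST")


def check_redeem_response(resp, expected_cid, expected_use, now,
                          min_strength=STRENGTH_PREFIX + "LowStrength"):
    """Return the FLT only when every field of the redeem response is acceptable."""
    for field in ("flt", "token", "created", "expires", "strength", "use", "cid"):
        if field not in resp:
            raise ValueError("redeem response missing " + field)
    if resp["cid"] != expected_cid:   # bind the FLT to the source agency we expect
        raise ValueError("cid is not the expected source agency")
    if resp["use"] != expected_use:   # must match the original issue request
        raise ValueError("use differs from the issue request")
    if resp["strength"] not in STRENGTH_RANK:
        raise ValueError("unknown strength URN")
    if STRENGTH_RANK[resp["strength"]] < STRENGTH_RANK[min_strength]:
        raise ValueError("authentication strength below policy")
    if not resp["created"] < resp["expires"]:
        raise ValueError("created must precede expires")
    if not resp["created"] <= now < resp["expires"]:
        raise ValueError("redeem token is not valid at this time")
    if not JWE_RE.match(resp["token"]):
        raise ValueError("RT is not a compact JWE")
    return resp["flt"]


# Constructed sample: the page's redeem response metadata with a short dummy
# five-segment string in place of the real encrypted token.
SAMPLE_REDEEM_RESPONSE = {
    "expires": 1537259390,
    "strength": STRENGTH_PREFIX + "LowStrength",
    "created": 1537256200,
    "use": USE_PREFIX + "Authenticated",
    "flt": "WLGC4F7E17E451F4970816F2C7F038FAEB0",
    "token": "eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.kek.iv.ct.tag",
    "cid": "https://example-agency.govt.nz/agency/application",
}

if __name__ == "__main__":
    agency = "https://example-agency.govt.nz/agency/application"
    issue = build_issue_request(agency, USE_PREFIX + "Authenticated",
                                "urn:oasis:names:tc:SAML:2.0:consent:current-explicit",
                                "hdr.kek.iv.ct.tag", 3600)
    req = make_post(ITE_ENDPOINT + "/issue", "api-key", issue)  # "/issue" is a placeholder path
    print(req.get_method(), req.full_url, json.loads(req.data)["target"])
    print("FLT:", check_redeem_response(SAMPLE_REDEEM_RESPONSE, agency,
                                        USE_PREFIX + "Authenticated", now=1537257000))
```

The checks in check_redeem_response are the ones a target agency should make before mapping the returned FLT to a local account: the cid must be the source agency the opaque token was expected from, the use must be the one requested at issue time, the strength must satisfy the service's own policy, and the RT must still be inside its created/expires window. The now argument is passed in explicitly so the check is deterministic and can be run against recorded responses.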

Full details on the RCMS APIs can be found in this OpenAPI/Swagger file [ZIP, 4.7 KB].
