By: Christopher Palmer user 04 Dec 2017 at 9:54 a.m. CST

9 Responses
We would like to automate with API or script SP trust relationships. Looking at the 3.1.1 docs, it talks about generating IDs and includes a “tRelationship” type. If we upgrade to 3.1.1, is this a viable way to create these objects? I am not really sure what “Custom ID Generation” is intended to be used for, so please bear with me on that.

By Aliaksandr Samuseu staff 04 Dec 2017 at 10:59 a.m. CST

Hi, Christopher.

> We would like to automate with API or script SP trust relationships.

There is no API currently which can do this. Feel free to submit a feature request at Github if you have an idea of how it could be implemented; the web UI's API is planned to be revised in the near future. For now your best option is to create it via direct writes to the LDAP database. You could study the composition of TR entries there, experimenting with how different web UI settings are represented in them, to start with. Another thing to consider would be whether you actually want to stick to SAML that badly. In case it's possible to adopt OIDC in your setup, you would have Dynamic Registration mechanics at your disposal right out of the box, so no need for writing and maintaining complex external tools.

> Looking at the 3.1.1 docs, it talks about generating IDs and includes a “tRelationship” type

If you are referring to [this](https://gluu.org/docs/ce/api-guide/api/), it's about generating inums, a unique id each entry in Gluu's LDAP tree is assigned. You'll also need it to assemble a TR's configuration entry.

By Michael Schwartz Account Admin 04 Dec 2017 at 11:05 a.m. CST

oxTrust APIs for all features are coming in version 3.2, but that doesn't help you now. So as Alex suggests, LDAP is your best option. The LDAP entries for a Trust Relationship are pretty simple. If it's SAML, remember you must also wait for oxTrust to re-render the Shibboleth XML config files.

By Christopher Palmer user 04 Dec 2017 at 1:53 p.m. CST

Thank you Aliaksandr and Michael for the replies. With LDAP being the best current option, I tried looking at our existing Trust Relationship entries. Their DNs are in the format: inum=@!AACC.20ED.4FA1.F8D7!0002!B069.FE45!0006!XXXX.XXXX,ou=trustRelationships,inum=@!AACC.20ED.4FA1.F8D7!0002!B069.FE45,ou=appliances,o=gluu ...with XXXX.XXXX being unique hex values for each TR. I am guessing the prefix of ‘!0006’ refers to the API’s prefix for SAML Trust Relationship object seen in the docs. For the XXXX.XXXX bit, am I supposed to make up a unique string here? Also, do you have any idea on the timing for 3.2’s release? Thanks again.
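The DN format quoted above is regular enough to check by machine before anything is written to LDAP. The following is an added example, not code from this thread or from Gluu: it parses an existing TR DN into its appliance inum, type prefix and unique suffix, refuses DNs whose entry inum does not sit under the same appliance as its parent, generates a fresh `XXXX.XXXX` hex suffix that is not already in use, and renders an LDIF add record with `gluuStatus: active`. The sample inum values are constructed in the same shape as the quoted one; the assumption that any unused hex suffix is acceptable (the thread does not answer that question) and the `objectClass` value, which should be copied from an existing TR entry as Aliaksandr suggests, are both placeholders.

```python
import re
import secrets

# Constructed sample values in the DN format quoted in the thread (not from a real deployment).
APPLIANCE_INUM = "@!AACC.20ED.4FA1.F8D7!0002!B069.FE45"
TR_TYPE_PREFIX = "0006"  # segment the thread associates with SAML trust relationship entries
TR_PARENT_DN = "ou=trustRelationships,inum=%s,ou=appliances,o=gluu" % APPLIANCE_INUM

HEX4 = r"[0-9A-F]{4}"
APPLIANCE_RE = r"@!%s(?:\.%s){3}!%s!%s\.%s" % (HEX4, HEX4, HEX4, HEX4, HEX4)
SUFFIX_RE = r"%s\.%s" % (HEX4, HEX4)
# The back-reference (?P=appliance) enforces that the entry inum is prefixed by the very
# appliance inum that appears in the parent DN, so an entry cannot be filed under the wrong appliance.
TR_DN_RE = re.compile(
    r"^inum=(?P<appliance>%s)!(?P<prefix>%s)!(?P<suffix>%s),"
    r"ou=trustRelationships,inum=(?P=appliance),ou=appliances,o=gluu$"
    % (APPLIANCE_RE, HEX4, SUFFIX_RE)
)


def parse_tr_dn(dn):
    """Split a TR DN into appliance inum, type prefix and unique suffix; None if malformed."""
    m = TR_DN_RE.match(dn)
    return m.groupdict() if m else None


def build_tr_dn(appliance_inum, suffix, prefix=TR_TYPE_PREFIX):
    """Assemble a TR DN in the quoted format from its three components."""
    entry_inum = "%s!%s!%s" % (appliance_inum, prefix, suffix)
    return "inum=%s,ou=trustRelationships,inum=%s,ou=appliances,o=gluu" % (entry_inum, appliance_inum)


def new_tr_suffix(existing_suffixes):
    """Draw a random XXXX.XXXX upper-case hex suffix that is not already in use.

    Assumption (not confirmed in the thread): any unused value of this shape is acceptable.
    """
    taken = set(existing_suffixes)
    while True:
        raw = secrets.token_hex(4).upper()  # 8 hex digits from the OS CSPRNG
        suffix = raw[:4] + "." + raw[4:]
        if suffix not in taken:
            return suffix


def build_tr_ldif(dn, attributes):
    """Render an LDIF add record; attribute values may be a str or a list of str."""
    lines = ["dn: " + dn, "changetype: add"]
    for name, value in attributes.items():
        values = value if isinstance(value, list) else [value]
        for v in values:
            lines.append("%s: %s" % (name, v))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed: one TR DN as it might already exist under the sample appliance.
    existing_dn = build_tr_dn(APPLIANCE_INUM, "1A2B.3C4D")
    parsed = parse_tr_dn(existing_dn)
    print("existing suffix:", parsed["suffix"])

    suffix = new_tr_suffix({parsed["suffix"]})
    new_dn = build_tr_dn(APPLIANCE_INUM, suffix)
    print(build_tr_ldif(new_dn, {
        "objectClass": ["top", "<copy from an existing TR entry>"],  # placeholder, see lead-in
        "gluuStatus": "active",  # attribute name and value quoted in the thread
    }))
```

Running the module prints the LDIF for a new entry; the `parse_tr_dn` check is the part worth keeping in any automation, since a DN that passes it is guaranteed to land under the intended appliance's `ou=trustRelationships` container.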

By Christopher Palmer user 06 Dec 2017 at 12:58 p.m. CST

Hi Michael. I was able to add a TR entry through LDAP, but it didn’t seem to get updated by Gluu (i.e. the corresponding metadata.xml file is not created, and there is no validation_success or gluuEntityID) *until* I go into the GUI and click on “Update” for the TR. Then the file gets created, it validates and updates the LDAP entry. Note: I am setting the LDAP entry with “gluuStatus: active” when creating the object (and the GUI did honor that). Am I missing a step or piece of data perhaps?

By Michael Schwartz Account Admin 06 Dec 2017 at 1:29 p.m. CST

You may be right. This is not preferable, but I think we could give you a shell script to call the update :)

By Michael Schwartz Account Admin 06 Dec 2017 at 1:50 p.m. CST

On further discussion, it looks like I'm wrong. The quick fix would take some time. This kind of work-around is only available to supported customers. In version 3.2 of the Gluu Server oxTrust will be exposing APIs for everything, so it should clear the problem.

By Christopher Palmer user 06 Dec 2017 at 2:56 p.m. CST

I feel that if there was a way (from the keyboard) to tell the Gluu server to schedule validations of the TRs, that might help. Setting gluuValidationStatus to ‘validation’ or ‘validation_success’ didn’t seem to do the trick. I briefly saw the GUI show ‘Validation Scheduled’.

By Michael Schwartz Account Admin 06 Dec 2017 at 4:18 p.m. CST

Other than updating the TRs in oxTrust, I can't think of any way.

By Aliaksandr Samuseu staff 06 Dec 2017 at 4:20 p.m. CST

The only thing that comes to mind is perhaps to try restarting the `identity` service in the container? Seems like validation needs to be triggered somehow. If this doesn't help, then I'm afraid it's as Michael says and would require dev team involvement, which is usually reserved for customers only.