apm aaa saml
apm aaa saml(1) BIG-IP TMSH Manual apm aaa saml(1)
NAME
saml - Specify a SAML server configuration used for authentication.
MODULE
apm aaa
SYNTAX
Configure the saml component within the aaa module using the syntax shown in the following sections.
CREATE/MODIFY
create saml [name]
modify saml [name]
options:
app-service [[string] | none]
assertion-consumer-binding [http-artifact | http-post]
attribute-consuming-services [add | delete | modify | none | replace-all-with] {
[name] {
attribute-consuming-service-index [integer]
}
}
auth-context-class-list [[string] | none]
auth-context-comparison-method [ better | exact | maximum | minimum ]
auth-context-methods {
[string]
}
default-attribute-consuming-service [[string] | none]
description [[string] | none]
entity-id [string]
force-authn [true | false]
export-metadata [ no-signing | with-signing ]
idp-connectors [add | delete | modify | none | replace-all-with] {
[name] {
idp-matching-source [[string] | none]
idp-matching-value [[string] | none]
}
}
is-authn-request-signed [true | false]
location-specific [true | false]
metadata-cert [[string] | none]
metadata-file [[string] | none]
metadata-signkey [[string] | none]
name-id-policy-allow-create [true | false]
name-id-policy-format [[string] | none]
name-id-policy-sp-name-qualifier [[string] | none]
provider-name [[string] | none]
relay-state [[string] | none]
sp-certificate [[string] | none]
sp-host [[string] | none]
sp-scheme [http | https]
sp-signkey [[string] | none]
want-assertion-encrypted [true | false]
want-assertion-signed [true | false]
edit saml [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list saml
list saml [ [ [name] | [glob] | [regex] ] ... ]
show running-config saml
show running-config saml [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
DELETE
delete saml [name]
DESCRIPTION
You can use the saml component to create and manage saml aaa servers.
EXAMPLES
create saml my_saml_server { entity-id "https://spvs1.mycompany.com/id" want-assertion-signed true want-assertion-encrypted
false is-authn-request-signed true sp-certificate my_company.crt sp-signkey my_company.key}
Creates a SAML authentication server named my_saml_server with certificate my_company.crt and key my_company.key and
security options requiring signed assertion and want to send signed authentication request.
list saml
Displays a list of aaa saml servers.
delete saml my_saml_server
Deletes the my_saml_server aaa saml server.
OPTIONS
app-service
Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
object. Only the application service can modify or delete the object.
assertion-consumer-binding
Specifies method this BIG-IP as SP uses to receive assertions. Default value is http-post.
attribute-consuming-services
Add one or more attribute consuming services to this SP service. Each attribute consuming service is mapped to a
unique attribute-consuming-service-index. The attribute consuming services added for this SP will be part of the
metadata for the SP that can be exported and shared with IdP.
For example:
The following command associates two attribute consuming services to an SP and maps the first service to index 1 and
the second service to index 2.
modify saml my_saml_server attribute-consuming-services add { my_atcs1 { attribute-consuming-service-index 1 } my_atcs2 { attribute-consuming-service-index 2 } }
auth-context-class-list
Specifies an ordered list of authentication context classes. The BIG-IP as SP uses this list to validate the
authentication context (in the assertion from the IdP) against locally configured context methods (auth-context-
methods) using the specified comparison method (auth-context-comparison-method).
This property is required if you use a comparison method (auth-context-comparison-method) other than the default
('exact'). You can specify any auth-context-class-list list that you have configured on the BIG-IP system. Or, you can
specify the predefined auth-context-class-list list (authentication_contexts_list) that the BIG-IP system provides.
auth-context-comparison-method
Specifies the comparison method that the IdP must use to evaluate the requested context classes auth-context-methods,
one of "exact", "minimum", "maximum", or "better". The default is exact. If non-default comparison method is
configured, all context classes from auth-context-methods must be present in the configured priority list of classes
auth-context-class-list.
auth-context-methods
Specifies a list of authentication context classes that this BIG-IP as SP will request from an IdP. As a response, the
IdP must return an assertion containing one of the requested authentication contexts. Each value can be a session
variable if the comparison method is set to 'exact', which is the default value.
default-attribute-consuming-service
Specifies one of the attribute consuming services associated with this SP as default service. The metadata for the SP
will flag specified service as default.
description
Specifies a unique description for the server. The default is none.
entity-id
Specifies a unique identifier for BIG-IP as SP. Typically 'entity-id' is a URI that points to the BIG-IP virtual
server that is going to act as SAML SP. In case 'entity-id' is not a valid URL, the sp-host attribute is required.
Examples of valid configuration include "https://mycompany-sp", "sp:my:company", and "sp.my.company.com".
force-authn
If enabled, this BIG-IP as SP requests the IdP to authenticate the principal directly rather than rely on a previous
security context.
export-metadata
You can simplify SAML configuration using metadata files. When you use BIG-IP as an SP, you can export metadata for an
SP to a file. Then you can use the file to configure SP metadata on an IdP system by importing the file or using the
information in the file to configure the SP. You can choose to sign metadata while exporting it for better security.
For example:
1. Exporting metadata with signing. This requires metadata-cert and metadata-signkey files.
modify saml aaa_obj {export-metadata with-signing metadata-file /shared/sp_signed_metadata.xml metadata-cert default.crt metadata-signkey default.key}
2. Exporting metadata with no signing.
modify saml aaa_obj {export-metadata no-signing metadata-file /shared/sp_metadata.xml}
idp-connectors
Add one or more IdP connectors to this SP service. BIG-IP SP redirect users to associated IdPs for authentication. If
more IdP connectors associated with the SP, BIG-IP SP selects one of the IdP based on the specified selection
criteria.
For example:
1. The following command associates one IdP connect to an SP
modify saml my_saml_server idp-connectors add { my_idp_connector1 }
2. Following associates multiple IdP connectors to SP with selection criteria based on landing URI. If the landing URI
is /google, the user is sent to IdP as specified by my_idp_connector_google_app and if the landing URI is /salesforce,
the user is sent to IdP as specified by my_idp_connector_for_salesforce.
modify saml my_saml_server idp-connectors add { my_idp_connector_google_app { idp-matching-source "%{session.server.landinguri}" idp-matching-value "/*google" } my_idp_connector_for_salesforce { idp-matching-source "%{session.server.landinguri}" idp-matching-value "/salesforce"}}
is-authn-request-signed
This property specifies whether the SP signs authentication requests while sending them to the IdP. Set it to true if
this BIG-IP SP should sign authentication requests. The default value for this is false.
location-specific
Objects of this class might have location specific attributes. Admin can indicate if object is location specific by
setting it to true.
metadata-cert
Specifies the certificate with public key of the key pair used in signing the metadata. See export-metadata for more
information on metadata export functionality. This is the certificate to be included in signed metadata when we
export metadata. This might or might not be SP certificate.
metadata-file
Specifies the file to which metadata is saved. See export-metadata for more information on metadata export
functionality.
metadata-signkey
Specifies the key that is used to sign SP's metadata. See export-metadata for more information on metadata export
functionality.
name-id-policy-allow-create
A Boolean value used to indicate whether external IdP is allowed, when processing requests from this BIG-IP as SP, to
create a new identifier to represent the principal. Default value is false
name-id-policy-format
A URI reference representing the classification of string-based identifier information. For example, if a Service
Provider (SP) initiates SSO by sending an AuthnRequest to the IDP with format
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", then the IdP response should contain subject identity in
email format. This attribute can be a session variable.
name-id-policy-sp-name-qualifier
Optionally specifies that the assertion subject's identifier be returned in the namespace of an SP other than the
requester, or in the namespace of a SAML affiliation group of SPs. This attribute can be a session variable.
relay-state
Specifies the value where the BIG-IP as SP redirects users after they are successfully authenticated and have been
allowed by access policy. When BIG-IP receives the relay state from the IdP in addition to assertion, then it uses the
value received from IdP to redirect the user to after authentication. Otherwise, BIG-IP uses the value from this
configuration.
provider-name
Optionally specifies the human-readable name of this SAML SP for use by the identity provider.
sp-certificate
BIG-IP includes this certificate in the SAML SP metadata that you export. After the SAML SP metadata is imported on
the IdP, the IdP can use this certificate to verify signed authentication request and to encrypt assertion.
sp-host
Hostname of this BIG-IP as SP. This attribute is required when "entity-id" is not a valid URL.
sp-scheme
Scheme used by this BIG-IP as SP. This attribute is only used when sp-host is not empty. Default value is https.
sp-signkey
This specifies the private key used to sign authentication requests if "is-authn-request-signed property" is set to
true or to decrypt assertions when "want-assertion-encrypted" is set to true.
want-assertion-encrypted
This property specifies whether SP requires encrypted assertions. Set it to true if this BIG-IP SP requires encrypted
assertions from the SAML IdP. The default value for this is false.
want-assertion-signed
This property specifies whether SP requires signed assertions. Set it to true if this BIG-IP SP requires signed
assertions from the SAML IdP. The default value for this is true.
SEE ALSO
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016, 2017. All rights reserved.
BIG-IP 2017-04-25 apm aaa saml(1)