apm sso saml-sp-connector

apm sso saml-sp-connector(1)				BIG-IP TMSH Manual			      apm sso saml-sp-connector(1)

NAME
       saml-sp-connector - Specify saml sp connector configuration.

MODULE
       apm sso

SYNTAX
       Configure a saml-sp-connector within the sso module using the syntax shown in the following sections.

   CREATE/MODIFY
	create saml-sp-connector [name]
	modify saml-sp-connector [name]
	  options:
	    app-service [[string] | none]
	    assertion-consumer-services [ {
	       binding	   [http-artifact | http-post | paos]
	       index	   [0 - 65535]
	       is-default  [true | false]
	       uri	   [string]

	    } ]
	    description [[string] | none]
	    encryption-type [aes128 | aes192 | aes256]
	    entity-id [string]
	    import-metadata [ string | none ]
	    is-authn-request-signed [ true | false ]
	    location-specific [ true | false ]
	    metadata-cert [[string] | none]
	    multi-domain-location [[string] | none ]
	    relay-state [[string] | none]
	    signature-type [rsa-sha1 | rsa-sha256 | rsa-sha384 | rsa-sha512]
	    single-logout-binding
	    single-logout-response-uri [string]
	    single-logout-uri [string]
	    sp-certificate [[string] | none]
	    sp-location [external | internal | internal-multi-domain ]
	    sp-name-qualifier [[string] | none]
	    want-assertion-encrypted [ true | false ]
	    want-assertion-signed [ true | false ]
	    want-response-signed [ true | false ]

	edit saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list saml-sp-connector
	list saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
	show running-config saml-sp-connector
	show running-config saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    app-service
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete saml-sp-connector [name]

DESCRIPTION
       You can use the saml-sp-connector component to create and manage SAML SP connectors. An SP connector describes a
       service provider (SP) to BIG-IP acting as a SAML identity provider (IdP): its entity ID, assertion consumer services,
       signing certificate, and the signing and encryption requirements BIG-IP applies to the responses it issues.

EXAMPLES
       create saml-sp-connector my_saml_sp_connector { entity-id "https://companyx.sp.com/sp" assertion-consumer-services { { uri
       "https://companyx.sp.com/acs/" is-default true } } want-assertion-signed true want-response-signed true want-assertion-
       encrypted true encryption-type aes256 is-authn-request-signed false sp-certificate default.crt }
	    Creates a SAML sp-connector named my_saml_sp_connector with security options to encrypt and sign the assertion as well
	    as SAML response.

       create saml-sp-connector my_saml_sp_connector1 { import-metadata /shared/tmp/sp_metadata.xml }
	    Creates a SAML sp-connector named my_saml_sp_connector1 from the metadata file "/shared/tmp/sp_metadata.xml".

       create saml-sp-connector my_internal_sp_connector { entity-id "https://internal.sp.com" assertion-consumer-services { { uri
       "https://internal.sp.com/acs" is-default true } } sp-certificate default.crt sp-location internal }
	    Creates a SAML sp-connector named my_internal_sp_connector for an SP located behind the same virtual server that
	    hosts this BIG-IP as IdP (identity provider), so the SP is not reachable directly by the client.

       list saml-sp-connector
	    Displays a list of SAML sp connectors.

       delete saml-sp-connector my_saml_sp_connector
	    Deletes the my_saml_sp_connector SAML sp connector.

OPTIONS
       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
	    strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
	    object. Only the application service can modify or delete the object.

       assertion-consumer-services
	    List of assertion consumer services (ACS) exposed by the SP. Each ACS entry contains the attributes 'binding', 'index',
	    'is-default', and 'uri'. Each ACS must contain a valid URI and a unique 'index', and exactly one ACS entry must be set
	    as the default; BIG-IP as IdP delivers the SAML response to the default entry when the authentication request does not
	    select another one.

       assertion-consumer-binding
	    This attribute is DEPRECATED. Use assertion-consumer-services instead.

       assertion-consumer-uri
	    This attribute is DEPRECATED. Use assertion-consumer-services instead.

       description
	    Specifies a user-defined description for the SAML SP connector. The default value is none.

       encryption-type
	    Specifies the symmetric cipher that BIG-IP as IdP uses to encrypt the assertion when want-assertion-encrypted is
	    true. The default value is aes128.

       entity-id
	    Specifies the entity ID (the SAML EntityID, usually a URL) that uniquely identifies the SP represented by this SP
	    connector.

       import-metadata
	    Specifies the SAML metadata file from which the SP connector object is created. For example: create saml-sp-connector
	    my_saml_sp_connector1 { import-metadata /shared/tmp/sp_metadata.xml }

       is-authn-request-signed
	    Specifies whether the SP signs the authentication requests it sends to BIG-IP as IdP. When true, BIG-IP verifies the
	    signature using sp-certificate. The default value is false, in which case authentication requests are accepted
	    without signature verification.

       location-specific
	    Objects of this class might have location-specific attributes. An administrator can mark an object as location
	    specific by setting this attribute to true.

       metadata-cert
	    Specifies the certificate used to verify the signature on the metadata file specified by import-metadata.

       multi-domain-location
	    Specifies the scheme, hostname, and (optionally) port of the virtual server on this BIG-IP behind which this SP is
	    located, e.g. "https://application.f5.com". This attribute is required only when sp-location is configured as
	    'internal-multi-domain'.

       relay-state
	    Specifies the value sent to the SP by BIG-IP as IdP as part of the response. This value is only used if the SP did not
	    send RelayState as part of the authentication request.

       signature-type
	    Specifies the signature algorithm used for digital signing of SAML messages. The default value is rsa-sha1. SHA-1 is
	    deprecated for digital signatures; configure rsa-sha256 or stronger whenever the SP supports it.

       single-logout-binding
	    This attribute is reserved for future functionality.

       single-logout-response-uri
	    A URI where this BIG-IP as IdP will send single logout (SLO) responses.

       single-logout-uri
	    A URI where this BIG-IP as IdP will send single logout (SLO) requests.

       sp-certificate
	    Specifies the SP certificate that BIG-IP as IdP uses to verify the signature on authentication requests (see
	    is-authn-request-signed).

       sp-location
	    Specifies the location of the SP from a network topology viewpoint. The default value, external, should be used with
	    the SAML WebSSO profile; it indicates that the SP is located outside BIG-IP and is therefore reachable directly by
	    the user agent. internal indicates that the SP is located behind the virtual server that hosts BIG-IP as IdP, and is
	    therefore not reachable directly by the client. internal-multi-domain indicates that BIG-IP is configured for
	    multi-domain SSO and the SP is located behind a different virtual server on this BIG-IP (see multi-domain-location).

       sp-name-qualifier
	    Optionally qualifies an identifier with the name of a service provider or affiliation of providers.

       want-assertion-encrypted
	    Specifies whether the SP requires encrypted assertions. When true, BIG-IP as IdP encrypts the assertion using the
	    cipher selected by encryption-type. The default value is false.

       want-assertion-signed
	    Specifies whether the SP requires signed assertions. The default value is true.

       want-response-signed
	    Specifies whether the SP requires signed SAML responses. The default value is false. Keep at least one of
	    want-assertion-signed and want-response-signed set to true; if both are false, BIG-IP as IdP issues a response that
	    carries no signature and the SP cannot verify its origin.
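	    The import-metadata, assertion-consumer-services, is-authn-request-signed and want-assertion-signed attributes
	    above all correspond to fields in the SP's SAML 2.0 metadata. The following Python is an added example, not part of
	    this manual or of F5's implementation: it parses a constructed SP metadata document, maps it onto the connector
	    attributes, audits the defaults a reviewer would reject, and renders the resulting tmsh create command in the syntax
	    shown under CREATE/MODIFY. The entity ID, ACS URLs and connector name are constructed samples; want-response-signed,
	    want-assertion-encrypted, encryption-type and signature-type are not carried in SP metadata, so they start at the
	    manual's defaults and are set explicitly by harden().

```python
"""Added example (not from the BIG-IP manual): derive saml-sp-connector settings
from SAML 2.0 SP metadata, audit weak defaults, and render the tmsh command.
The metadata document and connector name below are constructed samples."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
# SAML binding URIs -> values accepted by 'assertion-consumer-services { binding ... }'
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "http-post",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "http-artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:PAOS": "paos",
}

# Constructed sample: a default HTTPS ACS plus a second ACS that is plain http.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://companyx.sp.com/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://companyx.sp.com/acs/" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://companyx.sp.com/acs-artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _xml_bool(value, default):
    return default if value is None else value.strip().lower() in ("true", "1")


def connector_from_metadata(xml_text, name):
    """Return a dict keyed by saml-sp-connector attribute names."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("metadata root is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor; not an SP")
    acs = []
    for el in sp.findall("md:AssertionConsumerService", NS):
        binding = BINDINGS.get(el.get("Binding"))
        if binding is None:          # skip bindings the connector does not accept
            continue
        acs.append({"binding": binding, "index": int(el.get("index")),
                    "is-default": _xml_bool(el.get("isDefault"), False),
                    "uri": el.get("Location")})
    if not acs:
        raise ValueError("no AssertionConsumerService with a supported binding")
    if len({a["index"] for a in acs}) != len(acs):
        raise ValueError("ACS index values must be unique")
    if not any(a["is-default"] for a in acs):
        acs[0]["is-default"] = True   # exactly one entry must be the default
    return {
        "name": name,
        "entity-id": root.get("entityID"),
        "assertion-consumer-services": acs,
        "is-authn-request-signed": _xml_bool(sp.get("AuthnRequestsSigned"), False),
        "want-assertion-signed": _xml_bool(sp.get("WantAssertionsSigned"), True),
        # Not carried in SP metadata: start from the manual's documented defaults.
        "want-response-signed": False,
        "want-assertion-encrypted": False,
        "encryption-type": "aes128",
        "signature-type": "rsa-sha1",
    }


def audit(conn):
    """Flag settings a reviewer would reject before the connector goes live."""
    findings = []
    if conn["signature-type"] == "rsa-sha1":
        findings.append("signature-type rsa-sha1: SHA-1 signatures are deprecated; use rsa-sha256")
    if not conn["want-assertion-signed"] and not conn["want-response-signed"]:
        findings.append("neither assertion nor response is signed; SP cannot authenticate the IdP")
    if not conn["is-authn-request-signed"]:
        findings.append("is-authn-request-signed false: AuthnRequests are not verified with sp-certificate")
    for a in conn["assertion-consumer-services"]:
        if not a["uri"].startswith("https://"):
            findings.append(f"ACS index {a['index']} is not https: {a['uri']}")
    return findings


def harden(conn):
    """Copy of conn with signing and encryption tightened (manual's first example plus rsa-sha256)."""
    return {**conn, "signature-type": "rsa-sha256", "want-response-signed": True,
            "want-assertion-encrypted": True, "encryption-type": "aes256"}


def to_tmsh(conn):
    """Render a 'create' command in the CREATE/MODIFY syntax of this manual page."""
    b = lambda v: "true" if v else "false"
    acs = " ".join(f'{{ binding {a["binding"]} index {a["index"]} is-default {b(a["is-default"])} uri "{a["uri"]}" }}'
                   for a in conn["assertion-consumer-services"])
    return (f'create apm sso saml-sp-connector {conn["name"]} {{ entity-id "{conn["entity-id"]}" '
            f"assertion-consumer-services {{ {acs} }} "
            f'is-authn-request-signed {b(conn["is-authn-request-signed"])} '
            f'want-assertion-signed {b(conn["want-assertion-signed"])} '
            f'want-response-signed {b(conn["want-response-signed"])} '
            f'want-assertion-encrypted {b(conn["want-assertion-encrypted"])} '
            f'encryption-type {conn["encryption-type"]} signature-type {conn["signature-type"]} }}')


if __name__ == "__main__":
    c = connector_from_metadata(SAMPLE_SP_METADATA, "my_saml_sp_connector")
    for finding in audit(c):
        print("finding:", finding)
    print(to_tmsh(harden(c)))
```

	    On the sample metadata, audit() reports the rsa-sha1 default and the plain-http ACS; harden() clears the first, but
	    the second survives because an ACS location is a property of the SP and must be corrected in the SP's metadata, not
	    in the connector.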

SEE ALSO
COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016. All rights reserved.

BIG-IP							    2018-01-10				      apm sso saml-sp-connector(1)