apm sso saml
apm sso saml(1) BIG-IP TMSH Manual apm sso saml(1)
NAME
saml - Specify SAML SSO configuration.
MODULE
apm sso
SYNTAX
Configure the saml within the sso module using the syntax shown in the following sections.
CREATE/MODIFY
create saml [name]
modify saml [name]
options:
apm-log-config [[string] | none]
app-service [[string] | none]
artifact-resolution-service-name [name | none]
assertion-validity [integer]
attributes [none | {
{
name [[string] | none],
name-format [ basic | unspecified | uri ],
multi-values {
[string]
},
encrypt [true | false],
encryption-type [aes128 | aes192 | aes256]
}
} ]
auth-context-method [string | none]
description [[string] | none]
encrypt-subject [true | false]
encryption-type-subject [aes128 | aes192 | aes256]
entity-id [string]
export-metadata [no-signing | with-signing]
idp-certificate [string | none]
idp-certificate-session-var [string | none]
idp-host [string | none]
idp-scheme [http | https]
idp-signkey [string | none]
idp-signkey-session-var [string | none]
key-transport-algorithm [ rsa-oaep | rsa-v1.5 ]
location-specific [true | false]
log-level [alert | crit | debug | emerg | err | info | notice | warn]
metadata-cert [[string] | none]
metadata-file [[string] | none]
metadata-signkey [string | none]
name-qualifier [[string] | none]
saml-profiles [add | delete | modify | none | replace-all-with] {
[ecp | web-browser-sso]
}
sp-connectors [add | delete | modify | none | replace-all-with] {
[string]
}
subject-type [email-address | kerberos | transient | win-domain-qualified-name | entity | persistent | unspecified | x509-subject]
subject-value [ string | none ]
edit saml [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list saml
list saml [ [ [name] | [glob] | [regex] ] ... ]
show running-config saml
show running-config saml [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
DELETE
delete saml [name]
DESCRIPTION
You can use the saml component to create and manage SAML SSO objects.
EXAMPLES
create saml my_saml_sso_obj { entity-id "https://myidpvs.big-ip.com/idp" subject-type email-address subject-value
test@mycompany.com idp-certificate default.crt idp-signkey default.key sp-connectors add { google_apps salesforce }}
Creates a SAML SSO object named my_saml_sso_obj with SP connectors "google_apps" and "salesforce"
create saml my_saml_sso_obj1 { entity-id "https://myidpvs.big-ip.com/idp" subject-type email-address subject-value
test@mycompany.com idp-certificate default.crt idp-signkey default.key sp-connectors add { google_apps sp_salesforce }
attributes {{name "group" multi-values { "PD" "Admin" }} {name "title" multi-values { "engineer1" }}} }
Creates a SAML SSO object named my_saml_sso_obj1 with attributes "group" and "title".
list saml
Displays list of SAML SSO objects.
delete saml my_saml_sso_obj
Deletes the my_saml_sso_obj SAML SSO object.
OPTIONS
apm-log-config
Specifies log-setting object to associate with this saml. If this value is empty, logging framework uses log-setting
configuration associated with the access profile where sso is used.
app-service
Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
object. Only the application service can modify or delete the object.
assertion-validity
Specifies assertion validity period in seconds.
artifact-resolution-service-name
Specifies the artifact resolution service to be used by this BIG-IP as IdP to receive artifacts and resolve them for
assertions.
attributes
Specifies list of attributes as part of assertion. Both attribute name and values can be session variables. Property
'value' is DEPRECATED; "multi-values" must be used instead. "name-format" can be used to optionally specify format of
the attribute name.
create saml my_saml_sso_obj1 { entity-id "https://myidpvs.big-ip.com/idp" subject-type email-address subject-value
test@mycompany.com idp-certificate default.crt idp-signkey default.key sp-connectors add { google_apps sp_salesforce }
attributes {{name "group" multi-values { "%{session.ldap.last.attr.primarygroup}"}} {name "name" multi-values {
"firstName" "lastName" } name-format basic}} }
Creates a SAML SSO object named my_saml_sso_obj1 with attributes "group" and "name".
auth-context-method
Specifies an authentication context method used by this BIG-IP as IdP when creating assertions. This attribute can be
a session variable.
description
Specifies a unique description for SAML SSO object. The default is none.
encrypt-subject
Set to true if assertion 'Subject' must be encrypted. Default value is false.
encryption-type-subject
Encryption algorithm used to encrypt 'Subject' element in assertion. Default value is aes128.
entity-id
Specifies unique identifier for BIG-IP as IdP. Typically, 'entity-id' is a URI that points to the BIG-IP virtual
server that is going to act as a SAML IdP. In case 'entity-id' is not a valid URL, the idp-host attribute is required.
Examples of valid configuration include "https://mycompany-idp", "idp:my:company", and "idp.my.company.com"
export-metadata
You can simplify SAML configuration using metadata files. When you use APM as an IdP, you can export metadata for IdP.
You can save metadata to a file and give it to the SP to enable SP to import SP's SAML configuration or enable SP to
use information from the metadata file to configure the IdP. You can choose to sign metadata while exporting it for
better security.
For example:
1. Exporting metadata with signing. This requires metadata-signkey and metadata-cert files.
modify saml my_saml_sso_obj {export-metadata with-signing metadata-file /shared/idp_signed_metadata.xml metadata-cert default.crt metadata-signkey default.key}
2. Exporting metadata with no signing.
modify saml my_saml_sso_obj {export-metadata no-signing metadata-file /shared/idp_metadata.xml}
idp-certificate
BIG-IP includes this certificate in the SAML IdP metadata that you export. After the SAML IdP metadata is imported on
the SP, the SP can use this certificate to verify the signature of assertion sent by this BIG-IP as IdP.
idp-certificate-session-var
Specifies the certificate this BIG-IP as IdP will use to sign SAML messages including SAML assertion. This attribute
must be specified in session variable format. This attribute is mutually exclusive with .
idp-host
Hostname of this BIG-IP as IdP. This attribute is required when "entity-id" is not a valid URL.
idp-scheme
Scheme used by this BIG-IP as IdP. This attribute is only used when idp-host is not empty. Default value is https.
idp-signkey
Specifies the private key used for signing assertion by BIG-IP as IdP.
idp-signkey-session-var
Specifies the signing key this BIG-IP as IdP will use to sign SAML messages including SAML assertion. This attribute
must be specified in session variable format. This attribute is mutually exclusive with .
key-transport-algorithm
Specifies the key transport algorithm to be used for encrypted attributes, subject-value, or assertion. Default and
recommended value is rsa-oaep. rsa-v1.5 is NOT RECOMMENDED due to security risks associated with the algorithm, and
should NOT be used except for compatibility with older applications.
location-specific
Objects of this class might have location specific attribute(s). Admin can indicate if object is location specific by
setting it to true.
log-level
log-level is deprecated. Instead use apm-log-config to customize log-setting.
metadata-cert
Specifies the certificate with public key of the key pair used in signing the metadata. See export-metadata for more
information on metadata export functionality. This is the certificate to include in signed metadata when we export
metadata. This might or might not be IdP certificate.
metadata-file
Specifies the file to which metadata is saved. See export-metadata for more information on metadata export
functionality.
metadata-signkey
This specifies the key that is used to sign IdP's metadata. See export-metadata for more information on metadata
export functionality.
name-qualifier
Specifies the security or administrative domain of the IdP (this BIG-IP system). This value usually matches IdP Entity
ID.
saml-profiles
List of SAML profiles enabled on this BIG-IP as IdP. Default value is web-browser-sso.
sp-connectors
Specifies list of SP connectors associated with this SAML SSO object. When this SSO object is assigned to SAML
resource then only one entry is allowed for SP connectors. If SAML SSO object is assigned to access profile then you
can add multiple SAML SP connectors.
subject-type
Specifies type of the subject to be used while creating SAML assertion.
subject-value
Specifies the value of the subject to be included inside SAML assertion. This can be a session variable. For example:
%{session.last.logonname}, %{session.ad.last.attr.userEmail}
SEE ALSO
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016. All rights reserved.
BIG-IP 2017-11-29 apm sso saml(1)