apm aaa saml
apm aaa saml(1) BIG-IP TMSH Manual apm aaa saml(1)
NAME
saml - Specify a SAML server configuration used for authentication.
MODULE
apm aaa
SYNTAX
Configure the saml component within the aaa module using the syntax
shown in the following sections.
CREATE/MODIFY
create saml [name]
modify saml [name]
options:
app-service [[string] | none]
assertion-consumer-binding [http-artifact | http-post]
auth-context-class-list [[string] | none]
auth-context-comparison-method [ better | exact | maximum | minimum ]
auth-context-methods {
[string]
}
description [[string] | none]
entity-id [string]
force-authn [true | false]
export-metadata [ no-signing | with-signing ]
idp-connectors [add | delete | modify | none | replace-all-with] {
[name] {
idp-matching-source [[string] | none]
idp-matching-value [[string] | none]
}
}
is-authn-request-signed [true | false]
location-specific [true | false]
metadata-cert [[string] | none]
metadata-file [[string] | none]
metadata-signkey [[string] | none]
name-id-policy-allow-create [true | false]
name-id-policy-format [[string] | none]
name-id-policy-sp-name-qualifier [[string] | none]
relay-state [[string] | none]
sp-certificate [[string] | none]
sp-host [[string] | none]
sp-scheme [http | https]
sp-signkey [[string] | none]
want-assertion-encrypted [true | false]
want-assertion-signed [true | false]
edit saml [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list saml
list saml [ [ [name] | [glob] | [regex] ] ... ]
show running-config saml
show running-config saml [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
DELETE
delete saml [name]
DESCRIPTION
You can use the saml component to create and manage SAML AAA servers,
which configure the BIG-IP system as a SAML service provider (SP) that
authenticates users against an external IdP.
EXAMPLES
create saml my_saml_server { entity-id "https://spvs1.mycompany.com/id" want-assertion-signed true want-assertion-encrypted false is-authn-request-signed true sp-certificate my_company.crt sp-signkey my_company.key }
Creates a SAML authentication server named my_saml_server that uses
certificate my_company.crt and key my_company.key, requires signed
assertions from the IdP, and signs the authentication requests it
sends to the IdP.
list saml
Displays a list of aaa saml servers.
delete saml my_saml_server
Deletes the my_saml_server aaa saml server.
OPTIONS
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
assertion-consumer-binding
Specifies the SAML binding that this BIG-IP system, acting as SP, uses
to receive assertions from the IdP: http-post or http-artifact. The
default value is http-post.
auth-context-class-list
Specifies an ordered list of authentication context classes. The
BIG-IP as SP uses this list to validate the authentication context
(in the assertion from the IdP) against locally configured context
methods (auth-context-methods) using the specified comparison
method (auth-context-comparison-method).
This property is required if you use a comparison method (auth-
context-comparison-method) other than the default ('exact'). You
can specify any auth-context-class-list that you have configured on
the BIG-IP system, or the predefined list
(authentication_contexts_list) that the BIG-IP system provides.
auth-context-comparison-method
Specifies the comparison method that the IdP must use to evaluate
the requested context classes (auth-context-methods): one of
"exact", "minimum", "maximum", or "better". The default is exact.
If a non-default comparison method is configured, every context
class in auth-context-methods must be present in the configured
priority list of classes (auth-context-class-list).
auth-context-methods
Specifies a list of authentication context classes that this BIG-IP
system, acting as SP, requests from the IdP. In response, the IdP
must return an assertion containing one of the requested
authentication contexts. Each value can be a session variable if the
comparison method is set to 'exact', which is the default.
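As an added illustration (not F5 code) of how the three auth-context options above work together, the function below checks the AuthnContext class returned by an IdP against the requested classes under each comparison method, ranking classes by their position in an ordered weakest-to-strongest list. The list ordering, and the reading of minimum/maximum/better as rank comparisons following the SAML 2.0 Core definitions, are this example's assumptions.

```python
# Constructed priority list, weakest first.  The URIs are standard SAML 2.0
# AuthnContext class identifiers; their relative ordering is an assumption
# made for this example and would be site policy on a real system.
CLASS_LIST = [
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
]


def validate_authn_context(received, requested, method, class_list=CLASS_LIST):
    """Return True if the class the IdP returned satisfies the requested
    classes under the given comparison method.

    received   -- AuthnContextClassRef from the assertion
    requested  -- the classes sent in the AuthnRequest (auth-context-methods)
    method     -- exact | minimum | maximum | better
    class_list -- ordered weakest-to-strongest (auth-context-class-list)
    """
    if method == "exact":
        # No ordering needed: the returned class must be one we asked for.
        return received in requested
    if method not in ("minimum", "maximum", "better"):
        raise ValueError(f"unknown comparison method: {method}")
    rank = {uri: i for i, uri in enumerate(class_list)}
    # Rule from this page: with a non-default method every requested class
    # must appear in the configured priority list, or it cannot be ranked.
    missing = [c for c in requested if c not in rank]
    if missing:
        raise ValueError(f"not in auth-context-class-list: {missing}")
    if received not in rank:
        return False  # an unranked class cannot be shown to meet the bar
    got, asked = rank[received], [rank[c] for c in requested]
    if method == "minimum":  # at least as strong as one requested class
        return got >= min(asked)
    if method == "maximum":  # no stronger than the strongest requested class
        return got <= max(asked)
    return got > max(asked)  # better: stronger than every requested class
```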
description
Specifies a unique description for the server. The default is
none.
entity-id
Specifies a unique identifier for this BIG-IP system as SP. Typically
'entity-id' is a URI that points to the BIG-IP virtual server that
acts as the SAML SP. If 'entity-id' is not a valid URL, the sp-host
attribute is required. Examples of valid values are
"https://mycompany-sp", "sp:my:company", and "sp.my.company.com".
force-authn
If enabled, this BIG-IP as SP requests the IdP to authenticate the
principal directly rather than rely on a previous security
context.
export-metadata
You can simplify SAML configuration by using metadata files. When you
use the BIG-IP system as an SP, you can export the SP metadata to a
file and then use that file to configure the SP on the IdP system,
either by importing the file or by reading the values from it. You
can choose to sign the metadata while exporting it so that the
importing system can verify it.
For example:
1. Exporting metadata with signing. This requires the metadata-cert
and metadata-signkey files.
modify saml aaa_obj {export-metadata with-signing metadata-file /shared/sp_signed_metadata.xml metadata-cert default.crt metadata-signkey default.key}
2. Exporting metadata without signing.
modify saml aaa_obj {export-metadata no-signing metadata-file /shared/sp_metadata.xml}
idp-connectors
Adds one or more IdP connectors to this SP service. The BIG-IP SP
redirects users to the associated IdPs for authentication. If more
than one IdP connector is associated with the SP, the BIG-IP SP
selects one of the IdPs based on the specified selection criteria.
For example:
1. The following command associates one IdP connector with an SP:
modify saml my_saml_server idp-connectors add { my_idp_connector1 }
2. The following command associates multiple IdP connectors with an
SP, using selection criteria based on the landing URI. If the landing
URI is /google, the user is sent to the IdP specified by
my_idp_connector_google_app; if the landing URI is /salesforce, the
user is sent to the IdP specified by my_idp_connector_for_salesforce.
modify saml my_saml_server idp-connectors add { my_idp_connector_google_app { idp-matching-source "%{session.server.landinguri}" idp-matching-value "/*google" } my_idp_connector_for_salesforce { idp-matching-source "%{session.server.landinguri}" idp-matching-value "/salesforce"}}
is-authn-request-signed
This property specifies whether the SP signs authentication
requests while sending them to the IdP. Set it to true if this
BIG-IP SP should sign authentication requests. The default value
for this is false.
location-specific
Objects of this class might have location-specific attributes. An
administrator can indicate that an object is location specific by
setting this property to true.
metadata-cert
Specifies the certificate that contains the public key of the key
pair used to sign the metadata. See export-metadata for more
information on metadata export functionality. This certificate is
included in the signed metadata when you export it; it may or may not
be the same certificate as sp-certificate.
metadata-file
Specifies the file to which metadata is saved. See export-metadata
for more information on metadata export functionality.
metadata-signkey
Specifies the key that is used to sign the SP's metadata. See
export-metadata for more information on metadata export functionality.
name-id-policy-allow-create
A Boolean value that indicates whether the external IdP is allowed,
when processing requests from this BIG-IP as SP, to create a new
identifier to represent the principal. The default value is false.
name-id-policy-format
A URI reference representing the classification of string-based
identifier information. For example, if a Service Provider (SP)
initiates SSO by sending an AuthnRequest to the IdP with format
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", then the
IdP response should contain the subject identity in email format.
This attribute can be a session variable.
name-id-policy-sp-name-qualifier
Optionally specifies that the assertion subject's identifier be
returned in the namespace of an SP other than the requester, or in
the namespace of a SAML affiliation group of SPs. This attribute
can be a session variable.
relay-state
Specifies the URL to which the BIG-IP system as SP redirects users
after they have been authenticated successfully and allowed by the
access policy. When the BIG-IP system receives a relay state from the
IdP along with the assertion, it redirects the user to the value
received from the IdP; otherwise, it uses the value from this
configuration.
sp-certificate
The BIG-IP system includes this certificate in the SAML SP metadata
that you export. After the SAML SP metadata is imported on the IdP,
the IdP can use this certificate to verify signed authentication
requests and to encrypt assertions.
sp-host
Hostname of this BIG-IP as SP. This attribute is required when
"entity-id" is not a valid URL.
sp-scheme
Scheme used by this BIG-IP as SP. This attribute is only used when
sp-host is not empty. Default value is https.
sp-signkey
Specifies the private key used to sign authentication requests when
is-authn-request-signed is set to true, or to decrypt assertions when
want-assertion-encrypted is set to true.
want-assertion-encrypted
This property specifies whether SP requires encrypted assertions.
Set it to true if this BIG-IP SP requires encrypted assertions
from the SAML IdP. The default value for this is false.
want-assertion-signed
This property specifies whether SP requires signed assertions. Set
it to true if this BIG-IP SP requires signed assertions from the
SAML IdP. The default value for this is true.
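A configuration review helper, added here as an example (not F5 code): it parses the brace-formatted output of `list apm aaa saml <name>`, which omits default-valued properties unless all-properties is given, applies the defaults documented in the options above, and flags settings that weaken protection of assertions and requests or that violate the dependencies this page states. The sample output, object name, connector name and file names are constructed.

```python
# Defaults exactly as documented in the OPTIONS section of this man page.
DEFAULTS = {
    "want-assertion-signed": "true",
    "want-assertion-encrypted": "false",
    "is-authn-request-signed": "false",
    "sp-scheme": "https",
}

# Constructed sample `list apm aaa saml` output; all names are assumptions.
SAMPLE_LIST_OUTPUT = """\
apm aaa saml my_saml_server {
    entity-id https://spvs1.mycompany.com/id
    idp-connectors { my_idp_connector1 { } }
    sp-certificate my_company.crt
    sp-scheme http
    sp-signkey my_company.key
    want-assertion-signed false
}
"""

def parse_saml_object(text):
    """Return {property: value} for one object's top-level properties;
    nested blocks such as idp-connectors are skipped and defaults fill gaps."""
    props = dict(DEFAULTS)
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        # Only "key value" lines directly inside the object body count.
        if depth == 1 and line and not line.endswith(("{", "}")):
            key, _, value = line.partition(" ")
            props[key] = value.strip().strip('"')
        depth += line.count("{") - line.count("}")
    return props

def review(props):
    """Return (property, value, reason) tuples for weak or inconsistent settings."""
    checks = [
        ("want-assertion-signed", "true", "assertions are accepted without verifying an IdP signature"),
        ("is-authn-request-signed", "true", "IdP cannot verify that AuthnRequests come from this SP"),
        ("sp-scheme", "https", "SP endpoints are advertised over plaintext HTTP"),
    ]
    findings = [(p, props[p], why) for p, want, why in checks if props[p] != want]
    # Dependencies stated on this page: a private key is needed to sign requests
    # or decrypt assertions, and sp-host is needed when entity-id is not a URL.
    if "true" in (props["is-authn-request-signed"], props["want-assertion-encrypted"]) and "sp-signkey" not in props:
        findings.append(("sp-signkey", "(unset)", "needed to sign requests or decrypt assertions"))
    if not props.get("entity-id", "").startswith(("http://", "https://")) and "sp-host" not in props:
        findings.append(("sp-host", "(unset)", "required when entity-id is not a URL"))
    return findings
```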
SEE ALSO
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016. All rights
reserved.
BIG-IP 2016-03-14 apm aaa saml(1)