apm sso saml

apm sso saml(1) 	      BIG-IP TMSH Manual	       apm sso saml(1)



NAME
       saml - Specify SAML SSO configuration.

MODULE
       apm sso

SYNTAX
       Configure the saml within the sso module using the syntax shown in the
       following sections.

   CREATE/MODIFY
	create saml [name]
	modify saml [name]
	  options:
	    apm-log-config [[string] | none]
	    app-service [[string] | none]
	    artifact-resolution-service-name [name | none]
	    assertion-validity [integer]
	    attributes [none | {
	     {
	       name [[string] | none],
	       multi-values {
		   [string]
	       },
	       encrypt [true | false],
	       encryption-type [aes128 | aes192 | aes256]
	     }
	    } ]
	    auth-context-method [string | none]
	    description [[string] | none]
	    encrypt-subject [true | false]
	    encryption-type-subject [aes128 | aes192 | aes256]
	    entity-id [string]
	    export-metadata [no-signing | with-signing]
	    idp-certificate [string | none]
	    idp-host [string | none]
	    idp-scheme [http | https]
	    idp-signkey [string | none]
	    key-transport-algorithm [ rsa-oaep | rsa-v1.5 ]
	    location-specific [true | false]
	    log-level [alert | crit | debug | emerg | err | info | notice | warn]
	    metadata-cert [[string] | none]
	    metadata-file [[string] | none]
	    metadata-signkey [string | none]
	    saml-profiles [add | delete | modify | none | replace-all-with] {
		[ecp | web-browser-sso]
	    }
	    sp-connectors [add | delete | modify | none | replace-all-with] {
	       [string]
	    }
	    subject-type [email-address | kerberos | transient | win-domain-qualified-name | entity | persistent | unspecified | x509-subject]
	    subject-value [ string | none ]

	edit saml [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list saml
	list saml [ [ [name] | [glob] | [regex] ] ... ]
	show running-config saml
	show running-config saml [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    app-service
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete saml [name]

DESCRIPTION
       You can use the saml component to create and manage SAML SSO objects.

EXAMPLES
       create saml my_saml_sso_obj { entity-id "https://myidpvs.big-ip.com/idp"
       subject-type email-address subject-value test@mycompany.com
       idp-certificate default.crt idp-signkey default.key
       sp-connectors add { google_apps salesforce }}
	    Creates a SAML SSO object named my_saml_sso_obj with SP connectors
	    "google_apps" and "salesforce".

       create saml my_saml_sso_obj1 { entity-id "https://myidpvs.big-ip.com/idp"
       subject-type email-address subject-value test@mycompany.com
       idp-certificate default.crt idp-signkey default.key
       sp-connectors add { google_apps sp_salesforce }
       attributes {{name "group" multi-values { "PD" "Admin" }}
       {name "title" multi-values { "engineer1" }}} }
	    Creates a SAML SSO object named my_saml_sso_obj1 with attributes
	    "group" and "title".

       list saml
	    Displays list of SAML SSO objects.

       delete saml my_saml_sso_obj
	    Deletes the my_saml_sso_obj SAML SSO object.

OPTIONS
       apm-log-config
	    Specifies the log-setting object to associate with this saml
	    object. If this value is empty, the logging framework uses the
	    log-setting configuration associated with the access profile in
	    which SSO is used.

       app-service
	    Specifies the name of the application service to which the object
	    belongs. The default value is none. Note: If the strict-updates
	    option is enabled on the application service that owns the object,
	    you cannot modify or delete the object. Only the application
	    service can modify or delete the object.

       assertion-validity
	    Specifies the assertion validity period in seconds.

       artifact-resolution-service-name
	    Specifies the artifact resolution service used by this BIG-IP,
	    acting as IdP, to receive artifacts and resolve them into
	    assertions.

       attributes
	    Specifies the list of attributes included in the assertion. Both
	    attribute names and values can be session variables. The 'value'
	    property is DEPRECATED; "multi-values" must be used instead.

	    create saml my_saml_sso_obj1 { entity-id "https://myidpvs.big-ip.com/idp"
	    subject-type email-address subject-value test@mycompany.com
	    idp-certificate default.crt idp-signkey default.key
	    sp-connectors add { google_apps sp_salesforce }
	    attributes {{name "group" multi-values {
	    "%{session.ldap.last.attr.primarygroup}"}}
	    {name "name" multi-values { "firstName" "lastName" }}} }

	    Creates a SAML SSO object named my_saml_sso_obj1 with attributes
	    "group" and "name".

       auth-context-method
	    Specifies the authentication context method used by this BIG-IP
	    as IdP when creating assertions. This attribute can be a session
	    variable.

       description
	    Specifies a unique description for the SAML SSO object. The
	    default is none.

       encrypt-subject
	    Set to true if the assertion 'Subject' must be encrypted. The
	    default value is false.

       encryption-type-subject
	    Encryption algorithm used to encrypt the 'Subject' element in the
	    assertion. The default value is aes128.

       entity-id
	    Specifies the unique identifier for this BIG-IP as IdP. Typically,
	    'entity-id' is a URI that points to the BIG-IP virtual server that
	    is going to act as a SAML IdP. If 'entity-id' is not a valid URL,
	    the idp-host attribute is required. Examples of valid values
	    include "https://mycompany-idp", "idp:my:company", and
	    "idp.my.company.com".

       export-metadata
	    You can simplify SAML configuration by using metadata files. When
	    you use APM as an IdP, you can export the IdP metadata, save it
	    to a file and give it to the SP, so that the SP can import its
	    SAML configuration from the file or use the information in it to
	    configure the IdP. You can choose to sign the metadata while
	    exporting it for better security.

	    For example:

	    1. Exporting metadata with signing. This requires metadata-signkey
	    and metadata-cert files.

	     modify saml my_saml_sso_obj {export-metadata with-signing metadata-file /shared/idp_signed_metadata.xml metadata-cert default.crt metadata-signkey default.key}

	    2. Exporting metadata with no signing.

	     modify saml my_saml_sso_obj {export-metadata no-signing metadata-file /shared/idp_metadata.xml}

       idp-certificate
	    BIG-IP includes this certificate in the SAML IdP metadata that you
	    export. After the SAML IdP metadata is imported on the SP, the SP
	    can use this certificate to verify the signature of assertions
	    sent by this BIG-IP as IdP.

       idp-host
	    Hostname of this BIG-IP as IdP. This attribute is required when
	    'entity-id' is not a valid URL.

       idp-scheme
	    Scheme used by this BIG-IP as IdP. This attribute is only used
	    when idp-host is not empty. The default value is https.

       idp-signkey
	    Specifies the private key used by this BIG-IP as IdP to sign
	    assertions.

       key-transport-algorithm
	    Specifies the key transport algorithm used for encrypted
	    attributes, subject-value, or assertion. The default and
	    recommended value is rsa-oaep. rsa-v1.5 is NOT RECOMMENDED due to
	    security risks associated with the algorithm, and should NOT be
	    used except for compatibility with older applications.

       location-specific
	    Objects of this class might have location-specific attributes. An
	    admin can indicate that an object is location specific by setting
	    this option to true.

       log-level
	    log-level is deprecated. Use apm-log-config instead to customize
	    the log-setting.

       metadata-cert
	    Specifies the certificate containing the public key of the key
	    pair used to sign the metadata. See export-metadata for more
	    information on metadata export functionality. This is the
	    certificate included in signed metadata when metadata is
	    exported. It might or might not be the IdP certificate.

       metadata-file
	    Specifies the file to which metadata is saved. See export-metadata
	    for more information on metadata export functionality.

       metadata-signkey
	    Specifies the key used to sign the IdP's metadata. See
	    export-metadata for more information on metadata export
	    functionality.

       saml-profiles
	    List of SAML profiles enabled on this BIG-IP as IdP. The default
	    value is web-browser-sso.

       sp-connectors
	    Specifies the list of SP connectors associated with this SAML SSO
	    object. When this SSO object is assigned to a SAML resource, only
	    one SP connector entry is allowed. If the SAML SSO object is
	    assigned to an access profile, you can add multiple SAML SP
	    connectors.

       subject-type
	    Specifies the type of subject used when creating the SAML
	    assertion.

       subject-value
	    Specifies the value of the subject included in the SAML
	    assertion. This can be a session variable, for example:
	    %{session.last.logonname}, %{session.ad.last.attr.userEmail}
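       The entity-id, export-metadata and key-transport-algorithm entries
       above each state a setting that matters for security. The following
       audit script is an added example, not F5 code: it parses the
       brace-nested layout of tmsh `list` output (the SAMPLE text is
       constructed, not captured from a device) and flags rsa-v1.5 key
       transport, unsigned metadata export, and a non-URL entity-id without
       the required idp-host.

```python
# Added example (not F5 code): audit tmsh `list apm sso saml` output; SAMPLE is constructed.
import re
from urllib.parse import urlparse
SAMPLE = """\
apm sso saml good_idp {
    entity-id https://myidpvs.big-ip.com/idp
    export-metadata with-signing
    key-transport-algorithm rsa-oaep
    sp-connectors {
        google_apps
    }
}
apm sso saml legacy_idp {
    entity-id idp:my:company
    export-metadata no-signing
    key-transport-algorithm rsa-v1.5
}
"""

def parse_saml_objects(text):
    """Return {name: {option: value}}; nested blocks (sp-connectors, attributes) are skipped."""
    objs, current, depth = {}, None, 0
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"apm sso saml (\S+) \{$", s)
        if m and depth == 0:
            current, depth = m.group(1), 1
            objs[current] = {}
        elif s.endswith("{"):
            depth += 1          # entering a nested block inside the object
        elif s == "}":
            depth -= 1
        elif depth == 1 and current:
            key, _, val = s.partition(" ")
            objs[current][key] = val
    return objs

def audit(text):
    # Each check mirrors guidance stated in the apm sso saml man page.
    findings = {}
    for name, opts in parse_saml_objects(text).items():
        issues = []
        if opts.get("key-transport-algorithm") == "rsa-v1.5":
            issues.append("key-transport-algorithm rsa-v1.5 is not recommended; use rsa-oaep")
        if opts.get("export-metadata") == "no-signing":
            issues.append("metadata is exported without signing")
        if urlparse(opts.get("entity-id", "")).scheme not in ("http", "https") and not opts.get("idp-host"):
            issues.append("entity-id is not a URL, so idp-host is required")
        findings[name] = issues
    return findings
```

       Run it against real output by replacing SAMPLE with the text of
       `tmsh list apm sso saml`; an empty list for an object means none of
       the three conditions was found.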

SEE ALSO
COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016. All rights
       reserved.



BIG-IP				  2016-09-28		       apm sso saml(1)