apm sso saml-sp-connector
apm sso saml-sp-connector(1) BIG-IP TMSH Manual apm sso saml-sp-connector(1)
NAME
saml-sp-connector - Specify saml sp connector configuration.
MODULE
apm sso
SYNTAX
Configure a saml-sp-connector within the sso module using the syntax
shown in the following sections.
CREATE/MODIFY
create saml-sp-connector [name]
modify saml-sp-connector [name]
options:
app-service [[string] | none]
assertion-consumer-services [ {
binding [http-artifact | http-post | paos]
index [0 - 65535]
is-default [true | false]
uri [string]
} ]
description [[string] | none]
encryption-type [aes128 | aes192 | aes256]
entity-id [string]
import-metadata [ string | none ]
is-authn-request-signed [ true | false ]
location-specific [ true | false ]
metadata-cert [[string] | none]
multi-domain-location [[string] | none ]
relay-state [[string] | none]
signature-type [rsa-sha1 | rsa-sha256 | rsa-sha384 | rsa-sha512]
single-logout-binding
single-logout-response-uri [string]
single-logout-uri [string]
sp-certificate [[string] | none]
sp-location [external | internal | internal-multi-domain ]
sp-name-qualifier [[string] | none]
want-assertion-encrypted [ true | false ]
want-assertion-signed [ true | false ]
want-response-signed [ true | false ]
edit saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list saml-sp-connector
list saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
show running-config saml-sp-connector
show running-config saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
DELETE
delete saml-sp-connector [name]
DESCRIPTION
You can use the saml-sp-connector component to create and manage SAML SP
connectors.
EXAMPLES
create saml-sp-connector my_saml_sp_connector { entity-id "https://companyx.sp.com/sp" assertion-consumer-services { { uri "https://companyx.sp.com/acs/" is-default true } } want-assertion-signed true want-response-signed true want-assertion-encrypted true encryption-type aes256 is-authn-request-signed false sp-certificate default.crt }
Creates a SAML sp-connector named my_saml_sp_connector with security
options to encrypt and sign the assertion as well as the SAML response.
create saml-sp-connector my_saml_sp_connector1 { import-metadata /shared/tmp/sp_metadata.xml }
Creates a SAML sp-connector named my_saml_sp_connector1 from the
metadata file "/shared/tmp/sp_metadata.xml".
create saml-sp-connector my_internal_sp_connector { entity-id "https://internal.sp.com" assertion-consumer-services { { uri "https://internal.sp.com/acs" is-default true } } sp-certificate default.crt sp-location internal }
Creates a SAML sp-connector named my_internal_sp_connector which is
load balanced by the same virtual server that hosts this BIG-IP as IdP
(identity provider).
list saml-sp-connector
Displays a list of SAML sp connectors.
delete saml-sp-connector my_saml_sp_connector
Deletes the my_saml_sp_connector SAML sp connector.
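The following is an added example, not part of the BIG-IP manual or F5's code. It shows what import-metadata does for you: it reads an SP's SAML metadata, collects the AssertionConsumerService endpoints, applies the rules the assertion-consumer-services option states (valid URL, unique index, one default entry), and renders the equivalent create command. The metadata document and its hostnames are constructed for the example.

```python
"""Derive a tmsh 'create saml-sp-connector' command from SAML SP metadata.

Added example, not from the BIG-IP manual. The sample metadata below is
constructed; the binding keywords and option names are those listed in
the manual's SYNTAX section.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# SAML binding URIs mapped to the tmsh 'binding' keywords.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "http-post",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "http-artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:PAOS": "paos",
}

# Constructed sample SP metadata (hostnames are placeholders).
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://companyx.sp.example/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://companyx.sp.example/acs/"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://companyx.sp.example/acs-artifact/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return entity-id, ACS list and signing flags from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = []
    for el in sp.findall("md:AssertionConsumerService", NS):
        binding = BINDINGS.get(el.get("Binding"))
        if binding is None:          # not a binding the connector supports
            continue
        acs.append({
            "binding": binding,
            "index": int(el.get("index")),
            "is-default": el.get("isDefault", "false").lower() == "true",
            "uri": el.get("Location"),
        })
    return {
        "entity-id": root.get("entityID"),
        "assertion-consumer-services": acs,
        "is-authn-request-signed": sp.get("AuthnRequestsSigned", "false") == "true",
        # When the attribute is absent, fall back to the manual's default (true).
        "want-assertion-signed": sp.get("WantAssertionsSigned", "true") == "true",
    }


def validate_acs(acs):
    """Apply the manual's rules: valid URL, unique index, exactly one default."""
    errors = []
    indexes = [a["index"] for a in acs]
    if len(set(indexes)) != len(indexes):
        errors.append("ACS index values must be unique")
    if sum(1 for a in acs if a["is-default"]) != 1:
        errors.append("exactly one ACS entry must be is-default true")
    for a in acs:
        u = urlparse(a["uri"] or "")
        if u.scheme not in ("http", "https") or not u.netloc:
            errors.append("ACS uri is not a valid URL: %r" % a["uri"])
        if not 0 <= a["index"] <= 65535:
            errors.append("ACS index out of range: %d" % a["index"])
    return errors


def render_create(name, opts):
    """Render the one-line tmsh create command in the manual's syntax."""
    def b(v):
        return "true" if v else "false"
    acs_parts = ['{ binding %s index %d is-default %s uri "%s" }'
                 % (a["binding"], a["index"], b(a["is-default"]), a["uri"])
                 for a in opts["assertion-consumer-services"]]
    return ('create saml-sp-connector %s { entity-id "%s" '
            'assertion-consumer-services { %s } is-authn-request-signed %s '
            'want-assertion-signed %s }') % (
        name, opts["entity-id"], " ".join(acs_parts),
        b(opts["is-authn-request-signed"]), b(opts["want-assertion-signed"]))


if __name__ == "__main__":
    opts = parse_sp_metadata(SAMPLE_METADATA)
    problems = validate_acs(opts["assertion-consumer-services"])
    print("\n".join(problems) if problems else render_create("my_sp", opts))
```

Running the script prints a single create command that can be pasted into tmsh; if the metadata violates one of the ACS rules, the rule it breaks is printed instead, which is the same class of error import-metadata would reject.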
OPTIONS
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
assertion-consumer-services
List of assertion consumer services (ACS) used by the external SP.
Each ACS entry contains the attributes 'binding', 'index',
'is-default', and 'uri'. Each ACS must contain a valid URL and a
unique 'index'. One ACS entry must be set as default.
assertion-consumer-binding
This attribute is DEPRECATED. Use assertion-consumer-services
instead.
assertion-consumer-uri
This attribute is DEPRECATED. Use assertion-consumer-services
instead.
description
Specifies a unique description for the SAML SP connector. The default
is none.
encryption-type
Specifies the type of encryption BIG-IP as IdP uses to encrypt the
assertion. The default is aes128.
entity-id
Specifies the unique entity ID of the SP to which this connector points.
import-metadata
Specifies the metadata file used to create the SP connector object.
For example: create saml-sp-connector my_saml_sp_connector1 { import-metadata /shared/tmp/sp_metadata.xml }
is-authn-request-signed
Specifies whether the SP signs the authentication requests it sends to
BIG-IP as IdP. The default value is false.
location-specific
Objects of this class may have location-specific attributes. An
administrator can mark an object as location-specific by setting this
to true.
metadata-cert
Specifies the certificate to be used to verify the signature of
metadata imported from a file.
multi-domain-location
Specifies the scheme, hostname, and (optionally) port of the virtual
server on this BIG-IP behind which this SP is located, e.g.
"https://application.f5.com". This setting is required only when the
sp-location attribute is set to 'internal-multi-domain'.
relay-state
Specifies the value sent to the SP by BIG-IP as IdP as part of the
response. This value is only used if the SP did not send
RelayState as part of the authentication request.
signature-type
Specifies the signature algorithm used for digital signing of SAML
messages. The default value is rsa-sha1.
single-logout-binding
This attribute is reserved for future functionality.
single-logout-response-uri
A URI where this BIG-IP as IdP will send single logout (SLO)
responses.
single-logout-uri
A URI where this BIG-IP as IdP will send single logout (SLO)
requests.
sp-certificate
Specifies the SP certificate that BIG-IP as IdP uses to verify the
signature of authentication requests.
sp-location
Specifies the location of the SP from the network topology viewpoint.
external
The default. Use this value with the SAML WebSSO profile. It indicates
that the SP is located externally from the BIG-IP perspective and is
therefore reachable directly by the user-agent.
internal
Indicates that the configured SP is located behind the virtual server
that hosts the BIG-IP IdP, and is therefore not reachable directly by
the client.
internal-multi-domain
Indicates that BIG-IP is configured for multi-domain SSO, and the SP is
therefore located behind a different virtual server of this BIG-IP.
sp-name-qualifier
Optionally qualifies an identifier with the name of a service
provider or affiliation of providers.
want-assertion-encrypted
Specifies whether the SP requires encrypted assertions. The default
value for this attribute is false.
want-assertion-signed
Specifies whether the SP requires signed assertions. The default value
for this attribute is true.
want-response-signed
Specifies whether the SP requires signed SAML responses. The default
value for this attribute is false.
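As an added example (not part of the BIG-IP manual or F5's code), the script below checks a set of saml-sp-connector options against the dependencies the OPTIONS section states, namely that internal-multi-domain needs a multi-domain-location, that a signed AuthnRequest needs an sp-certificate to verify it with, and that the documented signature-type default is rsa-sha1, and renders the modify command that corrects what it finds. The defaults are the ones listed above; the connector dictionaries are constructed inputs.

```python
"""Lint saml-sp-connector options against the manual's stated constraints
and render a corrective 'modify' command.

Added example, not from the BIG-IP manual. DEFAULTS are the values the
OPTIONS section documents; EXAMPLE is a constructed connector.
"""
from urllib.parse import urlparse

# Defaults as documented in OPTIONS, applied when a key is absent.
DEFAULTS = {
    "signature-type": "rsa-sha1",
    "encryption-type": "aes128",
    "sp-location": "external",
    "is-authn-request-signed": False,
    "want-assertion-signed": True,
    "want-response-signed": False,
    "want-assertion-encrypted": False,
}


def lint_connector(opts):
    """Return (findings, fixes): findings are messages, fixes are the
    option/value pairs a 'modify' should apply."""
    cfg = {**DEFAULTS, **opts}
    findings, fixes = [], {}

    # multi-domain-location is required only for internal-multi-domain and
    # takes the form scheme://host[:port] (the manual's example form).
    if cfg["sp-location"] == "internal-multi-domain":
        loc = cfg.get("multi-domain-location") or ""
        u = urlparse(loc)
        if (not loc or u.scheme not in ("http", "https") or not u.netloc
                or u.path not in ("", "/")):
            findings.append("sp-location internal-multi-domain needs "
                            "multi-domain-location of the form scheme://host[:port]")

    # sp-certificate is what the IdP uses to verify signed AuthnRequests.
    if cfg["is-authn-request-signed"] and not cfg.get("sp-certificate"):
        findings.append("is-authn-request-signed true but no sp-certificate to verify with")

    # The documented default rsa-sha1 relies on SHA-1, which is deprecated
    # for digital signatures.
    if cfg["signature-type"] == "rsa-sha1":
        findings.append("signature-type rsa-sha1 (default) relies on SHA-1; use rsa-sha256 or stronger")
        fixes["signature-type"] = "rsa-sha256"

    # With neither the assertion nor the response signed, the SP has no
    # signature to verify the IdP's message against.
    if not cfg["want-assertion-signed"] and not cfg["want-response-signed"]:
        findings.append("neither assertion nor response is signed")
        fixes["want-assertion-signed"] = "true"

    return findings, fixes


def render_modify(name, fixes):
    """Render a one-line 'modify saml-sp-connector' applying the fixes."""
    if not fixes:
        return None
    body = " ".join("%s %s" % (k, v) for k, v in sorted(fixes.items()))
    return "modify saml-sp-connector %s { %s }" % (name, body)


# Constructed connector resembling the manual's first EXAMPLES entry, which
# sets the want-* options but leaves signature-type at its default.
EXAMPLE = {
    "entity-id": "https://companyx.sp.com/sp",
    "want-assertion-signed": True,
    "want-response-signed": True,
    "want-assertion-encrypted": True,
    "encryption-type": "aes256",
    "is-authn-request-signed": False,
    "sp-certificate": "default.crt",
}

if __name__ == "__main__":
    findings, fixes = lint_connector(EXAMPLE)
    for f in findings:
        print("WARN:", f)
    print(render_modify("my_saml_sp_connector", fixes))
```

Run against the constructed EXAMPLE, the only finding is the inherited rsa-sha1 default, and the rendered fix is a modify that sets signature-type rsa-sha256; the other rules fire only when an option combination the manual describes as required is missing.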
SEE ALSO
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016. All rights
reserved.
BIG-IP 2018-01-10 apm sso saml-sp-connector(1)