apm aaa saml

apm aaa saml(1) 				  BIG-IP TMSH Manual				      apm aaa saml(1)

NAME
       saml - Specify a SAML server configuration used for authentication.

MODULE
       apm aaa

SYNTAX
       Configure the saml component within the aaa module using the syntax shown in the following sections.

   CREATE/MODIFY
	create saml [name]
	modify saml [name]
	  options:
	    app-service [[string] | none]
	    assertion-consumer-binding [http-artifact | http-post]
	    attribute-consuming-services [add | delete | modify | none | replace-all-with] {
	      [name] {
		attribute-consuming-service-index [integer]
	      }
	    }
	    auth-context-class-list [[string] | none]
	    auth-context-comparison-method [ better | exact | maximum | minimum ]
	    auth-context-methods {
		[string]
	    }
	    default-attribute-consuming-service [[string] | none]
	    description [[string] | none]
	    entity-id [string]
	    force-authn [true | false]
	    export-metadata [ no-signing | with-signing ]
	    idp-connectors [add | delete | modify | none | replace-all-with] {
	      [name] {
		idp-matching-source [[string] | none]
		idp-matching-value [[string] | none]
	      }
	    }
	    is-authn-request-signed [true | false]
	    location-specific [true | false]
	    metadata-cert [[string] | none]
	    metadata-file [[string] | none]
	    metadata-signkey [[string] | none]
	    name-id-policy-allow-create [true | false]
	    name-id-policy-format [[string] | none]
	    name-id-policy-sp-name-qualifier [[string] | none]
	    provider-name [[string] | none]
	    relay-state [[string] | none]
	    sp-certificate [[string] | none]
	    sp-host [[string] | none]
	    sp-scheme [http | https]
	    sp-signkey [[string] | none]
	    want-assertion-encrypted [true | false]
	    want-assertion-signed [true | false]

	edit saml [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list saml
	list saml [ [ [name] | [glob] | [regex] ] ... ]
	show running-config saml
	show running-config saml [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    app-service
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete saml [name]

DESCRIPTION
       You can use the saml component to create and manage saml aaa servers.

EXAMPLES
       create saml my_saml_server { entity-id "https://spvs1.mycompany.com/id" want-assertion-signed true want-assertion-encrypted false is-authn-request-signed true sp-certificate my_company.crt sp-signkey my_company.key }
	    Creates a SAML authentication server named my_saml_server with certificate my_company.crt and key
	    my_company.key, configured to require signed assertions from the IdP and to send signed
	    authentication requests to it.

       list saml
	    Displays a list of aaa saml servers.

       delete saml my_saml_server
	    Deletes the my_saml_server aaa saml server.

OPTIONS
       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none.
	    Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
	    modify or delete the object. Only the application service can modify or delete the object.

       assertion-consumer-binding
	    Specifies the binding this BIG-IP as SP uses to receive assertions from the IdP. The default value is
	    http-post.

       attribute-consuming-services
	    Adds one or more attribute consuming services to this SP service. Each attribute consuming service is
	    mapped to a unique attribute-consuming-service-index. The attribute consuming services added for this SP
	    become part of the SP metadata that can be exported and shared with the IdP.

	    For example:

	    The following command associates two attribute consuming services to an SP and maps the first service to
	    index 1 and the second service to index 2.

	     modify saml my_saml_server attribute-consuming-services add { my_atcs1 { attribute-consuming-service-index 1 } my_atcs2 { attribute-consuming-service-index 2 } }

       auth-context-class-list
	    Specifies an ordered list of authentication context classes. The BIG-IP as SP uses this list to validate
	    the authentication context (in the assertion from the IdP) against locally configured context methods
	    (auth-context-methods) using the specified comparison method (auth-context-comparison-method).

	    This property is required if you use a comparison method (auth-context-comparison-method) other than the
	    default ('exact'). You can specify any auth-context-class-list list that you have configured on the
	    BIG-IP system, or the predefined auth-context-class-list list (authentication_contexts_list) that the
	    BIG-IP system provides.

       auth-context-comparison-method
	    Specifies the comparison method that the IdP must use to evaluate the requested context classes
	    (auth-context-methods), one of "exact", "minimum", "maximum", or "better". The default is exact. If a
	    non-default comparison method is configured, all context classes from auth-context-methods must be
	    present in the configured priority list of classes (auth-context-class-list).

       auth-context-methods
	    Specifies a list of authentication context classes that this BIG-IP as SP will request from an IdP. As a
	    response, the IdP must return an assertion containing one of the requested authentication contexts. Each
	    value can be a session variable if the comparison method is set to 'exact', which is the default value.
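An added example (not BIG-IP code) that applies the four comparison methods described above to the authentication context class an IdP returns in its assertion. The class-list ordering (weakest first) and the four class URIs used as sample values are assumptions; the comparison semantics follow the SAML 2.0 core definitions of exact, minimum, maximum and better:

```python
"""Evaluate the AuthnContextClassRef returned in an IdP assertion against the
classes an SP requested, using the four SAML comparison methods named on this
page (exact, minimum, maximum, better). Constructed example, not BIG-IP code.
Assumption: auth-context-class-list is ordered weakest to strongest."""

PWD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
SMARTCARD = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"

# Plays the role of auth-context-class-list (weakest first, constructed).
CLASS_LIST = [PWD, PPT, X509, SMARTCARD]


def context_accepted(returned, requested, class_list, method="exact"):
    """Return True if the assertion's context satisfies the SP's request.

    'requested' plays the role of auth-context-methods and 'method' the role
    of auth-context-comparison-method. For non-exact methods every class
    involved must appear in class_list, as the page requires; an unknown
    class is rejected rather than ranked by guesswork.
    """
    if method == "exact":
        return returned in requested
    rank = {cls: i for i, cls in enumerate(class_list)}
    if returned not in rank or any(r not in rank for r in requested):
        return False
    got = rank[returned]
    asked = [rank[r] for r in requested]
    if method == "minimum":      # at least as strong as one requested class
        return got >= min(asked)
    if method == "maximum":      # must not exceed the strongest requested class
        return got <= max(asked)
    if method == "better":       # strictly stronger than every requested class
        return got > max(asked)
    raise ValueError(f"unknown comparison method: {method}")
```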

       default-attribute-consuming-service
	    Specifies one of the attribute consuming services associated with this SP as the default service. The
	    SP metadata flags the specified service as the default.

       description
	    Specifies a unique description for the server. The default is none.

       entity-id
	    Specifies a unique identifier for BIG-IP as SP. Typically 'entity-id' is a URI that points to the BIG-IP
	    virtual server that is going to act as SAML SP. If 'entity-id' is not a valid URL, the sp-host
	    attribute is required. Examples of valid configuration include "https://mycompany-sp", "sp:my:company",
	    and "sp.my.company.com".

       force-authn
	    If enabled, this BIG-IP as SP requests the IdP to authenticate the principal directly rather than rely on
	    a previous security context.

       export-metadata
	    You can simplify SAML configuration using metadata files. When you use BIG-IP as an SP, you can export
	    metadata for an SP to a file. Then you can use the file to configure SP metadata on an IdP system by
	    importing the file or using the information in the file to configure the SP. You can choose to sign
	    metadata while exporting it for better security.

	    For example:

	    1. Exporting metadata with signing. This requires metadata-cert and metadata-signkey files.

	     modify saml aaa_obj {export-metadata with-signing metadata-file /shared/sp_signed_metadata.xml metadata-cert default.crt metadata-signkey default.key}

	    2. Exporting metadata with no signing.

	     modify saml aaa_obj {export-metadata no-signing metadata-file /shared/sp_metadata.xml}
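An added example (not BIG-IP code) that reads an exported SP metadata file and maps its SPSSODescriptor back to the tmsh options on this page, flagging settings a reviewer would want changed before the file is shared with an IdP. The sample metadata and its certificate value are constructed placeholders; the element and attribute names are the standard SAML 2.0 metadata ones:

```python
"""Audit exported SAML SP metadata for the settings the tmsh options on this page
control. Constructed example, not BIG-IP code; the sample metadata is made up."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDINGS = {  # SAML binding URI -> assertion-consumer-binding value
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "http-post",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "http-artifact",
}


def audit_sp_metadata(xml_text):
    """Map the SPSSODescriptor back to the tmsh options it reflects."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    certs = list(sp.iter(f"{{{DS}}}X509Certificate"))  # KeyDescriptor contents
    return {
        "entity-id": root.get("entityID"),
        "is-authn-request-signed": sp.get("AuthnRequestsSigned", "false") == "true",
        "want-assertion-signed": sp.get("WantAssertionsSigned", "false") == "true",
        "assertion-consumer-binding": sorted({BINDINGS.get(a.get("Binding"), "other") for a in acs}),
        "sp-certificate": len(certs) > 0,
    }


def weak_settings(report):
    """Findings a reviewer would raise before sharing this metadata with an IdP."""
    findings = []
    if not report["is-authn-request-signed"]:
        findings.append("is-authn-request-signed is false: IdP cannot verify request origin")
    if not report["want-assertion-signed"]:
        findings.append("want-assertion-signed is false: unsigned assertions would be accepted")
    if not report["sp-certificate"]:
        findings.append("no sp-certificate: IdP cannot verify requests or encrypt assertions")
    return findings


# Constructed SP metadata matching the page's create example (key material is a placeholder).
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://spvs1.mycompany.com/id">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
      <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Location="https://spvs1.mycompany.com/acs"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```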

       idp-connectors
	    Adds one or more IdP connectors to this SP service. BIG-IP SP redirects users to the associated IdPs
	    for authentication. If more than one IdP connector is associated with the SP, BIG-IP SP selects one of
	    the IdPs based on the specified selection criteria.

	    For example:

	    1. The following command associates one IdP connector with an SP:

	     modify saml my_saml_server idp-connectors add { my_idp_connector1 }

	    2. The following command associates multiple IdP connectors with an SP, with selection criteria based
	    on the landing URI. If the landing URI is /google, the user is sent to the IdP specified by
	    my_idp_connector_google_app; if the landing URI is /salesforce, the user is sent to the IdP specified
	    by my_idp_connector_for_salesforce.

	     modify saml my_saml_server idp-connectors add { my_idp_connector_google_app { idp-matching-source "%{session.server.landinguri}" idp-matching-value "/*google" } my_idp_connector_for_salesforce { idp-matching-source "%{session.server.landinguri}" idp-matching-value "/salesforce"}}

       is-authn-request-signed
	    This property specifies whether the SP signs authentication requests while sending them to the IdP. Set
	    it to true if this BIG-IP SP should sign authentication requests. The default value for this is false.

       location-specific
	    Objects of this class might have location-specific attributes. An administrator can indicate that an
	    object is location specific by setting this to true.

       metadata-cert
	    Specifies the certificate containing the public key of the key pair used to sign the metadata. See
	    export-metadata for more information on the metadata export functionality. This certificate is
	    included in the signed metadata when you export metadata; it might or might not be the SP certificate.

       metadata-file
	    Specifies the file to which metadata is saved. See export-metadata for more information on metadata
	    export functionality.

       metadata-signkey
	    Specifies the key that is used to sign the SP's metadata. See export-metadata for more information on
	    the metadata export functionality.

       name-id-policy-allow-create
	    A Boolean value that indicates whether the external IdP is allowed, when processing requests from this
	    BIG-IP as SP, to create a new identifier to represent the principal. The default value is false.

       name-id-policy-format
	    A URI reference representing the classification of string-based identifier information. For example, if a
	    Service Provider (SP) initiates SSO by sending an AuthnRequest to the IdP with format
	    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", then the IdP response should contain the subject
	    identity in email format. This attribute can be a session variable.

       name-id-policy-sp-name-qualifier
	    Optionally specifies that the assertion subject's identifier be returned in the namespace of an SP other
	    than the requester, or in the namespace of a SAML affiliation group of SPs. This attribute can be a
	    session variable.

       relay-state
	    Specifies the value to which the BIG-IP as SP redirects users after they are successfully authenticated
	    and allowed by the access policy. When BIG-IP receives a relay state from the IdP in addition to the
	    assertion, it redirects the user to the value received from the IdP after authentication. Otherwise,
	    BIG-IP uses the value from this configuration.

       provider-name
	    Optionally specifies the human-readable name of this SAML SP for use by the identity provider.

       sp-certificate
	    BIG-IP includes this certificate in the SAML SP metadata that you export. After the SAML SP metadata is
	    imported on the IdP, the IdP can use this certificate to verify signed authentication requests and to
	    encrypt assertions.

       sp-host
	    Hostname of this BIG-IP as SP. This attribute is required when "entity-id" is not a valid URL.

       sp-scheme
	    Scheme used by this BIG-IP as SP. This attribute is only used when sp-host is not empty. Default value is
	    https.

       sp-signkey
	    Specifies the private key used to sign authentication requests when "is-authn-request-signed" is set to
	    true, and to decrypt assertions when "want-assertion-encrypted" is set to true.

       want-assertion-encrypted
	    This property specifies whether SP requires encrypted assertions. Set it to true if this BIG-IP SP
	    requires encrypted assertions from the SAML IdP.  The default value for this is false.

       want-assertion-signed
	    This property specifies whether SP requires signed assertions. Set it to true if this BIG-IP SP requires
	    signed assertions from the SAML IdP.  The default value for this is true.

SEE ALSO
COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016, 2017. All rights reserved.

BIG-IP						      2017-04-25				      apm aaa saml(1)