apm sso saml-sp-connector

apm sso saml-sp-connector(1)			  BIG-IP TMSH Manual			 apm sso saml-sp-connector(1)

NAME
       saml-sp-connector - Specify SAML SP connector configuration.

MODULE
       apm sso

SYNTAX
       Configure a saml-sp-connector within the sso module using the syntax shown in the following sections.

   CREATE/MODIFY
	create saml-sp-connector [name]
	modify saml-sp-connector [name]
	  options:
	    app-service [[string] | none]
	    assertion-consumer-services [ {
	       binding	   [http-artifact | http-post | paos]
	       index	   [0 - 65535]
	       is-default  [true | false]
	       uri	   [string]

	    } ]
	    description [[string] | none]
	    encryption-type [aes128 | aes192 | aes256]
	    entity-id [string]
	    import-metadata [ string | none ]
	    is-authn-request-signed [ true | false ]
	    location-specific [ true | false ]
	    metadata-cert [[string] | none]
	    multi-domain-location [[string] | none ]
	    relay-state [[string] | none]
	    signature-type [rsa-sha1 | rsa-sha256 | rsa-sha384 | rsa-sha512]
	    single-logout-binding
	    single-logout-response-uri [string]
	    single-logout-uri [string]
	    sp-certificate [[string] | none]
	    sp-location [external | internal | internal-multi-domain ]
	    sp-name-qualifier [[string] | none]
	    want-assertion-encrypted [ true | false ]
	    want-assertion-signed [ true | false ]
	    want-response-signed [ true | false ]

	edit saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list saml-sp-connector
	list saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
	show running-config saml-sp-connector
	show running-config saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    app-service
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete saml-sp-connector [name]

DESCRIPTION
       You can use the saml-sp-connector component to create and manage SAML SP connectors. An SP connector
       describes a service provider (SP) to which this BIG-IP system, acting as a SAML identity provider (IdP),
       issues assertions.

EXAMPLES
       create saml-sp-connector my_saml_sp_connector { entity-id "https://companyx.sp.com/sp"
       assertion-consumer-services { { uri "https://companyx.sp.com/acs/" is-default true } }
       want-assertion-signed true want-response-signed true want-assertion-encrypted true encryption-type aes256
       is-authn-request-signed false sp-certificate default.crt }
	    Creates a SAML SP connector named my_saml_sp_connector that requires both the assertion and the SAML
	    response to be signed, and the assertion to be encrypted with AES-256.

       create saml-sp-connector my_saml_sp_connector1 { import-metadata /shared/tmp/sp_metadata.xml }
	    Creates a SAML SP connector named my_saml_sp_connector1 from the metadata file
	    "/shared/tmp/sp_metadata.xml".

       create saml-sp-connector my_internal_sp_connector { entity-id "https://internal.sp.com"
       assertion-consumer-services { { uri "https://internal.sp.com/acs" is-default true } } sp-certificate default.crt
       sp-location internal }
	    Creates a SAML SP connector named my_internal_sp_connector for an SP that is located behind the same
	    virtual server that hosts BIG-IP as IdP (identity provider).

       list saml-sp-connector
	    Displays a list of SAML sp connectors.

       delete saml-sp-connector my_saml_sp_connector
	    Deletes the my_saml_sp_connector SAML sp connector.

OPTIONS
       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none.
	    Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
	    modify or delete the object. Only the application service can modify or delete the object.

       assertion-consumer-services
	    List of assertion consumer services (ACS) used by the external SP. Each ACS entry contains the attributes
	    'binding', 'index', 'is-default', and 'uri'. Each ACS must contain a valid URL and an 'index' that is
	    unique within the list. Exactly one ACS entry must be set as the default.

       assertion-consumer-binding
	    This attribute is DEPRECATED. Use assertion-consumer-services instead.

       assertion-consumer-uri
	    This attribute is DEPRECATED. Use assertion-consumer-services instead.

       description
	    Specifies a description for the SAML SP connector. The default is none.

       encryption-type
	    Specifies the cipher BIG-IP as IdP uses to encrypt the assertion. It takes effect only when
	    want-assertion-encrypted is true. The default is aes128.

       entity-id
	    Specifies the unique entity ID of the SP that this SP connector represents.

       import-metadata
	    Specifies the SP metadata file from which the SP connector object is created.  For example:
	    create saml-sp-connector my_saml_sp_connector1 { import-metadata /shared/tmp/sp_metadata.xml }
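	    The following is an added example, not F5 code and not part of this reference. It is a pre-flight check
	    a practitioner can run on SP metadata before using import-metadata: it extracts the fields that map onto
	    SP connector options, enforces the assertion-consumer-services constraints stated above (unique index,
	    exactly one default, valid URL), and emits an equivalent create command in which every security option is
	    stated explicitly rather than inherited from a default. The metadata is constructed for a hypothetical SP,
	    the connector name companyx_sp and the certificate name default.crt are assumptions, and the https-only
	    rule and the choice of rsa-sha256 are this example's policy, not requirements of the reference.

```python
"""Pre-flight check of SP metadata before `create saml-sp-connector ... { import-metadata ... }`."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# SAML binding URI -> value accepted by the tmsh 'binding' attribute.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "http-post",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "http-artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:PAOS": "paos",
}

# Constructed sample metadata for a hypothetical SP (not from any real vendor).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://companyx.sp.com/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...constructed placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://companyx.sp.com/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://companyx.sp.com/acs/" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://companyx.sp.com/acs/artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract the fields that map onto saml-sp-connector options."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not SP metadata")
    acs = [{
        "binding": BINDINGS.get(el.get("Binding")),        # None if unsupported
        "uri": el.get("Location"),
        "index": int(el.get("index", -1)),                 # -1 flags a missing index
        "is_default": el.get("isDefault", "false").lower() == "true",
    } for el in sp.findall("md:AssertionConsumerService", NS)]
    slo = sp.find("md:SingleLogoutService", NS)
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "acs": acs,
        "slo_uri": slo.get("Location") if slo is not None else None,
    }


def validate_acs(acs):
    """Constraints from the tmsh reference (unique index, one default, valid URL),
    plus this example's own policy that every ACS must be an absolute https URL."""
    problems = []
    indexes = [a["index"] for a in acs]
    if not acs:
        problems.append("no AssertionConsumerService entries")
    if len(indexes) != len(set(indexes)):
        problems.append("duplicate ACS index")
    if any(not 0 <= i <= 65535 for i in indexes):
        problems.append("ACS index missing or outside 0-65535")
    if sum(a["is_default"] for a in acs) != 1:
        problems.append("exactly one ACS must be isDefault=true")
    for a in acs:
        u = urlparse(a["uri"] or "")
        if u.scheme != "https" or not u.netloc:
            problems.append(f"ACS uri is not an absolute https URL: {a['uri']!r}")
        if a["binding"] is None:
            problems.append(f"unsupported ACS binding for {a['uri']!r}")
    return problems


def security_warnings(meta):
    """Decisions to make before import; each maps to a connector option."""
    warns = []
    if not meta["authn_requests_signed"]:
        warns.append("SP does not sign AuthnRequests (is-authn-request-signed false): "
                     "the IdP cannot verify who issued an authentication request")
    if not meta["slo_uri"]:
        warns.append("no SingleLogoutService: single-logout-uri will stay unset")
    return warns


def tmsh_create_command(name, meta, sp_certificate="default.crt"):
    """Emit an equivalent `create saml-sp-connector` with every security option stated
    explicitly, so nothing falls back to rsa-sha1 or want-response-signed false."""
    problems = validate_acs(meta["acs"])
    if problems:
        raise ValueError("; ".join(problems))
    acs_entries = " ".join(
        f'{{ binding {a["binding"]} index {a["index"]} is-default '
        f'{"true" if a["is_default"] else "false"} uri "{a["uri"]}" }}'
        for a in sorted(meta["acs"], key=lambda a: a["index"]))
    parts = [
        f"create saml-sp-connector {name} {{",
        f'entity-id "{meta["entity_id"]}"',
        f"assertion-consumer-services {{ {acs_entries} }}",
        "signature-type rsa-sha256",            # override the rsa-sha1 default
        "want-assertion-signed true",
        "want-response-signed true",            # the default is false
        f"is-authn-request-signed {'true' if meta['authn_requests_signed'] else 'false'}",
        f"sp-certificate {sp_certificate}",     # assumed to be installed already
    ]
    if meta["slo_uri"]:
        parts.append(f'single-logout-uri "{meta["slo_uri"]}"')
    parts.append("}")
    return " ".join(parts)


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_METADATA)
    for w in security_warnings(meta):
        print("WARNING:", w)
    print(tmsh_create_command("companyx_sp", meta))
```

	    Importing the metadata directly also works, but the emitted command makes the resulting security settings
	    visible in the running configuration and review-able before the connector is created.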

       is-authn-request-signed
	    Specifies whether the SP signs the authentication requests it sends to BIG-IP as IdP. When true, BIG-IP
	    verifies the signature using sp-certificate. The default value is false.

       location-specific
	    Objects of this class might have location-specific attributes. An administrator can indicate that the
	    object is location specific by setting this attribute to true.

       metadata-cert
	    Specifies the certificate to be used to verify the signature of metadata imported from a file.

       multi-domain-location
	    Specifies the scheme, hostname, and (optionally) port of the virtual server on this BIG-IP behind which
	    this SP is located, for example "https://application.f5.com". This setting is required only when the
	    sp-location attribute is configured as 'internal-multi-domain'.

       relay-state
	    Specifies the value sent to the SP by BIG-IP as IdP as part of the response. This value is only used if
	    the SP did not send RelayState as part of the authentication request.

       signature-type
	    Specifies the signature algorithm used for digital signing of SAML messages. The default value is
	    rsa-sha1. SHA-1 is no longer considered collision resistant; prefer rsa-sha256 or stronger unless the SP
	    cannot verify it.

       single-logout-binding
	    This attribute is reserved for future functionality.

       single-logout-response-uri
	    A URI where this BIG-IP as IdP will send single logout (SLO) responses.

       single-logout-uri
	    A URI where this BIG-IP as IdP will send single logout (SLO) requests.

       sp-certificate
	    Specifies the SP certificate that BIG-IP as IdP uses to verify the signature on authentication requests
	    (see is-authn-request-signed).

       sp-location
	    Specifies where the SP sits in the network topology relative to this BIG-IP system. The default value,
	    external, should be used with the SAML WebSSO profile: the SP is outside BIG-IP and is therefore
	    reachable directly by the user agent. internal indicates that the SP is located behind the virtual
	    server that hosts BIG-IP as IdP, so the SP is not reachable directly by the client.
	    internal-multi-domain indicates that BIG-IP is configured for multi-domain SSO and the SP is located
	    behind a different virtual server on this BIG-IP (identified by multi-domain-location).

       sp-name-qualifier
	    Optionally qualifies an identifier with the name of a service provider or affiliation of providers.

       want-assertion-encrypted
	    Specifies whether the SP requires encrypted assertions. The default value for this attribute is false.

       want-assertion-signed
	    Specifies whether the SP requires signed assertions. The default value for this attribute is true.

       want-response-signed
	    Specifies whether the SP requires signed SAML responses. The default value for this attribute is false.

SEE ALSO
COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016. All rights reserved.

BIG-IP						      2018-01-10			 apm sso saml-sp-connector(1)