apm sso saml-sp-connector
apm sso saml-sp-connector(1) BIG-IP TMSH Manual apm sso saml-sp-connector(1)
NAME
saml-sp-connector - Specify saml sp connector configuration.
MODULE
apm sso
SYNTAX
Configure a saml-sp-connector within the sso module using the syntax shown in the following sections.
CREATE/MODIFY
create saml-sp-connector [name]
modify saml-sp-connector [name]
options:
app-service [[string] | none]
assertion-consumer-services [ {
binding [http-artifact | http-post | paos]
index [0 - 65535]
is-default [true | false]
uri [string]
} ]
description [[string] | none]
encryption-type [aes128 | aes192 | aes256]
entity-id [string]
import-metadata [ string | none ]
is-authn-request-signed [ true | false ]
location-specific [ true | false ]
metadata-cert [[string] | none]
multi-domain-location [[string] | none ]
relay-state [[string] | none]
signature-type [rsa-sha1 | rsa-sha256 | rsa-sha384 | rsa-sha512]
single-logout-binding
single-logout-response-uri [string]
single-logout-uri [string]
sp-certificate [[string] | none]
sp-location [external | internal | internal-multi-domain ]
sp-name-qualifier [[string] | none]
want-assertion-encrypted [ true | false ]
want-assertion-signed [ true | false ]
want-response-signed [ true | false ]
edit saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list saml-sp-connector
list saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
show running-config saml-sp-connector
show running-config saml-sp-connector [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
DELETE
delete saml-sp-connector [name]
DESCRIPTION
You can use the saml-sp-connector component to create and manage SAML SP connectors.
EXAMPLES
create saml-sp-connector my_saml_sp_connector { entity-id "https://companyx.sp.com/sp" assertion-consumer-services { { uri "https://companyx.sp.com/acs/" is-default true } } want-assertion-signed true want-response-signed true want-assertion-encrypted true encryption-type aes256 is-authn-request-signed false sp-certificate default.crt }
Creates a SAML sp-connector named my_saml_sp_connector with security options that sign and encrypt the assertion and also sign the SAML response.
create saml-sp-connector my_saml_sp_connector1 { import-metadata /shared/tmp/sp_metadata.xml }
Creates a SAML sp-connector named my_saml_sp_connector1 from the metadata file "/shared/tmp/sp_metadata.xml".
create saml-sp-connector my_internal_sp_connector { entity-id "https://internal.sp.com" assertion-consumer-services { { uri "https://internal.sp.com/acs" is-default true } } sp-certificate default.crt sp-location internal }
Creates a SAML sp-connector named my_internal_sp_connector for an SP that is load balanced by the same virtual server that hosts this BIG-IP as IdP (identity provider).
list saml-sp-connector
Displays a list of SAML SP connectors.
delete saml-sp-connector my_saml_sp_connector
Deletes the SAML SP connector named my_saml_sp_connector.
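The import-metadata example reads from SP metadata the same fields that the first example sets explicitly. The following Python script is an added example, not F5 code: it parses a constructed, minimal SP metadata document (placeholder hostnames) and renders the equivalent explicit create command, applying the ACS constraints stated under OPTIONS, so an import can be reviewed before it is applied.

```python
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# SAML binding URIs -> values accepted by the tmsh 'binding' option
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "http-post",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "http-artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:PAOS": "paos",
}
# Constructed sample SP metadata; the hostnames are placeholders, not a real SP.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://companyx.sp.com/sp"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://companyx.sp.com/acs/"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://companyx.sp.com/acs-artifact/"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    sp = root.find(MD + "SPSSODescriptor")
    acs = [{
        "binding": BINDINGS[el.get("Binding")],  # KeyError on unsupported binding
        "index": int(el.get("index")),
        "is-default": el.get("isDefault", "false").lower() == "true",
        "uri": el.get("Location"),
    } for el in sp.findall(MD + "AssertionConsumerService")]
    # Same constraints the man page states: unique index, one default entry.
    if len({a["index"] for a in acs}) != len(acs):
        raise ValueError("duplicate ACS index")
    if not any(a["is-default"] for a in acs):
        raise ValueError("one ACS entry must be is-default true")
    return {
        "entity-id": root.get("entityID"),
        "is-authn-request-signed": sp.get("AuthnRequestsSigned", "false") == "true",
        "want-assertion-signed": sp.get("WantAssertionsSigned", "false") == "true",
        "assertion-consumer-services": acs,
    }

def to_tmsh(name, meta):
    acs = " ".join('{ binding %s index %d is-default %s uri "%s" }' % (
        a["binding"], a["index"], str(a["is-default"]).lower(), a["uri"])
        for a in meta["assertion-consumer-services"])
    return ('create saml-sp-connector %s { entity-id "%s" assertion-consumer-services '
            "{ %s } is-authn-request-signed %s want-assertion-signed %s }" % (
                name, meta["entity-id"], acs,
                str(meta["is-authn-request-signed"]).lower(),
                str(meta["want-assertion-signed"]).lower()))
```

Bindings other than the three the man page lists raise a KeyError, and the ACS checks reject metadata that tmsh would refuse, so the rendered command can be compared against what import-metadata would produce.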
OPTIONS
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
assertion-consumer-services
Specifies the list of assertion consumer services (ACS) used by the external SP. Each ACS entry contains the attributes 'binding', 'index', 'is-default', and 'uri'. Each ACS must contain a valid URI and a unique 'index', and one ACS entry must be set as the default.
assertion-consumer-binding
This attribute is DEPRECATED. Use assertion-consumer-services instead.
assertion-consumer-uri
This attribute is DEPRECATED. Use assertion-consumer-services instead.
description
Specifies a unique description for the SAML SP connector. The default is none.
encryption-type
Specifies the type of encryption that BIG-IP as IdP uses to encrypt the assertion. The default is aes128.
entity-id
Specifies the unique ID (entity ID) of the SP that this SP connector points to.
import-metadata
Specifies the metadata file from which the SP connector object is created. For example: create saml-sp-connector my_saml_sp_connector1 { import-metadata /shared/tmp/sp_metadata.xml }
is-authn-request-signed
Specifies whether the SP signs the authentication requests it sends to BIG-IP as IdP. The default value is false.
location-specific
Objects of this class might have location-specific attributes. An administrator can indicate that an object is location specific by setting this option to true.
metadata-cert
Specifies the certificate to be used to verify the signature of metadata imported from a file.
multi-domain-location
Specifies the scheme, hostname, and (optionally) port of the virtual server on this BIG-IP behind which this SP is located, for example "https://application.f5.com". This option is required only when the sp-location attribute is set to 'internal-multi-domain'.
relay-state
Specifies the RelayState value that BIG-IP as IdP sends to the SP as part of the response. This value is used only if the SP did not send RelayState as part of the authentication request.
signature-type
Specifies the signature algorithm used to digitally sign SAML messages. The default value is rsa-sha1.
single-logout-binding
This attribute is reserved for future functionality.
single-logout-response-uri
Specifies the URI to which this BIG-IP as IdP sends single logout (SLO) responses.
single-logout-uri
Specifies the URI to which this BIG-IP as IdP sends single logout (SLO) requests.
sp-certificate
Specifies the SP certificate that BIG-IP as IdP uses to verify the signature of authentication requests.
sp-location
Specifies the location of the SP from the network topology viewpoint. The default value, external, should be used with the SAML WebSSO profile; it indicates that the SP is located externally from the BIG-IP perspective and is therefore reachable directly by the user agent. The value internal indicates that the configured SP is located behind the virtual server that hosts the BIG-IP IdP and is therefore not reachable directly by the client. The value internal-multi-domain indicates that BIG-IP is configured for multi-domain SSO and the SP is therefore located behind a different virtual server of this BIG-IP.
sp-name-qualifier
Optionally qualifies an identifier with the name of a service provider or affiliation of providers.
want-assertion-encrypted
Specifies whether the SP requires encrypted assertions. The default value for this attribute is false.
want-assertion-signed
Specifies whether the SP requires signed assertions. The default value for this attribute is true.
want-response-signed
Specifies whether the SP requires signed SAML responses. The default value for this attribute is false.
SEE ALSO
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016. All rights reserved.
BIG-IP 2018-01-10 apm sso saml-sp-connector(1)