Access Simplified Workflow¶
Overview¶
The Access Simplified Workflow API can create and run objects, policies and virtual servers for a Access Simplified Workflow use-case with SAML SP as the type. Use the Access Simplified Workflow Container API to retrieve details for all the workflow containers and lists of objects associated with workflows..
REST Endpoint: /mgmt/cm/access/workflow/access-workflow¶
Requests¶
POST /mgmt/cm/access/workflow/access-workflow¶
You can send a POST request to the workflow/access-workflow endpoint to create and run an access simplified workflow with SAML SP as type.
Request Parameters¶
| Name | Type | Required | Description |
|---|---|---|---|
| samlSPRequest | object | True | Request object for Access Simplified Workflow with SAML SP as Type |
| name | string | True | Name of workflow. For example: “test_samlsp_1” |
| type | string | True | Type of workflow. For example: “samlSP” |
| accessDeviceGroup | string | True | Access Device Group Name. For example: “default-access-group” |
| samlSPService | object | True | The samlSPService object is described in the Schemas section. |
| accessProfile | object | False | The accessProfile object is described in the Schemas section. |
| virtualServers | array | False | An array of virtual servers and properties |
| items | object | False | The virtualServer object is described in the Schemas section. |
| singleSignOn | object | False | The single signSignOn object is described in the Schemas section. |
| endpointCheck | object | False | The endpointCheck object is described in the Schemas section. |
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| samlSPResponse | object | Response object for Access Simplified Workflow with SAML SP as Type |
| name | string | Name of workflow. For example: “test_samlsp_1” |
| type | string | Type of workflow. For example: “samlSP” |
| accessDeviceGroup | string | Access Device Group Name. For example: “default-access-group” |
| samlSPService | object | The samlSPService object is described in the Schemas section. |
| accessProfile | object | The accessProfileSettings object is described in the Schemas section. |
| virtualServers | array | An array of virtual servers and properties |
| items | object | The virtualServer object is described in the Schemas section. |
| singleSignOn | object | The singleSignOn object is described in the Schemas section. |
Permissions¶
| Role | Allow |
|---|---|
| Admin | Yes |
Examples¶
POST to create and run an Access Simplified Workflow¶
The following example sends a POST request to create and run an access simplified workflow.
POST https://<BIG-IQ>/mgmt/cm/access/workflow/access-workflow
The JSON in the body of the POST can look similar to the following example.
{
"name": "test_samlsp_1",
"type": "samlSP",
"accessDeviceGroup": "default-access-group",
"samlSPService": {
"entityId": "https://www.f5.com",
"spScheme": "https",
"spHost": "www.google.com",
"relayState": "/test/test1",
"assertionConsumerBinding": "http-post",
"isAuthnRequestSigned": "false",
"spSignkey": "/Common/default.key",
"spCertificate": "/Common/default.crt",
"wantAssertionSigned": "true",
"wantAssertionEncrypted": "false",
"spDecryptionKey": "/Common/default.key",
"spDecryptionCert": "/Common/default.crt",
"authContextComparisonMethod": "exact",
"authContextClassList": {
"classes": [{
"value": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"name": "authClass1",
"link": "https://localhost/mgmt/cm/access/working-config/apm/saml/auth-context-class-list/9376bd72-069f-35c3-b3e9-47cc9e16f8f4"
}],
"name": "authContextClass1",
"description": "External IdP Connector 1"
},
"authContextMethods": [
"urn:oasis:names:tc:SAML:2.0:ac:classe:PasswordProtectedTransport"
],
"attributeConsumingServices": [{
"service": {
"serviceName": "attrConsService1",
"serviceDescription": "Attribute consuming service 1",
"attributesReference": [{
"attributeName": "attrConsServiceAttr1",
"friendlyName": "Attribute consuming service 1",
"isRequired": false,
"nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
"name": "attrConsServiceAttr1"
}],
"isDefault": true,
"name": "attrConsService1",
"link": "https://localhost/mgmt/cm/access/working-config/apm/saml/attribute-consuming-service/d2c2dfb4-b19b-3d6f-b9bf-bff752d60fb2"
}
}],
"forceAuthn": "false",
"nameIdPolicyAllowCreate": "true",
"nameIdPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:federated",
"nameIdPolicySpNameQualifier": "SAMLService1",
"providerName": "SAML Service 1",
"idpConnectors": [{
"idpMatchingSource": "%{session.logon.last.domain}",
"idpMatchingValue": "test_saml_idp_1",
"connector": {
"entityId": "https://www.f5.com",
"nameQualifier": "https://www.f5.com",
"ssoBinding": "http-post",
"ssoUri": "https://www.f5.com/saml/idp/profile/redirectpost/sso",
"artifactResolutionServiceUrl": "https://www.f5.com",
"artifactResolutionServiceAddr": "10.1.2.3",
"artifactResolutionServicePort": "80",
"signArtifactResolutionRq": "false",
"serversslProfileName": "/Common/serverssl",
"basicAuthUsername": "testUser",
"basicAuthPassword": "testPassword",
"identityLocation": "subject",
"identityLocationAttribute": "name",
"wantAuthnRequestSigned": "false",
"signatureType": "rsa-sha1",
"idpCertificate": "/Common/default.crt",
"wantDetachedSignature": "false",
"singleLogoutUri": "https://www.f5.com/saml/idp/profile/logout/sso",
"singleLogoutResponseUri": "https://www.f5.com/saml/idp/login",
"singleLogoutBinding": "http-post",
"locationSpecific": "false",
"name": "idpConnector1",
"description": "External IdP Connector 1",
"link": "https://localhost/mgmt/cm/access/working-config/apm/aaa/saml-idp-connector/a68175ee-0b5f-3fea-9902-372b638e5781"
}
}],
"locationSpecific": "false",
"name": "samlService1",
"description": "Local SP service 1"
},
"accessProfile": {
"accessPolicyTimeout": 300,
"inactivityTimeout": 900,
"maxSessionTimeout": 604800,
"minFailureDelay": 2,
"maxFailureDelay": 5,
"maxConcurrentSessions": 0,
"maxConcurrentUsers": 0,
"maxInprogressSessions": 128,
"restrictToSingleClientIp": "false",
"useHttp_503OnError": "false",
"acceptLanguages": [
"en"
],
"defaultLanguage": "en"
},
"virtualServers": [{
"targetDevice": "bigip-1.lab.fp.f5net.com",
"destinationIpAddress": "1.1.1.1",
"port": 443,
"mask": "255.255.255.255",
"clientsideSsl": "/Common/clientssl",
"serversideSsl": "/Common/serverssl",
"poolServer": {
"loadBalancingMode": "round-robin",
"members": [{
"port": 443,
"priorityGroup": 0,
"ipAddress": "1.1.1.1"
}],
"monitors": {
"diameter": [
"/Common/diameter"
],
"dns": [
"/Common/dns"
],
"external": [
"/Common/external"
],
"firepass": [
"/Common/firepass"
],
"ftp": [
"/Common/ftp"
],
"gatewayIcmp": [
"/Common/gateway_icmp"
],
"http": [
"/Common/http"
],
"https": [
"/Common/https"
],
"icmp": [
"/Common/icmp"
],
"moduleScore": [
"/Common/module_scope"
],
"mqtt": [
"/Common/mqtt"
],
"mssql": [
"/Common/msssql"
],
"mysql": [
"/Common/mysql"
],
"nntp": [
"/Common/nntp"
],
"none": [
"/Common/test"
],
"oracle": [
"/Common/oracle"
],
"pop3": [
"/Common/pop3"
],
"postgresql": [
"/Common/postgresql"
],
"radius": [
"/Common/radius"
],
"radiusAccount": [
"/Common/radius_accounting"
],
"realServer": [
"/Common/real_server"
],
"sasp": [
"/Common/sasp"
],
"scripted": [
"/Common/scripted"
],
"sip": [
"/Common/sip"
],
"smb": [
"/Common/smb"
],
"snmpDca": [
"/Common/snmp_dca"
],
"snmpDcaBase": [
"/Common/snmp_dca_base"
],
"soap": [
"/Common/soap"
],
"tcp": [
"/Common/tcp"
],
"tcpEcho": [
"/Common/tcp_echo"
],
"tcpHalfOpen": [
"/Common/tcp_half_open"
],
"udp": [
"/Common/udp"
],
"virtualLocation": [
"/Common/virtual_location"
],
"wap": [
"/Common/wap"
],
"wmi": [
"/Common/wmi"
]
}
}
}],
"singleSignOn": {
"enabled": "false",
"type": "httpHeaders",
"kerberos": {
"accountName": "kerberos1",
"accountPassword": "password1",
"headers": [{
"hname": "header1",
"hvalue": "value1",
"name": "header1"
}],
"kdc": "10.1.2.3",
"realm": "kerberos.example.com",
"sendAuthorization": "always",
"spnPattern": "",
"ticketLifetime": 600,
"upnSupport": "false",
"usernameSource": "session.sso.token.last.username",
"userRealmSource": "session.logon.last.domain",
"name": "kerberos1",
"description": "Kerberos SSO 1",
"link": "https://10.192.229.84/mgmt/cm/access/working-config/apm/sso/kerberos/f004791e-8945-3151-b9e5-fc2b5ff8e7cd"
},
"httpHeaders": [{
"headerOperation": "header-replace",
"headerName": "Authorization",
"headerValue": "%{session.saml.last.identity}",
"name": "header1"
}]
},
"endpointCheck": {
"clientOS": {
"windows": {
"windows7": "false",
"windows10": "false",
"windows8_1": "false",
"antivirus": {
"dbAge": 0,
"lastScan": 0,
"productId": 0,
"vendorId": 0
},
"firewall": {
"productId": 0,
"vendorId": 0
},
"machineCertAuth": {
"storeName": "MY",
"caProfileName": "/Common/certificateauthority",
"storeLocation": "machine",
"saveCert": "false",
"subjectMatchFqdn": "false",
"allowElevation": "true",
"subjectAltName": "www.example.com",
"issuer": "DN=Example",
"serialNumber": "00C6C0348A16F8ABA90000000050F67B66"
}
},
"windowsRT": {
"antivirus": {
"dbAge": 0,
"lastScan": 0,
"productId": 0,
"vendorId": 0
},
"firewall": {
"productId": 0,
"vendorId": 0
},
"machineCertAuth": {
"storeName": "MY",
"caProfileName": "/Common/certificateauthority",
"storeLocation": "machine",
"saveCert": "false",
"subjectMatchFqdn": "false",
"allowElevation": "true",
"subjectAltName": "www.example.com",
"issuer": "DN=Example",
"serialNumber": "00C6C0348A16F8ABA90000000050F67B66"
}
},
"linux": {
"antivirus": {
"dbAge": 0,
"lastScan": 0,
"productId": 0,
"vendorId": 0
},
"firewall": {
"productId": 0,
"vendorId": 0
},
"machineCertAuth": {
"storeName": "MY",
"caProfileName": "/Common/certificateauthority",
"storeLocation": "machine",
"saveCert": "false",
"subjectMatchFqdn": "false",
"allowElevation": "true",
"subjectAltName": "www.example.com",
"issuer": "DN=Example",
"serialNumber": "00C6C0348A16F8ABA90000000050F67B66"
}
},
"macOS": {
"antivirus": {
"dbAge": 0,
"lastScan": 0,
"productId": 0,
"vendorId": 0
},
"firewall": {
"productId": 0,
"vendorId": 0
},
"machineCertAuth": {
"storeName": "MY",
"caProfileName": "/Common/certificateauthority",
"storeLocation": "machine",
"saveCert": "false",
"subjectMatchFqdn": "false",
"allowElevation": "true",
"subjectAltName": "www.example.com",
"issuer": "DN=Example",
"serialNumber": "00C6C0348A16F8ABA90000000050F67B66"
}
},
"iOS": {
"antivirus": {
"dbAge": 0,
"lastScan": 0,
"productId": 0,
"vendorId": 0
},
"firewall": {
"productId": 0,
"vendorId": 0
},
"machineCertAuth": {
"storeName": "MY",
"caProfileName": "/Common/certificateauthority",
"storeLocation": "machine",
"saveCert": "false",
"subjectMatchFqdn": "false",
"allowElevation": "true",
"subjectAltName": "www.example.com",
"issuer": "DN=Example",
"serialNumber": "00C6C0348A16F8ABA90000000050F67B66"
}
},
"android": {
"antivirus": {
"dbAge": 0,
"lastScan": 0,
"productId": 0,
"vendorId": 0
},
"firewall": {
"productId": 0,
"vendorId": 0
},
"machineCertAuth": {
"storeName": "MY",
"caProfileName": "/Common/certificateauthority",
"storeLocation": "machine",
"saveCert": "false",
"subjectMatchFqdn": "false",
"allowElevation": "true",
"subjectAltName": "www.example.com",
"issuer": "DN=Example",
"serialNumber": "00C6C0348A16F8ABA90000000050F67B66"
}
},
"windowsPhone": {
"antivirus": {
"dbAge": 0,
"lastScan": 0,
"productId": 0,
"vendorId": 0
},
"firewall": {
"productId": 0,
"vendorId": 0
},
"machineCertAuth": {
"storeName": "MY",
"caProfileName": "/Common/certificateauthority",
"storeLocation": "machine",
"saveCert": "false",
"subjectMatchFqdn": "false",
"allowElevation": "true",
"subjectAltName": "www.example.com",
"issuer": "DN=Example",
"serialNumber": "00C6C0348A16F8ABA90000000050F67B66"
}
},
"chromeOS": {
"antivirus": {
"dbAge": 0,
"lastScan": 0,
"productId": 0,
"vendorId": 0
},
"firewall": {
"productId": 0,
"vendorId": 0
},
"machineCertAuth": {
"storeName": "MY",
"caProfileName": "/Common/certificateauthority",
"storeLocation": "machine",
"saveCert": "false",
"subjectMatchFqdn": "false",
"allowElevation": "true",
"subjectAltName": "www.example.com",
"issuer": "DN=Example",
"serialNumber": "00C6C0348A16F8ABA90000000050F67B66"
}
}
}
}
}
Response¶
HTTP/1.1 200 OK
The JSON in the body of the response to the POST can look similar to the body of the request.
Schemas¶
The JSON schemas for configuration objects used by this API follow. The configuration settings can be included in the properties field of these objects.
samlSPService¶
Configuration of the local SP service
| Name | Type | Required | Description |
|---|---|---|---|
| entityId | string | True | FQDN of the SP virtual server. For example: ‘https://www.f5.com’ |
| spScheme | string | False | SP host scheme. The default value is “http”. Possible values: “http”, “https” and “any”. |
| spHost | string | False | Host |
| relayState | object | False | Relay State. The path to the resource behind BIG-IQ. Once the IdP finishes authenticating, it sends the Relay State to the SP, which then redirects the user to the source path. For example: “/test/test1”. |
| assertionConsumerBinding | object | False | Assertion Consumer Service Binding description. Select POST to configure the SAML SP assertion to send messages using POST binding. Select Artifact to configure the SAML SP assertion to send messages using artifact binding. The default value is “http-post”. Possible enum values: “http-post”, “http-redirect”, “http-artifact”, “soap”, “paos” and “unknown”. |
| isAuthnRequestSigned | string | False | Sign Authentication Request. Should the SAML service provider sign authentication requests. The default value is “false”. Possible values: “true” or “false”. |
| spSignkey | string | False | Message Signing Private Key. SAML SP message signing private key. For example: “/Common/default.key”. x-crossObjectValidator: sys/file/ssl-key x-requiredValidator: isAuthnRequestSigned |
| spCertificate | string | False | Message Signing Certificate. SAML SP message signing certificate. For example: “/Common/default.crt”. x-crossObjectValidator: sys/file/ssl-cert x-requiredValidator: isAuthnRequestSigned |
| wantAssertionSigned | string | False | Want Signed Assertion. Should the SAML service provider require signed assertions from the IdP. The default value is “true”. Possible enum values: “true” or “false”. |
| wantAssertionEncrypted | string | False | Want Encrypted Assertion. Should the SAML service provider require encrypted assertions fromthe IdP. The default value is “false”. Possible enum values: “true” or “false”. |
| spDecryptionKey | string | False | Assertion Decryption Private Key. Specifies the private key that the SAML SP uses to decrypt encrypted assertions from the IdP. For example: “/Common/default.key”. x-crossObjectValidator: sys/file/ssl-key x-requiredValidator: wantAssertionEncrypted |
| authContextComparisonMethod | string | False | Authentication Context Comparison Method. Compares the authentication context to the authentication class of the user session. Possible enum values: “exact”, “minimum”, “better” or “maximum”. |
| authContextClassList | object | False | The authContextClassList object is described in the Schemas section. |
| authContextMethods | array | False | Requested Authentication Context. Specifies the authentication methods in SAML authentication requests. |
| items | string | False | For example: ‘urn:oasis:names:tc:SAML:2.0:ac:classe:PasswordProtectedTransport’ |
| attributeConsumingServices | array | False | Attribute Consuming Services. Specifies the list of attribute consuming services the SP service provider. |
| items | string | False | The attributeConsumingServices object is described in the Schemas section. |
| forceAuthn | string | False | Force Authentication. Forces users to authenticate again even when they have an SSO session at the identity provider. The default value is “true”. Possible enum values: “true” or “false”. |
| nameIdPolicyAllowCreate | string | False | Allow Name-Identifier Creation. Allows the external IdP, when processing requests from this BIG-IP system as SP, to create a new identifier to represent the principal. The default value is “true”. Possible enum values: “true” or “false”. |
| nameIdPolicyFormat | string | False | Name-Identifier Policy Format. Specifies the type of identifier information to use by selecting a URI reference from the Name-Identifier Policy Format list. For example: ‘urn:oasis:names:tc:SAML:2.0:nameid-format:federated’. |
| nameIdPolicySpNameQualifier | string | False | SP Name-Identifier Qualifier. Specifies the assertion subject’s identifier be returned in the namespace of an SP other than the requester, or in the namespace of a SAML affiliation group of SPs. For example: “SAMLService1”. |
| providerName | string | False | Provider Name. Specifies the name of the SP service provider. For example: “SAML Service 1”. |
| idpConnectors | array | False | IdP Connectors. Specifies the list of IdP connectors the SP service provider. |
| items | string | False | The idpConnectors object is described in the Schemas section. |
| locationSpecific | string | False | Location Specific. The default value is “false”. Possible enum values: “true” or “false”. |
| name | string | False | Name. Optional name of the SAML SP Service. Name is auto-generated from name of workflow if not provided. For example: “samlService1”. |
| description | string | False | Description of the SAML SP Service. For example: “Local SP service 1”. |
accessProfile¶
Access profile settings
| Name | Type | Required | Description |
|---|---|---|---|
| accessPolicyTimeout | number | False | Access Policy Timeout. Specifies the timeout in seconds that a user, who has executed a per-session policy, must complete the policy before the timeout expires. The default value is 300. |
| inactivityTimeout | number | False | Inactivity Timeout. Specifies the inactivity timeout for the connection, in seconds. The default value is 900. |
| maxSessionTimeout | number | False | Maximum Session Timeout. Specifies the maximum lifetime of one session, in seconds. The default value is 604800. |
| minFailureDelay | number | False | Minimum Authentication Failure Delay. Specifies the minimum number of seconds to delay before displaying an error after authentication failure. The default value is 2. |
| maxFailureDelay | number | False | Maximum Authentication Failure Delay. Specifies the maximum number of seconds of delay before displaying an error after authentication failure. The default value is 5. |
| maxConcurrentSessions | number | False | Max Sessions Per User. Specifies the number of sessions that a user can have active. 0 means no limit to the number of sessions that a user can have active. 1-1000 means the limit is enforced. Any number above 1000 will fail the configuration. The default value is 0. |
| maxConcurrentUsers | number | False | Max Concurrent Users. Specifies the number of sessions per access profile. The default value is 0 which represents unlimited sessions. The default value is 0. |
| maxInprogressSessions | number | False | Max In Progress Sessions Per Client IP. Specifies the maximum number of sessions that can be in progress for a client IP address. The default value is 128. |
| restrictToSingleClientIp | string | False | Restrict to Single Client IP. Specifies whether to limit a session to a single IP address. The default value is “false”. Possible values: “true” or “false”. |
| useHttp_503OnError | string | False | Use HTTP Status 503 for Error Pages. Specifies whether to have APM send HTTP response code 503 for error pages to clients. The default value is “false”. Possible values: “true” or “false”. |
| acceptLanguages | array | False | Languages. List of accepted languages. The default value is “en”. |
| items | string | False | List of accepted languages. The default value is “en”. |
| defaultLanguage | string | False | Default Language. The default value is “en”. |
virtualServer¶
Configuration of a virtual server
| Name | Type | Required | Description |
|---|---|---|---|
| targetDevice | string | True | Target Device Name. For example: ‘bigip-1.lab.fp.f5net.com’ |
| destinationIpAddress | string | True | Destination Address. For example: “1.1.1.1”. |
| port | string | True | Destination Port. For example: “443”. |
| mask | string | False | Destination Mask. The default value is “255.255.255.255”. |
| clientsideSsl | string | False | Client SSL Profile. For example: “/Common/clientssl”. |
| serversideSsl | string | False | Server SSL Profile. For example: “/Common/serverssl”. |
| poolServer | string | False | The poolServer object is described in the Schemas section. |
singleSignOn¶
Single sign-on settings
| Name | Type | Required | Description |
|---|---|---|---|
| enabled | string | False | Single Sign-On Settings. The default value is “false”. Possible values: “true” or “false”. |
| type | string | False | Possible enum values: “httpHeaders” or “kerberos”. |
| kerberos | string | False | The kerberos objects is described in the Schemas section. |
| httpHeaders | array | False | An array of httpHeaders objects |
| items | string | False | The httpHeaders object is described in the Schemas section. |
endpointCheck¶
Configuration of endpoint checks
| Name | Type | Required | Description |
|---|---|---|---|
| clientOS | object | False | The clientOS object is described in the Schemas section. |
attributeConsumingService¶
Configuration of the attribute consuming service
| Name | Type | Required | Description |
|---|---|---|---|
| serviceName | string | True | Service Name. Specifies the name of the attribute consuming service. For example: “attrConsService1”. |
| serviceDescription | string | False | Service Description. Specifies the descriptive text for the attribute consuming service. For example: “Attribute consuming service 1”. |
| attributesReference | array | False | SAML Attributes. Specifies the list of SAML attributes for the attribute consuming service. |
| items | string | False | The attributeConsumingServiceAttribute object is described in the Schemas section. |
| isDefault | boolean | False | Default Attribute Consuming Service. Whether the attribute consuming service is default for SP service. The default value is true. Possible values are true or false. |
| name | string | False | Optional name of the attribute consuming service. Name is auto-generated from name of workflow if not provided. For example: attrConsService1 |
| link | string | False | Link. URL of the existing attribute consuming service. For example: “https://localhost/mgmt/cm/access/working-config/apm/saml/attribute-consuming-service/d2c2dfb4-b19b-3d6f-b9bf-bff752d60fb2” |
authContextClassList¶
A configuration of an authentication context classes
| Name | Type | Required | Description |
|---|---|---|---|
| classes | array | False | Ordered List of Authentication Classes. Specifies the ordered list of authentication classes. |
| items | string | False | The authContextClassListClass object is described in the Schemas section. |
| name | string | False | Name. Optional name of the authentication context class list. Name is auto-generated from name of workflow if not provided. For example: “authContextClass1”. x-uniqueValidator: apm/saml/auth-context-class-list.name |
| description | string | False | Description. Description of the authentication context class. For example: “External IdP Connector 1”. |
attributeConsumingServices¶
Configuration of the local SP Service to the attribute consuming service
| Name | Type | Required | Description |
|---|---|---|---|
| service | object | False | The attributeConsumingService object is described in the Schemas section. |
idpConnectors¶
Configuration of the local SP service to the external IdP connector
| Name | Type | Required | Description |
|---|---|---|---|
| idpMatchingSource | object | False | IdP matching source entity ID. For example: ‘%{session.logon.last.domain}’ |
| idpMatchingValue | object | False | Matching Value. IdP matching value for the entity ID. |
| connector | object | False | The idpConnector object is described in the Schemas section. |
poolServer¶
Pool properties
| Name | Type | Required | Description |
|---|---|---|---|
| loadBalancingMode | object | False | Load Balancing Method |
| enum | string | False | Possible values: “dynamic-ratio-member”, “least-connections-member”, “observed-node”, “ratio-least-connections-node”, “round-robin”, “dynamic-ratio-node”, “least-connections-node”, “predictive-member”, “ratio-member”, “weighted-least-connections-member”, “fastest-app-response”, “least-sessions”, “predictive-node”, “ratio-node”, “weighted-least-connections-node”, “fastest-node”, “observed-member”, “ratio-least-connections-member”, or “ratio-session”. The default value is “round-robin”. |
| members | array | False | Pool members. |
| items | string | False | The poolMember object is described in the Schemas section. |
| monitors | object | False | Monitors. The monitor object is described in the Schemas section. |
kerberos¶
Configuration of kerberos single sign-on settings
| Name | Type | Required | Description |
|---|---|---|---|
| accountName | string | False | Account Name. The name of the Active Directory account configured for delegation. This account must be configured in the server’s Kerberos realm (AD Domain). For example: “kerberos1”. |
| accountPassword | string | False | Account Password. The password for the delegation account specified in the previous field. For example: “password1”. |
| headers | array | False | An array of the single sign-on headers and properties. |
| items | object | False | An array of the single sign-on headers and properties. |
| properties | object | False | An array of the single sign-on headers and properties. |
| hname | string | False | Header Name. For example: “header1” |
| hvalue | string | False | Header Value. For example: “value1” |
| name | string | False | Name of header. For example: “header1” |
| kdc | string | False | KDC. IP Address or host name of the Kerberos Key Distribution Center (KDC) for the server’s realm. This is normally an Active Directory domain controller. If you leave this empty, the KDC must be discoverable through DNS. For example: ‘10.1.2.3’. |
| realm | string | False | Kerberos Realm. The realm of application servers. For example: “kerberos.example.com”. |
| sendAuthorization | string | False | Send Authorization. To specify when to submit a Kerberos ticket to the application server. Always- The Authorization header with a Kerberos ticket is inserted into every HTTP request whether it requires authentication or not. On 401 Status Code- The system first forwards the user’s HTTP request to the web server without inserting a new Authorization header (but any browser’s Authorization header will be deleted). Possible enum values: “always”, “401”, or “cache”. The default value is “always”. |
| spnPattern | string | False | SPN Pattern. Optional field to modify how the Service Principal Name (SPN) for the servers is constructed. Leave this field empty unless you need a non-standard SPN format. To make modifications, you can create entries from the following choices. HTTP/%h@REALM with REALM replaced by the actual realm name as specified in the Kerberos Realm field. The %h option takes the hostname from the HTTP request Host header. HTTP/%s@REALM with REALM replaced by the actual realm name as specified in the Kerberos Realm field. The %s option takes the hostname discovered through reverse DNS lookup using the server IP address. The default value is ‘’. |
| ticketLifetime | number | False | Ticket Lifetime. The lifetime of Kerberos tickets obtained for the user in minutes. The value represents the maximum ticket lifetime, and the actual lifetime may be less by up to 1 hour. The default value is 600. |
| upnSupport | string | False | UPN Support. Whether the UPN suffix support for Kerberos SSO when integrating into Microsoft Active Directory infrastructure is enabled or not. Possible values: “true” and “false”. The default value is “false”. |
| usernameSource | string | False | Username Source. User name to cache for single sign-on. The default value is “session.sso.token.last.username”. |
| userRealmSource | string | False | User Realm Source. Session variable that contains the user’s realm. The default value is “session.logon.last.domain”. |
| name | string | False | Name. Name of the Kerberos SSO. For example: “kerberos1”. |
| description | string | False | Description. Description of the Kerberos SSO. For example: “Kerberos SSO 1”. |
| link | string | False | Link. URL of the existing Kerberos SSO. For example: “https://10.192.229.84/mgmt/cm/access/working-config/apm/sso/kerberos/f004791e-8945-3151-b9e5-fc2b5ff8e7cd”. |
httpHeaders¶
HTTP headers single sign-on settings
| Name | Type | Required | Description |
|---|---|---|---|
| headerOperation | string | False | Header Operation. Possible enum values: “header-insert”, “header-append”, “header-replace”, and “header-remove”. The default value is “header-replace”. |
| headerName | string | False | Header Name. The default value is “Authorization”. |
| headerValue | string | False | Header Value. The default value is ‘%{session.saml.last.identity}’. |
| name | string | False | Name. For example: “header1”. |
clientOS¶
Configuration of client OS properties
| Name | Type | Required | Description |
|---|---|---|---|
| windows | object | False | The windows object is described in the Schemas section. |
| windowsRT | object | False | The windowsRT object is described in the Schemas section. |
| linux | object | False | The linux object is described in the Schemas section. |
| macOS | object | False | The macOS object is described in the Schemas section. |
| iOS | object | False | The iOS object is described in the Schemas section. |
| android | object | False | The android object is described in the Schemas section. |
| windowsPhone | object | False | The windowsPhone object is described in the Schemas section. |
| chromeOS | object | False | The chromeOS object is described in the Schemas section. |
windows¶
Windows client OS properties
| Name | Type | Required | Description |
|---|---|---|---|
| windows7 | string | False | Client OS is Windows 7. Possible values: “true” or “false”. The default value is “false”. |
| windows10 | string | False | Client OS is Windows 10. Possible values: “true” or “false”. The default value is “false”. |
| windows8_1 | string | False | Client OS is Windows 8.1. Possible values: “true” or “false”. The default value is “false”. |
| antivirus | object | False | The antivirus object is described in the Schemas section. |
| firewall | object | False | The firewall object is described in the Schemas section. |
| machineCertAuth | object | False | The machineCertAuth object is described in the Schemas section. |
windowsRT¶
Windows RT client OS properties
| Name | Type | Required | Description |
|---|---|---|---|
| antivirus | object | False | The antivirus object is described in the Schemas section. |
| firewall | object | False | The firewall object is described in the Schemas section. |
| machineCertAuth | object | False | The machineCertAuth object is described in the Schemas section. |
linux¶
Linux client OS properties
| Name | Type | Required | Description |
|---|---|---|---|
| antivirus | object | False | The antivirus object is described in the Schemas section. |
| firewall | object | False | The firewall object is described in the Schemas section. |
| machineCertAuth | object | False | The machineCertAuth object is described in the Schemas section. |
macOS¶
MacOS client OS properties
| Name | Type | Required | Description |
|---|---|---|---|
| antivirus | object | False | The antivirus object is described in the Schemas section. |
| firewall | object | False | The firewall object is described in the Schemas section. |
| machineCertAuth | object | False | The machineCertAuth object is described in the Schemas section. |
iOS¶
iOS client OS properties
| Name | Type | Required | Description |
|---|---|---|---|
| antivirus | object | False | The antivirus object is described in the Schemas section. |
| firewall | object | False | The firewall object is described in the Schemas section. |
| machineCertAuth | object | False | The machineCertAuth object is described in the Schemas section. |
android¶
Android client OS properties
| Name | Type | Required | Description |
|---|---|---|---|
| antivirus | object | False | The antivirus object is described in the Schemas section. |
| firewall | object | False | The firewall object is described in the Schemas section. |
| machineCertAuth | object | False | The machineCertAuth object is described in the Schemas section. |
windowsPhone¶
Windows Phone client OS properties
| Name | Type | Required | Description |
|---|---|---|---|
| antivirus | object | False | The antivirus object is described in the Schemas section. |
| firewall | object | False | The firewall object is described in the Schemas section. |
| machineCertAuth | object | False | The machineCertAuth object is described in the Schemas section. |
chromeOS¶
ChromeOS client OS properties
| Name | Type | Required | Description |
|---|---|---|---|
| antivirus | object | False | The antivirus object is described in the Schemas section. |
| firewall | object | False | The firewall object is described in the Schemas section. |
| machineCertAuth | object | False | The machineCertAuth object is described in the Schemas section. |
antivirus¶
Configuration of antivirus software present on the client OS
| Name | Type | Required | Description |
|---|---|---|---|
| dbAge | number | False | Database Age of Antivirus in days. If the database is older than this number of days, it is not accepted and the endpoint does not pass this check. The default value is 0. |
| lastScan | number | False | Last Scanned Age in days. If the last scan was more than this number of days, it is not accepted and the endpoint does not pass this check. The default value is 0. |
| productId | number | False | Product ID of Antivirus. The default value is 0. |
| vendorId | number | False | Vendor ID of Antivirus. The default value is 0. |
firewall¶
Configuration of firewall software present on the client OS
| Name | Type | Required | Description |
|---|---|---|---|
| productId | number | False | Product ID of Firewall. The default value is 0. |
| vendorId | number | False | Vendor ID of Firewall. The default value is 0. |
machineCertAuth¶
Configuration of machine certificate authentication of the client OS
| Name | Type | Required | Description |
|---|---|---|---|
| storeName | string | False | The Machine Certificate Authentication property to determine Certificate Store Name. The certificate store name on the client device that the access policy will use to locate the certificate. The default is MY and is the default windows store where certificates are imported on client devices. You can change this field to inspect certificates located in custom stores. The default value is “MY”. |
| caProfileName | string | False | Certificate Authority Profile Name. The Machine Certificate Authentication property to determine the Certificate Authority (CA) profile to use. The default value is ‘/Common/certificateauthority’. |
| storeLocation | string | False | Store Location. The Machine Certificate Authentication property to determine the Certificate Store Location to look in for certificates. Options include LocalMachine or CurrentUser. The possible enum values: “machine” or “user”. The default value is “machine”. |
| saveCert | string | False | Enable Saving Certificate. The Machine Certificate Authentication property to enable saving certificate in session variable. The possible enum values: “true” or “false”. The default value is “false”. |
| subjectMatchFqdn | string | False | Enable Saving Matching FQDN. The Machine Certificate Authentication property to enable matching of Subject SN with FQDN. The possible enum values: “true” or “false”. The default value is “false”. |
| allowElevation | string | False | Enable User Account Control Right Elevation Prompts. The Machine Certificate Authentication property to enable User Account Control right elevation prompts. The possible enum values: “true” or “false”. The default value is “true”. |
| subjectAltName | string | False | Subject Alternative Name Attribute. The Machine Certificate Authentication property to specify the content extracted from the Subject Alternative Name attribute, using a specified regular expression, must match the computer’s FQDN. For example: “www.example.com”. |
| issuer | string | False | Issuer. The Machine Certificate Authentication property to specify the content from the Issuer field matches the pattern specified by the regular expression. A regular expression is used to match the issuer’s content against a specified pattern. For example: “DN=Example”. |
| serialNumber | string | False | Serial Number. The Machine Certificate Authentication property to specify the Access device that specifies a serial number that must be an exact match for the certificate serial. The hex string must be specified in the same order as it is displayed by OpenSSL and Windows certificate tools. For example: “00C6C0348A16F8ABA90000000050F67B66”. |
poolMember¶
Configuration of a pool member
| Name | Type | Required | Description |
|---|---|---|---|
| port | number | False | Port. The default value is 443. |
| priorityGroup | number | False | Priority Group. The default value is 0. |
| ipAddress | string | False | IP Address. For example: “1.1.1.1”. |
monitor¶
Configuration of a monitor
| Name | Type | Required | Description |
|---|---|---|---|
| diameter | array | False | Diameter Monitor |
| items | string | False | For example: “/Common/diameter”. |
| dns | array | False | DNS Monitor |
| items | string | False | For example: “/Common/dns”. |
| external | array | False | External Monitor |
| items | string | False | For example: “/Common/external”. |
| firepass | array | False | Firepass Monitor |
| items | string | False | For example: “/Common/firepass”. |
| ftp | array | False | FTP Monitor |
| items | string | False | For example: “/Common/ftp”. |
| gatewayIcmp | array | False | Gateway Icmp Monitor |
| items | string | False | For example: “/Common/gatewayIcmp”. |
| http | object | False | HTTP Monitor |
| items | array | False | For example: “/Common/http”. |
| https | array | False | HTTPS Monitor |
| items | string | False | For example: “/Common/https”. |
| icmp | array | False | ICMP Monitor |
| items | string | False | For example: “/Common/icmp”. |
| moduleScore | array | False | Module Score Monitor |
| items | string | False | For example: “/Common/module_score”. |
| mqtt | array | False | MQTT Monitor |
| items | string | False | For example: “/Common/mqtt”. |
| mssql | array | False | MSSQL Monitor |
| items | string | False | For example: “/Common/mssql”. |
| mysql | array | False | MySQL Monitor |
| items | string | False | For example: “/Common/mysql”. |
| nntp | array | False | NNTP Monitor |
| items | string | False | For example: “/Common/nntp”. |
| none | array | False | No Monitor Specified |
| items | string | False | For example: “/Common/none”. |
| oracle | array | False | Oracle Monitor |
| items | string | False | For example: “/Common/oracle”. |
| pop3 | array | False | POP3 Monitor |
| items | string | False | For example: “/Common/pop3”. |
| postgresql | array | False | PostGRESQL Monitor |
| items | string | False | For example: “/Common/postgresql”. |
| radius | array | False | RADIUS Monitor |
| items | string | False | For example: “/Common/radius”. |
| radiusAccount | object | array | RADIUS Accounting Monitor |
| items | string | False | For example: “/Common/radius_accounting”. |
| realServer | array | False | Real Server Monitor |
| items | string | False | For example: “/Common/real_server”. |
| sasp | array | False | SASP Monitor |
| items | string | False | For example: “/Common/sasp”. |
| scripted | array | False | Scripted Monitor |
| items | string | False | For example: “/Common/scripted”. |
| sip | array | False | SIP Monitor |
| items | string | False | For example: “/Common/sip”. |
| smb | array | False | SMB Monitor |
| items | string | False | For example: “/Common/smb”. |
| snmpDca | array | False | SNMP DCA Monitor |
| items | string | False | For example: “/Common/snmp_dca”. |
| snmpDcaBase | array | False | snmpDcaBase Monitor |
| items | string | False | For example: “/Common/snmp_dca_base”. |
| soap | array | False | SOAP Monitor |
| items | string | False | For example: “/Common/soap”. |
| tcp | array | False | TCP Monitor |
| items | string | False | For example: “/Common/tcp”. |
| tcpEcho | array | False | TCP Echo Monitor |
| items | string | False | For example: “/Common/tcp_echo”. |
| tcpHalfOpen | array | False | TCP Half Open Monitor |
| items | string | False | For example: “/Common/tcp_half_open”. |
| udp | array | False | UDP Monitor |
| items | string | False | For example: “/Common/udp”. |
| virtualLocation | array | False | Virtual Location Monitor |
| items | string | False | For example: “/Common/virtual_location”. |
| wap | array | False | WAP Monitor |
| items | string | False | For example: “/Common/wap”. |
| wmi | array | False | WMI Monitor |
| items | string | False | For example: “/Common/wmi”. |
idpConnector¶
Configuration of an external IdP Connector
| Name | Type | Required | Description |
|---|---|---|---|
| entityId | string | True | IdP Entity ID. A unique identifier for this SAML Identity Provider. Usually, this is a unique URI, representing the IdP. For example: “https://www.f5.com” |
| nameQualifier | string | False | Name Qualifier. The security or administrative domain of the Identity Provider. This value usually matches IdP Entity ID. For example: “https://www.f5.com” |
| ssoBinding | string | False | Single Sign On Service Binding. Specifies how Access Policy Manager is to send an authentication request to the SAML Identity Provider. For example: “http-post” |
| ssoUri | string | True | Single Sign On Service URL. Specifies the URL where BIG-IQ redirects the user for authentication when the user initiates connection through the service provider. If the identity provider (IdP) is also a BIG-IP system (in a federation of BIG-IP systems), you can use this URL, https://IP-Address/saml/idp/profile/redirectpost/sso and substitute the IP address or FQDN of the BIG-IP as IdP virtual server for IP-Address. The expression pattern: ^(http|ftp|https)://[w-_]+(.[w-_]+)+([w-.,@?^=%&:/~+#]*[w-@?^=%&/~+#])?$ For example: “https://www.f5.com/saml/idp/profile/redirectpost/sso” |
| artifactResolutionServiceUrl | string | False | Location URL. Specifies the URL of the artifact resolution service. The expression pattern: “^(http|https)://[a-zA-Z0-9]+(?:[a-zA-Z0-9._~!%+,;=:/@-]*)$” For example: “https://www.f5.com”. |
| artifactResolutionServiceAddr | string | False | IP Address. Specifies the IP address of the artifact resolution service. The expression pattern: “^((25[0-5]|2[0-4]d|[01]?dd?).(25[0-5]|2[0-4]d|[01]?dd?).(25[0-5]|2[0-4]d|[01]?dd?).(25[0-5]|2[0-4]d|[01]?dd?)/([1-9]|1[0-9]|2[0-9]|3[0-2])|((([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){6}:[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){5}:([0-9A-Fa-f]{1,4}:)?[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){4}:([0-9A-Fa-f]{1,4}:){0,2}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){3}:([0-9A-Fa-f]{1,4}:){0,3}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){2}:([0-9A-Fa-f]{1,4}:){0,4}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){6}((b((25[0-5])|(1d{2})|(2[0-4]d)|(d{1,2}))b).){3}(b((25[0-5])|(1d{2})|(2[0-4]d)|(d{1,2}))b))|(([0-9A-Fa-f]{1,4}:){0,5}:((b((25[0-5])|(1d{2})|(2[0-4]d)|(d{1,2}))b).){3}(b((25[0-5])|(1d{2})|(2[0-4]d)|(d{1,2}))b))|(::([0-9A-Fa-f]{1,4}:){0,5}((b((25[0-5])|(1d{2})|(2[0-4]d)|(d{1,2}))b).){3}(b((25[0-5])|(1d{2})|(2[0-4]d)|(d{1,2}))b))|([0-9A-Fa-f]{1,4}::([0-9A-Fa-f]{1,4}:){0,5}[0-9A-Fa-f]{1,4})|(::([0-9A-Fa-f]{1,4}:){0,6}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){1,7}:))/([1-9]|[0-9][0-9]|1[0-1][0-9]|12[0-8]))$” For example: “10.1.2.3”. |
| artifactResolutionServicePort | string | False | Port. Specifies the port number of the artifact resolution service. The expression pattern: “^-?([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$”. For example: “80”. |
| signArtifactResolutionRq | string | False | Sign Artifact Resolution Request. Specifies if artifact resolution messages from an SP are signed. Possible enum values: “false” and “true”. The default value is “false”. |
| serversslProfileName | string | False | Server SSL Profile. Specifies the name of the Server SSL profile. For example: “/Common/serverssl”. The default value is “”. x-crossObjectValidator: ltm/profile/server-ssl |
| basicAuthUsername | string | False | Username. Specifies the username for the artifact resolution service request. For example: “testUser”. |
| basicAuthPassword | string | False | Password. Specifies the password for the artifact resolution service request. For example: “testPassword”. |
| identityLocation | string | False | Identity Location. Specifies where to find the user ID or name: in the Subject element of the assertion or in one of the Attributes in the attribute statement. Possible enum values: “subject” and “attribute”. The default value is “subject”. |
| identityLocationAttribute | string | False | Sign Artifact Resolution Request. Specifies the name of the attribute where the user ID or name can be found. For example: “name”. |
| wantAuthnRequestSigned | string | False | Authentication Request sent by this device to IdP. Specifies whether the IdP expects signed authentication requests. Possible enum values: “rsa-sha1”, “rsa-sha256”, “rsa-sha384”, and “rsa-sha512”. The default value is “rsa-sha1”. |
| idpCertificate | string | False | IdP’s Assertion Verification Certificate. Specifies the IdP certificate that, with public key, a service provider uses to validate a signed assertion. For example: “/Common/default.crt”. |
| wantDetachedSignature | string | False | Detach signature when using redirect binding. Specifies whether to detach signature when using redirect binding. Possible enum values: “false” and “true”. The default value is “false”. |
| singleLogoutUri | string | False | Single Logout Request URL. Specifies the URL at the SAML Identity Provider (IdP) where BIG-IQ can send the logout request when a service provider initiates a logout. The expression pattern: “^(http|ftp|https)://[w-_]+(.[w-_]+)+([w-.,@?^=%&:/~+#]*[w-@?^=%&/~+#])?$” For example: “https://www.f5.com/saml/idp/profile/logout/sso”. |
| singleLogoutResponseUri | string | False | Single Logout Response URL. Specifies the URL at the SAML Identity Provider (IdP) where BIG-IQ can send the logout response when the IdP initiates the logout request. The expression pattern: “^(http|ftp|https)://[w-_]+(.[w-_]+)+([w-.,@?^=%&:/~+#]*[w-@?^=%&/~+#])?$” For example: “https://www.f5.com/saml/idp/login”. |
| singleLogoutBinding | string | False | Single Logout Binding. Specifies the method that Access Policy Manager uses to send logout requests and responses to the SAML Identity Provider. Possible enum values: “http-post” and “http-redirect”. The default value is “http-post”. |
| locationSpecific | string | False | Location Specific. Possible enum values: “false” and “true”. The default value is “false”. |
| name | string | False | Optional name of the IdP connector. Name is auto-generated from name of workflow if not provided. For example: “idpConnector1”. |
| description | string | False | Description of the IdP connector. For example: “External IdP Connector”. |
| link | string | False | URL of the existing IdP connector. For example: “https://localhost/mgmt/cm/access/working-config/apm/aaa/saml-idp-connector/a68175ee-0b5f-3fea-9902-372b638e5781” |