Saml2Module

Realm Operations

Resource path:

/realm-config/authentication/modules/authSaml

Resource version: 1.0

create

Usage

am> create Saml2Module --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "loginChain" : {
      "title" : "Linking Authentication Chain",
      "description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authnContextClassRef" : {
      "title" : "Authentication Context Class Reference",
      "description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sloRelay" : {
      "title" : "Single Logout URL",
      "description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (starting with http...), or the redirect will not function.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "forceAuthn" : {
      "title" : "Force IdP Authentication",
      "description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
      "propertyOrder" : 1100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "metaAlias" : {
      "title" : "SP MetaAlias",
      "description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "allowCreate" : {
      "title" : "Allow IdP to Create NameID",
      "description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "nameIdFormat" : {
      "title" : "NameID Format",
      "description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</pre>",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "entityName" : {
      "title" : "IdP Entity ID",
      "description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "authComparison" : {
      "title" : "Comparison Type",
      "description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sloEnabled" : {
      "title" : "Single Logout Enabled",
      "description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "binding" : {
      "title" : "Response Binding",
      "description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "isPassive" : {
      "title" : "Passive Authentication",
      "description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authnContextDeclRef" : {
      "title" : "Authentication Context Declaration Reference",
      "description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "reqBinding" : {
      "title" : "Request Binding",
      "description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

delete

Usage

am> delete Saml2Module --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action Saml2Module --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action Saml2Module --realm Realm --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action Saml2Module --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.

Usage

am> query Saml2Module --realm Realm --filter filter

Parameters

--filter

A CREST-formatted query filter; "true" queries all instances.

read

Usage

am> read Saml2Module --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update Saml2Module --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "loginChain" : {
      "title" : "Linking Authentication Chain",
      "description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authnContextClassRef" : {
      "title" : "Authentication Context Class Reference",
      "description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sloRelay" : {
      "title" : "Single Logout URL",
      "description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (starting with http...), or the redirect will not function.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "forceAuthn" : {
      "title" : "Force IdP Authentication",
      "description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
      "propertyOrder" : 1100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "metaAlias" : {
      "title" : "SP MetaAlias",
      "description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "allowCreate" : {
      "title" : "Allow IdP to Create NameID",
      "description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "nameIdFormat" : {
      "title" : "NameID Format",
      "description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</pre>",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "entityName" : {
      "title" : "IdP Entity ID",
      "description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "authComparison" : {
      "title" : "Comparison Type",
      "description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sloEnabled" : {
      "title" : "Single Logout Enabled",
      "description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "binding" : {
      "title" : "Response Binding",
      "description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "isPassive" : {
      "title" : "Passive Authentication",
      "description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authnContextDeclRef" : {
      "title" : "Authentication Context Declaration Reference",
      "description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "reqBinding" : {
      "title" : "Request Binding",
      "description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

Global Operations

Resource path:

/global-config/authentication/modules/authSaml

Resource version: 1.0

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action Saml2Module --global --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action Saml2Module --global --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action Saml2Module --global --actionName nextdescendents

read

Usage

am> read Saml2Module --global

update

Usage

am> update Saml2Module --global --body body

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "isPassive" : {
          "title" : "Passive Authentication",
          "description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "allowCreate" : {
          "title" : "Allow IdP to Create NameID",
          "description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "metaAlias" : {
          "title" : "SP MetaAlias",
          "description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "reqBinding" : {
          "title" : "Request Binding",
          "description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authnContextDeclRef" : {
          "title" : "Authentication Context Declaration Reference",
          "description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "sloEnabled" : {
          "title" : "Single Logout Enabled",
          "description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "forceAuthn" : {
          "title" : "Force IdP Authentication",
          "description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "entityName" : {
          "title" : "IdP Entity ID",
          "description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "nameIdFormat" : {
          "title" : "NameID Format",
          "description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</pre>",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "binding" : {
          "title" : "Response Binding",
          "description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "sloRelay" : {
          "title" : "Single Logout URL",
          "description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (starting with http...), or the redirect will not function.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "loginChain" : {
          "title" : "Linking Authentication Chain",
          "description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authComparison" : {
          "title" : "Comparison Type",
          "description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authnContextClassRef" : {
          "title" : "Authentication Context Class Reference",
          "description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}