Saml2Module
Realm Operations
Resource path:
/realm-config/authentication/modules/authSaml
Resource version: 1.0
create
Usage
am> create Saml2Module --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authnContextDeclRef" : { "title" : "Authentication Context Declaration Reference", "description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "sloEnabled" : { "title" : "Single Logout Enabled", "description" : "When enabled, the module attempts to log the user out of their IdP session when the local session is logged out. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.", "propertyOrder" : 1400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "sloRelay" : { "title" : "Single Logout URL", "description" : "If Single Logout is enabled, this is the URL to which the user is forwarded after a successful IdP logout. 
This must be an absolute URL (starting with http:// or https://); a relative URL will not redirect. Because users are sent to this location after logout, point it only at a site you control or trust.", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "isPassive" : { "title" : "Passive Authentication", "description" : "Use this parameter to indicate whether the identity provider should authenticate passively, without visibly interacting with the user (true), or not (false).", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "allowCreate" : { "title" : "Allow IdP to Create NameID", "description" : "Use this parameter to indicate whether the identity provider may create a new identifier for the principal if none exists (true) or not (false).", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authnContextClassRef" : { "title" : "Authentication Context Class Reference", "description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "reqBinding" : { "title" : "Request Binding", "description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "loginChain" : { "title" : "Linking Authentication Chain", "description" : "The authentication chain that is executed when the user must authenticate locally so that their local account can be linked to the identity asserted by the IdP. Because this step binds a remote identity to a local account, the chain should authenticate the user at least as strongly as a normal local login.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" }, "metaAlias" : { "title" : "SP MetaAlias", "description" : "MetaAlias for Service Provider. 
The format of this parameter is <pre>/realm_name/SP</pre>", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "forceAuthn" : { "title" : "Force IdP Authentication", "description" : "Use this parameter to indicate whether the identity provider must re-authenticate the user even if an IdP session already exists (true) or may reuse that existing security context without prompting (false).", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "binding" : { "title" : "Response Binding", "description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "nameIdFormat" : { "title" : "NameID Format", "description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</pre>", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "authComparison" : { "title" : "Comparison Type", "description" : "(Optional) Use this parameter to specify the comparison method used to evaluate the requested authentication context classes or declarations. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "entityName" : { "title" : "IdP Entity ID", "description" : "The entity ID of the SAML2 identity provider to use for this module. The IdP entity must already be configured before this module can use it.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" } } }
delete
Usage
am> delete Saml2Module --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action Saml2Module --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action Saml2Module --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action Saml2Module --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query Saml2Module --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read Saml2Module --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update Saml2Module --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "authnContextDeclRef" : { "title" : "Authentication Context Declaration Reference", "description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "sloEnabled" : { "title" : "Single Logout Enabled", "description" : "When enabled, the module attempts to log the user out of their IdP session when the local session is logged out. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.", "propertyOrder" : 1400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "sloRelay" : { "title" : "Single Logout URL", "description" : "If Single Logout is enabled, this is the URL to which the user is forwarded after a successful IdP logout. 
This must be an absolute URL (starting with http:// or https://); a relative URL will not redirect. Because users are sent to this location after logout, point it only at a site you control or trust.", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "isPassive" : { "title" : "Passive Authentication", "description" : "Use this parameter to indicate whether the identity provider should authenticate passively, without visibly interacting with the user (true), or not (false).", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "allowCreate" : { "title" : "Allow IdP to Create NameID", "description" : "Use this parameter to indicate whether the identity provider may create a new identifier for the principal if none exists (true) or not (false).", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authnContextClassRef" : { "title" : "Authentication Context Class Reference", "description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "reqBinding" : { "title" : "Request Binding", "description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "loginChain" : { "title" : "Linking Authentication Chain", "description" : "The authentication chain that is executed when the user must authenticate locally so that their local account can be linked to the identity asserted by the IdP. Because this step binds a remote identity to a local account, the chain should authenticate the user at least as strongly as a normal local login.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" }, "metaAlias" : { "title" : "SP MetaAlias", "description" : "MetaAlias for Service Provider. 
The format of this parameter is <pre>/realm_name/SP</pre>", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "forceAuthn" : { "title" : "Force IdP Authentication", "description" : "Use this parameter to indicate whether the identity provider must re-authenticate the user even if an IdP session already exists (true) or may reuse that existing security context without prompting (false).", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "binding" : { "title" : "Response Binding", "description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "nameIdFormat" : { "title" : "NameID Format", "description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</pre>", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "authComparison" : { "title" : "Comparison Type", "description" : "(Optional) Use this parameter to specify the comparison method used to evaluate the requested authentication context classes or declarations. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "entityName" : { "title" : "IdP Entity ID", "description" : "The entity ID of the SAML2 identity provider to use for this module. The IdP entity must already be configured before this module can use it.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/authentication/modules/authSaml
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action Saml2Module --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action Saml2Module --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action Saml2Module --global --actionName nextdescendents
update
Usage
am> update Saml2Module --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "authComparison" : { "title" : "Comparison Type", "description" : "(Optional) Use this parameter to specify the comparison method used to evaluate the requested authentication context classes or declarations. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "allowCreate" : { "title" : "Allow IdP to Create NameID", "description" : "Use this parameter to indicate whether the identity provider may create a new identifier for the principal if none exists (true) or not (false).", "propertyOrder" : 400, "required" : true, "type" : "string", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "sloRelay" : { "title" : "Single Logout URL", "description" : "If Single Logout is enabled, this is the URL to which the user is forwarded after a successful IdP logout. 
This must be an absolute URL (starting with http:// or https://); a relative URL will not redirect. Because users are sent to this location after logout, point it only at a site you control or trust.", "propertyOrder" : 1500, "required" : true, "type" : "string", "exampleValue" : "" }, "nameIdFormat" : { "title" : "NameID Format", "description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</pre>", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "loginChain" : { "title" : "Linking Authentication Chain", "description" : "The authentication chain that is executed when the user must authenticate locally so that their local account can be linked to the identity asserted by the IdP. Because this step binds a remote identity to a local account, the chain should authenticate the user at least as strongly as a normal local login.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" }, "forceAuthn" : { "title" : "Force IdP Authentication", "description" : "Use this parameter to indicate whether the identity provider must re-authenticate the user even if an IdP session already exists (true) or may reuse that existing security context without prompting (false).", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "entityName" : { "title" : "IdP Entity ID", "description" : "The entity ID of the SAML2 identity provider to use for this module. The IdP entity must already be configured before this module can use it.", "propertyOrder" : 200, "required" : true, "type" : "string", "exampleValue" : "" }, "authnContextClassRef" : { "title" : "Authentication Context Class Reference", "description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "metaAlias" : { "title" : "SP MetaAlias", "description" : "MetaAlias for Service Provider. 
The format of this parameter is <pre>/realm_name/SP</pre>", "propertyOrder" : 300, "required" : true, "type" : "string", "exampleValue" : "" }, "isPassive" : { "title" : "Passive Authentication", "description" : "Use this parameter to indicate whether the identity provider should authenticate passively, without visibly interacting with the user (true), or not (false).", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "reqBinding" : { "title" : "Request Binding", "description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "binding" : { "title" : "Response Binding", "description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "authnContextDeclRef" : { "title" : "Authentication Context Declaration Reference", "description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).", "propertyOrder" : 800, "required" : true, "type" : "string", "exampleValue" : "" }, "sloEnabled" : { "title" : "Single Logout Enabled", "description" : "When enabled, the module attempts to log the user out of their IdP session when the local session is logged out. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.", "propertyOrder" : 1400, "required" : true, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }