RemoteSaml2EntityProvider
Realm Operations
Allows the management of remote SAML2 entity providers.
Resource path: /realm-config/saml2/remote
Resource version: 1.0
delete
Removes the SAML2 entity provider from the configuration including all of its associated roles.
Usage:
am> delete RemoteSaml2EntityProvider --realm Realm --id id
Parameters:
--id
The unique identifier for the resource.
importEntity
Import the standard metadata of a remote entity provider. Because the imported metadata establishes which remote entity AM will trust, obtain it over an authenticated channel from the provider's operator and review its contents before importing.
Usage:
am> action RemoteSaml2EntityProvider --realm Realm --body body --actionName importEntity
Parameters:
--body
The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "The JSON schema for importEntity action requests.", "type" : "object", "title" : "Import remote entity provider request", "properties" : { "standardMetadata" : { "type" : "string", "title" : "Standard Metadata", "description" : "The standard SAML metadata for the remote entity provider. The value should be Base64url encoded." } }, "required" : [ "standardMetadata" ] }
read
Returns the roles of the SAML2 entity provider.
Usage:
am> read RemoteSaml2EntityProvider --realm Realm --id id
Parameters:
--id
The unique identifier for the resource.
update
Updates details of the SAML2 entity provider role.
Usage:
am> update RemoteSaml2EntityProvider --realm Realm --id id --body body
Parameters:
--id
The unique identifier for the resource.
--body
The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-07/schema#", "ignoredProperties" : [ "_id", "_rev" ], "description" : "This schema describes a remote SAML2 entity provider.", "title" : "SAML2 Remote Entity Provider", "type" : "object", "properties" : { "entityId" : { "type" : "string" }, "identityProvider" : { "title" : "Remote Identity Provider", "description" : "This schema describes a SAML2 remote identity provider.", "type" : "object", "traverseObject" : true, "properties" : { "assertionContent" : { "propertyOrder" : 0, "traverseObject" : true, "title" : "Assertion Content", "type" : "object", "properties" : { "signingAndEncryption" : { "traverseObject" : true, "title" : "Signing And Encryption", "type" : "object", "properties" : { "requestResponseSigning" : { "traverseObject" : true, "title" : "Request/Response Signing", "description" : "Select the checkbox for each request/response that should be signed", "type" : "object", "properties" : { "authenticationRequest" : { "attributePath" : { "value" : "/wantAuthnRequestsSigned" }, "title" : "Authentication Request", "type" : "boolean" }, "artifactResolve" : { "attributeKey" : "wantArtifactResolveSigned", "title" : "Artifact Resolve", "type" : "boolean" }, "logoutRequest" : { "attributeKey" : "wantLogoutRequestSigned", "title" : "Logout Request", "type" : "boolean" }, "logoutResponse" : { "attributeKey" : "wantLogoutResponseSigned", "title" : "Logout Response", "type" : "boolean" }, "manageNameIdRequest" : { "attributeKey" : "wantMNIRequestSigned", "title" : "Manage NameID Request", "type" : "boolean" }, "manageNameIdResponse" : { "attributeKey" : "wantMNIResponseSigned", "title" : "Manage NameID Response", "type" : "boolean" } }, "required" : [ "authenticationRequest", "artifactResolve", "logoutRequest", "logoutResponse", "manageNameIdRequest", "manageNameIdResponse" ] }, "encryption" : { "traverseObject" : true, "title" : "Encryption", "type" : "object", "properties" : { "nameIdEncryption" : { "attributeKey" : 
"wantNameIDEncrypted", "title" : "NameID Encryption", "type" : "boolean" } }, "required" : [ "nameIdEncryption" ] } } }, "nameIdFormat" : { "traverseObject" : true, "title" : "NameID Format", "type" : "object", "properties" : { "nameIdFormatList" : { "description" : "List of NameID formats the requestor will use to contact. Order listed shows the order of preference", "title" : "NameID Format List", "attributePath" : { "value" : "/nameIDFormat" }, "type" : "array", "items" : { "type" : "string" }, "default" : [ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName", "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos", "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" ] } } }, "basicAuthentication" : { "traverseObject" : true, "description" : "Configure basic authentication setting for Soap based binding", "title" : "Basic Authentication", "type" : "object", "properties" : { "enabled" : { "attributeKey" : "basicAuthOn", "title" : "Enabled", "type" : "boolean", "default" : false }, "userName" : { "attributeKey" : "basicAuthUser", "title" : "User Name", "type" : "string" }, "password" : { "title" : "Password", "attributeKey" : { "value" : "basicAuthPassword", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.PasswordMapper" }, "type" : "string", "format" : "password" } } } } }, "services" : { "propertyOrder" : 1, "traverseObject" : true, "title" : "Services", "type" : "object", "properties" : { "serviceAttributes" : { "type" : "object", "title" : "IDP Service Attributes", "traverseObject" : true, "properties" : { "artifactResolutionService" : { "title" : "Artifact Resolution Service", "type" : "array", "attributePath" : { "value" : "artifactResolutionService", "mapper" : 
"org.forgerock.openam.federation.rest.schema.mappers.IndexedEndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] } }, "singleLogoutService" : { "title" : "Single Logout Service", "type" : "array", "attributePath" : { "value" : "singleLogoutService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] } }, "nameIdService" : { "title" : "Manage NameID Service", "type" : "array", "attributePath" : { "value" : "manageNameIDService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ 
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] } }, "singleSignOnService" : { "title" : "Single SignOn Service", "type" : "array", "attributePath" : { "value" : "singleSignOnService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] } } } }, "nameIdMapping" : { "title" : "NameID Mapping", "type" : "array", "attributePath" : { "value" : "nameIDMappingService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom 
Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] } } } } } }, "serviceProvider" : { "title" : "Remote Service Provider", "description" : "This schema describes a SAML2 remote service provider.", "type" : "object", "traverseObject" : true, "properties" : { "assertionContent" : { "propertyOrder" : 0, "traverseObject" : true, "title" : "Assertion Content", "type" : "object", "properties" : { "signingAndEncryption" : { "traverseObject" : true, "title" : "Signing And Encryption", "type" : "object", "properties" : { "requestResponseSigning" : { "traverseObject" : true, "description" : "Select the checkbox for each request/response that should be signed", "title" : "Request/Response Signing", "type" : "object", "properties" : { "authenticationRequest" : { "attributePath" : { "value" : "/authnRequestsSigned" }, "title" : "Authentication Requests Signed", "type" : "boolean" }, "assertion" : { "attributePath" : "/wantAssertionsSigned", "title" : "Assertions Signed", "type" : "boolean" }, "postResponse" : { "attributeKey" : "wantPOSTResponseSigned", "title" : "POST Response Signed", "type" : "boolean" }, "artifactResponse" : { "attributeKey" : "wantArtifactResponseSigned", "title" : "Artifact Response Signed", "type" : "boolean" }, "logoutRequest" : { "attributeKey" : "wantLogoutRequestSigned", "title" : "Logout Request Signed", "type" : "boolean" }, "logoutResponse" : { "attributeKey" : "wantLogoutResponseSigned", "title" : "Logout Response Signed", "type" : "boolean" }, "manageNameIdRequest" : { "attributeKey" : "wantMNIRequestSigned", "title" : "Manage NameID Request Signed", "type" : "boolean" }, "manageNameIdResponse" : { "attributeKey" : "wantMNIResponseSigned", "title" : "Manage NameID Response Signed", "type" : "boolean" } } }, "encryption" : { "traverseObject" : true, "title" : "Encryption", "type" : "object", 
"properties" : { "attributeEncryption" : { "attributeKey" : "wantAttributeEncrypted", "title" : "Attribute Encryption", "type" : "boolean" }, "assertionEncryption" : { "attributeKey" : "wantAssertionEncrypted", "title" : "Assertion Encryption", "type" : "boolean" }, "nameIdEncryption" : { "attributeKey" : "wantNameIDEncrypted", "title" : "NameID Encryption", "type" : "boolean" } } } } }, "nameIdFormat" : { "traverseObject" : true, "title" : "NameID Format", "type" : "object", "properties" : { "nameIdFormatList" : { "description" : "List of NameID formats the requestor will use to contact. Order listed shows the order of preference", "title" : "NameID Format List", "attributePath" : { "value" : "/nameIDFormat" }, "type" : "array", "items" : { "type" : "string" }, "default" : [ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName", "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos", "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" ] }, "disableNameIdPersistence" : { "attributeKey" : "spDoNotWriteFederationInfo", "title" : "Disable NameID persistence", "description" : "Instructs the hosted IdP to not persist the NameID into the User Data Store even if the NameID Format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent in the Assertion.", "type" : "boolean" } } }, "basicAuthentication" : { "traverseObject" : true, "description" : "Configure basic authentication setting for Soap based binding", "title" : "Basic Authentication", "type" : "object", "properties" : { "enabled" : { "attributeKey" : "basicAuthOn", "title" : "Enabled", "type" : "boolean", "default" : false }, "userName" : { "attributeKey" : "basicAuthUser", "title" : "User Name", "type" : "string" }, "password" : { "title" : "Password", "attributeKey" : 
{ "value" : "basicAuthPassword", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.PasswordMapper" }, "type" : "string", "format" : "password" } } } } }, "assertionProcessing" : { "propertyOrder" : 1, "traverseObject" : true, "title" : "Assertion Processing", "type" : "object", "properties" : { "attributeMapper" : { "traverseObject" : true, "title" : "Attribute Mapper", "type" : "object", "properties" : { "attributeMap" : { "title" : "Attribute Map", "description" : "This mapping is the configuration used by the Attribute Mapper. Mapping should be defined as SAML ATTRIBUTE NAME=PROFILE ATTRIBUTE NAME in the assertion. Example: EmailAddress=mail, Address=postaladdress.", "type" : "array", "attributeKey" : { "value" : "attributeMap", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.AttributeMapMapper" }, "items" : { "type" : "object", "properties" : { "nameFormatUri" : { "title" : "Name Format Uri", "propertyOrder" : 0, "type" : "string" }, "samlAttribute" : { "title" : "SAML Attribute", "propertyOrder" : 1, "type" : "string" }, "localAttribute" : { "title" : "Local Attribute", "propertyOrder" : 2, "type" : "string" }, "binary" : { "title" : "Binary", "propertyOrder" : 3, "type" : "boolean" } }, "required" : [ "samlAttribute", "localAttribute" ] } } } }, "responseArtifactMessageEncoding" : { "traverseObject" : true, "title" : "Artifact Message Encoding", "type" : "object", "properties" : { "encoding" : { "attributeKey" : { "value" : "responseArtifactMessageEncoding", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.MessageEncodingMapper" }, "title" : "Artifact Message Encoding", "type" : "string", "enum" : [ "URI", "FORM" ], "default" : "URI" } } } } }, "services" : { "propertyOrder" : 2, "traverseObject" : true, "title" : "Services", "type" : "object", "properties" : { "serviceAttributes" : { "traverseObject" : true, "title" : "SP Service Attributes", "type" : "object", "properties" : { "singleLogoutService" : { "title" : 
"Single Logout Service", "type" : "array", "attributePath" : { "value" : "singleLogoutService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "post" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "soap" : { "type" : "object", "properties" : { "location" : { "type" : "string" } }, "required" : [ "location" ] } }, "nameIdService" : { "title" : "Manage NameID Service", "type" : "array", "attributePath" : { "value" : "manageNameIDService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ 
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "soap" : { "type" : "object", "properties" : { "location" : { "type" : "string" } }, "required" : [ "location" ] } }, "assertionConsumerService" : { "attributePath" : { "value" : "assertionConsumerService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.ExtendedIndexedEndpointMapper" }, "title" : "Assertion Consumer Service", "description" : "Location denotes the URL to accept the respective request type. Index denotes the index of the URL in the standard metadata", "type" : "array", "items" : { "type" : "object", "properties" : { "isDefault" : { "type" : "boolean" }, "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-Artifact", "HTTP-POST", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "index" : { "type" : "integer" } } } } } } } }, "advanced" : { "propertyOrder" : 3, "traverseObject" : true, "title" : "Advanced", "type" : "object", "properties" : { "skipEndpointValidationWhenSigned" : { "title" : "Skip Endpoint Validation For Signed Requests", "description" : "When enabled, AM will not attempt to verify the AssertionConsumerServiceURL value provided in the SAML AuthnRequest. 
This SP MUST also be configured to sign authentication requests, and AM must verify those signatures: once endpoint validation is skipped, the request signature is the only protection against an AuthnRequest that redirects the assertion to an attacker-controlled AssertionConsumerServiceURL. Leave this disabled unless the SP genuinely requires it.", "type" : "boolean", "attributeKey" : "skipEndpointValidationWhenSigned" }, "saeConfiguration" : { "traverseObject" : true, "title" : "SAE Configuration", "type" : "object", "properties" : { "spUrl" : { "attributeKey" : "saeSPUrl", "title" : "SP URL", "description" : "URL endpoint on Service Provider that can handle SAE requests. If this URL is empty (not configured), SAE single sign-on will not be enabled. Normal samlv2 single sign-on response will be sent to SP", "type" : "string" }, "spLogoutUrl" : { "attributeKey" : "saeSPLogoutUrl", "title" : "SP Logout URL", "description" : "URL endpoint on the Service Provider that can handle SAE global logout requests", "type" : "string" } } }, "idpProxy" : { "traverseObject" : true, "title" : "IDP Proxy", "type" : "object", "properties" : { "enableIdpProxy" : { "attributeKey" : "enableIDPProxy", "title" : "IDP Proxy enabled", "description" : "Enable IDP Proxy if not enabled", "type" : "boolean" }, "alwaysIdpProxy" : { "attributeKey" : "alwaysIdpProxy", "title" : "Proxy all requests", "description" : "When this option is enabled, the IdP will proxy every authentication request, whether or not it contains the Scoping element.", "type" : "boolean" }, "useIntroductionForIdpProxy" : { "attributeKey" : "useIntroductionForIDPProxy", "title" : "Introduction enabled", "type" : "boolean" }, "useIDPFinder" : { "attributeKey" : "useIDPFinder", "title" : "Use IDP Finder", "type" : "boolean" }, "idpProxyCount" : { "attributeKey" : "idpProxyCount", "title" : "Proxy Count", "description" : "Number of IDP proxies that the SP can have", "type" : "integer", "default" : 0 }, "idpProxyList" : { "attributeKey" : "idpProxyList", "description" : "A list of preferred IDPs that the SP would proxy to", "title" : "IDP Proxy List", "type" : "array", "items" : { "type" : "string" } } } } } } } } }, "required" : [ "entityId" ], "$id" : 
"https://www.forgerock.com/remoteSaml2EntityProvider.schema.json" }