---
layout: docs
page_title: auth-methods create - Command
description: |-
  The "auth-methods create" command creates auth method resources in Boundary. You can create LDAP, OIDC, and password auth method types.
---

# auth-methods create

Command: `boundary auth-methods create`

The `auth-methods create` command lets you create Boundary auth
method resources. The available auth method types are: LDAP, OIDC, and password.

## Examples

The following example creates an OIDC auth method by passing the OIDC provider's domain (`-issuer`), client ID, and client secret:

```shell-session
$ boundary auth-methods create oidc \
  -issuer "https://dev-1sdl8c0z.us.auth0.com" \
  -client-id "zaxJLTZh3n14WqSQ7qQ9onuIVRDaZdzz;" \
  -client-secret "t35c9NNw1aZ8haEKFJbJF0lauMOSp5UNPovUJXo8Ea2sPZAR1DszEowX-6-lg-Xr" \
  -signing-algorithm RS256 \
  -api-url-prefix "http://localhost:9200" \
  -name "auth0"
```

**Example output:**

<CodeBlockConfig hideClipboard>

```plaintext
Auth Method information:
  Created Time:         Thu, 06 May 2021 16:39:33 MDT
  ID:                   amoidc_oHt4HQFCrN
  Name:                 auth0
  Type:                 oidc
  Updated Time:         Thu, 06 May 2021 16:39:33 MDT
  Version:              1

  Scope:
    ID:                 global
    Name:               global
    Type:               global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accounts:
      create
      list

  Attributes:
    api_url_prefix:     http://localhost:9200
    callback_url:       http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
    client_id:          zbaJLTZh3n14WqSV7qQ9onuIVRDaZdzx
    client_secret_hmac: ayJRYSCphzxcHiKJvBrnDVtz1yiR958ejQuRGdQJMeM
    issuer:             https://dev-1vdl8c0q.us.auth0.com
    signing_algorithms: [RS256]
    state:              inactive
```

</CodeBlockConfig>


## Usage

<CodeBlockConfig hideClipboard>

```shell-session
$ boundary auth-methods create [type] [sub command] [options] [args]
```

</CodeBlockConfig>

### Command options:

- `-description` `(string: "")` - The description to set on the auth method.
- `-name` `(string: "")` - The name to set on the auth method.
- `-scope-id` `(string: "")` - The scope in which to make the request. The default
   is `global`. You can also specify the scope using the **BOUNDARY_SCOPE_ID** environment variable.

@include 'cmd-option-note.mdx'

### Usages by type

The available types are: `ldap`, `oidc`, and `password`.

<Tabs>
<Tab heading="LDAP">

The `boundary auth-methods create ldap` command creates an LDAP auth method.

#### Example

The following example creates an LDAP auth method with the name `prodops` and the description `LDAP auth-method for ProdOps`:

```shell-session
$ boundary auth-methods create ldap -name prodops \
   -description "LDAP auth-method for ProdOps"
```

#### Usage

<CodeBlockConfig hideClipboard>

```shell-session
$ boundary auth-methods create ldap [options] [args]
```

</CodeBlockConfig>

#### LDAP auth method options

The following are LDAP-specific options in addition to the command
options:

- `-anon-group-search`  - Uses anon bind when performing LDAP
   group searches (optional). The default is `false`.

- `-bind-dn` `(string: "")` - Uses the distinguished name of entry to bind when
   performing user and group searches (optional).

- `-bind-password` `(string: "")` - Indicates the password to use along with bind-dn
  performing user and group searches (optional).

- `-certificate` `(string: "")` - Specifies a PEM-encoded X.509 CA certificate in ASN.1 DER
   form that can be used as a trust anchor when connecting to an LDAP
   server(optional). You can specify this value multiple times.

- `-client-certificate` `(string: "")` - Specifies a PEM-encoded X.509 client certificate in
   ASN.1 DER form that can be used to authenticate against an LDAP server
   (optional).

- `-client-certificate-key` `(string: "")` - Specifies a PEM-encoded X.509 client
   certificate key in PKCS #8, ASN.1 DER form used with the client certificate
   (optional).

- `-discover-dn`  - Uses anon bind to discover the bind DN of a
   user (optional). The default value is `false`.

- `-enable-groups`  - Finds the authenticated user's groups during
   authentication (optional). The default is `false`.

- `-group-attr` `(string: "")` - Indicates the attribute that enumerates a user's group
   membership from entries returned by a group search (optional).

- `-group-dn` `(string: "")` - Specifies the base DN under which to perform group search.

- `-group-filter` `(string: "")` - Indicates a go template used to construct a LDAP group
   search filter (optional).

- `-insecure-tls`  - Skips the LDAP server SSL certificate
   validation (optional). Use this option with caution; it is insecure. The default value is `false`.

- `-start-tls`  - Issues the StartTLS command after connecting
   (optional). The default value is `false`.

- `-state` `(string: "")` - Indicates the desired operational state of the auth method.

- `-upn-domain` `(string: "")` - Specifies the userPrincipalDomain used to construct the
   UPN string for the authenticating user (optional).

- `-urls` `(string: "")` - Indicates the LDAP URLs that specify LDAP servers to connect to
   (required). You can specify this value multiple times.

- `-use-token-groups`  - Uses the Active Directory tokenGroups
   constructed attribute of the user to find the group memberships (optional).
   The default value is `false`.

- `-user-attr` `(string: "")` - Specifies the attribute on user entry that matches the
   username that is passed during authentication (optional).

- `-user-dn` `(string: "")` - Indicates the base DN under which to perform user search
(optional).

- `-user-filter` `(string: "")` - Specifies a go template used to construct a LDAP user
search filter (optional).

</Tab>
<Tab heading="OIDC">

The `boundary auth-methods create oidc` command creates an OIDC auth method.

#### Example

The following example creates an OIDC auth method with the name `prodops` and the description `Oidc auth-method for ProdOps`:

```shell-session
$ boundary auth-methods create oidc -name prodops \
   -description "Oidc auth-method for ProdOps"
```

#### Usage

<CodeBlockConfig hideClipboard>

```shell-session
$ boundary auth-methods create oidc [options] [args]
```

</CodeBlockConfig>

#### OIDC auth method options

The following are OIDC-specific options in addition to the command options:

- `-account-claim-maps` `(string: "")` - Specifies the optional account claim maps from
   custom claims to the standard claims of sub, name and email. These maps are
   represented as key=value where the key equals the Provider from-claim and the
   value equals the Boundary to-claim. For example "oid=sub". You may specify this value
   multiple times for different to-claims.

- `-allowed-audience` `(string: "")` - Indicates the acceptable audience ("aud") claim.
 You may specify this value multiple times.

- `-api-url-prefix` `(string: "")` - Specifies the URL prefix used by the OIDC provider in
  the authentication flow.

- `-claims-scopes` `(tring: "")` - Indicates the optional claims scope requested. You may specify this value multiple times.

- `-client-id` `(string: "")` - Specifies the OAuth 2.0 Client Identifier this auth method
   should use with the provider.

- `-client-secret` `(string: "")` - Indicates the corresponding client secret.

- `-idp-ca-cert` `(string: "")` - Specifies an optional PEM-encoded X.509 CA certificate that
   can be used as trust anchors when connecting to an OIDC provider. You may specify this value multiple times.

- `-issuer` `(string: "")` - Indicates the provider's issuer URL.

- `-max-age` `(string: "")` - Indicates the OIDC "max_age" parameter that is sent to the provider.

- `prompts` `(string: "")` - Indicates whether the OIDC authorization server should display reauthentication, account selection, or consent user interface prompts.
You can optionally configure one or more of the following types of prompts to customize the behavior of the authentication process:
   - `none` - The authorization server does not display any authentication or consent prompts.
   - `login` - The authorization server prompts users for reauthentication before allowing them to log in.
   - `consent` - The authorization server prompts users for consent before returning any information to Boundary.
   - `select_account` - The authorization server prompts users to select a user account.
   The `select_account` option can be helpful if your users have multiple accounts.

<Note>

Cloud providers implement `prompts` in different ways.
You may notice differences in behavior if you configure OIDC authentication on multiple cloud providers.

</Note>

- `-signing-algorithm` `(string: "")` - Indicates the allowed signing algorithm. You may specify this multiple times for multiple values.



</Tab>
<Tab heading="Password">

The `boundary auth-methods create password` command creates a Password type auth method.

#### Example

The following example creates a Password type auth method with the name `prodops` and the description `Password auth-method for ProdOps`:

```shell-session
$ boundary auth-methods create password -name prodops \
   -description "Password auth-method for ProdOps"
```
#### Usage

<CodeBlockConfig hideClipboard>

```shell-session
$ boundary accounts create password [options] [args]
```

</CodeBlockConfig>

#### Password auth method options

The following are password auth method specific options in addition to the
command options:

- `-min-login-name-length` `(string: "")` - The minimum length of login names.

- `-min-password-length` `(string: "")` - The minimum length of passwords.

</Tab>
</Tabs>