aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cf3900a906'
${ noResults }
boundary/website/content/docs/commands/auth-methods/create.mdx

279 lines
8.6 KiB
Raw Blame History

---
layout: docs
page_title: auth-methods create - Command
description: |-
The "auth-methods create" command lets Boundary admin create an auth method.
---
# auth-methods create
Command: `boundary auth-methods create`
The `auth-methods create` command lets you create Boundary auth
method resources. The available auth method types are: LDAP, OIDC, and password.
## Examples
The following example creates an OIDC auth method by passing the OIDC provider's domain (`-issuer`), client ID, and client secret:
```shell-session
$ boundary auth-methods create oidc \
-issuer "https://dev-1sdl8c0z.us.auth0.com" \
-client-id "zaxJLTZh3n14WqSQ7qQ9onuIVRDaZdzz;" \
-client-secret "t35c9NNw1aZ8haEKFJbJF0lauMOSp5UNPovUJXo8Ea2sPZAR1DszEowX-6-lg-Xr" \
-signing-algorithm RS256 \
-api-url-prefix "http://localhost:9200" \
-name "auth0"
```
**Example output:**
<CodeBlockConfig hideClipboard>
```plaintext
Auth Method information:
Created Time: Thu, 06 May 2021 16:39:33 MDT
ID: amoidc_oHt4HQFCrN
Name: auth0
Type: oidc
Updated Time: Thu, 06 May 2021 16:39:33 MDT
Version: 1
Scope:
ID: global
Name: global
Type: global
Authorized Actions:
no-op
read
update
delete
change-state
authenticate
Authorized Actions on Auth Method's Collections:
accounts:
create
list
Attributes:
api_url_prefix: http://localhost:9200
callback_url: http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
client_id: zbaJLTZh3n14WqSV7qQ9onuIVRDaZdzx
client_secret_hmac: ayJRYSCphzxcHiKJvBrnDVtz1yiR958ejQuRGdQJMeM
issuer: https://dev-1vdl8c0q.us.auth0.com
signing_algorithms: [RS256]
state: inactive
```
</CodeBlockConfig>
## Usage
<CodeBlockConfig hideClipboard>
```shell-session
$ boundary auth-methods create [type] [sub command] [options] [args]
```
</CodeBlockConfig>
### Command options:
- `-description` `(string: "")` - The description to set on the auth method.
- `-name` `(string: "")` - The name to set on the auth method.
- `-scope-id` `(string: "")` - The scope in which to make the request. The default
is `global`. You can also specify the scope using the **BOUNDARY_SCOPE_ID** environment variable.
@include 'cmd-option-note.mdx'
### Usages by type
The available types are: `ldap`, `oidc`, and `password`.
<Tabs>
<Tab heading="LDAP">
The `boundary auth-methods create ldap` command creates an LDAP auth method.
#### Example
The following example creates an LDAP auth method with the name `prodops` and the description `LDAP auth-method for ProdOps`:
```shell-session
$ boundary auth-methods create ldap -name prodops \
-description "LDAP auth-method for ProdOps"
```
#### Usage
<CodeBlockConfig hideClipboard>
```shell-session
$ boundary auth-methods create ldap [options] [args]
```
</CodeBlockConfig>
#### LDAP auth method options
The following are LDAP-specific options in addition to the command
options:
- `-anon-group-search` - Uses anon bind when performing LDAP
group searches (optional). The default is `false`.
- `-bind-dn` `(string: "")` - Uses the distinguished name of entry to bind when
performing user and group searches (optional).
- `-bind-password` `(string: "")` - Indicates the password to use along with bind-dn
performing user and group searches (optional).
- `-certificate` `(string: "")` - Specifies a PEM-encoded X.509 CA certificate in ASN.1 DER
form that can be used as a trust anchor when connecting to an LDAP
server(optional). You can specify this value multiple times.
- `-client-certificate` `(string: "")` - Specifies a PEM-encoded X.509 client certificate in
ASN.1 DER form that can be used to authenticate against an LDAP server
(optional).
- `-client-certificate-key` `(string: "")` - Specifies a PEM-encoded X.509 client
certificate key in PKCS #8, ASN.1 DER form used with the client certificate
(optional).
- `-discover-dn` - Uses anon bind to discover the bind DN of a
user (optional). The default value is `false`.
- `-enable-groups` - Finds the authenticated user's groups during
authentication (optional). The default is `false`.
- `-group-attr` `(string: "")` - Indicates the attribute that enumerates a user's group
membership from entries returned by a group search (optional).
- `-group-dn` `(string: "")` - Specifies the base DN under which to perform group search.
- `-group-filter` `(string: "")` - Indicates a go template used to construct a LDAP group
search filter (optional).
- `-insecure-tls` - Skips the LDAP server SSL certificate
validation (optional). Use this option with caution; it is insecure. The default value is `false`.
- `-start-tls` - Issues the StartTLS command after connecting
(optional). The default value is `false`.
- `-state` `(string: "")` - Indicates the desired operational state of the auth method.
- `-upn-domain` `(string: "")` - Specifies the userPrincipalDomain used to construct the
UPN string for the authenticating user (optional).
- `-urls` `(string: "")` - Indicates the LDAP URLs that specify LDAP servers to connect to
(required). You can specify this value multiple times.
- `-use-token-groups` - Uses the Active Directory tokenGroups
constructed attribute of the user to find the group memberships (optional).
The default value is `false`.
- `-user-attr` `(string: "")` - Specifies the attribute on user entry that matches the
username that is passed during authentication (optional).
- `-user-dn` `(string: "")` - Indicates the base DN under which to perform user search
(optional).
- `-user-filter` `(string: "")` - Specifies a go template used to construct a LDAP user
search filter (optional).
</Tab>
<Tab heading="OIDC">
The `boundary auth-methods create oidc` command creates an OIDC auth method.
#### Example
The following example creates an OIDC auth method with the name `prodops` and the description `Oidc auth-method for ProdOps`:
```shell-session
$ boundary auth-methods create oidc -name prodops \
-description "Oidc auth-method for ProdOps"
```
#### Usage
<CodeBlockConfig hideClipboard>
```shell-session
$ boundary auth-methods create oidc [options] [args]
```
</CodeBlockConfig>
#### OIDC auth method options
The following are OIDC-specific options in addition to the command options:
- `-account-claim-maps` `(string: "")` - Specifies the optional account claim maps from
custom claims to the standard claims of sub, name and email. These maps are
represented as key=value where the key equals the Provider from-claim and the
value equals the Boundary to-claim. For example "oid=sub". You may specify this value
multiple times for different to-claims.
- `-allowed-audience` `(string: "")` - Indicates the acceptable audience ("aud") claim.
You may specify this value multiple times.
- `-api-url-prefix` `(string: "")` - Specifies the URL prefix used by the OIDC provider in
the authentication flow.
- `-claims-scopes` `(tring: "")` - Indicates the optional claims scope requested. You may specify this value multiple times.
- `-client-id` `(string: "")` - Specifies the OAuth 2.0 Client Identifier this auth method
should use with the provider.
- `-client-secret` `(string: "")` - Indicates the corresponding client secret.
- `-idp-ca-cert` `(string: "")` - Specifies an optional PEM-encoded X.509 CA certificate that
can be used as trust anchors when connecting to an OIDC provider. You may specify this value multiple times.
- `-issuer` `(string: "")` - Indicates the provider's issuer URL.
- `-max-age` `(string: "")` - Indicates the OIDC "max_age" parameter that is sent to the provider.
- `-signing-algorithm` `(string: "")` - Indicates the allowed signing algorithm. You may specify this multiple times for multiple values.
</Tab>
<Tab heading="Password">
The `boundary auth-methods create password` command creates a Password type auth method.
#### Example
The following example creates a Password type auth method with the name `prodops` and the description `Password auth-method for ProdOps`:
```shell-session
$ boundary auth-methods create password -name prodops \
-description "Password auth-method for ProdOps"
```
#### Usage
<CodeBlockConfig hideClipboard>
```shell-session
$ boundary accounts create password [options] [args]
```
</CodeBlockConfig>
#### Password auth method options
The following are password auth method specific options in addition to the
command options:
- `-min-login-name-length` `(string: "")` - The minimum length of login names.
- `-min-password-length` `(string: "")` - The minimum length of passwords.
</Tab>
</Tabs>
Reference in new issue View Git Blame Copy Permalink