aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'efe9fe780d'
${ noResults }
boundary/website/content/docs/commands/auth-methods/create.mdx

294 lines
9.6 KiB
Raw Blame History

---
layout: docs
page_title: auth-methods create - Command
description: >-
The "auth-methods create" command creates new auth method resources. You can create LDAP, OIDC, and password auth method types.
---
# auth-methods create
Command: `boundary auth-methods create`
The `auth-methods create` command lets you create Boundary auth
method resources. The available auth method types are: LDAP, OIDC, and password.
## Examples
The following example creates an OIDC auth method by passing the OIDC provider's domain (`-issuer`), client ID, and client secret:
```shell-session
$ boundary auth-methods create oidc \
-issuer "https://dev-1sdl8c0z.us.auth0.com" \
-client-id "zaxJLTZh3n14WqSQ7qQ9onuIVRDaZdzz;" \
-client-secret "t35c9NNw1aZ8haEKFJbJF0lauMOSp5UNPovUJXo8Ea2sPZAR1DszEowX-6-lg-Xr" \
-signing-algorithm RS256 \
-api-url-prefix "http://localhost:9200" \
-name "auth0"
```
**Example output:**
<CodeBlockConfig hideClipboard>
```plaintext
Auth Method information:
Created Time: Thu, 06 May 2021 16:39:33 MDT
ID: amoidc_oHt4HQFCrN
Name: auth0
Type: oidc
Updated Time: Thu, 06 May 2021 16:39:33 MDT
Version: 1
Scope:
ID: global
Name: global
Type: global
Authorized Actions:
no-op
read
update
delete
change-state
authenticate
Authorized Actions on Auth Method's Collections:
accounts:
create
list
Attributes:
api_url_prefix: http://localhost:9200
callback_url: http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
client_id: zbaJLTZh3n14WqSV7qQ9onuIVRDaZdzx
client_secret_hmac: ayJRYSCphzxcHiKJvBrnDVtz1yiR958ejQuRGdQJMeM
issuer: https://dev-1vdl8c0q.us.auth0.com
signing_algorithms: [RS256]
state: inactive
```
</CodeBlockConfig>
## Usage
<CodeBlockConfig hideClipboard>
```shell-session
$ boundary auth-methods create [type] [sub command] [options] [args]
```
</CodeBlockConfig>
### Command options:
- `-description` `(string: "")` - The description to set on the auth method.
- `-name` `(string: "")` - The name to set on the auth method.
- `-scope-id` `(string: "")` - The scope in which to make the request. The default
is `global`. You can also specify the scope using the **BOUNDARY_SCOPE_ID** environment variable.
@include 'cmd-option-note.mdx'
### Usages by type
The available types are: `ldap`, `oidc`, and `password`.
<Tabs>
<Tab heading="LDAP">
The `boundary auth-methods create ldap` command creates an LDAP auth method.
#### Example
The following example creates an LDAP auth method with the name `prodops` and the description `LDAP auth-method for ProdOps`:
```shell-session
$ boundary auth-methods create ldap -name prodops \
-description "LDAP auth-method for ProdOps"
```
#### Usage
<CodeBlockConfig hideClipboard>
```shell-session
$ boundary auth-methods create ldap [options] [args]
```
</CodeBlockConfig>
#### LDAP auth method options
The following are LDAP-specific options in addition to the command
options:
- `-anon-group-search` - Uses anon bind when performing LDAP
group searches (optional). The default is `false`.
- `-bind-dn` `(string: "")` - Uses the distinguished name of entry to bind when
performing user and group searches (optional).
- `-bind-password` `(string: "")` - Indicates the password to use along with bind-dn
performing user and group searches (optional).
- `-certificate` `(string: "")` - Specifies a PEM-encoded X.509 CA certificate in ASN.1 DER
form that can be used as a trust anchor when connecting to an LDAP
server(optional). You can specify this value multiple times.
- `-client-certificate` `(string: "")` - Specifies a PEM-encoded X.509 client certificate in
ASN.1 DER form that can be used to authenticate against an LDAP server
(optional).
- `-client-certificate-key` `(string: "")` - Specifies a PEM-encoded X.509 client
certificate key in PKCS #8, ASN.1 DER form used with the client certificate
(optional).
- `-discover-dn` - Uses anon bind to discover the bind DN of a
user (optional). The default value is `false`.
- `-enable-groups` - Finds the authenticated user's groups during
authentication (optional). The default is `false`.
- `-group-attr` `(string: "")` - Indicates the attribute that enumerates a user's group
membership from entries returned by a group search (optional).
- `-group-dn` `(string: "")` - Specifies the base DN under which to perform group search.
- `-group-filter` `(string: "")` - Indicates a go template used to construct a LDAP group
search filter (optional).
- `-insecure-tls` - Skips the LDAP server SSL certificate
validation (optional). Use this option with caution; it is insecure. The default value is `false`.
- `-start-tls` - Issues the StartTLS command after connecting
(optional). The default value is `false`.
- `-state` `(string: "")` - Indicates the desired operational state of the auth method.
- `-upn-domain` `(string: "")` - Specifies the userPrincipalDomain used to construct the
UPN string for the authenticating user (optional).
- `-urls` `(string: "")` - Indicates the LDAP URLs that specify LDAP servers to connect to
(required). You can specify this value multiple times.
- `-use-token-groups` - Uses the Active Directory tokenGroups
constructed attribute of the user to find the group memberships (optional).
The default value is `false`.
- `-user-attr` `(string: "")` - Specifies the attribute on user entry that matches the
username that is passed during authentication (optional).
- `-user-dn` `(string: "")` - Indicates the base DN under which to perform user search
(optional).
- `-user-filter` `(string: "")` - Specifies a go template used to construct a LDAP user
search filter (optional).
</Tab>
<Tab heading="OIDC">
The `boundary auth-methods create oidc` command creates an OIDC auth method.
#### Example
The following example creates an OIDC auth method with the name `prodops` and the description `Oidc auth-method for ProdOps`:
```shell-session
$ boundary auth-methods create oidc -name prodops \
-description "Oidc auth-method for ProdOps"
```
#### Usage
<CodeBlockConfig hideClipboard>
```shell-session
$ boundary auth-methods create oidc [options] [args]
```
</CodeBlockConfig>
#### OIDC auth method options
The following are OIDC-specific options in addition to the command options:
- `-account-claim-maps` `(string: "")` - Specifies the optional account claim maps from
custom claims to the standard claims of sub, name and email. These maps are
represented as key=value where the key equals the Provider from-claim and the
value equals the Boundary to-claim. For example "oid=sub". You may specify this value
multiple times for different to-claims.
- `-allowed-audience` `(string: "")` - Indicates the acceptable audience ("aud") claim.
You may specify this value multiple times.
- `-api-url-prefix` `(string: "")` - Specifies the URL prefix used by the OIDC provider in
the authentication flow.
- `-claims-scopes` `(tring: "")` - Indicates the optional claims scope requested. You may specify this value multiple times.
- `-client-id` `(string: "")` - Specifies the OAuth 2.0 Client Identifier this auth method
should use with the provider.
- `-client-secret` `(string: "")` - Indicates the corresponding client secret.
- `-idp-ca-cert` `(string: "")` - Specifies an optional PEM-encoded X.509 CA certificate that
can be used as trust anchors when connecting to an OIDC provider. You may specify this value multiple times.
- `-issuer` `(string: "")` - Indicates the provider's issuer URL.
- `-max-age` `(string: "")` - Indicates the OIDC "max_age" parameter that is sent to the provider.
- `prompts` `(string: "")` - Indicates whether the OIDC authorization server should display reauthentication, account selection, or consent user interface prompts.
You can optionally configure one or more of the following types of prompts to customize the behavior of the authentication process:
- `none` - The authorization server does not display any authentication or consent prompts.
- `login` - The authorization server prompts users for reauthentication before allowing them to log in.
- `consent` - The authorization server prompts users for consent before returning any information to Boundary.
- `select_account` - The authorization server prompts users to select a user account.
The `select_account` option can be helpful if your users have multiple accounts.
<Note>
Cloud providers implement `prompts` in different ways.
You may notice differences in behavior if you configure OIDC authentication on multiple cloud providers.
</Note>
- `-signing-algorithm` `(string: "")` - Indicates the allowed signing algorithm. You may specify this multiple times for multiple values.
</Tab>
<Tab heading="Password">
The `boundary auth-methods create password` command creates a Password type auth method.
#### Example
The following example creates a Password type auth method with the name `prodops` and the description `Password auth-method for ProdOps`:
```shell-session
$ boundary auth-methods create password -name prodops \
-description "Password auth-method for ProdOps"
```
#### Usage
<CodeBlockConfig hideClipboard>
```shell-session
$ boundary accounts create password [options] [args]
```
</CodeBlockConfig>
#### Password auth method options
The following are password auth method specific options in addition to the
command options:
- `-min-login-name-length` `(string: "")` - The minimum length of login names.
- `-min-password-length` `(string: "")` - The minimum length of passwords.
</Tab>
</Tabs>
Reference in new issue View Git Blame Copy Permalink