

Ingebrigt_Maurs
Feb 24, 2015

How to add idpConnector with iControl REST API

Hi!

I use APM, and am using the iControl REST API to automate my configuration. I have trouble adding a new idpConnector binding to an existing SP with iControlRest.

When I GET

The result is


{
    "kind": "tm:apm:aaa:saml:samlstate",
    "name": "my_sp",
    "partition": "Common",
    "fullPath": "/Common/my_sp",
    "generation": 6030,
    "selfLink": "https://localhost/mgmt/tm/apm/aaa/saml/~Common~my_sp?ver=11.6.0",
    "assertionConsumerBinding": "http-post",
    "entityId": "https://dummy:999",
    "isAuthnRequestSigned": "false",
    "locationSpecific": "false",
    "spCertificate": "/Common/somecert.crt",
    "spSignkey": "/Common/somekey.key",
    "wantAssertionEncrypted": "false",
    "wantAssertionSigned": "false",
    "idpConnectors": [
        {
            "name": "existing-idp",
            "partition": "Common",
            "idpMatchingSource": "%{session.server.landinguri}",
            "idpMatchingValue": "*idp=existingmujina*"
        }
    ]
}


When I try to be more specific and GET an idpConnector I get a 403:


{
    "code": 403,
    "message": "Operation is not allowed on property /apm/aaa/saml/~Common~my_sp/idp-connectors.",
    "errorStack": []
}


I can't find a way to POST new idpConnectors bindings (the config object that binds the SP to the IdP config, found in the admin GUI under: Access Policy -> SAML -> BIG-IP as SP -> my_sp -> bind/unbind IDP connectors -> Add new row).

How would I add a new binding with iControl (without DELETEing the SP and all its dependencies, and then recreating them)?

1 Reply

  • I found a solution in the iControl REST API: I can PATCH a resource. I wasn't able to add a new connector in addition to the existing IDP connectors, but I can replace the IDP connectors for the SP with a new collection of IDP connectors, which is almost as good.


    # PATCH replaces the whole idpConnectors collection, so every binding to keep must be listed
    curl -sk -uUSER:PASS https://bigip-test.env/mgmt/tm/apm/aaa/saml/~Common~my_sp \
      -H 'Content-Type: application/json' -X PATCH -d '{
        "idpConnectors": [
            {
                "name": "vps-existing-idp",
                "partition": "Common",
                "idpMatchingSource": "%{session.server.landinguri}",
                "idpMatchingValue": "*idp=existing*"
            },
            {
                "name": "vps-new-idp",
                "partition": "Common",
                "idpMatchingSource": "%{session.server.landinguri}",
                "idpMatchingValue": "*idp=new*"
            }
        ]
    }'
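A read-modify-write variant of the PATCH in the reply, added here as an example and not taken from the thread or from F5: it GETs the SP, appends the connector only when it is not already bound, and PATCHes the whole collection back, so the existing bindings are not dropped by accident. The host, credentials, CA bundle path and connector values are assumed placeholders; the endpoint path and field names are the ones shown above.

```python
import base64
import json
import ssl
import urllib.request

# Assumed placeholders, not values from the thread: BIG-IP host, credentials, CA bundle.
BIGIP = "https://bigip-test.env"
USER, PASSWORD = "USER", "PASS"
CA_BUNDLE = "/path/to/bigip-ca.pem"  # verify the BIG-IP certificate instead of curl -k
SP_URL = f"{BIGIP}/mgmt/tm/apm/aaa/saml/~Common~my_sp"


def merge_idp_connector(sp, new_connector):
    """Return (idpConnectors list with new_connector bound, changed flag).

    The resource only accepts the whole collection, so existing bindings are
    kept and the new one appended. Matching on (partition, name) makes a
    re-run idempotent: an already bound connector leaves the list unchanged.
    """
    existing = list(sp.get("idpConnectors", []))
    key = (new_connector.get("partition", "Common"), new_connector["name"])
    if any((c.get("partition", "Common"), c["name"]) == key for c in existing):
        return existing, False
    return existing + [new_connector], True


def bind_idp_connector(new_connector):
    """GET the SP, merge the binding, PATCH the full idpConnectors collection back."""
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(SP_URL, headers=headers), context=ctx) as r:
        sp = json.load(r)
    connectors, changed = merge_idp_connector(sp, new_connector)
    if not changed:
        return sp  # already bound: nothing to write
    body = json.dumps({"idpConnectors": connectors}).encode()
    req = urllib.request.Request(SP_URL, data=body, headers=headers, method="PATCH")
    with urllib.request.urlopen(req, context=ctx) as r:
        return json.load(r)


if __name__ == "__main__":
    print(json.dumps(bind_idp_connector({
        "name": "vps-new-idp",
        "partition": "Common",
        "idpMatchingSource": "%{session.server.landinguri}",
        "idpMatchingValue": "*idp=new*",
    }), indent=2))
```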