auth-methods create

Command: boundary auth-methods create

The auth-methods create command lets you create Boundary auth method resources. The available auth method types are: LDAP, OIDC, and password.

Examples

The following example creates an OIDC auth method by passing the OIDC provider's domain (-issuer), client ID, and client secret:

$ boundary auth-methods create oidc \
  -issuer "https://dev-1sdl8c0z.us.auth0.com" \
  -client-id "zaxJLTZh3n14WqSQ7qQ9onuIVRDaZdzz;" \
  -client-secret "t35c9NNw1aZ8haEKFJbJF0lauMOSp5UNPovUJXo8Ea2sPZAR1DszEowX-6-lg-Xr" \
  -signing-algorithm RS256 \
  -api-url-prefix "http://localhost:9200" \
  -name "auth0"

Example output:

Auth Method information:
  Created Time:         Thu, 06 May 2021 16:39:33 MDT
  ID:                   amoidc_oHt4HQFCrN
  Name:                 auth0
  Type:                 oidc
  Updated Time:         Thu, 06 May 2021 16:39:33 MDT
  Version:              1

  Scope:
    ID:                 global
    Name:               global
    Type:               global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accounts:
      create
      list

  Attributes:
    api_url_prefix:     http://localhost:9200
    callback_url:       http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
    client_id:          zbaJLTZh3n14WqSV7qQ9onuIVRDaZdzx
    client_secret_hmac: ayJRYSCphzxcHiKJvBrnDVtz1yiR958ejQuRGdQJMeM
    issuer:             https://dev-1vdl8c0q.us.auth0.com
    signing_algorithms: [RS256]
    state:              inactive

Usage

$ boundary auth-methods create [type] [sub command] [options] [args]

Command options:

-description (string: "") - The description to set on the auth method.
-name (string: "") - The name to set on the auth method.
-scope-id (string: "") - The scope in which to make the request. The default is global. You can also specify the scope using the BOUNDARY_SCOPE_ID environment variable.

CLI options

In addition to the command specific options, there are options common to all CLI commands and subcommands:

Usages by type

The available types are: ldap, oidc, and password.

The boundary auth-methods create ldap command creates an LDAP auth method.

Example

The following example creates an LDAP auth method with the name prodops and the description LDAP auth-method for ProdOps:

$ boundary auth-methods create ldap -name prodops \
   -description "LDAP auth-method for ProdOps"

Usage

$ boundary auth-methods create ldap [options] [args]

LDAP auth method options

The following are LDAP-specific options in addition to the command options:

-anon-group-search - Uses anon bind when performing LDAP group searches (optional). The default is false.
-bind-dn (string: "") - Uses the distinguished name of entry to bind when performing user and group searches (optional).
-bind-password (string: "") - Indicates the password to use along with bind-dn performing user and group searches (optional).
-certificate (string: "") - Specifies a PEM-encoded X.509 CA certificate in ASN.1 DER form that can be used as a trust anchor when connecting to an LDAP server(optional). You can specify this value multiple times.
-client-certificate (string: "") - Specifies a PEM-encoded X.509 client certificate in ASN.1 DER form that can be used to authenticate against an LDAP server (optional).
-client-certificate-key (string: "") - Specifies a PEM-encoded X.509 client certificate key in PKCS #8, ASN.1 DER form used with the client certificate (optional).
-discover-dn - Uses anon bind to discover the bind DN of a user (optional). The default value is false.
-enable-groups - Finds the authenticated user's groups during authentication (optional). The default is false.
-group-attr (string: "") - Indicates the attribute that enumerates a user's group membership from entries returned by a group search (optional).
-group-dn (string: "") - Specifies the base DN under which to perform group search.
-group-filter (string: "") - Indicates a go template used to construct a LDAP group search filter (optional).
-insecure-tls - Skips the LDAP server SSL certificate validation (optional). Use this option with caution; it is insecure. The default value is false.
-start-tls - Issues the StartTLS command after connecting (optional). The default value is false.
-state (string: "") - Indicates the desired operational state of the auth method.
-upn-domain (string: "") - Specifies the userPrincipalDomain used to construct the UPN string for the authenticating user (optional).
-urls (string: "") - Indicates the LDAP URLs that specify LDAP servers to connect to (required). You can specify this value multiple times.
-use-token-groups - Uses the Active Directory tokenGroups constructed attribute of the user to find the group memberships (optional). The default value is false.
-user-attr (string: "") - Specifies the attribute on user entry that matches the username that is passed during authentication (optional).
-user-dn (string: "") - Indicates the base DN under which to perform user search (optional).
-user-filter (string: "") - Specifies a go template used to construct a LDAP user search filter (optional).

The boundary auth-methods create oidc command creates an OIDC auth method.

Example

The following example creates an OIDC auth method with the name prodops and the description Oidc auth-method for ProdOps:

$ boundary auth-methods create oidc -name prodops \
   -description "Oidc auth-method for ProdOps"

Usage

$ boundary auth-methods create oidc [options] [args]

OIDC auth method options

The following are OIDC-specific options in addition to the command options:

-account-claim-maps (string: "") - Specifies the optional account claim maps from custom claims to the standard claims of sub, name and email. These maps are represented as key=value where the key equals the Provider from-claim and the value equals the Boundary to-claim. For example "oid=sub". You may specify this value multiple times for different to-claims.
-allowed-audience (string: "") - Indicates the acceptable audience ("aud") claim. You may specify this value multiple times.
-api-url-prefix (string: "") - Specifies the URL prefix used by the OIDC provider in the authentication flow.
-claims-scopes (tring: "") - Indicates the optional claims scope requested. You may specify this value multiple times.
-client-id (string: "") - Specifies the OAuth 2.0 Client Identifier this auth method should use with the provider.
-client-secret (string: "") - Indicates the corresponding client secret.
-idp-ca-cert (string: "") - Specifies an optional PEM-encoded X.509 CA certificate that can be used as trust anchors when connecting to an OIDC provider. You may specify this value multiple times.
-issuer (string: "") - Indicates the provider's issuer URL.
-max-age (string: "") - Indicates the OIDC "max_age" parameter that is sent to the provider.
prompts (string: "") - Indicates whether the OIDC authorization server should display reauthentication, account selection, or consent user interface prompts. You can optionally configure one or more of the following types of prompts to customize the behavior of the authentication process:
- none - The authorization server does not display any authentication or consent prompts.
- login - The authorization server prompts users for reauthentication before allowing them to log in.
- consent - The authorization server prompts users for consent before returning any information to Boundary.
- select_account - The authorization server prompts users to select a user account. The select_account option can be helpful if your users have multiple accounts.

Note

Cloud providers implement prompts in different ways. You may notice differences in behavior if you configure OIDC authentication on multiple cloud providers.

-signing-algorithm (string: "") - Indicates the allowed signing algorithm. You may specify this multiple times for multiple values.

The boundary auth-methods create password command creates a Password type auth method.

Example

The following example creates a Password type auth method with the name prodops and the description Password auth-method for ProdOps:

$ boundary auth-methods create password -name prodops \
   -description "Password auth-method for ProdOps"

Usage

$ boundary accounts create password [options] [args]

Password auth method options

The following are password auth method specific options in addition to the command options:

-min-login-name-length (string: "") - The minimum length of login names.
-min-password-length (string: "") - The minimum length of passwords.