auth-methods create

Command: boundary auth-methods create

The auth-methods create command lets you create Boundary auth method resources. The available auth method types are: LDAP, OIDC, and password.

Examples

The following example creates an OIDC auth method by passing the OIDC provider's domain (-issuer), client ID, and client secret:

$ boundary auth-methods create oidc \
  -issuer "https://dev-1sdl8c0z.us.auth0.com" \
  -client-id "zaxJLTZh3n14WqSQ7qQ9onuIVRDaZdzz;" \
  -client-secret "t35c9NNw1aZ8haEKFJbJF0lauMOSp5UNPovUJXo8Ea2sPZAR1DszEowX-6-lg-Xr" \
  -signing-algorithm RS256 \
  -api-url-prefix "http://localhost:9200" \
  -name "auth0"

Example output:

Auth Method information:
  Created Time:         Thu, 06 May 2021 16:39:33 MDT
  ID:                   amoidc_oHt4HQFCrN
  Name:                 auth0
  Type:                 oidc
  Updated Time:         Thu, 06 May 2021 16:39:33 MDT
  Version:              1

  Scope:
    ID:                 global
    Name:               global
    Type:               global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accounts:
      create
      list

  Attributes:
    api_url_prefix:     http://localhost:9200
    callback_url:       http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
    client_id:          zbaJLTZh3n14WqSV7qQ9onuIVRDaZdzx
    client_secret_hmac: ayJRYSCphzxcHiKJvBrnDVtz1yiR958ejQuRGdQJMeM
    issuer:             https://dev-1vdl8c0q.us.auth0.com
    signing_algorithms: [RS256]
    state:              inactive

Usage

$ boundary auth-methods create [type] [sub command] [options] [args]

Command options:

-description (string: "") - The description to set on the auth method.
-name (string: "") - The name to set on the auth method.
-scope-id (string: "") - The scope in which to make the request. The default is global. You can also specify the scope using the BOUNDARY_SCOPE_ID environment variable.

CLI options

In addition to the command specific options, there are options common to all CLI commands and subcommands:

Usages by type

The available types are: ldap, oidc, and password.

The boundary auth-methods create ldap command creates an LDAP auth method.

Example

The following example creates an LDAP auth method with the name prodops and the description LDAP auth-method for ProdOps:

$ boundary auth-methods create ldap -name prodops \
   -description "LDAP auth-method for ProdOps"

Usage

$ boundary auth-methods create ldap [options] [args]

LDAP auth method options

The following are LDAP-specific options in addition to the command options:

-anon-group-search - Uses anon bind when performing LDAP group searches (optional). The default is false.
-bind-dn (string: "") - Uses the distinguished name of entry to bind when performing user and group searches (optional).
-bind-password (string: "") - Indicates the password to use along with bind-dn performing user and group searches (optional).
-certificate (string: "") - Specifies a PEM-encoded X.509 CA certificate in ASN.1 DER form that can be used as a trust anchor when connecting to an LDAP server(optional). You can specify this value multiple times.
-client-certificate (string: "") - Specifies a PEM-encoded X.509 client certificate in ASN.1 DER form that can be used to authenticate against an LDAP server (optional).
-client-certificate-key (string: "") - Specifies a PEM-encoded X.509 client certificate key in PKCS #8, ASN.1 DER form used with the client certificate (optional).
-discover-dn - Uses anon bind to discover the bind DN of a user (optional). The default value is false.
-enable-groups - Finds the authenticated user's groups during authentication (optional). The default is false.
-group-attr (string: "") - Indicates the attribute that enumerates a user's group membership from entries returned by a group search (optional).
-group-dn (string: "") - Specifies the base DN under which to perform group search.
-group-filter (string: "") - Indicates a go template used to construct a LDAP group search filter (optional).
-insecure-tls - Skips the LDAP server SSL certificate validation (optional). Use this option with caution; it is insecure. The default value is false.
-start-tls - Issues the StartTLS command after connecting (optional). The default value is false.
-state (string: "") - Indicates the desired operational state of the auth method.
-upn-domain (string: "") - Specifies the userPrincipalDomain used to construct the UPN string for the authenticating user (optional).
-urls (string: "") - Indicates the LDAP URLs that specify LDAP servers to connect to (required). You can specify this value multiple times.
-use-token-groups - Uses the Active Directory tokenGroups constructed attribute of the user to find the group memberships (optional). The default value is false.
-user-attr (string: "") - Specifies the attribute on user entry that matches the username that is passed during authentication (optional).
-user-dn (string: "") - Indicates the base DN under which to perform user search (optional).
-user-filter (string: "") - Specifies a go template used to construct a LDAP user search filter (optional).

The boundary auth-methods create oidc command creates an OIDC auth method.

Example

The following example creates an OIDC auth method with the name prodops and the description Oidc auth-method for ProdOps:

$ boundary auth-methods create oidc -name prodops \
   -description "Oidc auth-method for ProdOps"

Usage

$ boundary auth-methods create oidc [options] [args]

OIDC auth method options

The following are OIDC-specific options in addition to the command options:

-account-claim-maps (string: "") - Specifies the optional account claim maps from custom claims to the standard claims of sub, name and email. These maps are represented as key=value where the key equals the Provider from-claim and the value equals the Boundary to-claim. For example "oid=sub". You may specify this value multiple times for different to-claims.
-allowed-audience (string: "") - Indicates the acceptable audience ("aud") claim. You may specify this value multiple times.
-api-url-prefix (string: "") - Specifies the URL prefix used by the OIDC provider in the authentication flow.
-claims-scopes (tring: "") - Indicates the optional claims scope requested. You may specify this value multiple times.
-client-id (string: "") - Specifies the OAuth 2.0 Client Identifier this auth method should use with the provider.
-client-secret (string: "") - Indicates the corresponding client secret.
-idp-ca-cert (string: "") - Specifies an optional PEM-encoded X.509 CA certificate that can be used as trust anchors when connecting to an OIDC provider. You may specify this value multiple times.
-issuer (string: "") - Indicates the provider's issuer URL.
-max-age (string: "") - Indicates the OIDC "max_age" parameter that is sent to the provider.
-signing-algorithm (string: "") - Indicates the allowed signing algorithm. You may specify this multiple times for multiple values.

The boundary auth-methods create password command creates a Password type auth method.

Example

The following example creates a Password type auth method with the name prodops and the description Password auth-method for ProdOps:

$ boundary auth-methods create password -name prodops \
   -description "Password auth-method for ProdOps"

Usage

$ boundary accounts create password [options] [args]

Password auth method options

The following are password auth method specific options in addition to the command options:

-min-login-name-length (string: "") - The minimum length of login names.
-min-password-length (string: "") - The minimum length of passwords.