SAML configuration options
Configuration options
The /etc/hapee-extras/saml.ini file configures how HAProxy Enterprise integrates with the SAML identity provider. It supports the following configuration directives.
Option and Description | Type | Default value |
---|---|---|
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| Boolean | 0 |
| Boolean | 0 |
| Boolean | 0 |
| String | |
| Boolean | 0 |
| Boolean | 0 |
| String | bk-{{APP_NAME}} |
| Boolean | 0 |
| String | |
| Boolean | 1 |
| Integer | 0 |
| Integer | 36000 |
| String | |
| String | |
| String | |
Actions
In the /etc/hapee-extras/saml.ini file, actions let you validate the schema, set variables, and perform other tasks.
on_saml_response check_attr
Description | Mandatory argument | Optional argument |
---|---|---|
Check an arbitrary attribute in a SAML Response. To store the attribute value in an HAProxy Enterprise variable To set per-application variables, use {{APP_NAME}} is replaced with the application name (i.e., the section name in saml.ini). | The SAML Response validation fails if an attribute is not present, except if you set the optional flag. | None |
on_saml_response check_attr entity_id
Description | Mandatory argument | Optional argument |
---|---|---|
Check that the | The specific | None |
on_saml_response check_attr version
Description | Mandatory argument | Optional argument |
---|---|---|
Check that the SAML protocol version is 2.0. | None | None |
on_saml_response check_attr status_code
Description | Mandatory argument | Optional argument |
---|---|---|
Check the | None | The status to match. Otherwise compare to |
on_saml_response check_attr destination
Description | Mandatory argument | Optional argument |
---|---|---|
Check that the | The destination to match. To match the configured On Microsoft Azure, it must match the URL Assertion Consumer Service (ACS). | None |
on_saml_response check_attr issuer
Description | Mandatory argument | Optional argument |
---|---|---|
Check the | None | The specific issuer value to check. |
on_saml_response check_attr issue_instant
Description | Mandatory argument | Optional argument |
---|---|---|
Check that the To store it in a variable, use To store it in a timestamp variable, use | None | None |
on_saml_response check_attr assertion
Description | Mandatory argument | Optional argument |
---|---|---|
Check that the | None | None |
on_saml_response check_schema
Description | Mandatory argument | Optional argument |
---|---|---|
Validate the SAML response against the SAML 2.0 XSD schema. | None | None |
on_saml_response check_conditions
Description | Mandatory argument | Optional argument |
---|---|---|
Check the XML attribute, including | None | None |
on_saml_response check_subject_confirmation_data
Description | Mandatory argument | Optional argument |
---|---|---|
Check the XML attribute, including | None | None |
on_logout_request check_attr
Description | Mandatory argument | Optional argument |
---|---|---|
Check an arbitrary attribute in a To put it in an HAProxy Enterprise variable, use | None | None |
on_logout_request check_attr issuer
Description | Mandatory argument | Optional argument |
---|---|---|
Check the | None | The specific issuer value to check. |
on_logout_request check_attr name_id
Description | Mandatory argument | Optional argument |
---|---|---|
Check that the | None | None |
on_logout_request check_attr destination
Description | Mandatory argument | Optional argument |
---|---|---|
Check that the | The destination to match. To match the configured | None |
Action flags
Actions accept the following arguments.
Flag | Description |
---|---|
Optional | This argument is not required. |
required | This argument is mandatory. |
nofail | For testing purposes. This action never fails, even if it returns an error. |
required_count=<count> | Fail if the number of searched elements is different from <count>. |
xpath=<XPath expression> | XPath expression to look for. Use with |
expected=<expected_value> | Fail if the result is different from this expression. |
set_var=<var_name> | When one or more XPath results are found, store the result in this variable. The variable name is prefixed with the application name, then with a dot. |
set_var_once | The variable is set only after the POST from the SAML Identity Provider. Otherwise, it is set each time we see the cookie again. |
set_var_cnt | The number of XPath results is stored in the variable |
set_var_as_timestamp | When used with a value in ISO 8601 date and time format (for instance 2020-01-28T15:25:14.884Z), the variable is converted to a timestamp. |
set_var_sep=<separator> | When multiple results are returned from the XPath query, separate them with this character. |
set_var_default=<default_value> | Default value used if the XPath expression does not match. |
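
The flag semantics in the table above, modelled in Python over a constructed SAML response. This is an added illustration, not HAProxy Enterprise code and not saml.ini syntax. Assumptions: the helper names `select` and `run_action`, the `,` default separator, epoch seconds as the timestamp unit, and comparing `expected` against the joined result.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample response; not output from a real identity provider.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Version="2.0" IssueInstant="2020-01-28T15:25:14.884Z">
 <saml:Issuer>https://idp.example.test/</saml:Issuer>
 <saml:Assertion><saml:AttributeStatement><saml:Attribute Name="groups">
  <saml:AttributeValue>admins</saml:AttributeValue>
  <saml:AttributeValue>ops</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

def select(root, xpath):
    """Evaluate the ElementTree XPath subset; a trailing /@name selects an attribute."""
    path, _, attr = xpath.partition("/@")
    nodes = root.findall(path, NS)
    if attr:
        return [n.get(attr) for n in nodes if n.get(attr) is not None]
    return [(n.text or "").strip() for n in nodes]

def run_action(root, app, variables, xpath, optional=False, nofail=False,
               required_count=None, expected=None, set_var=None, set_var_cnt=False,
               set_var_as_timestamp=False, set_var_sep=",", set_var_default=None):
    """Model one check: return pass/fail and fill `variables` (hypothetical helper)."""
    values = select(root, xpath)
    ok = bool(values) or optional                  # absent value fails unless optional
    if required_count is not None and len(values) != required_count:
        ok = False
    if expected is not None and values and set_var_sep.join(values) != expected:
        ok = False
    if set_var:
        if set_var_cnt:
            value = len(values)                    # store the match count instead
        elif values:
            value = set_var_sep.join(values)       # multiple results joined by separator
            if set_var_as_timestamp:               # ISO 8601 -> epoch seconds (assumed unit)
                value = int(datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp())
        else:
            value = set_var_default                # XPath matched nothing
        if value is not None:
            variables[f"{app}.{set_var}"] = value  # application name, dot, variable name
    return ok or nofail                            # nofail: the action never fails
```

Note that `nofail` turns a failed check into a pass, which is why the table limits it to testing: left in a production configuration, it silently disables the validation it is attached to.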