set-saml-authn-request-signing-key¶
- subtitle
Sets the SAML AuthnRequest signing key and verification certificate.
- version
0.9.151
Description¶
Sets the SAML AuthnRequest signing key and verification certificate. The signing key is used by CDP to sign the AuthnRequest, and the verification certificate(s) are used by the customer’s Identity Provider to verify that signature. The key and certificates are generated and managed by the customer, not by CDP. The API always replaces the previously stored signing key and verification certificates with the given key and certificates; any parameter omitted from the request is cleared, so every call must carry the complete set of values that should remain in effect.
Synopsis¶
set-saml-authn-request-signing-key
--saml-provider <value>
[--authn-request-signing-key <value>]
[--current-authn-request-verification-certificate <value>]
[--next-authn-request-verification-certificate <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton]
Options¶
--saml-provider (string)
The name or CRN of the SAML Provider associated with the signing key.
--authn-request-signing-key (string)
The private key used for signing AuthnRequests sent from CDP to the customer’s SAML provider. It must be in PEM format. It must be non-empty and valid when ‘currentAuthnRequestVerificationCertificate’ is set, and it must correspond to that certificate. Omitting it from the request will remove this key.
--current-authn-request-verification-certificate (string)
The certificate used by the SAML provider to verify AuthnRequests sent from CDP. It must be in PEM format. It must be non-empty and valid when ‘authnRequestSigningKey’ is set. Omitting it from the request will remove this certificate.
--next-authn-request-verification-certificate (string)
The next verification certificate used by the SAML provider to verify AuthnRequests sent from CDP. It must be in PEM format. It is used when rotating the verification certificate and is expected to be empty once the rotation completes. When both the current and next AuthnRequest certificates are set, both appear in the CDP SP SAML metadata, indicating that the Identity Provider should accept an AuthnRequest if either certificate validates its signature. Both must be valid, unexpired certificates. To rotate without downtime: first set the next certificate alongside the current one and load the new CDP SP SAML metadata into the Identity Provider so that it trusts both; then update the signing key to the one corresponding to the next certificate, set the current certificate to what had been next, and clear the next certificate by omitting it; finally, update the CDP SP SAML metadata in the Identity Provider once more so that it uses only the single remaining certificate, before the previous certificate expires. Omitting it from the request will remove this certificate.
--cli-input-json (string)
Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values.
--generate-cli-skeleton (boolean)
Prints a sample input JSON to standard output. Note the specified operation is not run if this argument is specified. The sample input can be used as an argument for --cli-input-json.
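An added worked example of the rotation procedure described under --next-authn-request-verification-certificate, written for this page and not taken from the CDP CLI or its documentation. It assumes the command is invoked as `cdp iam set-saml-authn-request-signing-key` (the `iam` service prefix is not stated above) and that `openssl` is available to generate the customer-managed key and certificate. It also adds two local pre-flight checks a practitioner would want before uploading: that the private key actually corresponds to the certificate it is sent with, and that neither certificate expires within the rotation window.

```shell
#!/bin/sh
# Added example (not part of the CDP CLI docs or the CDP project): zero-downtime
# rotation of the AuthnRequest signing key via the current/next certificate
# procedure. Assumptions not stated on the page: the CLI binary is `cdp` and the
# command lives under the `iam` service; `openssl` is installed.
# Set DRY_RUN=1 to print the CLI invocations (PEM values redacted) instead of
# calling the CLI.
set -eu

CDP=${CDP:-cdp}
DRY_RUN=${DRY_RUN:-0}

# Generate a customer-managed RSA key and self-signed verification certificate
# as <basename>.key / <basename>.crt (CDP does not generate these; the customer does).
gen_pair() {  # gen_pair <basename> <validity-days>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=cdp-authnrequest-signing" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# A key/cert mismatch means every AuthnRequest fails at the IdP. Compare the
# SubjectPublicKeyInfo derived from each before uploading; fail closed if either
# file cannot be parsed (an empty string must never compare equal to an empty string).
key_matches_cert() {  # key_matches_cert <key.pem> <cert.pem>
  pub_k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  pub_c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$pub_k" ] && [ "$pub_k" = "$pub_c" ]
}

# The API rejects expired certificates; additionally refuse one that expires
# within the rotation window so the IdP is never left trusting a dead certificate.
cert_valid_for_days() {  # cert_valid_for_days <cert.pem> <days>
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run the CLI, or in dry-run mode print the command with PEM arguments replaced
# by <pem> so the private key never lands in a terminal or log.
run_cdp() {
  if [ "$DRY_RUN" = 1 ]; then
    cmd=$CDP
    for a in "$@"; do
      case "$a" in -----BEGIN*) cmd="$cmd <pem>" ;; *) cmd="$cmd $a" ;; esac
    done
    printf '%s\n' "$cmd"
  else
    "$CDP" "$@"
  fi
}

# Step 1: publish both certificates. The signing key still matches the current
# certificate, so requests keep validating while the IdP is updated to the new
# SP metadata that lists both.
rotate_step1() {  # rotate_step1 <saml-provider> <current-basename> <next-basename>
  key_matches_cert "$2.key" "$2.crt" || { echo "signing key does not match current cert" >&2; return 1; }
  cert_valid_for_days "$2.crt" 30 || { echo "current cert expires within 30 days" >&2; return 1; }
  cert_valid_for_days "$3.crt" 30 || { echo "next cert expires within 30 days" >&2; return 1; }
  run_cdp iam set-saml-authn-request-signing-key \
    --saml-provider "$1" \
    --authn-request-signing-key "$(cat "$2.key")" \
    --current-authn-request-verification-certificate "$(cat "$2.crt")" \
    --next-authn-request-verification-certificate "$(cat "$3.crt")"
}

# Step 2 (only after the IdP trusts both certificates): switch the signing key to
# the new one, promote next to current, and clear next by omitting the parameter,
# since every omitted parameter is cleared by this API.
rotate_step2() {  # rotate_step2 <saml-provider> <next-basename>
  key_matches_cert "$2.key" "$2.crt" || { echo "new signing key does not match next cert" >&2; return 1; }
  run_cdp iam set-saml-authn-request-signing-key \
    --saml-provider "$1" \
    --authn-request-signing-key "$(cat "$2.key")" \
    --current-authn-request-verification-certificate "$(cat "$2.crt")"
}
```

Typical use: `gen_pair next 365`, then `rotate_step1 <provider> cur next`, export the CDP SP SAML metadata and load it into the Identity Provider, confirm a login succeeds, then `rotate_step2 <provider> next` and load the metadata once more. With `DRY_RUN=1` the printed step 2 invocation visibly lacks --next-authn-request-verification-certificate, which is exactly the omission that clears it.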
Output¶
authnRequestConfigurationLastUpdated -> (datetime)
The date when SAML AuthnRequest signing key and verification certificates were set or cleared.
authnRequestSigningKeyDefined -> (boolean)
Whether the AuthnRequest signing key is set or cleared.
currentAuthnRequestVerificationCertificateDefined -> (boolean)
Whether the current AuthnRequest verification certificate is set or cleared.
nextAuthnRequestVerificationCertificateDefined -> (boolean)
Whether the next AuthnRequest verification certificate is set or cleared.
Form Factors¶
private