Follow the steps below to export an XML template with baseline settings, which can then be used to create roles, realms and sign-in policies.
(Note: It is best to create the authentication server before following these steps, because the realm settings must reference that auth server.)
- To create the XML template for the role:
  - Log in as an admin
  - Navigate to Maintenance > Import/Export > Export XML
  - Expand the Roles section
  - Find the role that has the desired settings, click on it, and add it to the selected list
  - Export and save the file
- To create the XML template for the realm:
  - Log in as an admin
  - Navigate to Maintenance > Import/Export > Export XML
  - Expand the Authentication Realms section
  - Find the realm that has the desired settings, click on it, and add it to the selected list
  - Export and save the file
- To create the XML template for the sign-in policy:
  - Log in as an admin
  - Navigate to Maintenance > Import/Export > Export XML
  - Expand the Sign-in Settings section
  - Choose "SELECTED sign-in URLs"
  - Find the sign-in policy that has the desired settings, click on it, and add it to the selected list
  - If custom pages are being used, click on "ONLY pages used by URLs selected above" in the Sign-in Pages section
  - If sign-in notifications are being used, click on "ONLY Notifications used by selected URL(s) and Role(s)"
  - Export and save the file
To create three roles for Finance, IT and HR, and a sign-in policy for */users that authenticates users through an LDAP server named "LDAP", see the example below.
Role XML section:
(Note: To prevent overwriting the existing configuration, the top element for the specific feature must carry the attribute xc:operation="create", as in the examples below.)
<configuration xmlns="http://xml.juniper.net/ive-sa/8.3R3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" iveData="2909" saData="2803">
  <users>
    <user-roles xc:operation="create">  <!-- create command goes here -->
      <user-role>
        <name>Finance</name>  <!-- new role name goes here -->
        <!-- .... rest of the elements go here -->
      </user-role>
      <user-role>
        <name>IT</name>  <!-- new role name goes here -->
        <!-- .... rest of the elements go here -->
      </user-role>
      <user-role>
        <name>HR</name>  <!-- new role name goes here -->
        <!-- .... rest of the elements go here -->
      </user-role>
    </user-roles>
  </users>
</configuration>
Realm XML section:
<configuration xmlns="http://xml.juniper.net/ive-sa/8.3R3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" iveData="2909" saData="2803">
  <users>
    <user-realms xc:operation="create">  <!-- create command goes here -->
      <realm>
        <name>LDAP</name>  <!-- new realm name goes here -->
        <authentication-policy>
          <source-ip>
            <customized>any-ip</customized>
            <ips>
            </ips>
          </source-ip>
          <browser>
            <customized>any-user-agent</customized>
            <user-agent-patterns>
            </user-agent-patterns>
          </browser>
          <certificate>
            <customized>allow-all-users</customized>
            <cert-key-value-pairs>
            </cert-key-value-pairs>
          </certificate>
          <password>
            <primary-password-restricted>allow-passwords-of-minimum-length</primary-password-restricted>
            <primary-password-management>false</primary-password-management>
            <primary-password-minimum-length>4</primary-password-minimum-length>
            <primary-password-expiration-warning-days>14</primary-password-expiration-warning-days>
            <secondary-password-restricted>allow-passwords-of-minimum-length</secondary-password-restricted>
            <secondary-password-management>false</secondary-password-management>
            <secondary-password-minimum-length>4</secondary-password-minimum-length>
            <secondary-password-expiration-warning-days>14</secondary-password-expiration-warning-days>
          </password>
          <host-checker>
            <evaluate-all-policies>false</evaluate-all-policies>
            <evaluate-policy-list xsi:nil="true"/>
            <enforce-all-policies>false</enforce-all-policies>
            <enforce-policy-list xsi:nil="true"/>
            <evaluate-logic>all-policies-must-succeed</evaluate-logic>
          </host-checker>
          <limits>
            <limit-concurrent-users>false</limit-concurrent-users>
            <guaranteed-minimum xsi:nil="true"/>
            <maximum xsi:nil="true"/>
            <max-sessions-per-user>1</max-sessions-per-user>
          </limits>
        </authentication-policy>
        <role-mapping-rules>
          <rule>
            <name></name>
            <custom-expression>
              <expressions></expressions>
            </custom-expression>
            <roles></roles>
            <stop-rules-processing>false</stop-rules-processing>
          </rule>
          <user-selects-role>false</user-selects-role>
          <user-selects-roleset>false</user-selects-roleset>
        </role-mapping-rules>
        <description></description>
        <editing-description>false</editing-description>
        <authentication-server>LDAP</authentication-server>  <!-- LDAP auth server goes here -->
        <directory-server>LDAP</directory-server>  <!-- LDAP directory server goes here -->
        <!-- .... rest of the elements go here -->
      </realm>
    </user-realms>
  </users>
</configuration>
Sign-In Policy XML section:
<configuration xmlns="http://xml.juniper.net/ive-sa/8.3R6" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" iveData="2912" saData="2803">
  <authentication>
    <signin>
      <urls>
        <access-urls xc:operation="create">  <!-- create command goes here -->
          <access-url>
            <url-pattern>*/users/</url-pattern>  <!-- URL name goes here -->
            <description></description>
            <enabled>true</enabled>
            <page>Default Sign-In Page</page>
            <realm-select>pick-list</realm-select>
            <user>
              <meeting-url>*/meeting/</meeting-url>
              <realms>Users</realms>  <!-- realm assignment goes here -->
              <pre-authentication-signin-notification-id>None</pre-authentication-signin-notification-id>
              <post-authentication-signin-notification-id>None</post-authentication-signin-notification-id>
              <post-authentication-signin-notification-skip>false</post-authentication-signin-notification-skip>
            </user>
          </access-url>
        </access-urls>
      </urls>
    </signin>
  </authentication>
</configuration>
Please note:
- Make sure to create the role-mapping rules on the realm from the admin GUI after the imports.
- When importing the new elements, import them in the order role(s), realm(s), sign-in policy(ies), because of the dependencies between elements described in the next two points.
- When importing newly created sign-in policies, the realm that is referenced must already exist in the system or the import will fail.
- When importing newly created realms, the role that is referenced in the role-mapping rules must already exist in the system or the import will fail.
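The dependency rules above can be checked before touching the appliance. The following is an added example, not part of the KB article or the product: it parses constructed, trimmed versions of the three templates, verifies that each top element carries xc:operation="create", and reports any realm, role or authentication server reference that would make the import fail. The xc namespace URI and the sample data are assumptions.

```python
# Added example (not from the KB article): pre-import check of the role, realm
# and sign-in policy templates for the dependencies the article lists.
import xml.etree.ElementTree as ET
# Constructed samples, trimmed to the elements the checks need. The article leaves
# the xc prefix undeclared; binding it to the NETCONF base namespace is an assumption
# made so the parser accepts it (the check below ignores the URI).
NS = ('xmlns="http://xml.juniper.net/ive-sa/8.3R3" '
      'xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0"')
ROLE_XML = f"""<configuration {NS}><users><user-roles xc:operation="create">
<user-role><name>Finance</name></user-role><user-role><name>IT</name></user-role>
<user-role><name>HR</name></user-role></user-roles></users></configuration>"""
REALM_XML = f"""<configuration {NS}><users><user-realms xc:operation="create">
<realm><name>LDAP</name><role-mapping-rules><rule><name>r1</name><roles>Finance</roles>
</rule></role-mapping-rules><authentication-server>LDAP</authentication-server>
</realm></user-realms></users></configuration>"""
SIGNIN_XML = f"""<configuration {NS}><authentication><signin><urls>
<access-urls xc:operation="create"><access-url><url-pattern>*/users/</url-pattern>
<user><realms>Users</realms></user></access-url></access-urls>
</urls></signin></authentication></configuration>"""

def _local(tag):  # strip the {namespace} prefix ElementTree adds to tag/attribute names
    return tag.rsplit("}", 1)[-1]
def _find(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]
def _child_text(el, name):  # text of the first direct child called <name>, "" if absent
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), "")
def _has_create(root, container):  # xc:operation="create" is the guard against overwriting
    return any(_local(k) == "operation" and v == "create"
               for el in _find(root, container) for k, v in el.attrib.items())

def check_templates(role_xml, realm_xml, signin_xml, auth_servers):
    """Return the problems that would make the role -> realm -> sign-in import fail; [] is clean."""
    roles, realms, signin = (ET.fromstring(x) for x in (role_xml, realm_xml, signin_xml))
    problems = []
    for root, tag in ((roles, "user-roles"), (realms, "user-realms"), (signin, "access-urls")):
        if not _has_create(root, tag):
            problems.append(f"<{tag}> lacks xc:operation=create; import would overwrite existing config")
    role_names = {_child_text(r, "name") for r in _find(roles, "user-role")}
    realm_names = set()
    for realm in _find(realms, "realm"):
        realm_names.add(name := _child_text(realm, "name"))
        if _child_text(realm, "authentication-server") not in auth_servers:
            problems.append(f"realm {name}: authentication server must be created first")
        for role in (_child_text(rule, "roles") for rule in _find(realm, "rule")):
            if role and role not in role_names:
                problems.append(f"realm {name}: role-mapping rule references unknown role {role}")
    for realm in (e.text or "" for e in _find(signin, "realms")):
        if realm.strip() not in realm_names:
            problems.append(f"sign-in policy references realm {realm} which does not exist yet")
    return problems
```

Run against the samples, the only finding is that the sign-in policy points at a realm "Users" while the realm template creates "LDAP", which is exactly the failure the last two notes describe.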