KB43606 - How to automate the creation of sign-in policies, realms and roles using XML import/export

Information

 
Last Modified Date: 9/14/2018 11:09 PM
Synopsis
This article provides the steps to create roles, realms and sign-in policies by exporting an XML template, editing it, and importing it back.
Problem or Goal
The PCS admin has been tasked with creating multiple roles, realms, and sign-in policies and would like a way to do this efficiently without having to manually create these from the admin GUI.  
 
Solution
Follow the steps below to export an XML template with baseline settings, which can then be used to create roles, realms and sign-in policies.
(Note: It is best to create the authentication server prior to these steps, because the realm settings must reference the auth server.)
  1. To create the XML template for the role:
  • Login as an admin
  • Navigate to Maintenance>Import/Export>Export XML
  • Expand the Roles section
  • Find the role that has the desired settings, click on it, and add to selected
  • Export and save the file
  2. To create the XML template for the realm:
  • Login as an admin
  • Navigate to Maintenance>Import/Export>Export XML
  • Expand the Authentication Realms section
  • Find the realm that has the desired settings, click on it, and add to selected
  • Export and save the file
  3. To create the XML template for the sign-in policy:
  • Login as an admin
  • Navigate to Maintenance>Import/Export>Export XML
  • Expand the Sign-in Settings section
  • Choose "SELECTED sign-in URLs"
  • Find the sign-in policy that has the desired settings, click on it, and add to selected
  • If custom pages are being used, click on "ONLY pages used by URLs selected above" in the Sign-in Pages section
  • If sign-in notifications are being used, click on "ONLY Notifications used by selected URL(s) and Role(s)"
  • Export and save the file


To create three roles for Finance, IT and HR, and a sign-in policy for */users that authenticates users with an LDAP server named "LDAP", see the example below.

 

Role XML section:
(Note: To prevent overwriting of the existing configuration, the top element for the specific feature needs to carry the attribute xc:operation="create", as in the examples below.)

<configuration xmlns="http://xml.juniper.net/ive-sa/8.3R3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" iveData="2909" saData="2803">
    <users>
        <user-roles xc:operation="create">  <!-- create attribute goes here -->
            <user-role>
                <name>Finance</name>  <!-- new role name goes here -->
                <!-- .... rest of the elements go here -->
            </user-role>
            <user-role>
                <name>IT</name>  <!-- new role name goes here -->
                <!-- .... rest of the elements go here -->
            </user-role>
            <user-role>
                <name>HR</name>  <!-- new role name goes here -->
                <!-- .... rest of the elements go here -->
            </user-role>
        </user-roles>
    </users>
</configuration>

Realm XML section:

<configuration xmlns="http://xml.juniper.net/ive-sa/8.3R3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" iveData="2909" saData="2803">
    <users>
        <user-realms xc:operation="create">  <!-- create attribute goes here -->
            <realm>
                <name>LDAP</name>  <!-- new realm name goes here -->
                <authentication-policy>
                    <source-ip>
                        <customized>any-ip</customized>
                        <ips>
                        </ips>
                    </source-ip>
                    <browser>
                        <customized>any-user-agent</customized>
                        <user-agent-patterns>
                        </user-agent-patterns>
                    </browser>
                    <certificate>
                        <customized>allow-all-users</customized>
                        <cert-key-value-pairs>
                        </cert-key-value-pairs>
                    </certificate>
                    <password>
                        <primary-password-restricted>allow-passwords-of-minimum-length</primary-password-restricted>
                        <primary-password-management>false</primary-password-management>
                        <primary-password-minimum-length>4</primary-password-minimum-length>
                        <primary-password-expiration-warning-days>14</primary-password-expiration-warning-days>
                        <secondary-password-restricted>allow-passwords-of-minimum-length</secondary-password-restricted>
                        <secondary-password-management>false</secondary-password-management>
                        <secondary-password-minimum-length>4</secondary-password-minimum-length>
                        <secondary-password-expiration-warning-days>14</secondary-password-expiration-warning-days>
                    </password>
                    <host-checker>
                        <evaluate-all-policies>false</evaluate-all-policies>
                        <evaluate-policy-list xsi:nil="true"/>
                        <enforce-all-policies>false</enforce-all-policies>
                        <enforce-policy-list xsi:nil="true"/>
                        <evaluate-logic>all-policies-must-succeed</evaluate-logic>
                    </host-checker>
                    <limits>
                        <limit-concurrent-users>false</limit-concurrent-users>
                        <guaranteed-minimum xsi:nil="true"/>
                        <maximum xsi:nil="true"/>
                        <max-sessions-per-user>1</max-sessions-per-user>
                    </limits>
                </authentication-policy>
                <role-mapping-rules>
                    <rule>
                        <name></name>
                        <custom-expression>
                            <expressions></expressions>
                        </custom-expression>
                        <roles></roles>
                        <stop-rules-processing>false</stop-rules-processing>
                    </rule>
                    <user-selects-role>false</user-selects-role>
                    <user-selects-roleset>false</user-selects-roleset>
                </role-mapping-rules>
                <description></description>
                <editing-description>false</editing-description>
                <authentication-server>LDAP</authentication-server>  <!-- LDAP auth server goes here -->
                <directory-server>LDAP</directory-server>  <!-- LDAP directory server goes here -->
                <!-- .... rest of the elements go here -->
            </realm>
        </user-realms>
    </users>
</configuration>

Sign-In Policy XML section:


<configuration xmlns="http://xml.juniper.net/ive-sa/8.3R6" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" iveData="2912" saData="2803">
    <authentication>
        <signin>
            <urls>
                <access-urls xc:operation="create">  <!-- create attribute goes here -->
                    <access-url>
                        <url-pattern>*/users/</url-pattern>  <!-- URL name goes here -->
                        <description></description>
                        <enabled>true</enabled>
                        <page>Default Sign-In Page</page>
                        <realm-select>pick-list</realm-select>
                        <user>
                            <meeting-url>*/meeting/</meeting-url>
                            <realms>Users</realms>  <!-- realm assignment goes here -->
                            <pre-authentication-signin-notification-id>None</pre-authentication-signin-notification-id>
                            <post-authentication-signin-notification-id>None</post-authentication-signin-notification-id>
                            <post-authentication-signin-notification-skip>false</post-authentication-signin-notification-skip>
                        </user>
                    </access-url>
                </access-urls>
            </urls>
        </signin>
    </authentication>
</configuration>


Please note:
  • Make sure to create the role-mapping rules on the realm from the admin GUI after the imports.
  • When importing the new elements, the order should be role(s), then realm(s), then sign-in policy(ies), because of the dependencies on other elements described below.
  • When importing newly created sign-in policies, the realm that is referenced needs to already exist in the system or the import will fail.
  • When importing newly created realms, the role that is referenced in the role-mapping rules needs to exist in the system or the import will fail.
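The following Python script is an added worked example, not Pulse Secure's code and not part of the original article. It automates the edits described above: it takes an exported template, stamps the container element with xc:operation="create", clones the first entry once per new object with the new name (and, for realms and sign-in policies, the server or realm reference), and then checks the cross-references that the notes above say must already exist before each import. The three templates in the script are constructed, trimmed stand-ins for real exports, using only element names that appear in the XML on this page; the namespace bound to the xc prefix is a labelled placeholder and must be replaced with the one the appliance's own export declares.

```python
"""Build create-only PCS import XML from exported templates and check the
cross-references the imports depend on.  Added example, not Pulse Secure
code; the three templates are constructed, trimmed stand-ins for exports."""
import copy
import xml.etree.ElementTree as ET

IVE_NS = "http://xml.juniper.net/ive-sa/8.3R3"  # export header shown on the page
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# Assumption: the "xc" prefix must be bound to whatever namespace the
# appliance's own export declares for xc:operation; this URI is a placeholder.
XC_NS = "urn:example:xc-namespace-placeholder"
NS = {"ive": IVE_NS}
OP_ATTR = f"{{{XC_NS}}}operation"
for _prefix, _uri in (("", IVE_NS), ("xsi", XSI_NS), ("xc", XC_NS)):
    ET.register_namespace(_prefix, _uri)

HEADER = f'<configuration xmlns="{IVE_NS}" xmlns:xsi="{XSI_NS}" xmlns:xc="{XC_NS}">'
ROLE_TEMPLATE = HEADER + """<users><user-roles><user-role>
  <name>Template</name><description>exported baseline</description>
</user-role></user-roles></users></configuration>"""
REALM_TEMPLATE = HEADER + """<users><user-realms><realm>
  <name>Template</name>
  <role-mapping-rules><rule><name>r1</name><roles>Template</roles></rule></role-mapping-rules>
  <authentication-server>Template</authentication-server>
  <directory-server>Template</directory-server>
</realm></user-realms></users></configuration>"""
SIGNIN_TEMPLATE = HEADER + """<authentication><signin><urls><access-urls><access-url>
  <url-pattern>*/template/</url-pattern><enabled>true</enabled>
  <user><realms>Template</realms></user>
</access-url></access-urls></urls></signin></authentication></configuration>"""


def build_create_document(template_xml, container_tag, entry_tag, entries):
    """Clone the template's first <entry_tag> once per dict in `entries`,
    overriding the listed child elements, and mark the container create-only."""
    root = ET.fromstring(template_xml)
    container = root.find(f".//ive:{container_tag}", NS)
    if container is None:
        raise ValueError(f"template has no <{container_tag}> element")
    prototypes = container.findall(f"ive:{entry_tag}", NS)
    if not prototypes:
        raise ValueError(f"template has no <{entry_tag}> to clone")
    # xc:operation="create" on the container adds the new entries on import
    # instead of replacing the whole section (the note above).
    container.set(OP_ATTR, "create")
    prototype = copy.deepcopy(prototypes[0])
    for old in prototypes:
        container.remove(old)
    for values in entries:
        clone = copy.deepcopy(prototype)
        for tag, text in values.items():
            node = clone.find(f"ive:{tag}", NS)          # direct child first,
            if node is None:                              # then any descendant
                node = clone.find(f".//ive:{tag}", NS)
            if node is None:
                raise ValueError(f"<{entry_tag}> template has no <{tag}>")
            node.text = text
        container.append(clone)
    return ET.tostring(root, encoding="unicode")


def check_import_dependencies(role_xml, realm_xml, signin_xml,
                              existing_roles=(), existing_realms=()):
    """Return the references that would make an import fail when the files
    are applied in the required order roles -> realms -> sign-in policies.
    Objects already on the appliance are passed via existing_*."""
    roles = set(existing_roles) | {
        n.text for n in ET.fromstring(role_xml).iterfind(".//ive:user-role/ive:name", NS)}
    realm_root = ET.fromstring(realm_xml)
    realms = set(existing_realms) | {
        n.text for n in realm_root.iterfind(".//ive:realm/ive:name", NS)}
    problems = []
    for realm in realm_root.iterfind(".//ive:realm", NS):
        name = realm.findtext("ive:name", namespaces=NS)
        # Assumption: each <roles> element under a rule names a single role.
        for ref in realm.iterfind("ive:role-mapping-rules/ive:rule/ive:roles", NS):
            if ref.text and ref.text not in roles:
                problems.append(f"realm {name!r} maps to unknown role {ref.text!r}")
    for url in ET.fromstring(signin_xml).iterfind(".//ive:access-url", NS):
        pattern = url.findtext("ive:url-pattern", namespaces=NS)
        for ref in url.iterfind("ive:user/ive:realms", NS):
            if ref.text and ref.text not in realms:
                problems.append(f"sign-in policy {pattern!r} references unknown realm {ref.text!r}")
    return problems


def build_page_scenario():
    """The page's scenario: Finance/IT/HR roles, a realm on the LDAP server,
    and a */users/ sign-in policy bound to that realm."""
    roles = build_create_document(ROLE_TEMPLATE, "user-roles", "user-role",
                                  [{"name": n} for n in ("Finance", "IT", "HR")])
    realms = build_create_document(REALM_TEMPLATE, "user-realms", "realm", [{
        "name": "LDAP", "authentication-server": "LDAP",
        "directory-server": "LDAP", "roles": "Finance"}])
    signin = build_create_document(SIGNIN_TEMPLATE, "access-urls", "access-url",
                                   [{"url-pattern": "*/users/", "realms": "LDAP"}])
    return roles, realms, signin


if __name__ == "__main__":
    role_xml, realm_xml, signin_xml = build_page_scenario()
    for label, doc in (("roles", role_xml), ("realms", realm_xml), ("sign-in", signin_xml)):
        print(f"--- {label} import file ---\n{doc}\n")
    for problem in check_import_dependencies(role_xml, realm_xml, signin_xml):
        print("BLOCKER:", problem)
```

To use it against a real appliance, replace the three constructed templates with the files saved in the export steps above (keeping their original namespace declarations) and pass the names of roles and realms that already exist on the system via existing_roles and existing_realms; any line printed as BLOCKER is a reference the corresponding import would reject, so fix it before importing the three files in roles, realms, sign-in policies order.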
Related Links: Attachment 1
Created By: Nick Christen
