---
title: Saml2Module
description: Resource path:
component: pingam
version: 8.1
page_id: pingam:entity-reference:sec-amster-entity-saml2module
canonical_url: https://docs.pingidentity.com/pingam/8.1/entity-reference/sec-amster-entity-saml2module.html
section_ids:
  sec-amster-entity-saml2module-realm-ops: Realm Operations
  sec-amster-entity-saml2module-realm-ops-create: create
  sec-amster-entity-saml2module-realm-ops-delete: delete
  sec-amster-entity-saml2module-realm-ops-getalltypes: getAllTypes
  sec-amster-entity-saml2module-realm-ops-getcreatabletypes: getCreatableTypes
  sec-amster-entity-saml2module-realm-ops-nextdescendents: nextdescendents
  sec-amster-entity-saml2module-realm-ops-query: query
  sec-amster-entity-saml2module-realm-ops-read: read
  sec-amster-entity-saml2module-realm-ops-update: update
  sec-amster-entity-saml2module-global-ops: Global Operations
  sec-amster-entity-saml2module-global-ops-getalltypes: getAllTypes
  sec-amster-entity-saml2module-global-ops-getcreatabletypes: getCreatableTypes
  sec-amster-entity-saml2module-global-ops-nextdescendents: nextdescendents
  sec-amster-entity-saml2module-global-ops-read: read
  sec-amster-entity-saml2module-global-ops-update: update
---

# Saml2Module

## Realm Operations

Resource path:

```
/realm-config/authentication/modules/authSaml
```

Resource version: `0.0`

### create

**Usage**

```
am> create Saml2Module --realm Realm --id id --body body
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "authnContextClassRef" : {
        "title" : "Authentication Context Class Reference",
        "description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
        "propertyOrder" : 700,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "nameIdFormat" : {
        "title" : "NameID Format",
        "description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</pre>",
        "propertyOrder" : 1300,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "allowCreate" : {
        "title" : "Allow IdP to Create NameID",
        "description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
        "propertyOrder" : 400,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authComparison" : {
        "title" : "Comparison Type",
        "description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
        "propertyOrder" : 600,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "loginChain" : {
        "title" : "Linking Authentication Chain",
        "description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
        "propertyOrder" : 500,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "binding" : {
        "title" : "Response Binding",
        "description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
        "propertyOrder" : 1000,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "forceAuthn" : {
        "title" : "Force IdP Authentication",
        "description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
        "propertyOrder" : 1100,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authenticationLevel" : {
        "title" : "Authentication Level",
        "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
        "propertyOrder" : 100,
        "required" : true,
        "type" : "integer",
        "exampleValue" : ""
      },
      "sloRelay" : {
        "title" : "Single Logout URL",
        "description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (start with http...), or the redirect will not function.",
        "propertyOrder" : 1500,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "reqBinding" : {
        "title" : "Request Binding",
        "description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
        "propertyOrder" : 900,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authnContextDeclRef" : {
        "title" : "Authentication Context Declaration Reference",
        "description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
        "propertyOrder" : 800,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "entityName" : {
        "title" : "IdP Entity ID",
        "description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
        "propertyOrder" : 200,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "metaAlias" : {
        "title" : "SP MetaAlias",
        "description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
        "propertyOrder" : 300,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "sloEnabled" : {
        "title" : "Single Logout Enabled",
        "description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
        "propertyOrder" : 1400,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "isPassive" : {
        "title" : "Passive Authentication",
        "description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
        "propertyOrder" : 1200,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      }
    }
  }
  ```
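A pre-flight check for the `--body` JSON, added here as an example and not part of the PingAM documentation or of Amster: it validates a candidate body against the constraints the schema above states (presence of every property, the string-encoded true/false values, the four comparison values, the pipe-separated context references, the `/realm_name/SP` MetaAlias shape and a fully-qualified `sloRelay` when single logout is enabled). The sample body values, the `META_ALIAS` pattern, the binding strings and the acceptance of an empty `sloRelay` when logout is disabled are assumptions.

```python
import re
from urllib.parse import urlparse

# Property names from the schema on this page (all marked "required" there).
SCHEMA_KEYS = (
    "authenticationLevel", "entityName", "metaAlias", "allowCreate", "loginChain",
    "authComparison", "authnContextClassRef", "authnContextDeclRef", "reqBinding",
    "binding", "forceAuthn", "isPassive", "nameIdFormat", "sloEnabled", "sloRelay",
)
# Described as "(Optional)" on the page, so an empty string is accepted; sloRelay is
# only consulted when sloEnabled is "true" (assumption: empty is fine otherwise).
MAY_BE_EMPTY = {"authComparison", "authnContextClassRef", "authnContextDeclRef",
                "nameIdFormat", "sloRelay"}
BOOL_STRINGS = ("allowCreate", "forceAuthn", "isPassive", "sloEnabled")  # schema type is string
COMPARISONS = {"better", "exact", "maximum", "minimum"}
META_ALIAS = re.compile(r"^/[^/\s]+(?:/[^/\s]+)*$")  # assumed shape of "/realm_name/SP"


def validate_saml2_module_body(body: dict) -> list[str]:
    """Return the problems found; an empty list means the body passes every check."""
    problems: list[str] = []
    for key in SCHEMA_KEYS:  # shape checks: presence and JSON type
        if key not in body:
            problems.append(f"{key}: missing (every property is marked required)")
        elif key == "authenticationLevel":
            if isinstance(body[key], bool) or not isinstance(body[key], int) or body[key] < 0:
                problems.append("authenticationLevel: must be a non-negative integer")
        elif not isinstance(body[key], str):
            problems.append(f"{key}: schema type is string")
        elif body[key] == "" and key not in MAY_BE_EMPTY:
            problems.append(f"{key}: must not be empty")
    if problems:
        return problems  # value checks below assume the shape is right
    for key in BOOL_STRINGS:
        if body[key] not in ("true", "false"):
            problems.append(f'{key}: expected "true" or "false", got {body[key]!r}')
    if body["authComparison"] and body["authComparison"] not in COMPARISONS:
        problems.append(f"authComparison: must be one of {sorted(COMPARISONS)}")
    for key in ("authnContextClassRef", "authnContextDeclRef"):  # pipe-separated lists
        if body[key] and any(not part.strip() for part in body[key].split("|")):
            problems.append(f"{key}: empty entry in pipe-separated list")
    if body["nameIdFormat"] and not body["nameIdFormat"].startswith("urn:oasis:names:tc:SAML:"):
        problems.append("nameIdFormat: expected a SAML NameID format URN")
    if not META_ALIAS.match(body["metaAlias"]):
        problems.append("metaAlias: expected the form /realm_name/SP")
    if body["sloEnabled"] == "true":  # an unqualified sloRelay silently breaks the logout redirect
        url = urlparse(body["sloRelay"])
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append("sloRelay: must be a fully-qualified http(s) URL")
    return problems


# Constructed sample body for `create Saml2Module --realm Realm --id id --body body`.
# Entity ID, hostnames, chain name and binding strings are illustrative placeholders.
SAMPLE_BODY = {
    "authenticationLevel": 10, "loginChain": "ldapService", "metaAlias": "/employees/SP",
    "entityName": "https://idp.example.com/saml2/idp",
    "allowCreate": "true", "forceAuthn": "false", "isPassive": "false", "sloEnabled": "true",
    "authComparison": "exact", "authnContextDeclRef": "",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "reqBinding": "HTTP-Redirect", "binding": "HTTP-POST",
    "sloRelay": "https://sp.example.com/loggedout",
}
```

Run the check over the JSON you intend to pass as `--body` before issuing the `create` or `update` command; the same function applies to the `update` body, which uses the identical schema.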

### delete

**Usage**

```
am> delete Saml2Module --realm Realm --id id
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

### getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

**Usage**

```
am> action Saml2Module --realm Realm --actionName getAllTypes
```

### getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

**Usage**

```
am> action Saml2Module --realm Realm --actionName getCreatableTypes
```

### nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

**Usage**

```
am> action Saml2Module --realm Realm --actionName nextdescendents
```

### query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

**Usage**

```
am> query Saml2Module --realm Realm --filter filter
```

**Parameters**

* *\--filter*

  A CREST-formatted query filter; `true` queries all instances.

### read

**Usage**

```
am> read Saml2Module --realm Realm --id id
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

### update

**Usage**

```
am> update Saml2Module --realm Realm --id id --body body
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "authnContextClassRef" : {
        "title" : "Authentication Context Class Reference",
        "description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
        "propertyOrder" : 700,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "nameIdFormat" : {
        "title" : "NameID Format",
        "description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</pre>",
        "propertyOrder" : 1300,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "allowCreate" : {
        "title" : "Allow IdP to Create NameID",
        "description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
        "propertyOrder" : 400,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authComparison" : {
        "title" : "Comparison Type",
        "description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
        "propertyOrder" : 600,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "loginChain" : {
        "title" : "Linking Authentication Chain",
        "description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
        "propertyOrder" : 500,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "binding" : {
        "title" : "Response Binding",
        "description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
        "propertyOrder" : 1000,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "forceAuthn" : {
        "title" : "Force IdP Authentication",
        "description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
        "propertyOrder" : 1100,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authenticationLevel" : {
        "title" : "Authentication Level",
        "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
        "propertyOrder" : 100,
        "required" : true,
        "type" : "integer",
        "exampleValue" : ""
      },
      "sloRelay" : {
        "title" : "Single Logout URL",
        "description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (start with http...), or the redirect will not function.",
        "propertyOrder" : 1500,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "reqBinding" : {
        "title" : "Request Binding",
        "description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
        "propertyOrder" : 900,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authnContextDeclRef" : {
        "title" : "Authentication Context Declaration Reference",
        "description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
        "propertyOrder" : 800,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "entityName" : {
        "title" : "IdP Entity ID",
        "description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
        "propertyOrder" : 200,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "metaAlias" : {
        "title" : "SP MetaAlias",
        "description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
        "propertyOrder" : 300,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "sloEnabled" : {
        "title" : "Single Logout Enabled",
        "description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
        "propertyOrder" : 1400,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "isPassive" : {
        "title" : "Passive Authentication",
        "description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
        "propertyOrder" : 1200,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      }
    }
  }
  ```

## Global Operations

Resource path:

```
/global-config/authentication/modules/authSaml
```

Resource version: `1.0`

### getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

**Usage**

```
am> action Saml2Module --global --actionName getAllTypes
```

### getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

**Usage**

```
am> action Saml2Module --global --actionName getCreatableTypes
```

### nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

**Usage**

```
am> action Saml2Module --global --actionName nextdescendents
```

### read

**Usage**

```
am> read Saml2Module --global
```

### update

**Usage**

```
am> update Saml2Module --global --body body
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "defaults" : {
        "properties" : {
          "authnContextClassRef" : {
            "title" : "Authentication Context Class Reference",
            "description" : "(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).",
            "propertyOrder" : 700,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "allowCreate" : {
            "title" : "Allow IdP to Create NameID",
            "description" : "Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).",
            "propertyOrder" : 400,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "binding" : {
            "title" : "Response Binding",
            "description" : "Use this parameter to indicate what binding the IdP should use when communicating with this SP.",
            "propertyOrder" : 1000,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "authnContextDeclRef" : {
            "title" : "Authentication Context Declaration Reference",
            "description" : "(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).",
            "propertyOrder" : 800,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "sloRelay" : {
            "title" : "Single Logout URL",
            "description" : "If Single Logout is enabled, this is the URL to which the user should be forwarded after successful IdP logout. This must be a fully-qualified URL (start with http...), or the redirect will not function.",
            "propertyOrder" : 1500,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "entityName" : {
            "title" : "IdP Entity ID",
            "description" : "The entity name of the SAML2 IdP Service to use for this module (must be configured).",
            "propertyOrder" : 200,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "authComparison" : {
            "title" : "Comparison Type",
            "description" : "(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: <pre>better</pre>, <pre>exact</pre>, <pre>maximum</pre>, and <pre>minimum</pre>.",
            "propertyOrder" : 600,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "loginChain" : {
            "title" : "Linking Authentication Chain",
            "description" : "The authentication chain that will be executed when a user is required to be authenticated locally to match their user account with that of a remotely authenticated assertion.",
            "propertyOrder" : 500,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "sloEnabled" : {
            "title" : "Single Logout Enabled",
            "description" : "Enable to attempt logout of the user's IdP session at the point of session logout. Requires the <pre>org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin</pre> to be active on the chain that includes this SAML2 module.",
            "propertyOrder" : 1400,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "forceAuthn" : {
            "title" : "Force IdP Authentication",
            "description" : "Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).",
            "propertyOrder" : 1100,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "nameIdFormat" : {
            "title" : "NameID Format",
            "description" : "(Optional) Use this parameter to specify a SAML Name Identifier format identifier such as <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</pre> <pre>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</pre> <pre>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</pre>",
            "propertyOrder" : 1300,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "metaAlias" : {
            "title" : "SP MetaAlias",
            "description" : "MetaAlias for Service Provider. The format of this parameter is <pre>/realm_name/SP</pre>",
            "propertyOrder" : 300,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "isPassive" : {
            "title" : "Passive Authentication",
            "description" : "Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).",
            "propertyOrder" : 1200,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "reqBinding" : {
            "title" : "Request Binding",
            "description" : "Use this parameter to indicate what binding the SP should use when communicating with the IdP.",
            "propertyOrder" : 900,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "authenticationLevel" : {
            "title" : "Authentication Level",
            "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
            "propertyOrder" : 100,
            "required" : true,
            "type" : "integer",
            "exampleValue" : ""
          }
        },
        "type" : "object",
        "title" : "Realm Defaults"
      }
    }
  }
  ```
