connection (Identity Management Advanced Query)
Syntax
connection {
    connect-method (http | https);
    port port;
    primary {
        address address;
        ca-certificate ca-certificate;
        client-id client-id;
        client-secret client-secret;
        interface interface-name;
        routing-instance routing-instance-name;
        source source-address;
    }
    query-api query-api;
    secondary {
        address address;
        ca-certificate ca-certificate;
        client-id client-id;
        client-secret client-secret;
        interface interface-name;
        routing-instance routing-instance-name;
        source source-address;
    }
    token-api token-api;
}
Hierarchy Level
[edit services user-identification identity-management]
Description
Configure parameters for connecting the SRX Series to the Juniper Identity Management Service (JIMS) server to obtain user identity and device information.
For the SRX Series Firewall to obtain user identity information, you must first establish a connection to the JIMS server. The parameters to specify for the connection include the protocol, the IP address of the JIMS server, and the information used to authenticate the SRX Series Firewall to the JIMS server.
If you are using more than one JIMS server, you must configure each server separately. The SRX Series Firewall always attempts to connect to the primary server first. If the primary server fails, the SRX Series Firewall falls back to the secondary server. The SRX Series Firewall periodically probes the failed primary server and reverts to it when it is available.
Only configuration of the primary server is mandatory. You are not required to use a secondary server.
The SRX Series advanced user identity query feature queries the JIMS for user identity information that the SRX Series stores in its authentication table and uses to authenticate users. Use of the JIMS allows you to provision users locally and have their authentication information made available to other sites in your network for policy enforcement and reporting.
Before you use this feature, you must disable any other actively used options under the [edit services user-identification] hierarchy. The commit fails if Active Directory authentication, the ClearPass query function, or the ClearPass webapi function is also configured and committed.
To obtain device information, such as device identity, groups, and the operating system, from the JIMS server using either the batch-query or ip-query configuration, you must set the device authentication source, as follows.
user@host# set services user-identification device-information authentication-source network-access-controller
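The following configuration is added here as an illustration and is not taken from Juniper's documentation. It shows a complete connection statement with a primary and a secondary JIMS server over HTTPS, together with the device-information setting from the step above. The addresses, port, CA certificate path, client ID, and client secret are placeholder values that you would replace with the ones issued by your JIMS deployment.

```junos
/* Added example: connection to a primary and a secondary JIMS server */
services {
    user-identification {
        identity-management {
            connection {
                /* HTTPS so that the server certificate can be validated */
                connect-method https;
                /* Placeholder port; use the port your JIMS server listens on */
                port 443;
                primary {
                    /* Placeholder address of the primary JIMS server */
                    address 192.0.2.10;
                    /* Placeholder path to the CA certificate that signed the JIMS server certificate */
                    ca-certificate /var/tmp/jims-ca.pem;
                    /* Placeholder OAuth2 client credentials issued by JIMS */
                    client-id srx-edge-01;
                    client-secret "REPLACE-WITH-CLIENT-SECRET";
                }
                secondary {
                    /* Placeholder address of the secondary JIMS server */
                    address 192.0.2.11;
                    ca-certificate /var/tmp/jims-ca.pem;
                    client-id srx-edge-01;
                    client-secret "REPLACE-WITH-CLIENT-SECRET";
                }
                /* Defaults from this page, shown explicitly */
                query-api user-query/v2;
                token-api oauth_token/oauth;
            }
        }
        /* Required to obtain device identity, groups, and OS from JIMS */
        device-information {
            authentication-source network-access-controller;
        }
    }
}
```

Because the client secret is sent to the JIMS server in the OAuth2 token request, use https together with a ca-certificate so that the firewall validates the server before presenting the credential. The secondary server is only contacted after the primary fails, and the firewall returns to the primary once its periodic probe succeeds, so both servers should be issued credentials and a certificate chain that the configured CA can validate.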
connect-method- Configure the protocol to be used for the SRX Series Firewall connection to JIMS. The SRX Series Firewall connects to the JIMS to obtain user identity information.
port- Configure the port on the JIMS server that the SRX Series Firewall uses to connect to the server.
query-api- Configure the prefix of the URL path for querying user identities. This value is used to construct the prefix of the path for queries for individual users, as well as for ip-query and batch-query requests, each of which has a unique suffix:
    For IP query: query-api/ip/
    For batch query: query-api/users/
    For user query: query-api/user
The default value for query-api is user-query/v2.
For example, for a batch query, assume that the query API is configured as user-query/v2. To generate the complete URL, the prefix is combined with the connection method, which is HTTPS, the IP address of the JIMS server (expressed in this example as the variable JIMS), the beginning timestamp, begintime={timestamp}, and the number of user identity information items to be provided in the record that the JIMS server returns, entry_count={count}:
https://JIMS/user_query/v2/users/endpoints?begintime={timestamp}&entry_count={count}
token-api- The path of the URL for acquiring the access token for OAuth2 authentication (RFC 6749). The JIMS server requires that the SRX Series Firewall authenticate to it using OAuth2. The SRX Series Firewall uses the Client Credentials grant type for this purpose.
The following example shows the default token-api, oauth_token/oauth, combined with the connection method, https, and the JIMS server IP address placeholder to create the complete URL:
https://JIMS/oauth_token/oauth
The advanced user identity query feature, to which this statement belongs, allows you to obtain user identity information from the JIMS through queries. It allows you to provision users locally and have their authentication information made available to other sites in your network for policy enforcement and reporting.
Options
connect-method | Method of connection
port | Server port
query-api | Query API
token-api | API for acquiring the token for OAuth2 authentication
The remaining statements are described separately.
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1X49-D100.
The source, interface, and routing-instance options were introduced in Junos OS Release 21.1R1.