createAuthorizationRealm
Create an AuthorizationRealm
Format
udclient [global-args...] [global-flags...]
createAuthorizationRealm [JSON file]
Parameters
None.
Template
This command takes a JSON request string or file. Use the following template for the request:
{
  "description": "A description (optional)",
  "name": "AuthorizationRealm name",
  "properties": {
    "authentication-mech": "LDAP: Simple or DIGEST-MD5",
    "connection-name": "LDAP: The username to use for Simple binding to LDAP for searches. If not specified, an anonymous connection is made.",
    "connection-password": "LDAP: The password to use for Simple binding to LDAP for searches.",
    "entra-group-source": "OIDC: Applies only to Microsoft Entra ID realms. Determines which token claim is used to resolve group membership. Any one of: APP_ROLES, SECURITY_GROUPS. APP_ROLES (default): checks the \"roles\" claim for Application Roles defined in the Entra ID manifest. SECURITY_GROUPS: checks the \"groups\" claim, matching on the group Object ID (GUID). The Entra ID application must be configured to include group claims in the token.",
    "group-attribute": "LDAP: The name of the attribute that contains group names in the user directory entry.",
    "group-base": "LDAP: The base directory to execute group searches in.",
    "group-name": "LDAP: The name of the entry that contains the user's group names in the directory entries returned by the group search. If this is not specified, no group search will take place.",
    "group-search": "LDAP: The LDAP filter expression to use when searching for group entries. The username will be put in place of {1} in the search pattern and the full user DN will be put in place of {0}.",
    "group-search-iterative": "LDAP: Perform additional lookups to find indirectly assigned groups. This option may significantly increase the amount of time required to authenticate users. Consult your LDAP administrators before enabling this option.",
    "group-search-subtree": "LDAP: Search the full subtree for the groups, as opposed to a single-level search only covering groups directly inside the specified search base.",
    "groups-delim": "SSO: A string that acts as the delimiter between groups that are passed in the headers. For example, if the user should be added to groups GROUP1 and GROUP2, and the header value was \"GROUP=GROUP1;GROUP=GROUP2\", the delimiter would be ';'. Note: special regex characters such as '+' must be escaped with one backslash '\\'.",
    "groups-header": "SSO: The header name that denotes the user groups to which the user will be added.",
    "groups-regex": "SSO: The regular expression to find the groups in the header value. If a capturing group is specified, only the first will be caught (per delimited string). If no capturing group is specified with parentheses, then the whole delimited string will be captured.",
    "oidc-vendor": "OIDC: The vendor of the OpenID Connect provider. Any one of: MS_ENTRA, OKTA, GENERIC. MS_ENTRA: the Microsoft Entra ID authorization realm will check the \"roles\" claim for Application Roles. The Entra ID manifest must be configured with requestedAccessTokenVersion set to 2. Deploy must be exposed as an API in Entra ID, and the corresponding API ID must be configured as a scope in Deploy's Authentication Realm configuration. OKTA: the authorization realm will check the \"groups\" claim for groups. An Authorization Server for this application must be defined in Okta. The authentication realm must be configured with the Issuer and other URLs for the Authorization Server.",
    "sasl-realm": "LDAP: The SASL realm for DIGEST-MD5 authentication.",
    "url": "LDAP: The URL of the LDAP server. It should begin with 'ldap://' or 'ldaps://'. Failover servers can be added by separating the URLs with a space. Example: ldap://ldap.mydomain.com:389 ldap://ldap.mydomain2.com",
    "user-base": "LDAP: When you search multiple directories, specify the starting directory that is used for searches, such as ou=employees,dc=mydomain,dc=com.",
    "user-pattern": "LDAP: Use when LDAP users exist in a single directory; a pattern that builds the user DN from the username.",
    "user-search": "LDAP: The LDAP filter expression to use when searching for user directory entries. The username is put in place of {0} in the search pattern. If this is an attribute and not part of the user DN, wrap it in parentheses. E.g. uid={0} or (sAMAccountName={0})",
    "user-search-subtree": "LDAP: Search the full subtree for the user, as opposed to a single-level search only covering users directly inside the specified search base. \"true\" or \"false\""
  },
  "type": "Any one of: INTERNAL, LDAP, SSO, OIDC"
}
Related REST command: Create an AuthorizationRealm.
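The template above documents field names and allowed values but nothing checks a request body before it is submitted. The following pre-flight linter is an added example, not part of udclient or the product's REST API: it validates a request dictionary against the template (realm type, which properties belong to which realm type, LDAP URL scheme, the {0}/{1} placeholders, SSO delimiter escaping, OIDC vendor and Entra group source) and models the SSO group-header parsing the groups-delim and groups-regex descriptions describe. The mapping of properties to realm types is read from the "LDAP:/SSO:/OIDC:" prefixes in the template; the warning on cleartext ldap:// and the requirement that an LDAP realm name either user-pattern or user-search are this script's own assumptions, as is the sample request it constructs.

```python
import json
import re

VALID_TYPES = {"INTERNAL", "LDAP", "SSO", "OIDC"}
OIDC_VENDORS = {"MS_ENTRA", "OKTA", "GENERIC"}
ENTRA_GROUP_SOURCES = {"APP_ROLES", "SECURITY_GROUPS"}
LDAP_MECHS = {"Simple", "DIGEST-MD5"}
REGEX_META = set(".^$*+?{}[]|()")

# Realm type each property applies to, taken from the LDAP:/SSO:/OIDC: prefix of its template description.
PROPERTY_OWNER = {
    **{k: "LDAP" for k in (
        "authentication-mech", "connection-name", "connection-password", "group-attribute",
        "group-base", "group-name", "group-search", "group-search-iterative",
        "group-search-subtree", "sasl-realm", "url", "user-base", "user-pattern",
        "user-search", "user-search-subtree")},
    **{k: "SSO" for k in ("groups-delim", "groups-header", "groups-regex")},
    **{k: "OIDC" for k in ("oidc-vendor", "entra-group-source")},
}


def check_realm_request(req):
    """Return a list of findings for a createAuthorizationRealm body; empty means it passed."""
    findings = []
    realm_type = req.get("type")
    props = req.get("properties") or {}
    if not req.get("name"):
        findings.append("name is required")
    if realm_type not in VALID_TYPES:
        findings.append(f"type must be one of {sorted(VALID_TYPES)}, got {realm_type!r}")

    for key in props:  # reject unknown keys and keys that belong to a different realm type
        owner = PROPERTY_OWNER.get(key)
        if owner is None:
            findings.append(f"unknown property {key!r}")
        elif owner != realm_type:
            findings.append(f"property {key!r} applies to {owner} realms, not {realm_type}")

    if realm_type == "LDAP":
        url = props.get("url", "")
        if not url:
            findings.append("LDAP realm needs a url")
        for server in url.split():  # failover servers are space-separated
            if server.startswith("ldap://"):
                # Assumption of this linter: flag cleartext LDAP, since the bind password crosses the wire unprotected.
                findings.append(f"{server}: ldap:// is unencrypted; prefer ldaps://")
            elif not server.startswith("ldaps://"):
                findings.append(f"{server}: must begin with ldap:// or ldaps://")
        mech = props.get("authentication-mech")
        if mech is not None and mech not in LDAP_MECHS:
            findings.append(f"authentication-mech must be Simple or DIGEST-MD5, got {mech!r}")
        if not (props.get("user-pattern") or props.get("user-search")):
            findings.append("LDAP realm needs user-pattern or user-search to locate users")  # assumption
        if "user-search" in props and "{0}" not in props["user-search"]:
            findings.append("user-search should contain {0}, the placeholder for the username")
        if "group-search" in props and "{0}" not in props["group-search"] and "{1}" not in props["group-search"]:
            findings.append("group-search contains neither {0} (user DN) nor {1} (username)")
        if "user-search-subtree" in props and props["user-search-subtree"] not in ("true", "false"):
            findings.append('user-search-subtree must be "true" or "false"')

    if realm_type == "SSO":
        if not props.get("groups-header"):
            findings.append("SSO realm needs groups-header")
        delim = props.get("groups-delim", "")
        for i, ch in enumerate(delim):  # metacharacters in the delimiter must carry one backslash
            if ch in REGEX_META and (i == 0 or delim[i - 1] != "\\"):
                findings.append(f"groups-delim: regex character {ch!r} must be escaped with a backslash")
        if "groups-regex" in props:
            try:
                re.compile(props["groups-regex"])
            except re.error as exc:
                findings.append(f"groups-regex does not compile: {exc}")

    if realm_type == "OIDC":
        vendor = props.get("oidc-vendor")
        if vendor not in OIDC_VENDORS:
            findings.append(f"oidc-vendor must be one of {sorted(OIDC_VENDORS)}, got {vendor!r}")
        source = props.get("entra-group-source")
        if source is not None and source not in ENTRA_GROUP_SOURCES:
            findings.append(f"entra-group-source must be APP_ROLES or SECURITY_GROUPS, got {source!r}")
        if source is not None and vendor != "MS_ENTRA":
            findings.append("entra-group-source applies only to MS_ENTRA realms")
    return findings


def extract_sso_groups(header_value, delim, groups_regex=None):
    """Model of the SSO header parsing the template describes: split the header value on
    groups-delim (a regex), then per piece keep the first capturing group of groups-regex
    if it has one, otherwise the whole delimited string."""
    groups = []
    for piece in re.split(delim, header_value):
        if not piece:
            continue
        if groups_regex is None:
            groups.append(piece)
            continue
        match = re.search(groups_regex, piece)
        if match:
            groups.append(match.group(1) if match.re.groups else piece)
    return groups


if __name__ == "__main__":
    # Constructed sample request (hostnames and DNs are placeholders, not from the documentation).
    sample = {"name": "corp-ldap", "type": "LDAP", "properties": {
        "url": "ldap://ldap.example.invalid:389", "authentication-mech": "Simple",
        "connection-name": "cn=svc-deploy,ou=service,dc=example,dc=invalid",
        "user-base": "ou=employees,dc=example,dc=invalid", "user-search": "(sAMAccountName={0})",
        "user-search-subtree": "true", "groups-header": "X-Groups"}}
    print(json.dumps(sample, indent=2))
    for finding in check_realm_request(sample):
        print("finding:", finding)
```

Run the script on its own to see the sample body and the two findings it produces (the cleartext ldap:// scheme and the SSO-only groups-header key on an LDAP realm); feed a real request file to check_realm_request before passing it to udclient createAuthorizationRealm.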