Fortinet Document Library


Configure a SAML service provider

You must configure your SPs in order to use SAML authentication. To configure an SP, you must have the required IDP metadata file imported into FortiADC ahead of time. See Import IDP Metadata for more information.

Once you have imported the needed IDP metadata file into FortiADC, you can use the following steps to configure a SAML service provider:

  1. Click User Authentication > SAML.
  2. Select the SAML Service Providers tab, if it is not selected.
  3. Click Create New to open the SAML Service Providers configuration editor.
  4. Make the desired entries or selections, as described in the Configure a SAML service provider table below.
  5. Click Save when done.

Configure a SAML service provider

Parameter / Description

SAML Service Provider

Use this page to configure a SAML service provider.

Name

Specify a unique name for the SAML service provider.

Entity ID

Specify the SAML service provider's entity ID, which is the SAML service provider's URL.

Local Certification

Select an option. The default is Factory.

Service URL

/SSO

Assertion Consuming Service Binding Type

Post

Assertion Consuming Service Path

/SAML2/Post

Single Logout Binding Type

Post

Single Logout Path

/SLO/Logout

IDP Metadata

Select an IDP metadata file.

Note: You must have the IDP metadata file imported into FortiADC ahead of time.

Metadata Export Service Location

/Metadata

Authentication Session Lifetime

28800

Authentication Session Timeout

3600

SSO Status

Enabled by default. FortiADC forwards SSO information to the real server, which uses the authentication information to implement the SSO function.

Export Assertion Status

Enabled by default. FortiADC sends the real server the URL from which the authentication assertion (i.e., identity information) can be fetched.

Export Assertion Path

/GetAssertion

Export Cookie Status

Enabled by default. FortiADC sends the real server the cookie of the site the user last visited.

Export Assertion ACL: IP Netmask

Enter the IP address of the real server (or the IP netmask if the real server is one of a group of real servers) that requests authentication assertions.
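As an added example (not Fortinet's code or anything FortiADC itself runs), the following Python builds the SP metadata that the Entity ID, Assertion Consuming Service Path and Single Logout Path in the table describe, and runs a pre-import sanity check on an IDP metadata file of the kind the IDP Metadata field requires. It assumes the entity ID doubles as the base URL the paths hang off, and the IDP metadata it checks is a constructed sample, not a real identity provider's.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)

def build_sp_metadata(entity_id, acs_path="/SAML2/Post", slo_path="/SLO/Logout", binding=POST):
    """SP metadata implied by the table: entity ID plus ACS and SLO endpoints on the
    HTTP-POST binding. Assumes (not stated by Fortinet) the entity ID is the base URL."""
    base = entity_id.rstrip("/")
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=binding, Location=base + slo_path)
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=binding,
                  Location=base + acs_path, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")

def check_idp_metadata(xml_text, binding=POST):
    """Pre-import check: the file must describe an IDP, offer a SingleSignOnService on the
    SP's binding, and carry a signing certificate, or assertions cannot be verified."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("file has no IDPSSODescriptor (is this SP metadata?)")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == binding]
    if not sso:
        raise ValueError("IDP offers no SingleSignOnService on " + binding)
    # KeyDescriptor with use="signing", or with no use attribute (which means both uses)
    signing = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    if not signing:
        raise ValueError("IDP metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "signing_keys": len(signing)}

# Constructed sample IDP metadata (not a real identity provider); the certificate body is a
# placeholder where a real file carries a base64-encoded X.509 certificate.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Running `check_idp_metadata` on a file before importing it catches the two mismatches that otherwise surface only as failed logins: an IDP that lacks a POST single sign-on endpoint while the SP's binding is Post, and metadata with no signing certificate.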
