CLI Reference

config user saml-sp

Use this command to configure a SAML service provider (saml-sp) object. With it, FortiADC acts as the SAML SP: it sends authentication requests to the identity provider (IdP) described by idp-metadata, consumes the assertion the IdP returns, and can pass the authenticated identity on to the real servers.

Syntax

config user saml-sp

edit <name>

set entity-id <string>

set service-url <string>

set assertion-consuming-service-path <string>

set assertion-consuming-service-binding <string>

set metadata-path <string>

set logoff-path <string>

set logoff-binding {post|redirect}

set local-cert <datasource>

set auth-session-lifetime <integer>

set auth-session-timeout <integer>

set idp-metadata <datasource>

set assertion-require-sign {enable|disable}

set authnrequest-sign-algorithm {rsa-sha1|rsa-sha256|rsa-sha512}

set sso-export {enable|disable}

set export-assertion {enable|disable}

set export-assertion-path <string>

set export-cookie {enable|disable}

config export-assertion-acl

edit <name>

set ip-mask <ip_address/mask>

next

end

next

end

entity-id

Specify the SAML service provider's entity ID, the identifier by which the IdP recognizes this SP. It is usually the SP's URL, and it must match the entity ID registered for this SP at the IdP.

service-url

Specify the SAML service URL. The default value is /SSO.

assertion-consuming-service-path

Specify the Assertion Consuming Service Path. The default value is /SAML2/Post.

assertion-consuming-service-binding

Specify the Assertion Consuming Service Binding Type. The default value is post.

metadata-path

Specify the Metadata Export Service Location. The default value is /Metadata.

logoff-path

Specify the Single Logout Path. The default value is /SLO/Logout.

logoff-binding

Select one of the following Single Logout binding types:

  • post

  • redirect

The default value is post.

local-cert

Specify the local certificate that FortiADC uses for this SP. The default is Factory. The built-in Factory certificate is suitable for lab use; in production, use a certificate issued for this deployment, since the IdP trusts whatever key is published in the SP metadata.

auth-session-lifetime

Specify the Authentication Session Lifetime in seconds. (Range: 1-2592000, Default: 28800)

auth-session-timeout

Specify the Authentication Session Timeout in seconds. (Range: 1-86400, Default: 3600)

idp-metadata

Specify an IDP metadata file.

Note: You must have the IDP metadata file imported into FortiADC ahead of time.

assertion-require-sign

Enable/disable signing of the SAML authentication request (AuthnRequest) that FortiADC sends to the IdP, using the local-cert certificate and the algorithm selected by authnrequest-sign-algorithm. This is enabled by default.

authnrequest-sign-algorithm

Select one of the following AuthnRequest signing algorithms:

  • rsa-sha1

  • rsa-sha256

  • rsa-sha512

The default value is rsa-sha1. RSA with SHA-1 is deprecated for XML signatures; select rsa-sha256 or rsa-sha512 unless the IdP cannot verify them.

sso-export

Enabled by default. Allows FortiADC to forward SSO information to the real server, which uses that authentication information to implement SSO.

export-assertion

Enabled by default. Allows FortiADC to send the real server the URL (see export-assertion-path) from which it can fetch the authentication assertion, i.e. the user's identity information. Restrict which addresses may fetch from that URL with config export-assertion-acl.

export-assertion-path

Specify the Export Assertion Path. The default value is /GetAssertion.

export-cookie

Enabled by default. Allows FortiADC to send the real server the cookie of the site that the user last visited.

config export-assertion-acl

ip-mask

Enter the IP address of the real server that fetches authentication assertions, or an address with a netmask in CIDR form (for example 192.168.0.2/31) when the real server is one of a group of real servers. Keep each entry as narrow as the pool requires: any address matching an entry can retrieve assertions from export-assertion-path.
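The following is an added example, not FortiADC code and not from Fortinet. It models the export-assertion-acl as an allow-list of host or CIDR entries (the matching rule is assumed, based on the description above) so that you can check, before enabling export-assertion, which requesters an entry admits and whether an entry is broader than the real servers it is meant to cover. The ACL entries and server addresses are constructed sample data.

```python
"""Reason about an export-assertion-acl before it goes live.

Assumption (not from the FortiADC docs): an entry admits any requester
whose address falls inside it; a bare host is treated as a /32.
"""
import ipaddress


def parse_acl(entries):
    """Turn ip-mask strings (host or CIDR) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def acl_allows(networks, requester):
    """True if the requester address matches any ACL entry."""
    addr = ipaddress.ip_address(requester)
    return any(addr in net for net in networks)


def acl_overreach(networks, real_servers, max_extra=0):
    """Report entries admitting more addresses than the listed real servers.

    Returns a list of (entry, servers_covered, extra_addresses) for every
    entry whose surplus exceeds max_extra.
    """
    servers = {ipaddress.ip_address(s) for s in real_servers}
    findings = []
    for net in networks:
        covered = {a for a in servers if a in net}
        extra = net.num_addresses - len(covered)
        if extra > max_extra:
            findings.append((str(net), len(covered), extra))
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's /31 entry covers exactly two real servers,
    # while a /8 entry would let 16 million other hosts fetch assertions.
    real_servers = ["192.168.0.2", "192.168.0.3"]
    tight = parse_acl(["192.168.0.2/31"])
    loose = parse_acl(["10.0.0.0/8"])
    for who in ("192.168.0.2", "192.168.0.3", "192.168.0.4"):
        print(who, "allowed" if acl_allows(tight, who) else "denied")
    print("tight ACL overreach:", acl_overreach(tight, real_servers))
    print("loose ACL overreach:", acl_overreach(loose, ["10.1.2.3"]))
```

Note that 192.168.0.2/31 admits 192.168.0.2 and 192.168.0.3 and nothing else; an even-numbered host with /31 is the smallest entry that covers a two-server pool.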

Example

config user saml-sp

edit "sp-example"

set entity-id foradc221-7170

set service-url /SSO

set assertion-consuming-service-path /SAML2/Post

set assertion-consuming-service-binding post

set metadata-path /Metadata

set logoff-path /SLO/Logout

set logoff-binding post

set local-cert Factory

set auth-session-lifetime 28800

set auth-session-timeout 3600

set idp-metadata idp-example

set assertion-require-sign enable

set authnrequest-sign-algorithm rsa-sha512

set sso-export enable

set export-assertion enable

set export-assertion-path /GetAssertion

set export-cookie enable

config export-assertion-acl

edit 1

set ip-mask 192.168.0.2/31

next

end

next

end
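After applying a configuration like the one above, the IdP administrator will import the SP metadata that FortiADC publishes at metadata-path (https://<your-vip>/Metadata by default). The checker below is an added example, not FortiADC code and not from Fortinet. It assumes the exported document follows the standard SAML 2.0 metadata schema, and it confirms that the entity ID, Assertion Consumer Service and Single Logout endpoints match the entity-id, assertion-consuming-service-path/-binding and logoff-path/-binding settings, flags an unsigned-request or unsigned-assertion posture, and warns when a SHA-1 signature algorithm (the rsa-sha1 default) is advertised. The sample XML, the host sp.example.com and the presence of a ds:Signature element in the export are constructed for the demonstration.

```python
"""Sanity-check the SAML SP metadata published at metadata-path.

Feed it the XML fetched from the FortiADC metadata URL together with the
values set under config user saml-sp; it returns a summary and a list of
warnings a practitioner would want to resolve before handing the metadata
to the IdP.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDINGS = {
    "post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}
SHA1_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}


def check_sp_metadata(xml_text, expected):
    """Return (summary, warnings) for an SP EntityDescriptor.

    expected: dict with entity_id, acs_path, acs_binding, slo_path, slo_binding,
    mirroring the config user saml-sp settings.
    """
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or sp is None:
        raise ValueError("not a SAML 2.0 SP EntityDescriptor")

    warnings = []
    entity_id = root.get("entityID")
    if entity_id != expected["entity_id"]:
        warnings.append(f"entityID {entity_id!r} != configured {expected['entity_id']!r}")

    # Standard metadata flags; an absent attribute means false.
    authn_signed = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    want_signed = sp.get("WantAssertionsSigned", "false").lower() == "true"
    if not authn_signed:
        warnings.append("AuthnRequestsSigned is false: the IdP cannot verify who sent the request")
    if not want_signed:
        warnings.append("WantAssertionsSigned is false: unsigned assertions would be accepted")

    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    slo = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:SingleLogoutService", NS)]
    _check_endpoint(acs, "AssertionConsumerService", expected["acs_path"],
                    expected["acs_binding"], warnings)
    _check_endpoint(slo, "SingleLogoutService", expected["slo_path"],
                    expected["slo_binding"], warnings)

    # If the export carries an XML signature, report its algorithm and flag SHA-1.
    sig_alg = None
    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is not None:
        sig_alg = sig_method.get("Algorithm")
        if sig_alg in SHA1_ALGS:
            warnings.append(f"metadata signed with SHA-1 ({sig_alg}); use rsa-sha256 or rsa-sha512")

    summary = {"entity_id": entity_id, "acs": acs, "slo": slo,
               "authn_requests_signed": authn_signed,
               "want_assertions_signed": want_signed,
               "signature_algorithm": sig_alg}
    return summary, warnings


def _check_endpoint(endpoints, kind, path, binding, warnings):
    """Require an endpoint with the configured binding and path, served over HTTPS."""
    wanted = BINDINGS[binding]
    if not any(b == wanted and (loc or "").endswith(path) for b, loc in endpoints):
        warnings.append(f"no {kind} with binding {binding} at path {path}")
    for _, loc in endpoints:
        if (loc or "").startswith("http://"):
            warnings.append(f"{kind} {loc} is served over plain HTTP; assertions would travel in clear")


# Constructed sample (not a real FortiADC export): the page's example values,
# with a SHA-1 signature and WantAssertionsSigned="false" left in to trigger warnings.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="foradc221-7170">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/SLO/Logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/SAML2/Post" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

EXPECTED = {"entity_id": "foradc221-7170", "acs_path": "/SAML2/Post",
            "acs_binding": "post", "slo_path": "/SLO/Logout", "slo_binding": "post"}

if __name__ == "__main__":
    summary, found = check_sp_metadata(SAMPLE_METADATA, EXPECTED)
    print(summary)
    for w in found:
        print("WARN:", w)
```

Run it against the real export by replacing SAMPLE_METADATA with the fetched XML and EXPECTED with your configured values; an empty warning list means the metadata the IdP will import agrees with the CLI settings and advertises no weak signing choices.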
