You must configure your SPs in order to use SAML authentication. To configure an SP, you must have the required IDP metadata file imported into FortiADC ahead of time. See Import IDP Metadata for more information.
Once you have imported the needed IDP metadata file into FortiADC, you can use the following steps to configure a SAML service provider:
- Click User Authentication > SAML.
- Select the SAML Service Providers tab, if it is not selected.
- Click Create New to open the SAML Service Providers configuration editor.
- Configure the following settings.
SAML Service Provider Name
Specify a unique name for the SAML service provider.
Entity ID
Specify the SAML service provider's entity ID, which is the SAML service provider's URL. The IDP identifies this SP by this value, so it must match the entity ID registered at the IDP exactly.
Local Certificate
Select a local certificate from the drop-down. The default is Factory. This certificate is the SP's own signing certificate and is published in the exported SP metadata; use a certificate issued for this deployment rather than the built-in Factory default in production.
Service URL
Specify the SAML service URL. The default value is /SSO.
Assertion Consuming Service Binding Type
Specify the Assertion Consuming Service Binding Type. The default value is Post.
Assertion Consuming Service Path
Specify the Assertion Consuming Service Path. The default value is /SAML2/Post.
Single Logout Binding Type
Select the Single Logout Binding Type from the drop-down. The default value is Post.
Single Logout Path
Specify the Single Logout Path. The default value is /SLO/Logout.
IDP Metadata
Select an IDP metadata file from the drop-down.
Note: You must have the IDP metadata file imported into FortiADC ahead of time.
Metadata Export Service Location
Specify the Metadata Export Service Location. The default value is /Metadata.
Authentication Session Lifetime
Specify the Authentication Session Lifetime in seconds. (Range: 1-2592000, Default: 28800)
Authentication Session Timeout
Specify the Authentication Session Timeout in seconds. (Range: 1-86400, Default: 3600)
Assertion Require Sign
Enable or disable signing of the SAML authentication request (AuthnRequest) that FortiADC sends to the IDP, using the algorithm selected under AuthNRequest Sign Algo. Enable it whenever the IDP is configured to require signed requests.
AuthNRequest Sign Algo
Select the AuthNRequest signing algorithm from the drop-down. The default value is RSA-SHA1. SHA-1 is deprecated for digital signatures; if the drop-down and your IDP both offer a SHA-256 based algorithm, prefer it.
Enabled by default. Allows FortiADC to forward SSO information to the real server, which uses that authentication information to implement SSO.
Export Assertion Status
Enabled by default. Allows FortiADC to send the real server the URL from which the authentication assertion (i.e., the identity information) can be fetched.
Export Assertion Path
Specify the Export Assertion Path. The default value is /GetAssertion.
Export Cookie Status
Enabled by default. Allows FortiADC to send the real server the cookie of the site that the user last visited.
Export Assertion ACL IP Netmask
Enter the IP address of the real server (or the IP address and netmask if the real server is one of a group of real servers) that is allowed to request authentication assertions. Keep this as narrow as possible: every host that matches the ACL can fetch users' assertions from the Export Assertion Path, so a broad netmask exposes identity data to every host in that range.
- Click Save when done.
- Optional: Click Metadata to export the SP Metadata.
- Specify the SP Root URL.
- Click Export.
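The following script is an added example, not FortiADC code. It models the SP settings listed above: it derives the absolute endpoints the IDP must be told about (assuming, which the page does not confirm, that the exported metadata forms them as SP Root URL plus the configured path), emits equivalent SAML 2.0 SP metadata, checks an IDP metadata document against the SP settings before you import it, and evaluates the Export Assertion ACL for a requesting real server. The entity ID, root URL, certificate text, ACL and IDP document are constructed placeholders; FortiADC's real export format may differ.

```python
"""Added example (not FortiADC code): a model of the SP settings above.

Derives the SP endpoints from the SP Root URL plus the configured paths,
emits equivalent SAML 2.0 SP metadata, checks an IdP metadata document
against the SP settings before import, and evaluates the export-assertion
ACL. The entity ID, root URL, certificate text, ACL and IdP document are
constructed placeholders; FortiADC's real export format may differ.
"""
import ipaddress
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDINGS = {
    "Post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Page defaults for the SP parameters; URL, cert and ACL values are assumed.
SP_CONFIG = {
    "entity_id": "https://sp.example.com",   # assumed Entity ID
    "root_url": "https://sp.example.com",    # assumed SP Root URL (export step)
    "acs_binding": "Post",
    "acs_path": "/SAML2/Post",
    "slo_binding": "Post",
    "slo_path": "/SLO/Logout",
    "metadata_path": "/Metadata",
    "authn_request_signed": True,            # Assertion Require Sign
    "sign_algo": "RSA-SHA1",                 # AuthNRequest Sign Algo default
    "export_acl": "10.0.0.0/24",             # assumed Export Assertion ACL IP Netmask
}


def endpoints(cfg):
    """Absolute URLs the IdP needs; assumes Root URL + path (not confirmed by the page)."""
    root = cfg["root_url"].rstrip("/")
    return {"acs": root + cfg["acs_path"],
            "slo": root + cfg["slo_path"],
            "metadata": root + cfg["metadata_path"]}


def build_sp_metadata(cfg, signing_cert_b64):
    """Emit SP metadata equivalent to the settings (what the Export step publishes)."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    ep = endpoints(cfg)
    ent = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=cfg["entity_id"])
    sp = ET.SubElement(ent, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration=SAMLP,
                       AuthnRequestsSigned=str(cfg["authn_request_signed"]).lower())
    # The Local Certificate is what the IdP uses to verify signed AuthnRequests.
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = signing_cert_b64
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                  Binding=BINDINGS[cfg["slo_binding"]], Location=ep["slo"])
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  Binding=BINDINGS[cfg["acs_binding"]], Location=ep["acs"],
                  index="0", isDefault="true")
    return ET.tostring(ent, encoding="unicode")


def check_idp_metadata(xml_text, cfg):
    """Return problems that would make the IdP metadata unusable with this SP."""
    problems = []
    idp = ET.fromstring(xml_text).find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor: this is not IdP metadata"]
    if not idp.findall(f"{{{MD}}}SingleSignOnService"):
        problems.append("IdP advertises no SingleSignOnService endpoint")
    cert_path = f"{{{MD}}}KeyDescriptor/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate"
    if not idp.findall(cert_path):
        problems.append("IdP metadata has no certificate: assertion signatures cannot be verified")
    if idp.get("WantAuthnRequestsSigned") == "true" and not cfg["authn_request_signed"]:
        problems.append("IdP requires signed AuthnRequests but Assertion Require Sign is disabled")
    if cfg["authn_request_signed"] and cfg["sign_algo"] == "RSA-SHA1":
        problems.append("AuthNRequest Sign Algo is RSA-SHA1: SHA-1 is deprecated for signatures")
    if not idp.findall(f"{{{MD}}}SingleLogoutService"):
        problems.append("IdP advertises no SingleLogoutService: logout via "
                        f"{cfg['slo_path']} will not reach the IdP")
    return problems


def export_allowed(cfg, requester_ip):
    """Export Assertion ACL: only hosts inside the configured netmask may fetch assertions."""
    return ipaddress.ip_address(requester_ip) in ipaddress.ip_network(cfg["export_acl"], strict=False)


# Constructed IdP metadata: demands signed AuthnRequests and offers no SLO endpoint.
IDP_METADATA_SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.org">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="{SAMLP}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBplaceholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{BINDINGS['Redirect']}" Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(build_sp_metadata(SP_CONFIG, "MIIBplaceholder"))
    for p in check_idp_metadata(IDP_METADATA_SAMPLE, SP_CONFIG):
        print("WARN:", p)
    print("10.0.0.5 may fetch assertions:", export_allowed(SP_CONFIG, "10.0.0.5"))
```

Run it against the metadata you are about to import and against the SP metadata FortiADC exports: the two should agree on the entity ID, the ACS URL and binding, and whether AuthnRequests are signed, and the check flags the RSA-SHA1 default so it can be changed before the IDP is told to trust this SP.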