config user saml-sp
Use this command to configure a saml-sp user.
Syntax
config user saml-sp
    edit <name>
        set entity-id <string>
        set service-url <string>
        set assertion-consuming-service-path <string>
        set assertion-consuming-service-binding <string>
        set metadata-path <string>
        set logoff-path <string>
        set logoff-binding {post|binding}
        set local-cert <datasource>
        set auth-session-lifetime <integer>
        set auth-session-timeout <integer>
        set idp-metadata <datasource>
        set assertion-require-sign {enable|disable}
        set authnrequest-sign-algorithm {rsa-sha1|rsa-sha256|rsa-sha512}
        set sso-export {enable|disable}
        set export-assertion {enable|disable}
        set export-assertion-path <string>
        set export-cookie {enable|disable}
        config export-assertion-acl
            edit <name>
                set ip-mask <integer>
            next
        end
    next
end
| Parameter | Description |
| --- | --- |
| entity-id | Specify the SAML service provider's entity ID, which is the SAML service provider's URL. |
| service-url | Specify the SAML service URL. The default value is /SSO. |
| assertion-consuming-service-path | Specify the Assertion Consuming Service Path. The default value is /SAML2/Post. |
| assertion-consuming-service-binding | Specify the Assertion Consuming Service Binding Type. The default value is post. |
| metadata-path | Specify the Metadata Export Service Location. The default value is /Metadata. |
| logoff-path | Specify the Single Logout Path. The default value is /SLO/Logout. |
| logoff-binding | Select the Single Logout Binding Type. The default value is post. |
| local-cert | Specify a local certificate. The default is Factory. |
| auth-session-lifetime | Specify the Authentication Session Lifetime in seconds. (Range: 1-2592000, Default: 28800) |
| auth-session-timeout | Specify the Authentication Session Timeout in seconds. (Range: 1-86400, Default: 3600) |
| idp-metadata | Specify an IdP metadata file. Note: the IdP metadata file must already have been imported into FortiADC. |
| assertion-require-sign | Enable/disable signing of the SAML AuthnRequest that FortiADC sends to the IdP. This is enabled by default. |
| authnrequest-sign-algorithm | Select the AuthnRequest signing algorithm: rsa-sha1, rsa-sha256, or rsa-sha512. The default value is rsa-sha1. |
| sso-export | Enabled by default. Allows FortiADC to forward SSO information to the real server, which in turn uses the authentication information to implement the SSO function. |
| export-assertion | Enabled by default. Allows FortiADC to send the real server the URL from which the Authentication Assertion (i.e., identity information) can be fetched. |
| export-assertion-path | Specify the Export Assertion Path. The default value is /GetAssertion. |
| export-cookie | Enabled by default. Allows FortiADC to send the real server the cookie of the site that the user last visited. |
| config export-assertion-acl | Configure the list of real servers that are allowed to request authentication assertions (one entry per server or subnet). |
| ip-mask | Enter the IP address of the real server (or the IP address and netmask if the real server is one of a group of real servers) that requests authentication assertions. |
Example
config user saml-sp
    edit "sp-example"
        set entity-id foradc221-7170
        set service-url /SSO
        set assertion-consuming-service-path /SAML2/Post
        set assertion-consuming-service-binding post
        set metadata-path /Metadata
        set logoff-path /SLO/Logout
        set logoff-binding post
        set local-cert Factory
        set auth-session-lifetime 28800
        set auth-session-timeout 3600
        set idp-metadata idp-example
        set assertion-require-sign enable
        set authnrequest-sign-algorithm rsa-sha512
        set sso-export enable
        set export-assertion enable
        set export-assertion-path /GetAssertion
        set export-cookie enable
        config export-assertion-acl
            edit 1
                set ip-mask 192.168.0.2/31
            next
        end
    next
end
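The following is an added example, not FortiADC's own tooling: a small Python lint that parses a `config user saml-sp` block in the CLI format shown above and checks it against the documented ranges, flags the SHA-1-based default signing algorithm, and validates each `export-assertion-acl` ip-mask entry. The sample block, the `parse` and `lint` function names, and the finding messages are constructed for this example.

```python
import ipaddress
import re

# Constructed sample in the page's CLI format (not a real deployment); two values are deliberately bad.
SAMPLE = """config user saml-sp
    edit "sp-example"
        set auth-session-lifetime 28800
        set auth-session-timeout 90000
        set authnrequest-sign-algorithm rsa-sha1
        config export-assertion-acl
            edit 1
                set ip-mask 192.168.0.2/31
            next
            edit 2
                set ip-mask 10.0.0.300/24
            next
        end
    next
end"""

# Ranges as documented on this page; rsa-sha1 is the documented default.
RANGES = {"auth-session-lifetime": (1, 2592000), "auth-session-timeout": (1, 86400)}

def parse(text):
    """Collect every 'set key value' into a dict; ip-mask rows become a list."""
    cfg, acl = {}, []
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.+?)\s*$", line)
        if m and m.group(1) == "ip-mask":
            acl.append(m.group(2))
        elif m:
            cfg[m.group(1)] = m.group(2)
    cfg["export-assertion-acl"] = acl
    return cfg

def lint(cfg):
    """Return a list of findings; empty means the block passed every check."""
    findings = []
    for key, (lo, hi) in RANGES.items():
        v = cfg.get(key)
        if v is not None and not (v.isdigit() and lo <= int(v) <= hi):
            findings.append(f"{key}={v} is outside the documented range {lo}-{hi}")
    if cfg.get("authnrequest-sign-algorithm", "rsa-sha1") == "rsa-sha1":
        findings.append("authnrequest-sign-algorithm is rsa-sha1 (SHA-1); prefer rsa-sha256 or rsa-sha512")
    for entry in cfg["export-assertion-acl"]:
        try:
            ipaddress.ip_network(entry, strict=False)  # accepts host/prefix forms such as 192.168.0.2/31
        except ValueError:
            findings.append(f"export-assertion-acl ip-mask {entry!r} is not a valid address/prefix")
    return findings
```

Run `lint(parse(SAMPLE))` to see the three findings the sample triggers; feed it the output of `show user saml-sp` from a real unit to check a live configuration.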