Configure a SAML service provider

You must configure your SPs in order to use SAML authentication. To configure an SP, you must have the required IDP metadata file imported into FortiADC ahead of time. See Import IDP Metadata for more information.

Once you have imported the needed IDP metadata file into FortiADC, you can use the following steps to configure a SAML service provider:

  1. Click User Authentication > SAML.
  2. Select the SAML Service Providers tab, if it is not selected.
  3. Click Create New to open the SAML Service Providers configuration editor.
  4. Configure the following settings.
    Parameter Description
    SAML Service Provider
    Name

    Specify a unique name for the SAML service provider.

    Entity ID

    Specify the SAML service provider's entity ID, which is the SAML service provider's URL.

    Local Certification

    Select a Local Certification from the drop-down. The default is Factory.

    Service URL

    Specify the SAML service URL. The default value is /SSO.

    Assertion Consuming Service Binding Type

    Specify the Assertion Consuming Service Binding Type. The default value is Post.

    Assertion Consuming Service Path

    Specify the Assertion Consuming Service Path. The default value is /SAML2/Post.

    Single Logout Binding Type

    Select one of the following Single Logout Binding Types:

    • Post

    • Redirect

    The default value is Post.

    Single Logout Path

    Specify the Single Logout Path. The default value is /SLO/Logout.

    IDP Metadata

    Select an IDP metadata file from the drop-down.

    Note: You must have the IDP metadata file imported into FortiADC ahead of time.

    Metadata Export Service Location

    Specify the Metadata Export Service Location. The default value is /Metadata.

    Authentication Session Lifetime

    Specify the Authentication Session Lifetime in seconds. (Range: 1-2592000, Default: 28800)

    Authentication Session Timeout

    Specify the Authentication Session Timeout in seconds. (Range: 1-86400, Default: 3600)

    Assertion Require Sign

    Enable or disable AuthNRequest signing, which allows FortiADC to sign the SAML authentication request.

    AuthNRequest Sign Algo

    Select one of the following AuthNRequest signing algorithms:

    • RSA-SHA1

    • RSA-SHA256

    • RSA-SHA512

    The default value is RSA-SHA1.

    SSO Status

    Enabled by default. Allows FortiADC to forward SSO information to the real server, which then receives the authentication information and implements the SSO function.

    Export Assertion Status

    Enabled by default. Allows FortiADC to send the real server the URL from which the Authentication Assertion (i.e., identity information) can be fetched.

    Export Assertion Path

    Specify the Export Assertion Path. The default value is /GetAssertion.

    Export Cookie Status

    Enabled by default. Allows FortiADC to send the real server the cookie of the site that the user last visited.

    Export Assertion ACL
    IP Netmask

    Enter the IP address of the real server (or the IP Netmask if the real server is one of a group of real servers) that requests authentication assertions.

  5. Click Save when done.
  6. Optional: Click Metadata to export the SP Metadata.
    1. Specify the SP Root URL.
    2. Click Export.
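
As an added example (not FortiADC's own code or its exporter output), the following Python script models the settings above as a dataclass with the documented defaults, flags the choices a reviewer would question (plain-http URLs, the RSA-SHA1 default, inconsistent session values, an over-broad Export Assertion ACL entry), and renders the SP metadata implied by the ACS and Single Logout settings for the export in step 6. The EntityDescriptor layout and attribute names are assumptions drawn from the SAML 2.0 metadata schema, not a statement of what FortiADC exports.

```python
import ipaddress
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDINGS = {"Post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

@dataclass
class SpConfig:  # fields mirror the editor parameters above; defaults are the documented ones
    entity_id: str
    root_url: str                     # the SP Root URL entered at metadata export
    acs_binding: str = "Post"         # Assertion Consuming Service Binding Type
    acs_path: str = "/SAML2/Post"
    slo_binding: str = "Post"         # Single Logout Binding Type
    slo_path: str = "/SLO/Logout"
    session_lifetime: int = 28800     # seconds, range 1-2592000
    session_timeout: int = 3600       # seconds, range 1-86400
    sign_authn_request: bool = False  # Assertion Require Sign
    sign_algo: str = "RSA-SHA1"       # AuthNRequest Sign Algo
    export_assertion_acl: list = field(default_factory=list)  # Export Assertion ACL IP/netmask entries

def review(cfg: SpConfig) -> list:  # returns findings; an empty list means nothing to flag
    f = []
    if not (cfg.entity_id.startswith("https://") and cfg.root_url.startswith("https://")):
        f.append("Entity ID / SP Root URL is not https; SAML messages would travel in clear text")
    if cfg.sign_algo == "RSA-SHA1":
        f.append("AuthNRequest Sign Algo RSA-SHA1 is deprecated; use RSA-SHA256 or RSA-SHA512")
    if not (1 <= cfg.session_lifetime <= 2592000 and 1 <= cfg.session_timeout <= 86400):
        f.append("session lifetime/timeout is outside the documented range")
    elif cfg.session_timeout > cfg.session_lifetime:
        f.append("session timeout exceeds session lifetime; check the intended values")
    for entry in cfg.export_assertion_acl:
        try:  # a 0-length prefix means any host may fetch assertions from the export path
            if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                f.append(f"ACL entry {entry} lets any host fetch assertions; narrow it")
        except ValueError:
            f.append(f"ACL entry {entry!r} is not a valid IP address or netmask")
    return f

def sp_metadata(cfg: SpConfig) -> str:  # assumed metadata layout, not FortiADC's own exporter output
    ET.register_namespace("md", MD)
    root = cfg.root_url.rstrip("/")
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=cfg.entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", AuthnRequestsSigned=str(cfg.sign_authn_request).lower(),
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=BINDINGS[cfg.slo_binding], Location=root + cfg.slo_path)
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=BINDINGS[cfg.acs_binding],
                  Location=root + cfg.acs_path, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")
```

Compare the rendered Location values against the URLs the IDP administrator registered for this SP; a mismatch in path or scheme is the usual reason an otherwise valid response is rejected.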
