Fortinet white logo
Fortinet white logo

CLI Reference

config load-balance auth-policy

config load-balance auth-policy

Use this command to configure an auth policy. The parameters of the policy set the matching terms that mandate authentication for the data source that has authorization. The authentication server type determines the type of data source that would be referenced for the auth policy. There are three authentication server types: standard, SAML and OAuth.

For example, you can define an auth policy for a standard authentication server type that has the following logic: if the Host header matches example.com and the URI matches /index.html, then the group example-group is authorized. FortiADC supports the Basic Authentication Scheme described in RFC 2617.

Figure 3 illustrates the client-server communication when authorization is required.

Authorization and authentication

  1. The client sends an HTTP request for a URL belonging to a FortiADC virtual server that has an authorization policy.
  2. FortiADC replies with an HTTP 401 to require authorization. On the client computer, the user might be prompted with a dialog box to provide credentials.
  3. The client reply includes an Authorization header that gives the credentials.
  4. FortiADC sends a request to the server (local, LDAP, or RADIUS) to authenticate the user.
  5. The authentication server sends its response, which can be cached according to your user group configuration.
  6. If authentication is successful, FortiADC continues processing the traffic and forwards the request to the real server.
  7. The real server responds with an HTTP 200 OK.
  8. FortiADC processes the traffic and forwards the server response to the client.

Before you begin:

  • You must have created the user groups to be authorized with the policy. You also configure users and authentication servers separately.
  • You must have read-write permission for load balancing settings.

After you have configured an auth policy, you can select it in the virtual server configuration. Note the following requirements:

  • Virtual server type must be Layer 2 or Layer 7.
  • Profile type must be HTTP or HTTPS.
  • The profile option once-only must be disabled.

Define an auth policy for a standard authentication server type

Define the auth policy to use standard authentication with set type standard and reference the user group data source.

Syntax

config load-balance auth-policy

edit <name>

config member

edit 1

set host-status {enable|disable}

set host <hostname>

set type standard

set user-realm <string>

set auth-path <path>

set user-group <datasource>

next

end

next

end

host-status

If enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.

host

Specify the HTTP Host header. If host-status is enabled, the policy matches only if the hostname header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

user-realm

Realm to which the auth-path URI belongs. If a request is authenticated and a realm specified, the same credentials should be valid for all other requests within this realm.

auth-path

Require authorization only if the URI of the HTTP request matches this pathname. If none is specified, requests to any URI require authorization. The value is parsed as a match string prefix. For example, /abc matches http://www.example.com/abcd and http://www.example.com/abc/11.html but not http://www.example.com/1abcd.

user-group

User group that is authorized to access the protected resource.

Define an auth policy for a SAML authentication server type

Define the auth policy to use SAML authentication with set type SAML and reference the SAML SSO ID data source.

Syntax

config load-balance auth-policy

edit <name>

config member

edit 1

set host-status {enable|disable}

set host <hostname>

set type SAML

set auth-path <path>

set saml-sp <saml-sso-id>

next

end

next

end

host-status

If enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.

host

Specify the HTTP Host header. If host-status is enabled, the policy matches only if the hostname header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

auth-path

Require authorization only if the URI of the HTTP request matches this pathname. If none is specified, requests to any URI require authorization. The value is parsed as a match string prefix. For example, /abc matches http://www.example.com/abcd and http://www.example.com/abc/11.html but not http://www.example.com/1abcd.

saml-sp

SAML SSO ID that is authorized to access the protected resource.

Define an auth policy for an OAuth authentication server type

Define the auth policy to use OAuth authentication with set type OAuth and reference the OAuth data source.

Syntax

config load-balance auth-policy

edit <name>

config member

edit 1

set host-status {enable|disable}

set host <hostname>

set type OAuth

set auth-path <path>

set oauth <oauth-policy>

next

end

next

end

host-status

If enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.

host

Specify the HTTP Host header. If host-status is enabled, the policy matches only if the hostname header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

auth-path

Require authorization only if the URI of the HTTP request matches this pathname. If none is specified, requests to any URI require authorization. The value is parsed as a match string prefix. For example, /abc matches http://www.example.com/abcd and http://www.example.com/abc/11.html but not http://www.example.com/1abcd.

oauth

OAuth policy that is authorized to access the protected resource.

config load-balance auth-policy

config load-balance auth-policy

Use this command to configure an auth policy. The parameters of the policy set the matching terms that mandate authentication for the data source that has authorization. The authentication server type determines the type of data source that would be referenced for the auth policy. There are three authentication server types: standard, SAML and OAuth.

For example, you can define an auth policy for a standard authentication server type that has the following logic: if the Host header matches example.com and the URI matches /index.html, then the group example-group is authorized. FortiADC supports the Basic Authentication Scheme described in RFC 2617.

Figure 3 illustrates the client-server communication when authorization is required.

Authorization and authentication

  1. The client sends an HTTP request for a URL belonging to a FortiADC virtual server that has an authorization policy.
  2. FortiADC replies with an HTTP 401 to require authorization. On the client computer, the user might be prompted with a dialog box to provide credentials.
  3. The client reply includes an Authorization header that gives the credentials.
  4. FortiADC sends a request to the server (local, LDAP, or RADIUS) to authenticate the user.
  5. The authentication server sends its response, which can be cached according to your user group configuration.
  6. If authentication is successful, FortiADC continues processing the traffic and forwards the request to the real server.
  7. The real server responds with an HTTP 200 OK.
  8. FortiADC processes the traffic and forwards the server response to the client.

Before you begin:

  • You must have created the user groups to be authorized with the policy. You also configure users and authentication servers separately.
  • You must have read-write permission for load balancing settings.

After you have configured an auth policy, you can select it in the virtual server configuration. Note the following requirements:

  • Virtual server type must be Layer 2 or Layer 7.
  • Profile type must be HTTP or HTTPS.
  • The profile option once-only must be disabled.

Define an auth policy for a standard authentication server type

Define the auth policy to use standard authentication with set type standard and reference the user group data source.

Syntax

config load-balance auth-policy

edit <name>

config member

edit 1

set host-status {enable|disable}

set host <hostname>

set type standard

set user-realm <string>

set auth-path <path>

set user-group <datasource>

next

end

next

end

host-status

If enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.

host

Specify the HTTP Host header. If host-status is enabled, the policy matches only if the hostname header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

user-realm

Realm to which the auth-path URI belongs. If a request is authenticated and a realm specified, the same credentials should be valid for all other requests within this realm.

auth-path

Require authorization only if the URI of the HTTP request matches this pathname. If none is specified, requests to any URI require authorization. The value is parsed as a match string prefix. For example, /abc matches http://www.example.com/abcd and http://www.example.com/abc/11.html but not http://www.example.com/1abcd.

user-group

User group that is authorized to access the protected resource.

Define an auth policy for a SAML authentication server type

Define the auth policy to use SAML authentication with set type SAML and reference the SAML SSO ID data source.

Syntax

config load-balance auth-policy

edit <name>

config member

edit 1

set host-status {enable|disable}

set host <hostname>

set type SAML

set auth-path <path>

set saml-sp <saml-sso-id>

next

end

next

end

host-status

If enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.

host

Specify the HTTP Host header. If host-status is enabled, the policy matches only if the hostname header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

auth-path

Require authorization only if the URI of the HTTP request matches this pathname. If none is specified, requests to any URI require authorization. The value is parsed as a match string prefix. For example, /abc matches http://www.example.com/abcd and http://www.example.com/abc/11.html but not http://www.example.com/1abcd.

saml-sp

SAML SSO ID that is authorized to access the protected resource.

Define an auth policy for an OAuth authentication server type

Define the auth policy to use OAuth authentication with set type OAuth and reference the OAuth data source.

Syntax

config load-balance auth-policy

edit <name>

config member

edit 1

set host-status {enable|disable}

set host <hostname>

set type OAuth

set auth-path <path>

set oauth <oauth-policy>

next

end

next

end

host-status

If enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.

host

Specify the HTTP Host header. If host-status is enabled, the policy matches only if the hostname header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

auth-path

Require authorization only if the URI of the HTTP request matches this pathname. If none is specified, requests to any URI require authorization. The value is parsed as a match string prefix. For example, /abc matches http://www.example.com/abcd and http://www.example.com/abc/11.html but not http://www.example.com/1abcd.

oauth

OAuth policy that is authorized to access the protected resource.