Configure a SAML service provider
You must configure your SPs in order to use SAML authentication. To configure an SP, you must have the required IDP metadata file imported into FortiADC ahead of time. See Import IDP Metadata for more information.
Once you have imported the needed IDP metadata file into FortiADC, you can use the following steps to configure a SAML service provider:
- Go to User Authentication > SAML. The configuration page displays the SAML Service Providers tab.
- Click Create New to open the SAML Service Providers configuration editor.
- Configure the following settings.
| Parameter | Description |
|---|---|
| SAML Service Provider Name | Specify a unique name for the SAML service provider. |
| Entity ID | Specify the SAML service provider's entity ID, which is the SAML service provider's URL. |
| Local Certification | Select a Local Certification from the drop-down. The default is Factory. |
| Service URL | Specify the SAML service URL. The default value is /SSO. |
| Assertion Consuming Service Binding Type | Specify the Assertion Consuming Service Binding Type. The default value is Post. |
| Assertion Consuming Service Path | Specify the Assertion Consuming Service Path. The default value is /SAML2/Post. |
| Single Logout Binding Type | Select one of the following Single Logout Binding Types: Post or Redirect. The default value is Post. |
| Single Logout Path | Specify the Single Logout Path. The default value is /SLO/Logout. |
| IDP Metadata | Select an IDP metadata file from the drop-down. Note: You must have the IDP metadata file imported into FortiADC ahead of time. |
| Metadata Export Service Location | Specify the Metadata Export Service Location. The default value is /Metadata. |
| Authentication Session Lifetime | Specify the Authentication Session Lifetime in seconds. (Range: 1-2592000, Default: 28800) |
| Authentication Session Timeout | Specify the Authentication Session Timeout in seconds. (Range: 1-86400, Default: 3600) |
| Assertion Require Sign | Enable or disable AuthNRequest signing, which allows FortiADC to sign the SAML authentication request. |
| AuthNRequest Sign Algo | Select one of the following AuthNRequest signing algorithms: RSA-SHA1, RSA-SHA256, or RSA-SHA512. The default value is RSA-SHA1. |
| SSO Status | Enabled by default. Allows FortiADC to forward SSO information to the real server, which in turn obtains the authentication information and implements the SSO function. |
| Export Assertion Status | Enabled by default. Allows FortiADC to send the real server the URL from which the Authentication Assertion (i.e., identity information) can be fetched. |
| Export Assertion Path | Specify the Export Assertion Path. The default value is /GetAssertion. |
| Export Cookie Status | Enabled by default. Allows FortiADC to send the real server the cookie of the site that the user last visited. |
| Export Assertion ACL IP Netmask | Enter the IP address of the real server (or the IP netmask if the real server is one of a group of real servers) that requests authentication assertions. |
- Click Save when done.
- Optional: Click Metadata to export the SP Metadata.
  - Specify the SP Root URL.
  - Click Export.
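As an added example (not FortiADC's own code or its metadata export), the following Python check reads an SP metadata document in the standard SAML 2.0 metadata schema and verifies the settings configured above: that the Assertion Consuming Service and Single Logout endpoints sit under the SP Root URL with a Post or Redirect binding, that AuthNRequest signing is on, and that the selected AuthNRequest Sign Algo is not the SHA-1 default. The sample metadata, the SP Root URL https://sp.example.com and the WantAssertionsSigned check are assumptions of this example; it goes beyond the page by using the generic metadata format rather than any FortiADC-specific output.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample SP metadata (not a real FortiADC export); paths mirror the
# page's defaults (/SAML2/Post, /SLO/Logout) under an assumed SP Root URL.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.com/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://sp.example.com/SLO/Logout"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0" isDefault="true"
        Location="https://sp.example.com/SAML2/Post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, sp_root_url, authn_sign_algo):
    """Return a list of findings; an empty list means the metadata looks sound."""
    findings = []
    ns = {"md": MD}
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", ns)
    if sp is None:
        return ["no SPSSODescriptor element in metadata"]
    if not root.get("entityID", "").startswith("https://"):
        findings.append("entityID is not an https URL")
    # Every ACS and SLO endpoint must live under the SP Root URL and use Post or Redirect.
    prefix = sp_root_url.rstrip("/") + "/"
    endpoints = sp.findall("md:AssertionConsumerService", ns)
    endpoints += sp.findall("md:SingleLogoutService", ns)
    for svc in endpoints:
        name = svc.tag.rsplit("}", 1)[-1]
        loc = svc.get("Location", "")
        if not loc.startswith(prefix):
            findings.append(f"{name} location {loc} is outside the SP Root URL")
        if svc.get("Binding") not in (HTTP_POST, HTTP_REDIRECT):
            findings.append(f"{name} uses unexpected binding {svc.get('Binding')}")
    if sp.get("AuthnRequestsSigned") != "true":
        findings.append("AuthnRequestsSigned is not true; Assertion Require Sign looks disabled")
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not true; SP does not demand signed assertions")
    # The page's default AuthNRequest Sign Algo is RSA-SHA1; SHA-1 is deprecated for signatures.
    if authn_sign_algo.upper().endswith("SHA1"):
        findings.append(f"{authn_sign_algo} relies on SHA-1; choose RSA-SHA256 or RSA-SHA512")
    return findings
```

Run `check_sp_metadata(SAMPLE_SP_METADATA, "https://sp.example.com", "RSA-SHA1")` against a real export after replacing the sample document and root URL; each returned string is one setting to revisit in the editor.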