CLI Reference

config user saml

SAML server entry configuration.

config user saml
    Description: SAML server entry configuration.
    edit <name>
        set cert {string}
        set entity-id {string}
        set single-sign-on-url {string}
        set single-logout-url {string}
        set idp-entity-id {string}
        set idp-single-sign-on-url {string}
        set idp-single-logout-url {string}
        set idp-cert {string}
        set user-name {string}
        set group-name {string}
        set digest-method [sha1|sha256]
        set limit-relaystate [enable|disable]
        set clock-tolerance {integer}
        set adfs-claim [enable|disable]
        set user-claim-type [email|given-name|...]
        set group-claim-type [email|given-name|...]
    next
end
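A complete entry built from the syntax above, added here as an example and not taken from the Fortinet reference. Every name and URL is a constructed placeholder (the real SP URLs depend on which FortiGate feature the entry protects, and the certificate names must match objects already loaded on the unit); the `#` lines are annotations. It keeps the defaults where they are safe and changes the two settings a reviewer would flag: the default digest method is sha1, and the clock skew window is best kept at the small default rather than raised towards the 300 s maximum.

```text
config user saml
    edit "example-idp"
        # SP side (this FortiGate): what the IdP is told to trust
        set cert "sp-signing-cert"
        set entity-id "https://sp.example.test/saml/metadata"
        set single-sign-on-url "https://sp.example.test/saml/login"
        set single-logout-url "https://sp.example.test/saml/logout"
        # IdP side: entity ID, endpoints and the certificate used to verify its assertions
        set idp-entity-id "https://idp.example.test/saml/metadata"
        set idp-single-sign-on-url "https://idp.example.test/saml/sso"
        set idp-single-logout-url "https://idp.example.test/saml/slo"
        set idp-cert "idp-example-signing"
        # Attribute names read from the assertion (adfs-claim left at its default, disable;
        # with adfs-claim enable the user-claim-type / group-claim-type selections apply instead)
        set user-name "username"
        set group-name "group"
        # Hardening: default digest-method is sha1; clock-tolerance default is 15 s (0..300);
        # limit-relaystate enforces the 80-byte SAML 2.0 RelayState limit
        set digest-method sha256
        set clock-tolerance 15
        set limit-relaystate enable
    next
end
```

Values to verify after entering the entry: `idp-cert` must name the IdP's current signing certificate (an assertion signed with any other key is rejected), and `entity-id` must match what the IdP has registered for this SP, or the IdP will refuse the AuthnRequest.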

config user saml

cert
    Certificate to sign SAML messages.
    Type: string. Maximum length: 35.

entity-id
    SP entity ID.
    Type: string. Maximum length: 255.

single-sign-on-url
    SP single sign-on URL.
    Type: string. Maximum length: 255.

single-logout-url
    SP single logout URL.
    Type: string. Maximum length: 255.

idp-entity-id
    IDP entity ID.
    Type: string. Maximum length: 255.

idp-single-sign-on-url
    IDP single sign-on URL.
    Type: string. Maximum length: 255.

idp-single-logout-url
    IDP single logout URL.
    Type: string. Maximum length: 255.

idp-cert
    IDP certificate name.
    Type: string. Maximum length: 35.

user-name
    User name in assertion statement.
    Type: string. Maximum length: 255.

group-name
    Group name in assertion statement.
    Type: string. Maximum length: 255.

digest-method
    Digest method algorithm.
    Type: option. Default: sha1.
    Options:
        sha1     Digest method algorithm is SHA1.
        sha256   Digest method algorithm is SHA256.

limit-relaystate
    Enable/disable limiting of the relay-state parameter when it exceeds the SAML 2.0 specification limit (80 bytes).
    Type: option. Default: disable.
    Options:
        enable    Enable limiting of the relay-state parameter when it exceeds the SAML 2.0 specification limit (80 bytes).
        disable   Disable limiting of the relay-state parameter when it exceeds the SAML 2.0 specification limit (80 bytes).

clock-tolerance
    Clock skew tolerance in seconds.
    Type: integer. Minimum value: 0. Maximum value: 300. Default: 15.

adfs-claim
    Enable/disable ADFS claim for user/group attribute in assertion statement.
    Type: option. Default: disable.
    Options:
        enable    Enable ADFS claim for user/group attribute in assertion statement.
        disable   Disable ADFS claim for user/group attribute in assertion statement.

user-claim-type
    User name claim in assertion statement.
    Type: option. Default: upn.
    Options:
        email                        E-mail address of the user.
        given-name                   Given name of the user.
        name                         Unique name of the user.
        upn                          User principal name (UPN) of the user.
        common-name                  Common name of the user.
        email-adfs-1x                E-mail address of the user when interoperating with AD FS 1.1 or AD FS 1.0.
        group                        Group that the user is a member of.
        upn-adfs-1x                  User principal name (UPN) of the user.
        role                         Role that the user has.
        sur-name                     Surname of the user.
        ppid                         Private identifier of the user.
        name-identifier              SAML name identifier of the user.
        authentication-method        Method used to authenticate the user.
        deny-only-group-sid          Deny-only group SID of the user.
        deny-only-primary-sid        Deny-only primary SID of the user.
        deny-only-primary-group-sid  Deny-only primary group SID of the user.
        group-sid                    Group SID of the user.
        primary-group-sid            Primary group SID of the user.
        primary-sid                  Primary SID of the user.
        windows-account-name         Domain account name of the user in the form of <domain>\<user>.

group-claim-type
    Group claim in assertion statement.
    Type: option. Default: group.
    Options:
        email                        E-mail address of the user.
        given-name                   Given name of the user.
        name                         Unique name of the user.
        upn                          User principal name (UPN) of the user.
        common-name                  Common name of the user.
        email-adfs-1x                E-mail address of the user when interoperating with AD FS 1.1 or AD FS 1.0.
        group                        Group that the user is a member of.
        upn-adfs-1x                  User principal name (UPN) of the user.
        role                         Role that the user has.
        sur-name                     Surname of the user.
        ppid                         Private identifier of the user.
        name-identifier              SAML name identifier of the user.
        authentication-method        Method used to authenticate the user.
        deny-only-group-sid          Deny-only group SID of the user.
        deny-only-primary-sid        Deny-only primary SID of the user.
        deny-only-primary-group-sid  Deny-only primary group SID of the user.
        group-sid                    Group SID of the user.
        primary-group-sid            Primary group SID of the user.
        primary-sid                  Primary SID of the user.
        windows-account-name         Domain account name of the user in the form of <domain>\<user>.
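The clock-tolerance and limit-relaystate parameters in the table describe two checks an SP applies to an incoming SAML response. The following Python is an added example, not Fortinet code, that shows what those checks do over a constructed assertion. It assumes the tolerance is applied symmetrically to the NotBefore/NotOnOrAfter window of the assertion's Conditions element (the usual SP behaviour) and that the RelayState limit is the 80-byte SAML 2.0 Bindings limit the reference quotes; the assertion, timestamps and function names are all constructed for this example.

```python
"""Added example (not Fortinet code): the two SAML-side limits from the
`config user saml` reference, applied the way an SP would apply them.

Assumptions (not stated on the page):
  * clock-tolerance widens the assertion's NotBefore / NotOnOrAfter window
    by the given number of seconds on each side.
  * limit-relaystate enforces the SAML 2.0 Bindings limit of 80 bytes on
    the RelayState value.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
RELAYSTATE_MAX_BYTES = 80          # SAML 2.0 limit quoted by the reference
CLOCK_TOLERANCE_MAX = 300          # CLI maximum for clock-tolerance


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime as used in SAML, e.g. '2024-05-01T12:00:00Z'."""
    if value.endswith("Z"):                    # fromisoformat < 3.11 rejects 'Z'
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("SAML timestamps must carry a timezone")
    return dt.astimezone(timezone.utc)


def conditions_valid(assertion_xml: str, now: datetime, clock_tolerance: int) -> bool:
    """True if `now` lies inside the Conditions window widened by the skew."""
    if not 0 <= clock_tolerance <= CLOCK_TOLERANCE_MAX:
        raise ValueError("clock-tolerance must be between 0 and 300 seconds")
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False                           # no validity window: reject
    skew = timedelta(seconds=clock_tolerance)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_instant(not_before) - skew:
        return False                           # too early, even allowing skew
    if not_on_or_after and now >= parse_saml_instant(not_on_or_after) + skew:
        return False                           # expired, even allowing skew
    return True


def relaystate_ok(relay_state: str, limit_relaystate: bool) -> bool:
    """With limit-relaystate enabled, reject RelayState values over 80 bytes."""
    if not limit_relaystate:
        return True
    return len(relay_state.encode("utf-8")) <= RELAYSTATE_MAX_BYTES


# Constructed sample assertion with a five-minute validity window.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""

SAMPLE_NOT_BEFORE = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def check_sample(offset_seconds: int, clock_tolerance: int) -> bool:
    """Evaluate the sample assertion at NotBefore + offset_seconds."""
    now = SAMPLE_NOT_BEFORE + timedelta(seconds=offset_seconds)
    return conditions_valid(SAMPLE_ASSERTION, now, clock_tolerance)


if __name__ == "__main__":
    # An SP clock 10 s behind the IdP passes with the default 15 s, fails with 0.
    print("10 s early, tolerance 15:", check_sample(-10, 15))
    print("10 s early, tolerance 0: ", check_sample(-10, 0))
    # 10 s after expiry: the default 15 s still accepts it; 5 s does not.
    print("10 s late, tolerance 15: ", check_sample(310, 15))
    print("10 s late, tolerance 5:  ", check_sample(310, 5))
    print("81-byte RelayState, limit on:", relaystate_ok("x" * 81, True))
```

The skew window is the reason clock-tolerance is worth keeping small: every second added to it is a second longer that a captured assertion stays replayable after its NotOnOrAfter, so raising it towards 300 is a workaround for unsynchronised clocks, not a setting to leave in place once NTP is fixed.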
