user saml-user

Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or end users via a Security Assertion Markup Language (SAML) server.

To use a SAML server for client authentication, select it in a site publish rule. For details, see waf site-publish-helper rule.

To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

Syntax

config user saml-user
  edit "<saml_server_name>"
    set entityID "<server_URL>"
    set service-path "<server_URL_path>"
    set slo-bind {post | redirect}
    set slo-path "<slo_URL_path>"
    set sso-bind <post>
    set sso-path "<sso_URL_path>"
  next
end

Variable / Description / Default

"<saml_server_name>"
    Enter a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    Default: No default.

entityID "<server_URL>"
    Enter the URL for the SAML server. The communications protocol must be HTTPS.
    Default: No default.

service-path "<server_URL_path>"
    Enter a path for the SAML server at the URL you specified in entityID "<server_URL>".
    Default: No default.

slo-bind {post | redirect}
    Select the binding that the server will use when the service provider initiates a single logout request:
      • POST—SAML protocol messages are transported via the user's browser in an XHTML document using base64 encoding.
      • REDIRECT—SAML protocol messages are carried in the URL of an HTTP GET request. Because the length of URLs is limited, this option is best suited to shorter messages. If the SAML message contains information that the IDP is not yet aware of, you can sign the message for security purposes.
    Default: POST

slo-path "<slo_URL_path>"
    Enter a partial URL that the IDP will use to confirm with the service provider that a user has been logged out.
    Default: No default.

sso-bind <post>
    Select the binding that the server will use to transport the SAML authentication request to the IDP.
    Default: POST

sso-path "<sso_URL_path>"
    Enter a partial URL that the IDP will use to confirm with the service provider that a user has been authenticated.
    Default: No default.

Example

This example configures a SAML server at https://sp.example.com/samlsp. We specify the Service Path, Assertion Consumer Service (ACS), and Single Logout Service (SLS). We use a POST binding for ACS and a REDIRECT binding for SLS.

config user saml-user
  edit "saml_example"
    set entityID "https://sp.example.com/samlsp"
    set service-path "/saml.sso"
    set slo-bind redirect
    set slo-path "/SLO/REDIRECT"
    set sso-bind post
    set sso-path "/SAML2/POST"
  next
end
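The example above uses REDIRECT for single logout and POST for the authentication request; the two bindings differ in how the SAML message travels. The following Python is an added illustration, not FortiWeb code: it encodes a constructed LogoutRequest the way each binding does (base64 in a form field for POST; raw DEFLATE, base64 and URL-encoding in a GET query string for REDIRECT), decodes both back, and checks the redirect URL against a length limit, which is why the reference recommends REDIRECT only for shorter messages. The endpoint URL, the sample message and the 2048-character limit are assumptions; signing of the redirect message is not shown.

```python
import base64
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample SAML LogoutRequest (illustrative only, not captured from
# FortiWeb or any IdP); the Issuer matches the entityID used in the example.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com/samlsp</saml:Issuer>'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'user@example.com</saml:NameID>'
    '</samlp:LogoutRequest>'
)

# Assumed conservative URL length limit; browsers and proxies differ.
REDIRECT_URL_LIMIT = 2048


def post_binding_field(xml: str) -> str:
    """HTTP-POST binding: the XML is base64-encoded into a hidden form field
    (SAMLRequest or SAMLResponse) of an XHTML page the browser auto-submits."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def post_binding_decode(field: str) -> str:
    """Reverse of post_binding_field: base64-decode back to the XML text."""
    return base64.b64decode(field).decode("utf-8")


def redirect_binding_url(endpoint: str, xml: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: the XML is raw-DEFLATE compressed, base64-encoded
    and URL-encoded into the query string of a GET to the endpoint."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{endpoint}?{urlencode(params)}"


def redirect_binding_decode(url: str) -> str:
    """Reverse of redirect_binding_url: parse the query, base64-decode, inflate."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def fits_redirect_limit(url: str, limit: int = REDIRECT_URL_LIMIT) -> bool:
    """The whole message must fit in the request URL under the Redirect binding."""
    return len(url) <= limit
```

Run redirect_binding_url with a larger message (for example a LogoutRequest carrying many SessionIndex elements) to see the URL grow past the limit, which is the case where the POST binding is the safer choice.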

Related topic