user saml-user
Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or end users via a Security Assertion Markup Language (SAML) server.
To use a SAML server for client authentication, select it in a site publish rule. For details, see waf site-publish-helper rule.
To use this command, your administrator account's access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.
Syntax
config user saml-user
    edit "<saml_server_name>"
        set entityID "<server_URL>"
        set service-path "<server_URL_path>"
        set slo-bind {post | redirect}
        set slo-path "<logout_URL_path>"
        set sso-bind {post}
        set sso-path "<login_URL_path>"
    next
end
Variable | Description | Default |
"<saml_server_name>" | Enter a name that can be referenced by other parts of the configuration. The maximum length is 63 characters. | No default. |
entityID "<server_URL>" | Enter the URL for the SAML server. The communications protocol must be HTTPS. | No default. |
service-path "<server_URL_path>" | Enter a path for the SAML server at the URL you specified in entityID "<server_URL>". | No default. |
slo-bind {post | redirect} | Select the binding that the server will use when the service provider initiates a single logout request. | POST |
slo-path "<logout_URL_path>" | Enter a partial URL that the IDP will use to confirm with the service provider that a user has been logged out. | No default. |
sso-bind {post} | Select the binding that the server will use to transport the SAML authentication request to the IDP. | POST |
sso-path "<login_URL_path>" | Enter a partial URL that the IDP will use to confirm with the service provider that a user has been authenticated. | No default. |
Example
This example configures a SAML server at HTTPs://sp.example.com/samlsp. We specify the Service Path, Assertion Consumer Service (ACS), and Single Logout Service (SLS). We use a POST binding for ACS and a REDIRECT binding for SLS.
config user saml-user
    edit "saml_example"
        set entityID "HTTPs://sp.example.com/samlsp"
        set service-path "/saml.sso"
        set slo-bind redirect
        set slo-path "/SLO/REDIRECT"
        set sso-bind post
        set sso-path "/SAML2/POST"
    next
end
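As an added example (not FortiWeb code), the following Python script parses a saved user saml-user block like the one above and checks it against the constraints this page states: entityID must be an HTTPS URL, the three paths must be absolute, slo-bind must be post or redirect, and sso-bind only accepts post. The sample block is constructed from the example above; a configuration backup or "show" output is the assumed input format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the CLI block from this page, as it would appear
# in a configuration backup. The mixed-case scheme still parses as https.
SAMPLE_CONFIG = """\
config user saml-user
    edit "saml_example"
        set entityID "HTTPs://sp.example.com/samlsp"
        set service-path "/saml.sso"
        set slo-bind redirect
        set slo-path "/SLO/REDIRECT"
        set sso-bind post
        set sso-path "/SAML2/POST"
    next
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')

def parse_saml_user(text):
    """Return {entry_name: {variable: value}} for each 'edit' in the block."""
    entries, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith('edit '):
            current = stripped[5:].strip().strip('"')
            entries[current] = {}
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                entries[current][m.group(1)] = m.group(2).strip('"')
    return entries

def check_entry(cfg):
    """List violations of the constraints this page states for one entry."""
    findings = []
    url = urlsplit(cfg.get('entityID', ''))
    if url.scheme.lower() != 'https' or not url.netloc:
        findings.append('entityID must be an HTTPS URL')
    for key in ('service-path', 'slo-path', 'sso-path'):
        if not cfg.get(key, '').startswith('/'):
            findings.append(f'{key} is missing or not an absolute path')
    if cfg.get('slo-bind', 'post') not in ('post', 'redirect'):
        findings.append('slo-bind must be post or redirect')
    if cfg.get('sso-bind', 'post') != 'post':
        findings.append('sso-bind only accepts post')
    return findings
```

Running check_entry over every entry returned by parse_saml_user gives an empty list for the page's example and one finding per violated constraint otherwise.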