CLI Reference

user saml-user

Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or end users via a Security Assertion Markup Language (SAML) server.

To use a SAML server for client authentication, you need to first add this SAML server to a SAML server pool (for details, see waf site-publish-helper saml-spool), then select the server pool in a site publish rule (for details, see waf site-publish-helper rule).

To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

Syntax

config user saml-user

edit "<saml_server_name>"

set entityID "<server_URL>"

set service-path "<server_URL_path>"

set enforce-signing {enable | disable}

set slo-bind {post | redirect}

set slo-path "<slo_URL_path>"

set sso-bind <post>

set sso-path "<sso_URL_path>"

config mapping-domains

edit <index>

set domain <domain_name>

next

end

next

end

Variable Description Default

"<saml_server_name>"

Enter a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.

No default.

entityID "<server_URL>"

Enter the URL for the SAML server. The communications protocol must be HTTPS.

No default.

service-path "<server_URL_path>"

Enter a path for the SAML server at the URL you specified in entityID "<server_URL>".

No default.

enforce-signing {enable | disable}

Enable to digitally sign the SAML messages that FortiWeb sends; the Identity Provider then verifies the signature to confirm that the message has not been altered in transit.

disable

slo-bind {post | redirect}

Select the binding that the server will use when the service provider initiates a single logout request:

  • POST—SAML protocol messages are transported via the user's browser in an XHTML document using base64-encoding.
  • REDIRECT—SAML protocol messages will be carried in the URL of an HTTP GET request. Because the length of URLs is limited, this option is best for shorter messages. If the SAML message contains information that the IDP is not yet aware of, you can sign the message for security purposes.

POST

slo-path "<slo_URL_path>"

Enter a partial URL that the IDP will use to confirm with the service provider that a user has been logged out.

No default.

sso-bind <post>

Select the binding that the server will use to transport the SAML authentication request to the IDP. Only the POST binding is available for this option.

POST

sso-path "<sso_URL_path>"

Enter a partial URL that the IDP will use to confirm with the service provider that a user has been authenticated.

No default.

<index>

Enter the index number for the domain name.

No default.

domain <domain_name>

Add domain names for this server. When users log in with an email address suffixed with the specified domain name, the authentication request will be forwarded to this SAML server.
For instance, if a user enters "xxx@example.com" in the Email field, FortiWeb will forward the request to the SAML server which is configured with the domain name "example.com".

You can add multiple domain names for one SAML server. Similarly, multiple SAML servers may be associated with the same domain name.

No default.
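The slo-bind description above says only that POST carries the message base64-encoded in an XHTML document and that REDIRECT carries it in the URL of a GET request and can be signed. The following is an added illustration, not code from Fortinet or from this reference, of what each binding actually puts on the wire for one LogoutRequest: the POST form with its hidden field, and the Redirect query built as raw DEFLATE, base64, then URL-encoding. It also shows the detail that matters for verification under the Redirect binding: the signature is not inside the XML but is computed over the URL-encoded string SAMLRequest=...&RelayState=...&SigAlg=... in that fixed order, so a receiver must rebuild those octets from the raw parameter values it received. The LogoutRequest, the IdP URL https://idp.example.com/slo and the RelayState value are constructed sample data.

```python
import base64
import html
import urllib.parse
import zlib
from typing import Optional, Tuple

# Constructed sample LogoutRequest for illustration; not captured from a real deployment.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' ID="_example-logout-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"'
    ' Destination="https://idp.example.com/slo">'
    '<saml:Issuer>https://sp.example.com/samlsp</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'user@example.com</saml:NameID>'
    '<samlp:SessionIndex>_session-1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def post_binding_field(xml: str) -> str:
    """HTTP-POST binding: the message is base64-encoded as-is (no compression)."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post_field(value: str) -> str:
    return base64.b64decode(value).decode("utf-8")


def post_binding_form(xml: str, action_url: str, relay_state: Optional[str] = None) -> str:
    """The XHTML document the browser auto-submits to the receiver under HTTP-POST.
    An XML signature, if any, travels inside the message itself."""
    fields = [f'<input type="hidden" name="SAMLRequest" value="{html.escape(post_binding_field(xml))}"/>']
    if relay_state is not None:
        fields.append(f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>')
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(action_url)}">' + "".join(fields) +
        '<noscript><input type="submit" value="Continue"/></noscript></form></body></html>'
    )


def redirect_binding_query(xml: str, relay_state: Optional[str] = None,
                           sig_alg: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encode, carried in a GET query.
    Returns (query, octets_to_sign). Under this binding the signature is not inside the
    XML: it is computed over exactly 'SAMLRequest=..[&RelayState=..]&SigAlg=..' as
    URL-encoded, and the caller appends '&Signature=<base64>' to the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode("ascii"))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if sig_alg is not None:
        params.append(("SigAlg", sig_alg))
    query = urllib.parse.urlencode(params)
    return query, (query if sig_alg is not None else None)


def append_signature(query: str, signature_b64: str) -> str:
    """Sender appends the base64 signature value computed over octets_to_sign."""
    return query + "&" + urllib.parse.urlencode([("Signature", signature_b64)])


def decode_redirect_query(query: str) -> dict:
    """Receiver side. Inflates the message and rebuilds the signed octets from the
    raw (still URL-encoded) parameter values in the spec's fixed order, because the
    sender's own encoding of those values is what it signed, not the decoded form."""
    raw = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        raw[key] = value
    decoded = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    xml = zlib.decompress(base64.b64decode(decoded["SAMLRequest"]), -15).decode("utf-8")
    signed_octets = None
    if "SigAlg" in raw:
        pieces = ["SAMLRequest=" + raw["SAMLRequest"]]
        if "RelayState" in raw:
            pieces.append("RelayState=" + raw["RelayState"])
        pieces.append("SigAlg=" + raw["SigAlg"])
        signed_octets = "&".join(pieces)
    return {"xml": xml, "signature_present": "Signature" in raw, "signed_octets": signed_octets}


def size_comparison(xml: str) -> Tuple[int, int]:
    """Bytes on the wire for the same message under each binding (POST form vs. GET query)."""
    form = post_binding_form(xml, "https://idp.example.com/slo")
    query, _ = redirect_binding_query(xml)
    return len(form), len(query)
```

A receiver that accepts the Redirect binding should treat a query with no Signature parameter as unsigned and reject it when signing is enforced; the `signature_present` flag above is where that decision hooks in. The actual RSA verification over `signed_octets` is left to the XML-DSig library in use.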

Example

This example configures a SAML server at https://sp.example.com/samlsp. We specify the Service Path, Assertion Consumer Service (ACS), and Single Logout Service (SLS). We use a POST binding for ACS and a REDIRECT binding for SLS.

config user saml-user

edit "saml_example"

set entityID "https://sp.example.com/samlsp"

set service-path "/saml.sso"

set slo-bind redirect

set slo-path "/SLO/REDIRECT"

set sso-bind post

set sso-path "/SAML2/POST"

next

end
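The example stanza above is typed by hand; when many SAML servers are provisioned it is worth generating the stanza from a description and checking the constraints this reference states (name of at most 63 characters, HTTPS entityID, post or redirect for slo-bind, post only for sso-bind) before pasting it in. The following is an added example written for this page, not a Fortinet tool, that renders the stanza including the mapping-domains sub-table and also implements the domain-to-server lookup described under mapping-domains, returning every server that maps the domain because the reference allows several servers per domain. The indentation, the exact-domain matching (no subdomain matching) and the DNS-name check on domains are assumptions of the example, not statements from the reference; the second server and its domains are constructed sample data.

```python
import re
from typing import List

# Constraints stated in the CLI reference above.
MAX_NAME_LEN = 63
SLO_BINDINGS = ("post", "redirect")
SSO_BINDINGS = ("post",)
# Assumption of this example: a mapping domain should be a syntactically valid DNS name.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def validate_saml_user(cfg: dict) -> List[str]:
    """Return the problems a stanza has; an empty list means it is acceptable."""
    problems = []
    name = cfg.get("name", "")
    if not name or len(name) > MAX_NAME_LEN:
        problems.append(f"name must be 1-{MAX_NAME_LEN} characters")
    if not cfg.get("entityID", "").lower().startswith("https://"):
        problems.append("entityID must be an HTTPS URL")
    if cfg.get("slo-bind", "post") not in SLO_BINDINGS:
        problems.append("slo-bind must be post or redirect")
    if cfg.get("sso-bind", "post") not in SSO_BINDINGS:
        problems.append("sso-bind only supports post")
    for d in cfg.get("mapping-domains", []):
        if not DOMAIN_RE.match(d):
            problems.append(f"mapping-domain {d!r} is not a valid DNS name")
    return problems


def render_saml_user(cfg: dict) -> str:
    """Emit the config user saml-user stanza in the syntax shown in this reference."""
    problems = validate_saml_user(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    out = ["config user saml-user", f'    edit "{cfg["name"]}"',
           f'        set entityID "{cfg["entityID"]}"']
    for key in ("service-path", "enforce-signing", "slo-bind", "slo-path", "sso-bind", "sso-path"):
        if key in cfg:
            val = cfg[key]
            quoted = f'"{val}"' if key.endswith("path") else val  # paths are quoted, keywords are not
            out.append(f"        set {key} {quoted}")
    domains = cfg.get("mapping-domains", [])
    if domains:
        out.append("        config mapping-domains")
        for i, d in enumerate(domains, 1):
            out += [f"            edit {i}", f"                set domain {d}", "            next"]
        out.append("        end")
    out += ["    next", "end"]
    return "\n".join(out)


def route_email(servers: List[dict], email: str) -> List[str]:
    """Names of the SAML servers whose mapping-domains match the address's domain.
    Several servers may share a domain, so all matches are returned. Assumption made
    here (not stated in the reference): the match is on the exact domain after '@',
    compared case-insensitively, with no subdomain matching."""
    if email.count("@") != 1 or email.endswith("@"):
        return []
    domain = email.rsplit("@", 1)[1].lower()
    return [s["name"] for s in servers
            if domain in {d.lower() for d in s.get("mapping-domains", [])}]


# The stanza from the Example above, plus two constructed domain mappings.
EXAMPLE = {
    "name": "saml_example",
    "entityID": "https://sp.example.com/samlsp",
    "service-path": "/saml.sso",
    "slo-bind": "redirect",
    "slo-path": "/SLO/REDIRECT",
    "sso-bind": "post",
    "sso-path": "/SAML2/POST",
    "mapping-domains": ["example.com", "corp.example.net"],
}

if __name__ == "__main__":
    print(render_saml_user(EXAMPLE))
    print(route_email([EXAMPLE], "alice@Example.com"))
```

When `route_email` returns more than one name, the choice between those servers is made by the SAML server pool the site publish rule references, which is outside this command.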
