
CLI Reference


config user saml-sp

Use this command to configure a SAML service provider (saml-sp) entry, which lets FortiADC act as the service provider in a SAML single sign-on exchange with an identity provider (IdP).

Syntax

config user saml-sp
    edit <name>
        set entity-id <ip address>
        set local-cert <default is Factory>
        set assertion-consuming-service-binding <post>
        set assertion-consuming-service-path <string>
        set auth-session-lifetime <integer>
        set auth-session-timeout <integer>
        set export-assertion <enable/disable>
        set export-assertion-path <string>
        set export-cookie <enable/disable>
        set logoff-binding <post>
        set idp-metadata <datasource>
        set service-url <string>
        set sso-export <enable/disable>

name

Specify a unique name for the SAML service provider.

comments

Set a string for comments.

idp-file

Select a preexisting idp-file.

entity-id

Specify the SAML service provider's entity ID, which is the SAML service provider's URL.

local-cert

Select the local certificate that the service provider uses. The default is Factory.

service-url

/SSO

assertion-consuming-service-binding

post

assertion-consuming-service-path

/SAML2/Post

logoff-binding

post

logoff-path

/SLO/Logout

idp-metadata

Select an IDP metadata file.

Note: You must have the IDP metadata file imported into FortiADC ahead of time.

metadata-path

/Metadata

auth-session-lifetime

28800

auth-session-timeout

3600

sso-export

Enabled by default. When enabled, FortiADC forwards the SSO information to the real server, which uses that authentication information to complete the SSO function.

export-assertion

Enabled by default. When enabled, FortiADC sends the real server the URL from which the authentication assertion (i.e., the identity information) can be fetched.

export-assertion-path

/GetAssertion

export-cookie

Enabled by default. When enabled, FortiADC sends the real server the cookie of the site that the user last visited.

Example


adc-3-228 (root) # config user saml-sp
adc-3-228 (saml-sp) # edit 1
adc-3-228 (1) # set entity-id 103.203.13.12
adc-3-228 (1) # set service-url /SSO
adc-3-228 (1) # set idp-metadata fortiauth-idp-666
adc-3-228 (1) # set sso-export enable
adc-3-228 (1) # get
entity-id : 103.203.13.12
service-url : /SSO
assertion-consuming-service-path: /SAML2/Post
assertion-consuming-service-binding: post
metadata-path : /Metadata
logoff-path : /SLO/Logout
logoff-binding : post
local-cert :
auth-session-lifetime : 28800
auth-session-timeout : 3600
idp-metadata : fortiauth-idp-666
sso-export : enable
export-assertion : enable
export-assertion-path : /GetAssertion
export-cookie : enable
next
end
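The parameter descriptions above and the `get` output in the example session together describe what a correctly populated saml-sp entry looks like. The following script, an added example that is not part of the Fortinet reference or of any FortiADC tooling, parses `get` output of the form shown on this page and runs the checks a reviewer would want before the entry goes live: required fields present, both bindings set to post, the session timeout not exceeding the session lifetime, a local certificate selected, the entity ID given as a URL (as the reference describes it), and a reminder when export-cookie is enabled so the team can confirm the real server actually needs that cookie. The sample input is the `get` output from the page's example; the check thresholds and the finding wording are the script's own assumptions.

```python
import re
from typing import Dict, List, Optional

# "get" output copied from this page's example session (not constructed).
SAMPLE_GET_OUTPUT = """\
entity-id : 103.203.13.12
service-url : /SSO
assertion-consuming-service-path: /SAML2/Post
assertion-consuming-service-binding: post
metadata-path : /Metadata
logoff-path : /SLO/Logout
logoff-binding : post
local-cert :
auth-session-lifetime : 28800
auth-session-timeout : 3600
idp-metadata : fortiauth-idp-666
sso-export : enable
export-assertion : enable
export-assertion-path : /GetAssertion
export-cookie : enable
"""

# Accepts both "key : value" and "key: value"; an empty value parses as "".
_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*:\s*(.*?)\s*$")


def parse_get_output(text: str) -> Dict[str, str]:
    """Turn the CLI's 'key : value' lines into a dict of strings."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def _as_int(value: Optional[str]) -> Optional[int]:
    """Parse an integer setting; None when absent or not numeric."""
    if value is None or not value.strip().isdigit():
        return None
    return int(value)


def audit_saml_sp(settings: Dict[str, str]) -> List[str]:
    """Return findings for one saml-sp entry; an empty list means all checks passed.

    Each finding starts with the parameter name it concerns, so callers can
    filter on a stable prefix. The checks are this script's assumptions about a
    sane deployment, derived from the parameter descriptions in the reference.
    """
    findings: List[str] = []

    # Fields without which the SP cannot complete an exchange with the IdP.
    for key in ("entity-id", "idp-metadata", "service-url",
                "assertion-consuming-service-path"):
        if not settings.get(key):
            findings.append(f"{key}: missing or empty")

    # The reference lists Factory as the default certificate; an empty value
    # means no certificate was selected for the SP at all.
    if not settings.get("local-cert"):
        findings.append("local-cert: empty; select the certificate the SP should use "
                        "(the reference lists Factory as the default)")

    # The syntax block admits only 'post' for both bindings.
    for key in ("assertion-consuming-service-binding", "logoff-binding"):
        if settings.get(key, "").lower() != "post":
            findings.append(f"{key}: expected 'post', got {settings.get(key)!r}")

    # An idle timeout longer than the absolute lifetime can never take effect.
    lifetime = _as_int(settings.get("auth-session-lifetime"))
    timeout = _as_int(settings.get("auth-session-timeout"))
    if lifetime is None or timeout is None:
        findings.append("auth-session-lifetime/auth-session-timeout: not integers")
    elif timeout > lifetime:
        findings.append(f"auth-session-timeout: {timeout} exceeds "
                        f"auth-session-lifetime {lifetime}")

    # The reference describes entity-id as the SP's URL; a bare IP is flagged
    # so the operator can confirm it matches what the IdP metadata expects.
    entity = settings.get("entity-id", "")
    if entity and not entity.lower().startswith(("http://", "https://")):
        findings.append(f"entity-id: {entity!r} is not a URL; the reference "
                        "describes it as the service provider's URL")

    # Forwarding the user's last-visited-site cookie is a deliberate choice;
    # surface it so the real server's need for it is confirmed, not assumed.
    if settings.get("export-cookie") == "enable":
        findings.append("export-cookie: enabled; the real server receives the "
                        "user's last-visited-site cookie, confirm it needs it")

    return findings


if __name__ == "__main__":
    for finding in audit_saml_sp(parse_get_output(SAMPLE_GET_OUTPUT)):
        print(finding)
```

Paste the `get` output of each saml-sp entry into `SAMPLE_GET_OUTPUT` (or read it from a file) and review the findings; on the page's example the script reports the empty local-cert, the IP-address entity ID and the enabled export-cookie, and nothing else.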
