Administration Guide

Create or edit a SAML server

To add a new SAML server in the GUI:
  1. In the SAML server list, click Create New from the toolbar. The Create SAML window opens.

  2. Configure the following:

    Name

    Enter the name that identifies the SAML server on the FortiProxy unit.

    Certificate

    Select the certificate the FortiProxy unit uses to sign the SAML messages it sends to the identity provider.

    Entity ID

    Enter the service provider entity identifier. The URL must start with http:// or https://.

    Single Sign On URL

    Enter the service provider single sign-on URL. The URL must start with http:// or https://.

    Single Logout URL

    Enter the service provider single logout URL. The URL must start with http:// or https://.

    IDP Entity ID

    Enter the identity provider entity identifier. The URL must start with http:// or https://.

    IDP Single Sign On URL

    Enter the identity provider single sign-on URL. The URL must start with http:// or https://.

    IDP Single Logout URL

    Enter the identity provider single logout URL. The URL must start with http:// or https://.

    IDP Certificate

    Enter the name of the identity provider's signing certificate. The unit uses this certificate to verify the signatures on the assertions the identity provider returns, so confirm that the certificate you import matches the one the identity provider publishes.

    User Name

    Enter the user name in the assertion statement.

    Group Name

    Enter the group name in the assertion statement.

    Digest Method Algorithm

    Select the algorithm used for the digest method (SHA-1 or SHA-256). Use SHA-256 unless a legacy identity provider can only handle SHA-1; SHA-1 is deprecated for signature digests.

    ADFS Claim

    Enable or disable the use of ADFS claim types for the user and group attributes in the assertion statement. When enabled, the User Claim Type and Group Claim Type settings select which claims are used.

    User Claim Type

    Select the user name claim in the assertion statement.

    Group Claim Type

    Select the group claim in the assertion statement.

  3. Click OK to create the new SAML server.

To add a new SAML server in the CLI:

config user saml
    edit <SAML_server_entry_name>
        set cert <certificate_to_sign_SAML_messages>
        set entity-id <service_provider_entity_ID>
        set single-sign-on-url <service_provider_single_sign-on_URL>
        set single-logout-url <service_provider_single_logout_URL>
        set idp-entity-id <identity_provider_entity_ID>
        set idp-single-sign-on-url <identity_provider_single_sign-on_URL>
        set idp-single-logout-url <identity_provider_single_logout_URL>
        set idp-cert <identity_provider_certificate_name>
        set user-name <user_name_in_assertion_statement>
        set group-name <group_name_in_assertion_statement>
        set algo {sha1 | sha256}
        set adfs-claim {enable | disable}
        set limit-relaystate {enable | disable}
        set user-claim-type {email | given-name | name | upn | common-name | email-adfs-1x | group | upn-adfs-1x | role | sur-name | ppid | name-identifier | authentication-method | deny-only-group-sid | deny-only-primary-sid | deny-only-primary-group-sid | group-sid | primary-group-sid | primary-sid | windows-account-name}
        set group-claim-type {email | given-name | name | upn | common-name | email-adfs-1x | group | upn-adfs-1x | role | sur-name | ppid | name-identifier | authentication-method | deny-only-group-sid | deny-only-primary-sid | deny-only-primary-group-sid | group-sid | primary-group-sid | primary-sid | windows-account-name}
    next
end
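As an added worked example (not code from the FortiProxy guide or from Fortinet), the following Python script reads a SAML 2.0 identity provider metadata document, extracts the values the IDP fields above need, enforces the http:// or https:// rule the guide states for every URL field, and prints the matching config user saml block with SHA-256 digests. The metadata, hostnames, certificate bytes and the names sp-signing-cert, idp-example and idp-example-cert are constructed assumptions; preferring the HTTP-Redirect binding over HTTP-POST is also an assumption, since the guide does not say which binding the unit uses.

```python
"""Build the FortiProxy 'config user saml' block from SAML 2.0 IdP metadata.

Added example, not Fortinet's code. Hostnames, certificate bytes and the
names used below are constructed assumptions for illustration.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
URL_FIELDS = ("entity_id", "sso_url", "slo_url", "idp_entity_id", "idp_sso_url", "idp_slo_url")

# Constructed stand-in for the IdP signing certificate (not a real DER certificate).
FAKE_DER = b"constructed placeholder, not a real X.509 DER certificate"

# Constructed IdP metadata, shaped like what an IdP publishes at its metadata URL.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_url(field, value):
    """The guide requires every URL field to start with http:// or https://."""
    if not isinstance(value, str) or not value.startswith(("http://", "https://")):
        raise ValueError(f"{field} must start with http:// or https://, got {value!r}")
    return value


def _endpoint(desc, tag):
    # Assumption: prefer the HTTP-Redirect binding and fall back to HTTP-POST.
    by_binding = {el.get("Binding"): el.get("Location") for el in desc.findall(f"{{{MD}}}{tag}")}
    return by_binding.get(REDIRECT) or by_binding.get(POST)


def parse_idp_metadata(xml_text):
    """Return the IdP entity ID, SSO/SLO endpoints and signing certificate (DER bytes)."""
    root = ET.fromstring(xml_text)
    desc = root.find(f"{{{MD}}}IDPSSODescriptor")
    if desc is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    cert_b64 = None
    for kd in desc.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means signing and encryption
            cert_b64 = kd.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
            break
    if not cert_b64:
        raise ValueError("metadata has no signing certificate")
    return {
        "idp_entity_id": check_url("idp_entity_id", root.get("entityID")),
        "idp_sso_url": check_url("idp_sso_url", _endpoint(desc, "SingleSignOnService")),
        "idp_slo_url": check_url("idp_slo_url", _endpoint(desc, "SingleLogoutService")),
        "idp_cert_der": base64.b64decode("".join(cert_b64.split())),
    }


def fingerprint(der):
    """SHA-256 fingerprint, to compare out of band with what the IdP operator publishes."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def plaintext_endpoints(settings):
    """URL fields using http://; the guide allows it, but SAML messages then travel unencrypted."""
    return [f for f in URL_FIELDS if f in settings and settings[f].startswith("http://")]


def render_cli(name, sp, idp, idp_cert_name, algo="sha256"):
    """Emit the CLI block from the guide; SHA-256 digests unless a legacy IdP forces sha1."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("algo must be sha1 or sha256")
    for f in ("entity_id", "sso_url", "slo_url"):
        check_url(f, sp[f])
    fields = [("cert", sp["cert"]), ("entity-id", sp["entity_id"]), ("single-sign-on-url", sp["sso_url"]),
              ("single-logout-url", sp["slo_url"]), ("idp-entity-id", idp["idp_entity_id"]),
              ("idp-single-sign-on-url", idp["idp_sso_url"]), ("idp-single-logout-url", idp["idp_slo_url"]),
              ("idp-cert", idp_cert_name), ("user-name", sp["user_name"]), ("group-name", sp["group_name"]),
              ("algo", algo)]
    body = [f"        set {k} {v}" for k, v in fields]
    return "\n".join(["config user saml", f"    edit {name}", *body, "    next", "end"])


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    # Assumed SP values; the certificate named in 'cert' must already exist on the unit.
    sp = {"cert": "sp-signing-cert", "entity_id": "https://proxy.example.test/saml/metadata",
          "sso_url": "https://proxy.example.test/saml/acs", "slo_url": "https://proxy.example.test/saml/slo",
          "user_name": "username", "group_name": "group"}
    print(render_cli("idp-example", sp, idp, "idp-example-cert"))
    print("IdP signing cert SHA-256:", fingerprint(idp["idp_cert_der"]))
    print("plaintext endpoints:", plaintext_endpoints({**sp, **idp}))
```

Run it as a script to see the generated block. Import the identity provider certificate on the unit under the name you pass as idp_cert_name before referencing it in idp-cert, and compare the printed SHA-256 fingerprint with the one the identity provider operator publishes before trusting it. plaintext_endpoints lists any field still using http://, which the guide permits but which leaves SAML requests and responses readable in transit.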

To edit a SAML server:
  1. Select the SAML server you want to edit and then click Edit from the toolbar. The Edit SAML window opens.

  2. Edit the server information as required and click OK to apply your changes.
