Client Side (Inbound) SAML SSO Domains
- Last Updated: January 9, 2025
The fields vary when the Authentication Protocol is set to SAML. The SAML-specific fields are described below.
IdP Provisioning
The Manual option allows you to manually input details into the IdP fields.
The MetaData File option allows you to upload an IdP MetaData File. This simplifies the configuration of the IdP attributes, including the IdP Entity ID, IdP SSO URL and IdP Logoff URL. The metadata file can be downloaded from the IdP.
IdP Metadata File
This field is only visible if the IdP Provisioning field is set to MetaData File. To upload the file, click Browse, navigate to and select the relevant file, and click Import IdP MetaData File.
IdP Entity ID
Specify the IdP entity identifier.
IdP SSO URL
Specify the IdP SSO URL.
IdP Logoff URL
Specify the IdP logoff URL.
IdP Certificate
The IdP Certificate is used to verify the signature on the assertions that must be contained in the SAML response received from the IdP. Without the certificate, the assertions cannot be verified.
SP Entity ID
This identifier is shared with the IdP so that it can recognize and accept the request messages sent from the LoadMaster. It must match the identifier of the relying party configured on the AD FS server.
SP Signing Certificate
Signing the requests sent in the context of logon is optional. Currently, the LoadMaster does not sign those requests.
Log off requests, however, must be signed. Signing prevents spoofed log off requests and adds protection to the log off functionality, so that users cannot be logged off by a third party or unnecessarily.
In the SP Signing Certificate drop-down list, you can choose to use a self-signed certificate or a third-party certificate to perform the signing.
Download SP Signing Certificate
If using a self-signed certificate, click Download to download the certificate. This certificate must be installed on the IdP server (for example AD FS) to be added to the relying party signature.
The AD FS server requires this certificate for use of the public key to verify the signatures that the LoadMaster generates.
Session Control
The IdP Session Max Duration option does not appear to be usable when the IdP is AD FS. SAML supports it, and the LoadMaster honors it if it is present in the Authentication Response.
SP Session Idle Duration
Specify the session idle duration (in seconds).
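As an added example (not LoadMaster code), the following Python shows how the two session limits above can be evaluated for a SAML session: the SP Session Idle Duration is applied from the last activity, and the IdP session maximum is taken from the SessionNotOnOrAfter attribute of the AuthnStatement when the Authentication Response carries it. The two response fragments are constructed, the second one omitting SessionNotOnOrAfter as a response without an IdP maximum; the rule that the earlier of the two limits ends the session is an assumption of this example, since the page only states that the IdP value is honored when present.

```python
"""Combine the SP idle timeout with the IdP session maximum from a SAML response.

Added example, not LoadMaster code. The values are read from the
Authentication Response only after its signature has been verified against
the IdP certificate; an unverified response must not influence session state.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted XML

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed response fragment whose AuthnStatement carries an IdP session maximum.
RESPONSE_WITH_MAX = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2025-01-09T10:00:00Z"
        SessionIndex="_idx1" SessionNotOnOrAfter="2025-01-09T18:00:00Z"/>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed response fragment with no SessionNotOnOrAfter (no IdP maximum supplied).
RESPONSE_WITHOUT_MAX = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2025-01-09T10:00:00Z" SessionIndex="_idx2"/>
  </saml:Assertion>
</samlp:Response>
"""


def parse_saml_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime; SAML requires UTC, usually written with a trailing Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # older Pythons' fromisoformat rejects 'Z'
    instant = datetime.fromisoformat(value)
    if instant.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return instant.astimezone(timezone.utc)


def session_max_from_response(xml_text: str):
    """Return the IdP's SessionNotOnOrAfter as a datetime, or None if absent."""
    root = ET.fromstring(xml_text)
    statement = root.find(".//saml:AuthnStatement", NS)
    if statement is None:
        raise ValueError("response carries no AuthnStatement")
    value = statement.get("SessionNotOnOrAfter")
    return parse_saml_instant(value) if value else None


def session_expiry(last_activity: datetime, idle_seconds: int, session_max) -> datetime:
    """The session ends at the idle limit or the IdP maximum, whichever comes first."""
    idle_limit = last_activity + timedelta(seconds=idle_seconds)
    if session_max is None:
        return idle_limit
    return min(idle_limit, session_max)


def session_is_valid(now: datetime, last_activity: datetime, idle_seconds: int, session_max) -> bool:
    """True while the current time is before the computed expiry."""
    return now < session_expiry(last_activity, idle_seconds, session_max)


if __name__ == "__main__":
    last = parse_saml_instant("2025-01-09T17:30:00Z")
    for label, response in (("with max", RESPONSE_WITH_MAX), ("without max", RESPONSE_WITHOUT_MAX)):
        limit = session_max_from_response(response)
        print(label, "expires at", session_expiry(last, 3600, limit).isoformat())
```

When no SessionNotOnOrAfter is present, only the idle duration bounds the session, which is why the IdP maximum has no effect with an IdP that does not emit the attribute.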