Client Side (Inbound) SAML SSO Domains
- Last Updated: October 24, 2024
When the Authentication Protocol of a client-side (inbound) SSO domain is set to SAML, a different set of fields is shown. The SAML-specific fields are described below.
IdP Provisioning
The Manual option enables you to manually input details into the IdP fields.
The MetaData File option allows you to upload an IdP metadata file. This simplifies the configuration of the IdP attributes, including the IdP Entity ID, IdP SSO URL and IdP Logoff URL, which are populated from the file instead of being typed in. The metadata file can be downloaded from the IdP; obtain it directly from the IdP over a trusted channel, because it defines which IdP the LoadMaster will trust.
IdP Metadata File
This field is only visible if the IdP Provisioning field is set to MetaData File. To upload the file, click Browse, navigate to and select the relevant file, and then click Import IdP MetaData File.
IdP Entity ID
Specify the IdP entity identifier. The maximum number of characters permitted in this field is 255.
IdP SSO URL
Specify the IdP SSO URL. The maximum number of characters permitted in this field is 255.
IdP Logoff URL
Specify the IdP logoff URL. The maximum number of characters permitted in this field is 255.
IdP Certificate
The IdP certificate is used to verify the signature on the assertions that the SAML response from the IdP must contain. Without the certificate, verification cannot proceed and the response cannot be accepted.
IdP Certificate Match
If this option is enabled, the certificate contained in the IdP's SAML response must match the IdP certificate assigned above; a response that carries a different certificate does not pass verification.
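The following Python script is an added example written for this page; it is not LoadMaster code. It illustrates two of the fields above: it extracts the IdP Entity ID, IdP SSO URL, IdP Logoff URL and the IdP signing certificate from an IdP metadata file, as the MetaData File provisioning option does, checks the 255-character field limits, and performs the IdP Certificate Match check by comparing the certificate embedded in a SAML response's KeyInfo against the pinned one. The metadata, hostnames and certificate bodies are constructed placeholders (the base64 blobs are not real X.509 certificates); preferring the HTTP-Redirect endpoint and treating a response with no embedded certificate as a mismatch are this example's choices, not documented LoadMaster behaviour. The script only does the pinning step and does not verify the XML signature itself.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
MAX_FIELD_LEN = 255  # limit stated on the page for the Entity ID and URL fields

# Constructed test data: placeholder base64 standing in for DER certificates
# (not real X.509 certificates) and made-up hostnames.
IDP_SIGNING_CERT = "MIIBplaceholderSIGNINGcertBASE64bodyAAAA"
ROGUE_CERT = "MIIBplaceholderROGUEcertBASE64bodyBBBBBB"

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{redirect}" Location="https://idp.example.test/adfs/ls/?logout"/>
    <md:SingleSignOnService Binding="{post}" Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="{redirect}" Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(cert=IDP_SIGNING_CERT, redirect=HTTP_REDIRECT, post=HTTP_POST)


def cert_fingerprint(b64_text):
    """SHA-256 over the DER bytes, after stripping PEM armour and whitespace
    (metadata files and responses usually wrap the base64 across lines)."""
    lines = (line.strip() for line in b64_text.strip().splitlines())
    body = "".join(line for line in lines if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def parse_idp_metadata(xml_text):
    """Pull out what the MetaData File option fills in: IdP Entity ID, IdP SSO
    URL, IdP Logoff URL and the fingerprints of the IdP signing certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")

    def location(service):
        # Example's choice: prefer the HTTP-Redirect endpoint, fall back to HTTP-POST.
        by_binding = {e.get("Binding"): e.get("Location")
                      for e in idp.findall("md:" + service, NS)}
        return by_binding.get(HTTP_REDIRECT) or by_binding.get(HTTP_POST)

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # an absent 'use' means both
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint(c.text))
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")
    sso_url = location("SingleSignOnService")
    if sso_url is None:
        raise ValueError("metadata has no usable SingleSignOnService")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "logoff_url": location("SingleLogoutService"),
        "signing_fingerprints": fingerprints,
    }


def field_length_errors(idp):
    """Names of values that exceed the 255-character limit of the UI fields."""
    return [name for name in ("entity_id", "sso_url", "logoff_url")
            if idp[name] is not None and len(idp[name]) > MAX_FIELD_LEN]


def make_response(cert_b64):
    """Constructed SAML Response skeleton; the SignatureValue is a dummy."""
    key_info = ""
    if cert_b64 is not None:
        key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s"
                    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>" % cert_b64)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:ds="%s" ID="_r1" Version="2.0">'
            "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>dummy</ds:SignatureValue>"
            "%s</ds:Signature></samlp:Response>" % (NS["samlp"], NS["ds"], key_info))


def response_cert_matches(response_xml, configured_fingerprint):
    """IdP Certificate Match: the certificate embedded in the response's
    ds:KeyInfo must be the configured one. A response with no embedded
    certificate is treated as a mismatch here (example's choice)."""
    root = ET.fromstring(response_xml)
    embedded = root.find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if embedded is None or not embedded.text:
        return False
    return hmac.compare_digest(cert_fingerprint(embedded.text), configured_fingerprint)
```

The fingerprint is computed over the decoded DER bytes rather than the base64 text, so line wrapping or PEM armour in one copy of the certificate does not cause a spurious mismatch, and the comparison uses a constant-time compare as a matter of habit.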
SP Entity ID
This identifier is sent in the request messages from the LoadMaster so that the IdP can recognise and accept the LoadMaster as a known service provider. It must match the identifier of the relying party configured on the AD FS server. The maximum number of characters permitted in this field is 255.
SP Signing Certificate
Signing the requests sent during logon is optional in SAML, and the LoadMaster currently does not sign them.
Logoff requests must be signed. This prevents a spoofed logoff request from terminating a user's session, so that users are not logged off by a third party or logged off unnecessarily.
In the SP Signing Certificate drop-down list, select either a self-signed certificate or a third-party certificate to perform the signing.
Download SP Signing Certificate
If you are using a self-signed certificate, click Download to obtain it. Install this certificate on the IdP server (for example, AD FS) as a signature certificate of the relying party.
The AD FS server needs this certificate for its public key, with which it verifies the signatures that the LoadMaster generates on logoff requests.
Session Control
Select the relevant session control option. The available options are:
- SP Session Idle Duration
- SP Session Max Duration
- IdP Session Max Duration
The IdP maximum duration cannot be set on the LoadMaster; it is taken from the IdP's authentication response. If the response does not carry a value, a default IdP maximum duration of 30 minutes is used.
SP Session Idle Duration
Specify the session idle duration (in seconds): the session ends if no request is received for this long. This field is only visible if SP Session Idle Duration is set as the Session Control option.
SP Session Max Duration
Specify the maximum duration of the session (in seconds), measured from when the session was established. This field is only visible if SP Session Max Duration is set as the Session Control option.
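The following Python script is an added example written for this page, not LoadMaster code. It evaluates a session under each of the three Session Control options and shows how the IdP maximum duration is derived, including the 30-minute fallback when the IdP sets none. The page does not name where the IdP value comes from; this example assumes the standard SAML 2.0 location, the SessionNotOnOrAfter attribute on the assertion's AuthnStatement, and the assertion it parses is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_IDP_MAX_DURATION = timedelta(minutes=30)  # the page's fallback value

IDLE = "SP Session Idle Duration"
SP_MAX = "SP Session Max Duration"
IDP_MAX = "IdP Session Max Duration"


def make_assertion(session_not_on_or_after=None):
    """Constructed assertion fragment; only the AuthnStatement matters here."""
    attr = ""
    if session_not_on_or_after is not None:
        attr = ' SessionNotOnOrAfter="%s"' % session_not_on_or_after
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">'
            '<saml:AuthnStatement AuthnInstant="2024-10-24T10:00:00Z"%s>'
            "<saml:AuthnContext><saml:AuthnContextClassRef>"
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
            "</saml:AuthnContextClassRef></saml:AuthnContext>"
            "</saml:AuthnStatement></saml:Assertion>" % attr)


def parse_saml_datetime(value):
    """SAML dateTime values are UTC with a trailing Z; fractional seconds are
    optional and are dropped here (rounded down)."""
    if not value.endswith("Z"):
        raise ValueError("SAML dateTime must be in UTC: %r" % value)
    whole = value[:-1].split(".")[0]
    return datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def idp_session_expiry(assertion_xml, received_at):
    """Assumption (not stated on the page): the IdP limit is read from
    SessionNotOnOrAfter on the AuthnStatement. When it is absent, the page's
    30-minute default applies from the time the response was received."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(".//saml:AuthnStatement", SAML_NS)
    value = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    if value is None:
        return received_at + DEFAULT_IDP_MAX_DURATION
    return parse_saml_datetime(value)


def session_is_valid(control, now, started_at, last_activity_at,
                     idle_seconds=None, max_seconds=None, idp_expiry=None):
    """Evaluate a session under the selected Session Control option: idle
    duration is measured from the last request, SP max duration from session
    start (activity does not extend it), and the IdP option uses the expiry
    derived from the IdP response."""
    if control == IDLE:
        return now - last_activity_at < timedelta(seconds=idle_seconds)
    if control == SP_MAX:
        return now - started_at < timedelta(seconds=max_seconds)
    if control == IDP_MAX:
        return now < idp_expiry
    raise ValueError("unknown Session Control option: %r" % control)
```

The practical difference between the two SP options is which timestamp is compared: under the idle option a steadily active user keeps the session alive indefinitely, while under the max option the session ends at the fixed deadline regardless of activity.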