Configure the SSO Domain
- Last Updated: June 19, 2025
SAML SSO domains are fundamentally different from the other SSO domains that can be configured on the LoadMaster, because the LoadMaster does not interact directly with the authentication server. In the context of SAML, the LoadMaster performs redirections: it redirects the client to an IdP, which issues the claims and returns the required assertions.
To configure a SAML-based SSO domain in the LoadMaster, follow the steps below:
- In the main menu of the LoadMaster WUI, go to Virtual Services > Manage SSO.
- Enter a name for the SSO domain in the Add new Client Side Configuration text box and click Add.
- Select SAML as the Authentication Protocol.
- Select the relevant IdP Provisioning option.
The MetaData File option enables you to upload an IdP MetaData File. This simplifies the configuration of the IdP attributes, including the IdP Entity ID, IdP SSO URL and IdP Logoff URL. The metadata file can be downloaded from the IdP. For further information, refer to the Endpoint Settings section. To upload the file, click Browse, navigate to and select the relevant file, and click Import IdP MetaData File.
The Manual option enables you to manually input details into the IdP fields.
- Select an IdP Certificate for use in the context of assertion verification.
Note: The certificate can be exported from the IdP and imported into the LoadMaster in the Certificates & Security section.
Note: The IdP Certificate is essential for verifying the assertions that must be contained in the SAML response received from the IdP. Without the certificate, verification cannot proceed.
- Decide whether or not to enable the IdP Certificate Match check box.
Note: If this option is enabled, the IdP certificate assigned must match the certificate in the IdP SAML response.
- Enter the SP Entity ID and click Set SP Entity ID.
Note: This identifier is shared so that the IdP can recognise and accept the entity when request messages are sent from the LoadMaster. It must match the identifier of the relying party on the AD FS server.
- Select the relevant SP Signing Certificate option.
In the SP Signing Certificate field, you can use a self-signed certificate to perform the signing.
Signing is mandatory for log off requests. This prevents spoofing and adds extra protection to the log off functionality, so that users are not attacked and logged off unnecessarily by a forged request.
It is optional to sign requests that are sent in the context of logon. Currently, the LoadMaster does not sign those requests.
- If using a self-signed certificate, click the Download button to download the certificate. This certificate must be installed on the IdP server (for example AD FS) to be added to the relying party signature.
The AD FS server requires this certificate for use of the public key to verify the signatures that the LoadMaster generates.
- Select the relevant Session Control option.
Note: The IdP maximum duration value cannot be set in the LoadMaster. The value is taken from the IdP protocol. If the value is not already set in the IdP authentication response, the default value of 30 minutes is assigned as the IdP maximum duration.
- If using SP Session Idle Duration, enter the SP Session Idle Duration and click Set SP Idle Duration.
- If using SP Session Max Duration, enter the SP Session Max Duration and click Set SP Max Duration.
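As an added illustration (not LoadMaster code, and no LoadMaster API is assumed), the following Python parses a constructed IdP metadata file for the values the MetaData File import fills in (IdP Entity ID, SSO URL, Logoff URL and signing certificate) and then applies the IdP Certificate Match rule to a constructed SAML response. The host idp.example.test and the certificate bytes are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder standing in for the IdP's DER-encoded X.509 certificate.
IDP_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
OTHER_CERT_B64 = base64.b64encode(b"some other constructed certificate").decode()

# Constructed sample IdP metadata (hypothetical host idp.example.test, not a real IdP's file).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/adfs/ls/?logout"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract the values the metadata import fills in: Entity ID, SSO URL, Logoff URL, signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    slo = idp.find(f"md:SingleLogoutService[@Binding='{REDIRECT}']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location"),
            "logoff_url": slo.get("Location") if slo is not None else None,
            "signing_cert": "".join(cert.text.split())}  # drop line breaks and indentation

def cert_fingerprint(cert_b64):
    """SHA-256 over the DER bytes, so whitespace differences in the base64 text never matter."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def idp_certificate_match(configured_cert_b64, response_xml):
    """IdP Certificate Match: the certificate carried in the response's signature must be the
    one assigned to the SSO domain; a missing or different certificate rejects the response."""
    root = ET.fromstring(response_xml)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        return False
    return cert_fingerprint(cert.text) == cert_fingerprint(configured_cert_b64)

def sample_response(cert_b64):
    """Constructed minimal SAML response carrying the given certificate in its signature."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}" ID="_r1">'
            f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')
```

Call parse_idp_metadata(IDP_METADATA) to see the extracted values, then pass the returned signing_cert and sample_response(IDP_CERT_B64) or sample_response(OTHER_CERT_B64) to idp_certificate_match to see the match check accept and reject.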