Follow the steps below to configure the Virtual Service to use SAML authentication:

  1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

  2. Enter a valid IP address in the Virtual Address text box.
  3. Enter the Port.
  4. Enter a Service Name.
  5. Click Add this Virtual Service.
  6. Expand the ESP Options section.

  7. Select the Enable ESP check box.
  8. Select SAML as the Client Authentication Mode.
  9. Select the SAML SSO Domain.
  10. Enter any Allowed Virtual Hosts, as needed.
  11. Enter the Logoff String and click Set SSO Logoff String.
    Note: The Logoff String is important. The Logoff String has a special protocol flow associated with it in the context of SAML. Not only do you want to log out of the Service Provider on the LoadMaster, but the user also must be logged out of the IdP.
  12. If required, enter the Additional Authentication Header and click Set Additional Authentication Header.
    Note: The Additional Authentication Header specifies the name of the HTTP header. This header is added to the HTTP request from the LoadMaster to the Real Server and its value is set to the user ID for the authenticated session.
  13. Select the Server Authentication Mode.
    Note: If you select Server Token as the Server Authentication Mode on reception and verification of the SAML response, the LoadMaster requests a long-lived token. The LoadMaster then builds a redirection URL with the token specified.
    Note: The Server Authentication Mode can be set to None, KCD, or Server Token. Basic Authentication is not supported because the LoadMaster does not have access to the username and password.
  14. If using KCD as the Server Authentication Mode, please select the relevant option for Server Side configuration.
    Note: For further information on KCD, refer to the Kerberos Constrained Delegation, Feature Description.
  15. Configure any other settings as needed.