Add a Single Sign-on Server

Before you begin

Obtain the following from your SAML identity provider:

  • Identity Provider Entity ID URL

  • Sign-in URL

  • Sign-out URL

  • Identity provider signing certificate. Enroll it in FTD using the CDO web interface (Devices > Certificates).

For more information, see Configuring a SAML Single Sign-on Authentication.

Procedure


Step 1

Choose Object > Object Management > AAA Server > Single Sign-on Server.

Step 2

Click Add Single Sign-on Server and provide the following details:

  • Name—The name of the SAML single sign-on server object.

  • Identity Provider Entity ID—The URL that uniquely identifies the SAML identity provider (the entityID published in the IdP's SAML metadata).

    Typically this is the URL of the page that serves the IdP's metadata XML, which describes how the SAML issuer responds to requests.

  • SSO URL—The URL for signing into the SAML identity provider server.

  • Logout URL—The URL for signing out of the SAML identity provider server.

  • Base URL—URL that will redirect the user back to FTD once the identity provider authentication is done. This is the URL of the access interface configured for the FTD remote access VPN.

  • Identity Provider Certificate—Certificate of the IdP enrolled into the FTD to verify the messages signed by the IdP.

    Select an identity provider certificate from the list or click Add to create a new certificate enrollment object.

    For more information, see Managing FTD VPN Certificates.

    You must enroll all of the Microsoft Azure registered application CA certificates as trustpoints on the FTD. The Microsoft Azure SAML identity provider is configured on FTD for the initial application, and all connection profiles are mapped to that configured MS Azure SAML identity provider. For each of the other MS Azure applications, you choose the required trustpoint (CA certificate) in the connection profile configuration of the remote access VPN.

    For details, see Configure AAA Settings for Remote Access VPN.

  • Service Provider Certificate—The FTD certificate used to sign requests to the IdP and establish the circle of trust with it.

    If you have not enrolled internal FTD certificates, click + to add and enroll a certificate. For more information, see Managing FTD VPN Certificates.

  • Request Signature—Select the hash algorithm used to sign the SAML single sign-on requests that FTD sends to the IdP. This is a signature, not encryption of the request.

    The algorithms are listed from weakest to strongest: SHA1, SHA256, SHA384, SHA512. Select None to send unsigned requests. Prefer SHA256 or stronger; SHA1 is deprecated for digital signatures.

  • Request Timeout—Specify how long, in seconds, the user has to complete the single sign-on request, measured from the assertion's NotBefore time. The SAML IdP sets two time bounds in the assertion's Conditions: NotBefore and NotOnOrAfter. FTD accepts the assertion until whichever comes first: NotBefore plus the configured timeout, or the IdP's NotOnOrAfter. If NotBefore plus the timeout is earlier than NotOnOrAfter, the FTD timeout applies; if the configured timeout would extend past NotOnOrAfter, it is ignored and NotOnOrAfter applies.

    The timeout range is 1-7200 seconds; the default is 300 seconds.

  • Enable IdP only accessible on Internal Network—Select this option if the SAML IdP resides on the internal network and is not reachable by remote users directly. FTD then acts as a gateway and relays traffic between the user and the IdP over an anonymous webvpn session.

  • Request IdP re-authentication on Login—Select this option to require the user to authenticate at the IdP on every login, even if the IdP session from a previous login is still valid.

  • Allow Overrides—Select this check box to allow overrides for this single sign-on server object.
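The following is an added example, not code from the CDO or FTD documentation, showing how the Request Timeout combines with the IdP's NotBefore and NotOnOrAfter conditions to give the window in which an assertion is accepted. The assertion XML, issuer URL and timestamps are constructed for illustration; the function names are hypothetical, and the example models only the documented timeout rule (it does not model clock-skew tolerance or signature validation, which a real SP also performs).

```python
"""Added example (not from the CDO/FTD documentation): the validity window
FTD applies to a SAML assertion given the configured Request Timeout and the
IdP's NotBefore / NotOnOrAfter conditions. All names and data are constructed."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP): valid for ten minutes.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z"
                   NotOnOrAfter="2024-01-15T10:10:00Z"/>
</saml:Assertion>
"""


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-01-15T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assertion_conditions(xml_text):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element.
    Both bounds are required here: without them the assertion cannot be bounded."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks NotBefore/NotOnOrAfter conditions")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def effective_expiry(not_before, not_on_or_after, request_timeout_s):
    """Documented FTD rule: the assertion expires at NotBefore + Request Timeout,
    unless that is later than the IdP's NotOnOrAfter, in which case NotOnOrAfter wins."""
    if not 1 <= request_timeout_s <= 7200:
        raise ValueError("Request Timeout must be 1-7200 seconds")
    ftd_deadline = not_before + timedelta(seconds=request_timeout_s)
    return min(ftd_deadline, not_on_or_after)


def assertion_accepted(xml_text, request_timeout_s, now):
    """True if `now` (an aware UTC datetime) falls inside the effective window."""
    not_before, not_on_or_after = assertion_conditions(xml_text)
    expiry = effective_expiry(not_before, not_on_or_after, request_timeout_s)
    return not_before <= now < expiry


if __name__ == "__main__":
    # Default 300 s timeout: the window closes at 10:05, before the IdP's 10:10.
    print(assertion_accepted(SAMPLE_ASSERTION, 300, parse_saml_time("2024-01-15T10:04:59Z")))
    print(assertion_accepted(SAMPLE_ASSERTION, 300, parse_saml_time("2024-01-15T10:05:00Z")))
    # Maximum 7200 s timeout exceeds NotOnOrAfter, so the IdP's 10:10 bound wins.
    print(assertion_accepted(SAMPLE_ASSERTION, 7200, parse_saml_time("2024-01-15T10:09:59Z")))
    print(assertion_accepted(SAMPLE_ASSERTION, 7200, parse_saml_time("2024-01-15T10:10:00Z")))
```

With the default 300-second timeout the sample assertion stops being accepted at 10:05:00 even though the IdP allowed it until 10:10:00; raising the timeout to the 7200-second maximum does not extend acceptance past the IdP's NotOnOrAfter. A short Request Timeout therefore only ever narrows the window the IdP granted, which is why it is a safe setting to tighten when an IdP issues long-lived assertions.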

Step 3

Click Save.