|
To check the metadata for SSL VPN (FortiGate as SP), run the following in the CLI:
diag vpn ssl saml-metadata "<SAML HERE>"
Example output:
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://FortiGate IP/FQDN:port/remote/saml/metadatarealm=ADFS-SAML/">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://FortiGate IP/FQDN:port/remote/saml/login?realm=ADFS-SAML/"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://FortiGate IP/FQDN:port/remote/saml/logout?realm=ADFS-SAML/"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
</SPSSODescriptor>
</EntityDescriptor>
To check the metadata for admin access (FortiGate as SP), run the following command:
diag sys saml metadata
Example output:
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://FortiGate IP/FQDN:port/metadata/">
<SPSSODescriptor AuthnRequestsSigned="true" WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIGMzCCBRugAwIBAgIMRGOxmgw6BWgidNRcMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
BgNVBAYTAkJdMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB
bHBoYVNtTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTIxMDQxOTEzMzQxNloXDTIyMDUy
MTEzMzQxNlowFzEVMBMGA1UEAwwMKi5ncmFrb3YubmV0MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAs+gyQEFqqd
.
.
.
|
