EdgeADC - Version 5.0.0.1986
User Guide

Authentication Servers

To set up a working authentication method, we must first set up an authentication server.
The first stage is to select which authentication method you need.
     Click Add Server.
     Select the Method from the dropdown menu.
The Authentication Server function is dynamic and displays only those fields that are required for the authentication method you choose.
     Fill out the fields accurately to ensure proper connection to the servers.
Options for LDAP, LDAP-MD5, LDAPS, LDAPS-MD5, Radius and SAML
Option
Description
Method
Choose an authentication method
LDAP – basic LDAP with usernames and passwords sent in clear text to the LDAP server.
LDAP-MD5 – basic LDAP with username in clear text and password MD5 hashed for increased security.
LDAPS – LDAP over SSL. Sends the password in clear text within an encrypted tunnel between the ADC and LDAP server.
LDAPS-MD5 – LDAP over SSL. The password is MD5 hashed for added security within an encrypted tunnel between the ADC and the LDAP server.
Name
Give your server a name for identification purposes – this name is used in any rules.
Server Address
Add the IP address or hostname of the authentication server.
Port
For LDAP and LDAPS the ports are set to 389 and 636 by default.
For Radius the port is generally 1812.
For SAML, the ports are set in the ADC.
Domain
Add in the domain name for the LDAP server.
Login Format
Use the login format you need.
Username – with this format chosen, the user need only enter the username. Any domain information entered by the user is discarded, and the domain configured at the server level is used.
Username and Domain – the user must enter the full domain and username syntax, for example mycompany\jdoe or jdoe@mycompany. The domain information entered at the server level is ignored.
Blank – the ADC accepts whatever the user enters and forwards it unchanged to the authentication server. This option is used with the MD5 methods.
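The three login formats described above, as a worked example added here (it is not code from the guide or from EdgeADC): a normaliser that applies the selected format to what the user typed and produces the username and domain that would be sent on to the server. The selector strings, the function names normalize_login and split_login, and the tuple they return are conventions of this example, not of the product.

```python
import re
from typing import Optional, Tuple

# The three Login Format choices from the table. The labels are the guide's;
# using them as the selector strings is this example's convention.
USERNAME = "Username"
USERNAME_AND_DOMAIN = "Username and Domain"
BLANK = "Blank"

_DOWN_LEVEL_RE = re.compile(r"^([^\\@]+)\\([^\\@]+)$")   # mycompany\jdoe
_UPN_RE = re.compile(r"^([^\\@]+)@([^\\@]+)$")           # jdoe@mycompany


def split_login(raw: str) -> Tuple[Optional[str], str]:
    """Split what the user typed into (domain, username); domain is None if absent."""
    raw = raw.strip()
    m = _DOWN_LEVEL_RE.match(raw)
    if m:
        return m.group(1), m.group(2)
    m = _UPN_RE.match(raw)
    if m:
        return m.group(2), m.group(1)
    return None, raw


def normalize_login(raw: str, login_format: str,
                    server_domain: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (username, domain) as it would be sent to the authentication server.

    Raises ValueError when the input cannot satisfy the selected format, which is
    the point at which the attempt should be refused rather than guessed at.
    """
    if login_format == BLANK:
        # Forwarded exactly as typed; nothing is parsed or rewritten.
        return raw, None

    domain, user = split_login(raw)
    if not user:
        raise ValueError("empty username")

    if login_format == USERNAME:
        # Whatever domain the user typed is discarded; the server-level Domain wins,
        # so a user cannot steer the request at a different domain.
        if not server_domain:
            raise ValueError("the server Domain field is required for the Username format")
        return user, server_domain

    if login_format == USERNAME_AND_DOMAIN:
        # The user must supply the domain; the server-level Domain is ignored.
        if domain is None:
            raise ValueError("login must be DOMAIN\\user or user@DOMAIN")
        return user, domain

    raise ValueError(f"unknown login format: {login_format!r}")


if __name__ == "__main__":
    # Constructed sample inputs; 'mycompany' stands in for the server-level Domain.
    for raw, fmt in [("jdoe", USERNAME), ("other\\jdoe", USERNAME),
                     ("mycompany\\jdoe", USERNAME_AND_DOMAIN),
                     ("jdoe@mycompany", USERNAME_AND_DOMAIN),
                     ("jdoe", USERNAME_AND_DOMAIN), ("jdoe@mycompany", BLANK)]:
        try:
            print(f"{raw!r:22} {fmt:20} -> {normalize_login(raw, fmt, 'mycompany')}")
        except ValueError as exc:
            print(f"{raw!r:22} {fmt:20} -> rejected: {exc}")
```

The Username format is the one that pins every request to the domain configured on the server; Username and Domain trusts the user to name the domain, and Blank performs no parsing at all, which is why it is reserved for the MD5 methods.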
Description
Add a description
Search Base
This value is the starting point for the search in the LDAP database.
Example: dc=mycompany,dc=local
Search Condition
Search conditions must conform to RFC 4515 (the LDAP search filter syntax). Example:
(MemberOf=CN=Phone-VPN,CN=Users,DC=mycompany,DC=local)
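RFC 4515 syntax, as a worked example added here (not code from the guide or from EdgeADC): a small validator for the filter grammar the Search Condition must follow, plus the escaping rule from section 3 of the RFC that keeps a user-supplied login name from being read as filter syntax when it is combined with the configured condition. The function names, the login attribute sAMAccountName and the way the two filters are joined are assumptions of this example; only the simple, present and substring item forms are parsed, not the extensible-match form.

```python
import re

# Characters that RFC 4515 section 3 requires to be escaped inside an assertion value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever be read as a value,
    never as filter syntax. Non-ASCII characters become escaped UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# Attribute description (name or dotted OID, optional ;options) and the value
# grammar: anything except unescaped ( ) \, with backslash allowed only as \xx.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|[0-9]+(?:\.[0-9]+)*")
_VALUE_RE = re.compile(r"(?:[^()\\]|\\[0-9A-Fa-f]{2})*")
_OPERATORS = ("~=", ">=", "<=", "=")   # '=' last so it does not shadow the others


class FilterError(ValueError):
    """Raised when a filter string is not well-formed."""


def _parse_filter(s: str, i: int) -> int:
    """Parse one '(' ... ')' filter starting at s[i]; return the index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter")
    if s[i] in "&|":                       # and / or: one or more nested filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise FilterError("'&' and '|' need at least one nested filter")
    elif s[i] == "!":                      # not: exactly one nested filter
        i = _parse_filter(s, i + 1)
    else:                                  # simple / present / substring item
        m = _ATTR_RE.match(s, i)
        if not m:
            raise FilterError(f"bad attribute description at offset {i}")
        i = m.end()
        for op in _OPERATORS:
            if s.startswith(op, i):
                i += len(op)
                break
        else:
            raise FilterError(f"expected a comparison operator at offset {i}")
        i = _VALUE_RE.match(s, i).end()    # always matches, possibly empty
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


def validate_filter(text: str) -> bool:
    """Return True if text is one well-formed filter; raise FilterError otherwise."""
    end = _parse_filter(text, 0)
    if end != len(text):
        raise FilterError(f"trailing characters after filter at offset {end}")
    return True


def build_user_filter(condition: str, login_attr: str, username: str) -> str:
    """AND the configured Search Condition with a lookup of the escaped login name."""
    validate_filter(condition)
    combined = f"(&({login_attr}={escape_filter_value(username)}){condition})"
    validate_filter(combined)
    return combined


if __name__ == "__main__":
    # The guide's example condition, with a constructed login name.
    condition = "(MemberOf=CN=Phone-VPN,CN=Users,DC=mycompany,DC=local)"
    print(build_user_filter(condition, "sAMAccountName", "jdoe"))
    print(build_user_filter(condition, "sAMAccountName", "*)(objectClass=*"))
```

Validating the condition when it is saved catches an unbalanced or mistyped filter before the first login fails against the directory, and escaping the login name means the second print above stays a literal string comparison instead of widening the search.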
Search User
The domain admin user account that the ADC uses to perform searches in the directory server.
Password
Password for the domain admin user.
Dead Time
The amount of time after which a server that has been marked as inactive is marked as active again.
 
Options for SAML Authentication
IMPORTANT: when setting up authentication via SAML, you are required to create an Enterprise App for Entra ID authentication. The instructions for doing this are in the chapter Setting up the Entra ID Authentication Application in Microsoft Entra.
Option
Description
Method
Choose an authentication method
LDAP – basic LDAP with usernames and passwords sent in clear text to the LDAP server.
LDAP-MD5 – basic LDAP with username in clear text and password MD5 hashed for increased security.
LDAPS – LDAP over SSL. Sends the password in clear text within an encrypted tunnel between the ADC and LDAP server.
LDAPS-MD5 – LDAP over SSL. The password is MD5 hashed for added security within an encrypted tunnel between the ADC and the LDAP server.
Name
Give your server a name for identification purposes – this name is used in any rules.
Identity Provider
 
IdP Certificate Match
IdP Certificate Match refers to the process of verifying that the digital certificate used by an Identity Provider (IdP) to sign SAML assertions matches the certificate that the Service Provider (SP) trusts. This validation ensures that the IdP is legitimate and that the assertions it sends are authentic and unaltered. The SP typically stores the IdP's certificate in its metadata, and it compares the certificate embedded in the SAML assertions against the stored one to determine a match.
IdP Entity ID
A SAML IdP Entity ID is a globally unique identifier that serves as the definitive address for an Identity Provider (IdP) within the Security Assertion Markup Language (SAML) ecosystem. This identifier is typically a URL or URI that uniquely distinguishes the IdP from other entities involved in SAML-based authentication and authorization processes. It plays a crucial role in establishing trust and facilitating secure communication between IdPs, Service Providers (SPs), and users.
IdP SSO URL
An IdP SSO URL, short for Single Sign-On URL, is a specific endpoint URL provided by an identity provider (IdP) that serves as the authentication gateway for initiating single sign-on (SSO) sessions. Upon redirecting a user to this URL, the IdP prompts them to authenticate using their credentials, and upon successful authentication, it redirects them back to the service provider (SP) with an assertion containing their identity information. This assertion is then validated by the SP, allowing the user to access the SP's resources without having to re-authenticate.
IdP Log off URL
The SAML IdP Log off URL is a specific endpoint on the Identity Provider (IdP) that initiates and manages the logout process for Single Sign-On (SSO) sessions. When a user clicks the logout button on an application, the application redirects the user to the IdP's Log off URL. The IdP then invalidates the user's session on all relying parties associated with the SSO authentication and sends a logout response back to the application, effectively logging the user out of all connected applications.
IdP Certificate
A SAML IdP Certificate is an X.509 digital certificate issued by a trusted authority to an identity provider (IdP) that participates in Security Assertion Markup Language (SAML) authentication. This certificate is the means of verifying the identity of the IdP and of protecting the integrity and confidentiality of SAML messages exchanged between the IdP and service providers (SPs).
Select the IdP certificate that you have installed on the ADC from the drop-down menu.
Description
A description for the definition.
Search User
The domain admin user account used to perform searches.
Password
The password for the admin user.
Service Provider
 
SP Entity ID
An SP Entity ID is a unique identifier that serves as a global address for a specific Service Provider (SP) in the context of the SAML protocol. It is a standardized way to identify an SP and is typically a URL or other URI that pinpoints the SP's SAML metadata, which contains critical information like encryption certificates and authentication endpoints.
SP Signing Certificate
A SAML SP Signing Certificate is an X.509 certificate used by a Service Provider (SP) to sign SAML responses, ensuring the authenticity and integrity of the messages exchanged between the SP and Identity Provider (IdP) during Single Sign-On (SSO) authentication. The SP signs the response using its private key, and the IdP verifies the signature using the public key associated with the certificate, confirming the sender's identity and that the message's contents have not been tampered with.
SP Session Timeout
SP Session Timeout refers to the maximum duration for which a user's authentication session is considered valid on the Service Provider (SP) side after successful Single Sign-On (SSO) through an Identity Provider (IdP). After this specified time, the SP terminates the session and requires the user to reauthenticate to regain access to protected resources. This mechanism helps protect against unauthorized access and ensures that user sessions are not idle for extended periods.