SAML Authentication

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication data, which lets internal and/or external systems share a single authentication source.

The FortiAuthenticator can act as a Service Provider (SP) to request user identity information from a third-party Identity Provider (IDP). This information can then be used to sign the user on transparently, based on the information the IDP sends.

In this scenario:

  1. A user attempts to connect to the Internet via FortiGate.
  2. The user is not authenticated in FSSO, so is redirected to FortiAuthenticator.
  3. FortiAuthenticator (the service provider) checks with the existing third-party IDP to get the user identity.
  4. FortiAuthenticator pushes the identity and group information into FSSO.
  5. FortiAuthenticator redirects the user to the original URL.
  6. FortiGate sees the user in FSSO and allows the user to pass.

To configure SAML Portal settings, go to Fortinet SSO Methods > SSO > SAML Authentication, and select Enable SAML portal.

The following settings can be configured:

Device FQDN

Enter the FQDN of the configured device from the system dashboard.

Portal url

Enter the Portal URL, for example:

http://www.example.com/login/saml-auth

Entity id

Enter the Entity ID, for example:

http://www.example.com/metadata/

ACS (login) url

Enter the Assertion Consumer Service (ACS) login URL, for example:

https://www.example.com/saml/?acs

Download SP metadata

Select to download the service provider SAMLv2 metadata, which is used for exchanging data with remote parties. All SAMLv2 protocol URLs will be recognized.

Import IDP metadata

Select to import the identity provider's metadata file.

Import IDP certificate

Select to import the identity provider's certificate.

IDP entity id

Also known as the entity descriptor. Enter the unique name of the SAML identity provider, typically an absolute URL:

https://idp_name.example.edu/idp

IDP single sign-on URL

Enter the identity provider portal URL you wish to use for single sign-on.

IDP certificate fingerprint

Enter the fingerprint of the identity provider's certificate file. To calculate the fingerprint, you can use OpenSSL:

$ openssl x509 -noout -fingerprint -in "server.crt"

Example result:

SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9

In the example above, the fingerprint to enter would be:

AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9

Enable SAML single logout

Select to enable the SLS (logout) URL and set the IDP single logout URL.

Sign SAML requests with a local certificate

Select to choose a local SAML certificate.
Obtain group membership from

This is a new enhancement introduced in 4.3.

Most SAML IdP services return the username in the Subject NameID assertion, but not all IdP services are consistent. FSSO requires the group membership of each user with an active SSO session, while different SAML IdP services require different methods of retrieving group information. Previously, group information could only be obtained from very specific (hardcoded) SAML assertions. You can now choose to convert Azure's group membership UUIDs into names, retrieve group membership from an LDAP service, or configure other assertions to be used for group membership retrieval.

Select the method to extract usernames:

SAML assertions: Enable and choose whether usernames are pulled in from boolean assertions or text-based attributes.

Azure: Enable and enter the Username field and Groups field.

If Convert Azure UUIDs into names is enabled, you must have already created an SSO group with the Azure UUID already added. To save time, administrators may instead choose to import them directly from Azure.

LDAP lookup: Enable and select the LDAP server to pull group memberships.

Implicit group membership

This is a new enhancement introduced in 4.3.

Select which local group the retrieved SAML users are placed into.
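As an added example (not part of the FortiAuthenticator documentation), the following Python reproduces the OpenSSL fingerprint calculation behind the IDP certificate fingerprint setting above and checks a fingerprint, as it would be entered in the portal settings, against a PEM certificate file, so the certificate you import can be verified against the fingerprint the IDP operator published out of band. The PEM blob and the names pem_to_der, fingerprint, normalize and fingerprint_matches are constructed for this example; the blob is not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample, NOT a real certificate: the base64 body decodes to the
# three bytes b"abc", so the expected SHA-1 is a well-known test vector.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it to DER."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algorithm: str = "sha1") -> str:
    """Digest of the DER bytes in OpenSSL's colon-separated upper-case hex form.

    This is what `openssl x509 -noout -fingerprint` prints after 'Fingerprint='.
    """
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonicalize a fingerprint as typed or pasted: accept an optional
    'SHA1 Fingerprint=' prefix, any separators, and either letter case."""
    fp = fp.split("=", 1)[-1]
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprint_matches(expected: str, pem: str, algorithm: str = "sha1") -> bool:
    """True if the fingerprint entered in the portal settings matches the certificate."""
    return normalize(expected) == normalize(fingerprint(pem, algorithm))


if __name__ == "__main__":
    print("SHA1 Fingerprint=" + fingerprint(SAMPLE_PEM))
```

Replace SAMPLE_PEM with the contents of the IDP's certificate file (the "server.crt" of the OpenSSL command above) to check a real fingerprint.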