Enabling FSSO and SAML on the FortiAuthenticator

  1. On the FortiAuthenticator, go to Fortinet SSO Methods > SSO > General and set the FortiGate SSO options. Make sure to Enable authentication.
  2. Enter a Secret key and select OK to apply your changes. This key will be used on the FortiGate to add the FortiAuthenticator as the FSSO server.
  3. Then go to Fortinet SSO Methods > SSO > SAML Authentication and select Enable SAML portal. All necessary URLs are automatically generated:
     • Portal url - Captive Portal URL for the FortiGate and user.
     • Entity id - Used in the Okta SAML IdP application setup.
     • ACS (login) url - Assertion POST URL used by the SAML IdP.

Enable Implicit group membership and assign the saml_users group from the drop-down menu. This will place SAML authenticated users into this group.

Keep this window open as these URLs will be needed during the IdP application configuration and for testing.

Note that, at this point, you will not be able to save these settings, as the IdP information — IDP entity id, IDP single sign-on URL, and IDP certificate fingerprint — needs to be entered. These fields will be filled once the IdP application configuration is complete.