Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAuthenticator 6.0.0 Administration Guide
    6.0.0
    6.6.2
    6.6.1
    6.6.0
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.1
    4.2.0

    SAML IdP

    SAML IdP

    Security Assertion Markup Language (SAML) is used for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP), such as Google Apps, Office 365, and Salesforce. The FortiAuthenticator can be configured as an IdP, providing trust relationship authentication for unauthenticated users trying to access an SP.

    Different realms can be selectively enabled while configuring the FortiAuthenticator as the IdP. These realms are available under Authentication > Self-service Portal > Access Control, where they can be enabled, disabled, or group filtered.

    SAML authentication works as follows:

    1. A user tries to access an SP, for example Google, using a browser.
    2. The SP's web server requests the SAML assertions for its service from the browser.
    3. Two possibilities:
      • The user's browser already has valid SAML assertions, so it sends them to the SP's web server. The web server uses them to grant or deny access to the service. SAML authentication stops here.
      • The user's browser doesn't have valid SAML assertions, so the SP's web server redirects the browser to the SAML IdP.
    4. Two possibilities:
      • The user's browser is already authenticated with the IdP, go to step 5.
      • The user's browser is not yet authenticated with the IdP, IdP requests and validates the user's credentials. If successful, go to step 5. Otherwise, access is denied.
    5. IdP provides SAML assertions for the SP's and redirects the user's browser back to the SP's web server. Go back to step 2.

    General

    To configure general SAML IdP portal settings, go to Authentication > SAML IdP > General and select Enable SAML Identity Provider portal.

    Enter the following information:

    Device FQDN To configure this setting, you must enter a Device FQDN in the System Information widget in the Dashboard.
    Server address Enter the IP address, or FQDN, of the FortiAuthenticator device.
    Username input format

    Select one of the following three username input formats:

    • username@realm
    • realm\username
    • realm/username
    Realms

    Select Add a realm to add the default local realm to which the users will be associated.

    Use Groups and Filter to add specific user groups.
    Login session timeout Set the user's login session timeout limit between 5 - 1440 minutes (one day). The default is 480 minutes (eight hours).
    IDP certificate Select a certificate from the dropdown menu.

    Select OK to apply any changes that you have made.

    Service providers

    Service Providers can be managed from Authentication > SAML IdP > Service Providers.

    To configure a SAML service provider:
    1. Select Create New.

    2. Enter the following information:
    SP name Enter a name for the SP.
    IDP prefix

    Enter a prefix for the IDP that will be appended to the end of the IDP URLs.

    Alternatively, you can select Generate unique prefix to generate a random 16 digit alphanumeric string.
    IDP address To configure the IDP address (and IDP settings below), you must have already configured the server's address under Authentication > SAML IdP > General.
    IDP entity id

    Configure the IDP's entity ID, for example:

    http://www.example.com/saml-idp/xxx/metadata/

    IDP single sign-on URL

    Configure the IDP's login URL, for example:

    http://www.example.com/saml-idp/xxx/login/

    IDP single logout URL

    Configure the IDP's logout URL, for example:

    http://www.example.com/saml-idp/xxx/logout/

    SP entity id Enter the SP's entity ID.
    SP ACS (login) URL Enter the SP's Assertion Consumer Service (ACS) login URL.
    SP SLS (logout) URL Enter the SP's Single Logout Service (SLS) logout URL.
    SAML request must be signed by SP Enable this option and import the SP certificate for authentication request signing by the SP.
    Authentication
    Authentication method

    Select one of the following:

    • Enforce two-factor authentication
    • Apply two-factor authentication if available (authenticate any user)
    • Password-only authentication (exclude users without a password)
    • FortiToken-only authentication (exclude users without a FortiToken)
    Bypass FortiToken authentication when user is from a trusted subnet

    Enable this option if you would like to have certain users bypass FortiToken authentication, so long as they belong to a trusted subnet.

    Select Configure subnets to be directed to configure trusted subnets (under Authentication > User Account Policies > Trusted Subnets).
    Debugging Options
    Do not return to service provider automatically after successful authentication, wait for user input Enable this option to let users choose where to navigate to once authenticated.
    Disable this service provider Disables the SP.
    Assertion Attributes
    Subject NameID

    Select the user attribute that serves as SAML assertion subject NameID.

    Select from either Username, Email, Remote LDAP user DN, Remote LDAP user objectGUID, Remote SAML Subject NameID, or Remote SAML Custom assertion. If the attribute being selected is not available for a user, Username will be used by default.
    Format Select from Unspecified, Transient, or Persistent.
    SAML Attribute

    Select Create New to create a new attribute that will be added to SAML assertion.

    The following user attributes are available when creating a new assertion attribute:

    • Username
    • First name
    • Last name
    • Email
    • FortiAuthenticator local group
    • Remote LDAP DN
    • Remote LDAP sAMAccountName
    • Remote LDAP userPrincipalName
    • Remote LDAP displayName
    • Remote LDAP objectGUID
    • Remote LDAP group

    Customizable successful login page

    The screen that appears for a successful SAML IdP login can be customized under Authentication > Self-service Portal > Replacement Messages, under SAML IdP.

    See Replacement messages for more information.

    Previous
    Next

    SAML IdP

    SAML IdP

    Security Assertion Markup Language (SAML) is used for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP), such as Google Apps, Office 365, and Salesforce. The FortiAuthenticator can be configured as an IdP, providing trust relationship authentication for unauthenticated users trying to access an SP.

    Different realms can be selectively enabled while configuring the FortiAuthenticator as the IdP. These realms are available under Authentication > Self-service Portal > Access Control, where they can be enabled, disabled, or group filtered.

    SAML authentication works as follows:

    1. A user tries to access an SP, for example Google, using a browser.
    2. The SP's web server requests the SAML assertions for its service from the browser.
    3. Two possibilities:
      • The user's browser already has valid SAML assertions, so it sends them to the SP's web server. The web server uses them to grant or deny access to the service. SAML authentication stops here.
      • The user's browser doesn't have valid SAML assertions, so the SP's web server redirects the browser to the SAML IdP.
    4. Two possibilities:
      • The user's browser is already authenticated with the IdP, go to step 5.
      • The user's browser is not yet authenticated with the IdP, IdP requests and validates the user's credentials. If successful, go to step 5. Otherwise, access is denied.
    5. IdP provides SAML assertions for the SP's and redirects the user's browser back to the SP's web server. Go back to step 2.

    General

    To configure general SAML IdP portal settings, go to Authentication > SAML IdP > General and select Enable SAML Identity Provider portal.

    Enter the following information:

    Device FQDN To configure this setting, you must enter a Device FQDN in the System Information widget in the Dashboard.
    Server address Enter the IP address, or FQDN, of the FortiAuthenticator device.
    Username input format

    Select one of the following three username input formats:

    • username@realm
    • realm\username
    • realm/username
    Realms

    Select Add a realm to add the default local realm to which the users will be associated.

    Use Groups and Filter to add specific user groups.
    Login session timeout Set the user's login session timeout limit between 5 - 1440 minutes (one day). The default is 480 minutes (eight hours).
    IDP certificate Select a certificate from the dropdown menu.

    Select OK to apply any changes that you have made.

    Service providers

    Service Providers can be managed from Authentication > SAML IdP > Service Providers.

    To configure a SAML service provider:
    1. Select Create New.

    2. Enter the following information:
    SP name Enter a name for the SP.
    IDP prefix

    Enter a prefix for the IDP that will be appended to the end of the IDP URLs.

    Alternatively, you can select Generate unique prefix to generate a random 16 digit alphanumeric string.
    IDP address To configure the IDP address (and IDP settings below), you must have already configured the server's address under Authentication > SAML IdP > General.
    IDP entity id

    Configure the IDP's entity ID, for example:

    http://www.example.com/saml-idp/xxx/metadata/

    IDP single sign-on URL

    Configure the IDP's login URL, for example:

    http://www.example.com/saml-idp/xxx/login/

    IDP single logout URL

    Configure the IDP's logout URL, for example:

    http://www.example.com/saml-idp/xxx/logout/

    SP entity id Enter the SP's entity ID.
    SP ACS (login) URL Enter the SP's Assertion Consumer Service (ACS) login URL.
    SP SLS (logout) URL Enter the SP's Single Logout Service (SLS) logout URL.
    SAML request must be signed by SP Enable this option and import the SP certificate for authentication request signing by the SP.
    Authentication
    Authentication method

    Select one of the following:

    • Enforce two-factor authentication
    • Apply two-factor authentication if available (authenticate any user)
    • Password-only authentication (exclude users without a password)
    • FortiToken-only authentication (exclude users without a FortiToken)
    Bypass FortiToken authentication when user is from a trusted subnet

    Enable this option if you would like to have certain users bypass FortiToken authentication, so long as they belong to a trusted subnet.

    Select Configure subnets to be directed to configure trusted subnets (under Authentication > User Account Policies > Trusted Subnets).
    Debugging Options
    Do not return to service provider automatically after successful authentication, wait for user input Enable this option to let users choose where to navigate to once authenticated.
    Disable this service provider Disables the SP.
    Assertion Attributes
    Subject NameID

    Select the user attribute that serves as SAML assertion subject NameID.

    Select from either Username, Email, Remote LDAP user DN, Remote LDAP user objectGUID, Remote SAML Subject NameID, or Remote SAML Custom assertion. If the attribute being selected is not available for a user, Username will be used by default.
    Format Select from Unspecified, Transient, or Persistent.
    SAML Attribute

    Select Create New to create a new attribute that will be added to SAML assertion.

    The following user attributes are available when creating a new assertion attribute:

    • Username
    • First name
    • Last name
    • Email
    • FortiAuthenticator local group
    • Remote LDAP DN
    • Remote LDAP sAMAccountName
    • Remote LDAP userPrincipalName
    • Remote LDAP displayName
    • Remote LDAP objectGUID
    • Remote LDAP group

    Customizable successful login page

    The screen that appears for a successful SAML IdP login can be customized under Authentication > Self-service Portal > Replacement Messages, under SAML IdP.

    See Replacement messages for more information.

    Previous
    Next