Configure SAML settings on FortiAuthenticator
To configure FortiAuthenticator IdP settings:
- Go to Authentication > SAML IdP > General and click Enable SAML Identity Provider portal.
- Configure the following settings:
  - Server address: The IP address or FQDN of the FortiAuthenticator. Use the FQDN that the IdP certificate is issued for; it is embedded in the IdP entity ID and URLs that Microsoft is given, so it must match what is registered on the Microsoft side.
  - Realms: Select the previously created LDAP realm.
  - Default IdP certificate: Choose a certificate. The default can be used if desired. Whichever certificate signs the assertions (this one, or a per-SP override) is the one Microsoft must hold as the federation signing certificate, so rotating it means updating the federation settings on the Microsoft side as well.
The remaining settings can be left in their default state.
- Click OK to save your changes.
To configure the service provider settings on FortiAuthenticator:
- Go to Authentication > SAML IdP > Service Providers and click Create New.
- Configure the following settings:
  - SP Name: Enter a name for your service provider.
  - IdP Prefix: Click Generate prefix to create a new IdP prefix.
  - Server certificate: Select the certificate to be used in your configuration, or choose Use default setting in SAML IdP General page.
  - SP entity ID: Enter urn:federation:MicrosoftOnline.
  - SP ACS (login) URL: Enter https://login.microsoftonline.com/login.srf.
  - SP SLS (logout) URL: Enter https://login.microsoftonline.com/login.srf.
  - Participate in single logout: Enable this if you want this SP to participate in SAML single logout.
- In the Assertion Attributes section, configure the following settings:
  - Subject NameID: Select the user attribute mS-DS-ConsistencyGuid. Microsoft matches the federated user on this value (the account's ImmutableID), so it must be the same attribute that Azure AD Connect uses as the source anchor for those accounts.
  - Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
  Press Enter to apply the NameID settings; SAML attributes can then be created.
- In the Debugging Options section, click Create New to create a SAML attribute with the following settings:
  - SAML attribute: Enter IDPEmail.
  - User attribute: In the dropdown, select userPrincipalName under Remote LDAP server. The value sent as IDPEmail must equal the user's UserPrincipalName in the cloud tenant; if it does not, sign-in fails even though the assertion itself is valid.
- Click OK to save your changes.
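Once the SP object is saved, the quickest way to confirm the FortiAuthenticator is emitting what Microsoft expects is to capture one SAML response (browser developer tools or a SAML tracer extension) and check the fields that the settings above control: Destination, Issuer, Audience, NameID format and shape, and the IDPEmail attribute. The script below is an added example written for this page; it is not FortiAuthenticator or Microsoft code. The sample response in it is constructed by hand and unsigned, the issuer string is an assumed placeholder, and the check deliberately stops short of signature verification, which a real consumer must do with the IdP certificate before trusting any of these fields.

```python
"""Offline field check of a SAML response against the SP settings on this page."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from the service-provider settings configured above.
EXPECTED_AUDIENCE = "urn:federation:MicrosoftOnline"
EXPECTED_ACS = "https://login.microsoftonline.com/login.srf"
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EXPECTED_ATTRIBUTE = "IDPEmail"

UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Assumed IdP entity ID (placeholder): in practice this is the issuer value the
# FortiAuthenticator publishes for this SP and that was registered with Microsoft.
SAMPLE_ISSUER = "https://fac.example.com/saml-idp/abc123/metadata/"

# Constructed, unsigned sample response; bytes(range(16)) stands in for the GUID.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{EXPECTED_ACS}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EXPECTED_NAMEID_FORMAT}">{base64.b64encode(bytes(range(16))).decode()}</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EXPECTED_ATTRIBUTE}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text: str, issuer: str) -> list[str]:
    """Return the mismatches against the page's SP configuration; [] means all fields match.

    Signature verification is intentionally not done here; do it with the IdP
    certificate before trusting any field of a real response.
    """
    problems = []
    root = ET.fromstring(xml_text)

    # Destination must be the SP ACS (login) URL.
    if root.get("Destination") != EXPECTED_ACS:
        problems.append(f"Destination is {root.get('Destination')!r}, expected {EXPECTED_ACS!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element in Response")
        return problems

    # Issuer must be the IdP entity ID registered with Microsoft.
    iss = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if iss != issuer:
        problems.append(f"Issuer is {iss!r}, expected {issuer!r}")

    # Audience must be the SP entity ID.
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             default="", namespaces=NS)
    if aud != EXPECTED_AUDIENCE:
        problems.append(f"Audience is {aud!r}, expected {EXPECTED_AUDIENCE!r}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no Subject/NameID")
    else:
        if name_id.get("Format") != EXPECTED_NAMEID_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected {EXPECTED_NAMEID_FORMAT!r}")
        # Microsoft's ImmutableID is the base64 form of the 16-byte GUID
        # (mS-DS-ConsistencyGuid), so the NameID must decode to exactly 16 bytes.
        try:
            raw = base64.b64decode((name_id.text or "").strip(), validate=True)
        except ValueError:
            raw = b""
        if len(raw) != 16:
            problems.append(f"NameID {name_id.text!r} is not a base64-encoded 16-byte GUID")

    # IDPEmail must be present and look like a UPN.
    attrs = {
        a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    email = attrs.get(EXPECTED_ATTRIBUTE)
    if email is None:
        problems.append(f"attribute {EXPECTED_ATTRIBUTE} is missing")
    elif not UPN_RE.match(email):
        problems.append(f"{EXPECTED_ATTRIBUTE} value {email!r} is not a UPN")
    return problems


if __name__ == "__main__":
    for line in check_assertion(SAMPLE_RESPONSE, SAMPLE_ISSUER) or ["all fields match the SP configuration"]:
        print(line)
```

To use it on a real capture, base64-decode the SAMLResponse form field, pass the resulting XML to check_assertion together with the issuer the FortiAuthenticator actually advertises, and treat any reported line as a setting to revisit in the SP object above (a NameID that is not a 16-byte GUID usually means the wrong user attribute was chosen for Subject NameID).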