Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

SAML

To add a remote SAML Server:
  1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.
  2. The Create New Remote SAML Server window appears.

  3. Enter the following information:
    Name Enter a name for the remote SAML server.
    Description Enter a description for the remote SAML server.
    Device FQDN The FQDN of the configured device from the system dashboard.
    Show IDP proxy URLs Click to display the IDP proxy portal URL, Entity ID, and ACS (login) URL.
    Show IDP server URLs Click to display the IDP server portal URL, Entity ID, and ACS (login) URL.
    URL Nomenclature

    Select the method to determine the URL path of the SAML service provider.

    • Individualize:Enable to include the name of the SAML service provider in the URL path.
    • Legacy: Enable to set the URL to a predetermined URL path. Note that Legacy can only be enabled for an existing configured SAML identity providers.
    Portal URL

    The SAML service provider login URL.

    Entity ID

    The SAML service provider Entity ID.

    ACS (login) URL

    The SAML service provider Assertion Consumer Service (ACS) login URL.

    Import IDP metadata/certificate

    Select to import the SAML IdP metadata or certificate file.

    IDP entity ID

    Also known as the entity descriptor. Enter the unique name of the SAML identity provider, typically an absolute URL:

    https://idp_name.example.edu/idp

    IDP single sign-on URL Enter the identity provider portal URL you want to use for SSO.
    IDP certificate fingerprint

    Enter the fingerprint of the certificate file. To calculate the fingerprint, you can use OpenSSL.

    Use the following OpenSSL command:

    $ openssl x509 -noout -fingerprint -in "server.crt"

    Example result, showing the fingerprint:

    SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9

    Fingerprint algorithm The SAML portal by default uses SHA-256.

    Authentication context

    Select the authentication context value for the "RequestedAuthnContext" assertion.

    • Default: The default value uses "PasswordProtectedTransport" authentication, which indicates that the IdP requires users to be authenticated using a password-based method.
    • None: Omits the "RequestedAuthnContext" assertion when an alternative to password-based authentication is used.
    Enable IdP-initiated assertion response Allows IdP to send an assertion response to the SP without a prior request from the SP. Enabling this setting allows the SP to participate in IdP initiated login.
    Sign SAML requests with a local certificate Select to choose a local SAML certificate.
    Single Logout  
      Enable SAML single logout Select to enable SLS (logout) URL and set IDP single logout URL.
    Username

     

      Obtain username from

    Select the method to extract usernames:

    • Subject NameID SAML assertion: Enable to obtain usernames from the subject NameID assertion returned by the SAML IdP.
    • Text SAML assertion: Enable and enter the text-based SAML assertion that usernames are obtained from. For example: email
    Group Membership

     

      Obtain group membership from

    Most SAML IdP services will return the username in the Subject NameID assertion, however not all IdP services are consistent. FSSO requires group membership of each user with an active SSO session while different SAML IDP services require different methods of retrieving the group information. Before now, group information could only be obtained from very specific (hardcoded) SAML assertions. You can choose to configure SAML assertions used in group membership retrieval, retrieve group membership from an LDAP service, or retrieve group membership from an OAuth server.

    Select the method to extract usernames:

    • SAML assertions: Enable and choose whether usernames are pulled in from boolean assertions or text-based attributes.
    • LDAP lookup: Enable and select the LDAP server to obtain group memberships.
    • Cloud: Enable and select the OAuth server and group field to obtain group memberships.
      When the OAuth source is Azure Directory, you can configure Azure group UUID-to-name manual mapping as an alternative to dynamic lookups in the Groups field.
      Implicit group membership Select to choose a local group the retrieved SAML users are placed into.
  4. Select OK to add the remote SAML server.

SAML

To add a remote SAML Server:
  1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.
  2. The Create New Remote SAML Server window appears.

  3. Enter the following information:
    Name Enter a name for the remote SAML server.
    Description Enter a description for the remote SAML server.
    Device FQDN The FQDN of the configured device from the system dashboard.
    Show IDP proxy URLs Click to display the IDP proxy portal URL, Entity ID, and ACS (login) URL.
    Show IDP server URLs Click to display the IDP server portal URL, Entity ID, and ACS (login) URL.
    URL Nomenclature

    Select the method to determine the URL path of the SAML service provider.

    • Individualize:Enable to include the name of the SAML service provider in the URL path.
    • Legacy: Enable to set the URL to a predetermined URL path. Note that Legacy can only be enabled for an existing configured SAML identity providers.
    Portal URL

    The SAML service provider login URL.

    Entity ID

    The SAML service provider Entity ID.

    ACS (login) URL

    The SAML service provider Assertion Consumer Service (ACS) login URL.

    Import IDP metadata/certificate

    Select to import the SAML IdP metadata or certificate file.

    IDP entity ID

    Also known as the entity descriptor. Enter the unique name of the SAML identity provider, typically an absolute URL:

    https://idp_name.example.edu/idp

    IDP single sign-on URL Enter the identity provider portal URL you want to use for SSO.
    IDP certificate fingerprint

    Enter the fingerprint of the certificate file. To calculate the fingerprint, you can use OpenSSL.

    Use the following OpenSSL command:

    $ openssl x509 -noout -fingerprint -in "server.crt"

    Example result, showing the fingerprint:

    SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9

    Fingerprint algorithm The SAML portal by default uses SHA-256.

    Authentication context

    Select the authentication context value for the "RequestedAuthnContext" assertion.

    • Default: The default value uses "PasswordProtectedTransport" authentication, which indicates that the IdP requires users to be authenticated using a password-based method.
    • None: Omits the "RequestedAuthnContext" assertion when an alternative to password-based authentication is used.
    Enable IdP-initiated assertion response Allows IdP to send an assertion response to the SP without a prior request from the SP. Enabling this setting allows the SP to participate in IdP initiated login.
    Sign SAML requests with a local certificate Select to choose a local SAML certificate.
    Single Logout  
      Enable SAML single logout Select to enable SLS (logout) URL and set IDP single logout URL.
    Username

     

      Obtain username from

    Select the method to extract usernames:

    • Subject NameID SAML assertion: Enable to obtain usernames from the subject NameID assertion returned by the SAML IdP.
    • Text SAML assertion: Enable and enter the text-based SAML assertion that usernames are obtained from. For example: email
    Group Membership

     

      Obtain group membership from

    Most SAML IdP services will return the username in the Subject NameID assertion, however not all IdP services are consistent. FSSO requires group membership of each user with an active SSO session while different SAML IDP services require different methods of retrieving the group information. Before now, group information could only be obtained from very specific (hardcoded) SAML assertions. You can choose to configure SAML assertions used in group membership retrieval, retrieve group membership from an LDAP service, or retrieve group membership from an OAuth server.

    Select the method to extract usernames:

    • SAML assertions: Enable and choose whether usernames are pulled in from boolean assertions or text-based attributes.
    • LDAP lookup: Enable and select the LDAP server to obtain group memberships.
    • Cloud: Enable and select the OAuth server and group field to obtain group memberships.
      When the OAuth source is Azure Directory, you can configure Azure group UUID-to-name manual mapping as an alternative to dynamic lookups in the Groups field.
      Implicit group membership Select to choose a local group the retrieved SAML users are placed into.
  4. Select OK to add the remote SAML server.