Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

SAML IdP and SP configurations

Before configuring the IdP and SP settings, quickly note down the IP addresses and ports that will be used by the client endpoint to connect to the IdP and SP.

In this topology, the IP addresses and ports used by the client endpoint are:

FortiAuthenticator (IdP) – 10.0.3.7:443

FortiGate (SP) – 10.0.3.254:10443 (10443 is used for access related to SSL VPN based on the default listening port for SSL VPN. Change this accordingly when listening on a different port)

In general, the URLs used for the SP and IdP configurations in a SSL VPN scenario are in the following format:

Settings

FortiGate CLI setting

URL format

SP Entity ID

entity-id

http://<SP_IP>:<port>/remote/saml/metadata/

SP Assertion consumer service (login) URL

single-sign-on-url

https://<SP_IP>:<port>/remote/saml/login/

SP Single logout service URL

single-logout-url

https://<SP_IP>:<port>/remote/saml/logout/

IdP Entity ID

idp-entity-id

http://<IdP_IP>:<port>/saml-idp/<prefix>/metadata/

IdP Assertion consumer service URL (Single sign-on URL)

idp-single-sign-on-url

https://<IdP_IP>:<port>/saml-idp/<prefix>/login/

IdP Single logout service URL (single logout URL)

idp-single-logout-url

https://<IdP_IP>:<port>/saml-idp/<prefix>/logout/

To configure general SAML IdP settings on FortiAuthenticator:
  1. Go to Authentication > SAML IdP > General.
  2. Enable SAML Identity Provider portal.
  3. Enter the server address. This address must be accessible by the client endpoint.
  4. In Realms, select Add a realm and select the recently created realm from the dropdown.
  5. In Groups, enable Filter, and choose the Finance and Sales user groups that you recently created.
  6. In Default IdP certificate dropdown, select the IdP certificate created in Certificate Management > End Entities > Local Services. See Generating a server certificate.
  7. Click OK.

To configure service provider SAML settings on FortiAuthenticator
  1. Go to Authentication > SAML IdP > Service Providers and select Create New.
  2. Enter an SP name.
  3. Enter an IdP prefix. This prefix will appear in the IdP URLs.
  4. In Server certificate, choose the SAML IdP certificate created under Certificate Management > End Entities > Local Services. See Generating a server certificate.
  5. Store the IdP URLs on Notepad as they are needed on FortiGate.
  6. Enter the SP entity ID, SP ACS (login) URL, SP SLS (logout) URL as recommended in the table above.
  7. In Assertion Attributes, select Add Assertion Attribute:
    1. In SAML attribute, enter username.
    2. In User attribute dropdown, select FortiAuthenticator > Username.
  8. Select Add Assertion Attribute:
    1. In SAML attribute, enter group.
    2. In User attribute dropdown, select Remote LDAP server > Group.

      This is equivalent to returning the groups from the memberOf attribute.

    3. Click OK.

To configure SAML Single Sign-On settings on the FortiGate:

SAML settings can be configured from the GUI, but the default SP URLs must be changed after they are created. Therefore, the following instructions show how to configure the SAML settings from CLI instead.

  1. In the CLI console, enter the following commands:

    config user saml

    edit "fac_saml_idp-sslvpn"

    set cert "saml_sp.fortiad.info"

    set entity-id "http://10.0.3.254:10443/remote/saml/metadata/"

    set single-sign-on-url "https://10.0.3.254:10443/remote/saml/login/"

    set single-logout-url "https://10.0.3.254:10443/remote/saml/logout/"

    set idp-entity-id "http://10.0.3.7/saml-idp/fgt2/metadata/"

    set idp-single-sign-on-url "https://10.0.3.7/saml-idp/fgt2/login/"

    set idp-single-logout-url "https://10.0.3.7/saml-idp/fgt2/logout/"

    set idp-cert "saml_idp.fortiad.info"

    set user-name "username"

    set group-name "group"

    set digest-method sha1

    next

    end

  • The setting set cert <certificate> corresponds to the SP certificate imported to the FortiGate as a local certificate earlier in the example.

  • The setting set idp-cert <certificate> corresponds to the IdP certificate imported to the FortiGate as a remote certificate earlier in the example.

SAML IdP and SP configurations

Before configuring the IdP and SP settings, quickly note down the IP addresses and ports that will be used by the client endpoint to connect to the IdP and SP.

In this topology, the IP addresses and ports used by the client endpoint are:

FortiAuthenticator (IdP) – 10.0.3.7:443

FortiGate (SP) – 10.0.3.254:10443 (10443 is used for access related to SSL VPN based on the default listening port for SSL VPN. Change this accordingly when listening on a different port)

In general, the URLs used for the SP and IdP configurations in a SSL VPN scenario are in the following format:

Settings

FortiGate CLI setting

URL format

SP Entity ID

entity-id

http://<SP_IP>:<port>/remote/saml/metadata/

SP Assertion consumer service (login) URL

single-sign-on-url

https://<SP_IP>:<port>/remote/saml/login/

SP Single logout service URL

single-logout-url

https://<SP_IP>:<port>/remote/saml/logout/

IdP Entity ID

idp-entity-id

http://<IdP_IP>:<port>/saml-idp/<prefix>/metadata/

IdP Assertion consumer service URL (Single sign-on URL)

idp-single-sign-on-url

https://<IdP_IP>:<port>/saml-idp/<prefix>/login/

IdP Single logout service URL (single logout URL)

idp-single-logout-url

https://<IdP_IP>:<port>/saml-idp/<prefix>/logout/

To configure general SAML IdP settings on FortiAuthenticator:
  1. Go to Authentication > SAML IdP > General.
  2. Enable SAML Identity Provider portal.
  3. Enter the server address. This address must be accessible by the client endpoint.
  4. In Realms, select Add a realm and select the recently created realm from the dropdown.
  5. In Groups, enable Filter, and choose the Finance and Sales user groups that you recently created.
  6. In Default IdP certificate dropdown, select the IdP certificate created in Certificate Management > End Entities > Local Services. See Generating a server certificate.
  7. Click OK.

To configure service provider SAML settings on FortiAuthenticator
  1. Go to Authentication > SAML IdP > Service Providers and select Create New.
  2. Enter an SP name.
  3. Enter an IdP prefix. This prefix will appear in the IdP URLs.
  4. In Server certificate, choose the SAML IdP certificate created under Certificate Management > End Entities > Local Services. See Generating a server certificate.
  5. Store the IdP URLs on Notepad as they are needed on FortiGate.
  6. Enter the SP entity ID, SP ACS (login) URL, SP SLS (logout) URL as recommended in the table above.
  7. In Assertion Attributes, select Add Assertion Attribute:
    1. In SAML attribute, enter username.
    2. In User attribute dropdown, select FortiAuthenticator > Username.
  8. Select Add Assertion Attribute:
    1. In SAML attribute, enter group.
    2. In User attribute dropdown, select Remote LDAP server > Group.

      This is equivalent to returning the groups from the memberOf attribute.

    3. Click OK.

To configure SAML Single Sign-On settings on the FortiGate:

SAML settings can be configured from the GUI, but the default SP URLs must be changed after they are created. Therefore, the following instructions show how to configure the SAML settings from CLI instead.

  1. In the CLI console, enter the following commands:

    config user saml

    edit "fac_saml_idp-sslvpn"

    set cert "saml_sp.fortiad.info"

    set entity-id "http://10.0.3.254:10443/remote/saml/metadata/"

    set single-sign-on-url "https://10.0.3.254:10443/remote/saml/login/"

    set single-logout-url "https://10.0.3.254:10443/remote/saml/logout/"

    set idp-entity-id "http://10.0.3.7/saml-idp/fgt2/metadata/"

    set idp-single-sign-on-url "https://10.0.3.7/saml-idp/fgt2/login/"

    set idp-single-logout-url "https://10.0.3.7/saml-idp/fgt2/logout/"

    set idp-cert "saml_idp.fortiad.info"

    set user-name "username"

    set group-name "group"

    set digest-method sha1

    next

    end

  • The setting set cert <certificate> corresponds to the SP certificate imported to the FortiGate as a local certificate earlier in the example.

  • The setting set idp-cert <certificate> corresponds to the IdP certificate imported to the FortiGate as a remote certificate earlier in the example.