SAML IdP and SP configurations
|
Before configuring the IdP and SP settings, quickly note down the IP addresses and ports that will be used by the client endpoint to connect to the IdP and SP. |
In this topology, the IP addresses and ports used by the client endpoint are:
• FortiAuthenticator (IdP) – 10.0.3.7:443
• FortiGate (SP) – 10.0.3.254:10443 (10443 is used for access related to SSL VPN based on the default listening port for SSL VPN. Change this accordingly when listening on a different port)
In general, the URLs used for the SP and IdP configurations in a SSL VPN scenario are in the following format:
|
Settings |
FortiGate CLI setting |
URL format |
|---|---|---|
|
SP Entity ID |
|
http://<SP_IP>:<port>/remote/saml/metadata/ |
|
SP Assertion consumer service (login) URL |
|
https://<SP_IP>:<port>/remote/saml/login/ |
|
SP Single logout service URL |
|
https://<SP_IP>:<port>/remote/saml/logout/ |
|
IdP Entity ID |
|
http://<IdP_IP>:<port>/saml-idp/<prefix>/metadata/ |
|
IdP Assertion consumer service URL (Single sign-on URL) |
|
https://<IdP_IP>:<port>/saml-idp/<prefix>/login/ |
|
IdP Single logout service URL (single logout URL) |
|
https://<IdP_IP>:<port>/saml-idp/<prefix>/logout/ |
To configure general SAML IdP settings on FortiAuthenticator:
- Go to Authentication > SAML IdP > General.
- Enable SAML Identity Provider portal.
- Enter the server address. This address must be accessible by the client endpoint.
- In Realms, select Add a realm and select the recently created realm from the dropdown.
- In Groups, enable Filter, and choose the Finance and Sales user groups that you recently created.
- In Default IdP certificate dropdown, select the IdP certificate created in Certificate Management > End Entities > Local Services. See Generating a server certificate.
- Click OK.
To configure service provider SAML settings on FortiAuthenticator
- Go to Authentication > SAML IdP > Service Providers and select Create New.
- Enter an SP name.
- Enter an IdP prefix. This prefix will appear in the IdP URLs.
- In Server certificate, choose the SAML IdP certificate created under Certificate Management > End Entities > Local Services. See Generating a server certificate.
- Store the IdP URLs on Notepad as they are needed on FortiGate.
- Enter the SP entity ID, SP ACS (login) URL, SP SLS (logout) URL as recommended in the table above.
- In Assertion Attributes, select Add Assertion Attribute:
- In SAML attribute, enter
username. - In User attribute dropdown, select FortiAuthenticator > Username.
- In SAML attribute, enter
- Select Add Assertion Attribute:
- In SAML attribute, enter
group. - In User attribute dropdown, select Remote LDAP server > Group.
This is equivalent to returning the groups from the memberOf attribute.
- Click OK.
- In SAML attribute, enter
To configure SAML Single Sign-On settings on the FortiGate:
SAML settings can be configured from the GUI, but the default SP URLs must be changed after they are created. Therefore, the following instructions show how to configure the SAML settings from CLI instead.
-
In the CLI console, enter the following commands:
config user saml
edit "fac_saml_idp-sslvpn"
set cert "saml_sp.fortiad.info"
set entity-id "http://10.0.3.254:10443/remote/saml/metadata/"
set single-sign-on-url "https://10.0.3.254:10443/remote/saml/login/"
set single-logout-url "https://10.0.3.254:10443/remote/saml/logout/"
set idp-entity-id "http://10.0.3.7/saml-idp/fgt2/metadata/"
set idp-single-sign-on-url "https://10.0.3.7/saml-idp/fgt2/login/"
set idp-single-logout-url "https://10.0.3.7/saml-idp/fgt2/logout/"
set idp-cert "saml_idp.fortiad.info"
set user-name "username"
set group-name "group"
set digest-method sha1
next
end
|
|