Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAuthenticator 6.4.3 Administration Guide
    6.4.3
    6.6.2
    6.6.1
    6.6.0
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.1
    4.2.0

    Service providers

    Service providers

    Service providers (SP) can be managed from Authentication > SAML IdP > Service Providers.

    To configure SAML service provider settings:
    1. Select Create New.

    2. Enter the following information:
      IdP addressTo configure the IdP address (and IdP settings below), you must have already configured the server's address under Authentication > SAML IdP > General.
      SP nameEnter a name for the SP.
      IdP prefix

      Select a prefix for the IdP that is appended to the end of the IdP URLs.

      Select + to create an alternate IdP prefix. Alternatively, you can select Generate prefix in the Create Alternate IdP Prefix dialog to generate a random 16 digit alphanumeric string.

      Select x to remove the IdP prefix.

      IdP entity id

      The IdP's entity ID, for example:

      http://www.example.com/saml-idp/xxx/metadata/

      IdP single sign-on URL

      The IdP's login URL, for example:

      http://www.example.com/saml-idp/xxx/login/

      IdP single logout URL

      The IdP's logout URL, for example:

      http://www.example.com/saml-idp/xxx/logout/

      Server certificate

      Select a server certificate to use for the SP. If a certificate is not selected, the specified default IdP certificate is used.

      IdP signing algorithm

      Select an IdP signing algorithm from the dropdown.

      Support IdP-initiated assertion response

      Allows the IdP to send an assertion response to the SP without a prior request from the SP.

      Enabling this setting allows the SP to participate in IdP initiated login, and causes the SP to appear in the IdP login portal.

      Relay state

      Allows SP to redirect user to the provided URL after a successful assertion response.

      Participate in single logout

      Enable or disable participation in single logout for the SAML IdP service.

      SP MetadataSP Metadata fields are only available once the SAML Service Provider settings has been saved.

      		SP entity idEnter the SP's entity ID.

      		SP ACS (login) URL

      Enter the SP's Assertion Consumer Service (ACS) login URL.

      Click Alternative ACS URLs to configure up to three additional ACS (login) and SLS (logout) URLs.

      		SP SLS (logout) URLEnter the SP's Single Logout Service (SLS) logout URL.
      SAML request must be signed by SPEnable this option and import the SP certificate for authentication request signing by the SP.

      Certificate type

      SP certificate: The SP request is signed by the specified certificate.

      Direct CA certificate: The SP request must contain the SP certificate fingerprint that was used to sign the request, and the certificate fingerprint must be issued by the CA specified in the configuration.

      Certificate fingerprint

      The primary certificate for verifying the SP request signature.

      Fingerprint algorithm

      Displays the detected fingerprint algorithm of the certificate fingerprint or alternative certificate fingerprint.

      Alternative certificate fingerprint

      Specify a second acceptable certificate for verifying the SP request signature. FortiAuthenticator will accept SP requests with a valid signature from either configured certificate.

      Use ACS URL from SP authentication request (override ACS URLs configured above)

      When enabled, indicates that the ACS URL must be included within the SP request, and that the FortiAuthenticator must use it instead of the pre-configured ACS URL.

      Authentication
      Authentication method

      Select one of the following:

      • Mandatory password and OTP

      • All configured password and OTP factors

      • Password-only

      • OTP-only

      • FIDO-only:

        • FIDO-only: Log in with FIDO token only (without password).

        • Password and FIDO: Log in with the password and the FIDO token.

        • Allow two-factor authentication (password and OTP) if all FIDO keys have been revoked for the user account: Enable to allow two-factor authentication (password and OTP) if all FIDO keys have been revoked for the user account.

      Adaptive Authentication

      Enable this option if you would like to have certain users bypass the OTP verification, so long as they belong to a trusted subnet.

      Select Configure subnets to configure trusted subnets (under Authentication > User Account Policies > Trusted Subnets).

      Select All trusted subnets to add all the available trusted subnets.

      You can specify the trusted subnets by selecting Specify trusted subnets and clicking the pen icon. This opens a window where you can choose from a list of available trusted subnets.

      This option is only available for Mandatory password and OTP and All configured password and OTP factors authentication methods.

      Application name for FTM push notification

      Enter the client application name. This field is displayed on the FortiToken app.

      When creating a new SP or upgrading to FortiAuthenticator 6.4, the SP name is the default client application name.

      Use FIDO-only authentication if requested by the SP

      Enable to use FIDO-only authentication if requested by the SP.

      This option is not available for FIDO-only authentication method.

      Assertion Attribute Configuration
      Subject NameID

      Select the user attribute that serves as SAML assertion subject NameID.

      Select from either Username, Email, Remote LDAP user DN, Remote LDAP user objectGUID, Remote LDAP user mS-DS ConsistencyGuid, Remote LDAP Custom attribute, Remote SAML Subject NameID, or Remote SAML Custom assertion.

      If the attribute selected is not available for a user, Username is used by default.

      FormatSelect from Unspecified, Transient, or Persistent.

      Include realm name in subject NameID

      When enabled, you can select the username/realm format to include in subject NameID.

      Assertion Attributes

      SAML Attribute

      Enter a name for the SAML attribute.

      Select Add Assertion Attribute to add the attribute.

      The following user attributes are available when creating a new assertion attribute:

      FortiAuthenticator:

      • Username

      • First Name

      • Last Name

      • Email

      • Group

      • IAM account name

      • IAM account alias

      • IAM username

      Remote LDAP server:

      • DN

      • sAMAccountName

      • userPrincipalName

      • displayName

      • objectGUID

      • mS-DS-ConsistencyGuid

      • Group
      • Custom attribute (supports multiple values)

      Remote RADIUS server:

      • RADIUS attribute

      When RADIUS attribute is selected as the User attribute, the following additional settings are available in the Create New Assertion Attribute dialog:

      • Vendor: The RADIUS vendor name.

      • Attribute ID: The attribute within the vendor's RADIUS dictionary.

      Remote SAML server:

      • SAML username

      • SAML group membership

      • SAML assertion

      Other:

      • Authentication status

      • Realm (returns the realm that the end user was authenticated against)

      Debugging Options
      Do not return to service provider automatically after successful authentication, wait for user inputEnable this option to let users choose where to navigate to after they are authenticated.
      Disable this service providerDisables the SP.
    Previous
    Next

    Service providers

    Service providers

    Service providers (SP) can be managed from Authentication > SAML IdP > Service Providers.

    To configure SAML service provider settings:
    1. Select Create New.

    2. Enter the following information:
      IdP addressTo configure the IdP address (and IdP settings below), you must have already configured the server's address under Authentication > SAML IdP > General.
      SP nameEnter a name for the SP.
      IdP prefix

      Select a prefix for the IdP that is appended to the end of the IdP URLs.

      Select + to create an alternate IdP prefix. Alternatively, you can select Generate prefix in the Create Alternate IdP Prefix dialog to generate a random 16 digit alphanumeric string.

      Select x to remove the IdP prefix.

      IdP entity id

      The IdP's entity ID, for example:

      http://www.example.com/saml-idp/xxx/metadata/

      IdP single sign-on URL

      The IdP's login URL, for example:

      http://www.example.com/saml-idp/xxx/login/

      IdP single logout URL

      The IdP's logout URL, for example:

      http://www.example.com/saml-idp/xxx/logout/

      Server certificate

      Select a server certificate to use for the SP. If a certificate is not selected, the specified default IdP certificate is used.

      IdP signing algorithm

      Select an IdP signing algorithm from the dropdown.

      Support IdP-initiated assertion response

      Allows the IdP to send an assertion response to the SP without a prior request from the SP.

      Enabling this setting allows the SP to participate in IdP initiated login, and causes the SP to appear in the IdP login portal.

      Relay state

      Allows SP to redirect user to the provided URL after a successful assertion response.

      Participate in single logout

      Enable or disable participation in single logout for the SAML IdP service.

      SP MetadataSP Metadata fields are only available once the SAML Service Provider settings has been saved.

      		SP entity idEnter the SP's entity ID.

      		SP ACS (login) URL

      Enter the SP's Assertion Consumer Service (ACS) login URL.

      Click Alternative ACS URLs to configure up to three additional ACS (login) and SLS (logout) URLs.

      		SP SLS (logout) URLEnter the SP's Single Logout Service (SLS) logout URL.
      SAML request must be signed by SPEnable this option and import the SP certificate for authentication request signing by the SP.

      Certificate type

      SP certificate: The SP request is signed by the specified certificate.

      Direct CA certificate: The SP request must contain the SP certificate fingerprint that was used to sign the request, and the certificate fingerprint must be issued by the CA specified in the configuration.

      Certificate fingerprint

      The primary certificate for verifying the SP request signature.

      Fingerprint algorithm

      Displays the detected fingerprint algorithm of the certificate fingerprint or alternative certificate fingerprint.

      Alternative certificate fingerprint

      Specify a second acceptable certificate for verifying the SP request signature. FortiAuthenticator will accept SP requests with a valid signature from either configured certificate.

      Use ACS URL from SP authentication request (override ACS URLs configured above)

      When enabled, indicates that the ACS URL must be included within the SP request, and that the FortiAuthenticator must use it instead of the pre-configured ACS URL.

      Authentication
      Authentication method

      Select one of the following:

      • Mandatory password and OTP

      • All configured password and OTP factors

      • Password-only

      • OTP-only

      • FIDO-only:

        • FIDO-only: Log in with FIDO token only (without password).

        • Password and FIDO: Log in with the password and the FIDO token.

        • Allow two-factor authentication (password and OTP) if all FIDO keys have been revoked for the user account: Enable to allow two-factor authentication (password and OTP) if all FIDO keys have been revoked for the user account.

      Adaptive Authentication

      Enable this option if you would like to have certain users bypass the OTP verification, so long as they belong to a trusted subnet.

      Select Configure subnets to configure trusted subnets (under Authentication > User Account Policies > Trusted Subnets).

      Select All trusted subnets to add all the available trusted subnets.

      You can specify the trusted subnets by selecting Specify trusted subnets and clicking the pen icon. This opens a window where you can choose from a list of available trusted subnets.

      This option is only available for Mandatory password and OTP and All configured password and OTP factors authentication methods.

      Application name for FTM push notification

      Enter the client application name. This field is displayed on the FortiToken app.

      When creating a new SP or upgrading to FortiAuthenticator 6.4, the SP name is the default client application name.

      Use FIDO-only authentication if requested by the SP

      Enable to use FIDO-only authentication if requested by the SP.

      This option is not available for FIDO-only authentication method.

      Assertion Attribute Configuration
      Subject NameID

      Select the user attribute that serves as SAML assertion subject NameID.

      Select from either Username, Email, Remote LDAP user DN, Remote LDAP user objectGUID, Remote LDAP user mS-DS ConsistencyGuid, Remote LDAP Custom attribute, Remote SAML Subject NameID, or Remote SAML Custom assertion.

      If the attribute selected is not available for a user, Username is used by default.

      FormatSelect from Unspecified, Transient, or Persistent.

      Include realm name in subject NameID

      When enabled, you can select the username/realm format to include in subject NameID.

      Assertion Attributes

      SAML Attribute

      Enter a name for the SAML attribute.

      Select Add Assertion Attribute to add the attribute.

      The following user attributes are available when creating a new assertion attribute:

      FortiAuthenticator:

      • Username

      • First Name

      • Last Name

      • Email

      • Group

      • IAM account name

      • IAM account alias

      • IAM username

      Remote LDAP server:

      • DN

      • sAMAccountName

      • userPrincipalName

      • displayName

      • objectGUID

      • mS-DS-ConsistencyGuid

      • Group
      • Custom attribute (supports multiple values)

      Remote RADIUS server:

      • RADIUS attribute

      When RADIUS attribute is selected as the User attribute, the following additional settings are available in the Create New Assertion Attribute dialog:

      • Vendor: The RADIUS vendor name.

      • Attribute ID: The attribute within the vendor's RADIUS dictionary.

      Remote SAML server:

      • SAML username

      • SAML group membership

      • SAML assertion

      Other:

      • Authentication status

      • Realm (returns the realm that the end user was authenticated against)

      Debugging Options
      Do not return to service provider automatically after successful authentication, wait for user inputEnable this option to let users choose where to navigate to after they are authenticated.
      Disable this service providerDisables the SP.
    Previous
    Next