Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    6.5.0
    6.5.0
    6.4.0
    6.3.0
    6.2.0
    6.1.0
    6.0.0
    5.5.0

    SAML IdP and SP configurations

    SAML IdP and SP configurations

    Before configuring the IdP and SP settings, quickly note down the IP addresses and ports that will be used by the client endpoint to connect to the IdP and SP.

    In this topology, the IP addresses and ports used by the client endpoint are:

    FortiAuthenticator (IdP) – 10.0.3.7:443

    FortiGate (SP) – 10.0.3.254:10443 (10443 is used for access related to SSL VPN based on the default listening port for SSL VPN. Change this accordingly when listening on a different port)

    In general, the URLs used for the SP and IdP configurations in a SSL VPN scenario are in the following format:

    Settings

    FortiGate CLI setting

    URL format

    SP Entity ID

    entity-id

    http://<SP_IP>:<port>/remote/saml/metadata/

    SP Assertion consumer service (login) URL

    single-sign-on-url

    https://<SP_IP>:<port>/remote/saml/login/

    SP Single logout service URL

    single-logout-url

    https://<SP_IP>:<port>/remote/saml/logout/

    IdP Entity ID

    idp-entity-id

    http://<IdP_IP>:<port>/saml-idp/<prefix>/metadata/

    IdP Assertion consumer service URL (Single sign-on URL)

    idp-single-sign-on-url

    https://<IdP_IP>:<port>/saml-idp/<prefix>/login/

    IdP Single logout service URL (single logout URL)

    idp-single-logout-url

    https://<IdP_IP>:<port>/saml-idp/<prefix>/logout/
    To configure general SAML IdP settings on FortiAuthenticator:
    1. Go to Authentication > SAML IdP > General.
    2. Enable SAML Identity Provider portal.
    3. Enter the server address. This address must be accessible by the client endpoint.
    4. In Realms, select Add a realm and select the recently created realm from the dropdown.
    5. In Groups, enable Filter, and choose the Finance and Sales user groups that you recently created.
    6. In Default IdP certificate dropdown, select the IdP certificate created in Certificate Management > End Entities > Local Services. See Generating a server certificate.
    7. Click OK.

    To configure service provider SAML settings on FortiAuthenticator
    1. Go to Authentication > SAML IdP > Service Providers and select Create New.
    2. Enter an SP name.
    3. Enter an IdP prefix. This prefix will appear in the IdP URLs.
    4. In Server certificate, choose the SAML IdP certificate created under Certificate Management > End Entities > Local Services. See Generating a server certificate.
    5. Store the IdP URLs on Notepad as they are needed on FortiGate.
    6. Enter the SP entity ID, SP ACS (login) URL, SP SLS (logout) URL as recommended in the table above.
    7. In Assertion Attributes, select Add Assertion Attribute:
      1. In SAML attribute, enter username.
      2. In User attribute dropdown, select FortiAuthenticator > Username.
    8. Select Add Assertion Attribute:
      1. In SAML attribute, enter group.
      2. In User attribute dropdown, select Remote LDAP server > Group.

        This is equivalent to returning the groups from the memberOf attribute.

      3. Click OK.

    To configure SAML Single Sign-On settings on the FortiGate:

    SAML settings can be configured from the GUI, but the default SP URLs must be changed after they are created. Therefore, the following instructions show how to configure the SAML settings from CLI instead.

    1. In the CLI console, enter the following commands:

      config user saml

      edit "fac_saml_idp-sslvpn"

      set cert "saml_sp.fortiad.info"

      set entity-id "http://10.0.3.254:10443/remote/saml/metadata/"

      set single-sign-on-url "https://10.0.3.254:10443/remote/saml/login/"

      set single-logout-url "https://10.0.3.254:10443/remote/saml/logout/"

      set idp-entity-id "http://10.0.3.7/saml-idp/fgt2/metadata/"

      set idp-single-sign-on-url "https://10.0.3.7/saml-idp/fgt2/login/"

      set idp-single-logout-url "https://10.0.3.7/saml-idp/fgt2/logout/"

      set idp-cert "saml_idp.fortiad.info"

      set user-name "username"

      set group-name "group"

      set digest-method sha1

      next

      end

    • The setting set cert <certificate> corresponds to the SP certificate imported to the FortiGate as a local certificate earlier in the example.

    • The setting set idp-cert <certificate> corresponds to the IdP certificate imported to the FortiGate as a remote certificate earlier in the example.
    Previous
    Next

    SAML IdP and SP configurations

    SAML IdP and SP configurations

    Before configuring the IdP and SP settings, quickly note down the IP addresses and ports that will be used by the client endpoint to connect to the IdP and SP.

    In this topology, the IP addresses and ports used by the client endpoint are:

    FortiAuthenticator (IdP) – 10.0.3.7:443

    FortiGate (SP) – 10.0.3.254:10443 (10443 is used for access related to SSL VPN based on the default listening port for SSL VPN. Change this accordingly when listening on a different port)

    In general, the URLs used for the SP and IdP configurations in a SSL VPN scenario are in the following format:

    Settings

    FortiGate CLI setting

    URL format

    SP Entity ID

    entity-id

    http://<SP_IP>:<port>/remote/saml/metadata/

    SP Assertion consumer service (login) URL

    single-sign-on-url

    https://<SP_IP>:<port>/remote/saml/login/

    SP Single logout service URL

    single-logout-url

    https://<SP_IP>:<port>/remote/saml/logout/

    IdP Entity ID

    idp-entity-id

    http://<IdP_IP>:<port>/saml-idp/<prefix>/metadata/

    IdP Assertion consumer service URL (Single sign-on URL)

    idp-single-sign-on-url

    https://<IdP_IP>:<port>/saml-idp/<prefix>/login/

    IdP Single logout service URL (single logout URL)

    idp-single-logout-url

    https://<IdP_IP>:<port>/saml-idp/<prefix>/logout/
    To configure general SAML IdP settings on FortiAuthenticator:
    1. Go to Authentication > SAML IdP > General.
    2. Enable SAML Identity Provider portal.
    3. Enter the server address. This address must be accessible by the client endpoint.
    4. In Realms, select Add a realm and select the recently created realm from the dropdown.
    5. In Groups, enable Filter, and choose the Finance and Sales user groups that you recently created.
    6. In Default IdP certificate dropdown, select the IdP certificate created in Certificate Management > End Entities > Local Services. See Generating a server certificate.
    7. Click OK.

    To configure service provider SAML settings on FortiAuthenticator
    1. Go to Authentication > SAML IdP > Service Providers and select Create New.
    2. Enter an SP name.
    3. Enter an IdP prefix. This prefix will appear in the IdP URLs.
    4. In Server certificate, choose the SAML IdP certificate created under Certificate Management > End Entities > Local Services. See Generating a server certificate.
    5. Store the IdP URLs on Notepad as they are needed on FortiGate.
    6. Enter the SP entity ID, SP ACS (login) URL, SP SLS (logout) URL as recommended in the table above.
    7. In Assertion Attributes, select Add Assertion Attribute:
      1. In SAML attribute, enter username.
      2. In User attribute dropdown, select FortiAuthenticator > Username.
    8. Select Add Assertion Attribute:
      1. In SAML attribute, enter group.
      2. In User attribute dropdown, select Remote LDAP server > Group.

        This is equivalent to returning the groups from the memberOf attribute.

      3. Click OK.

    To configure SAML Single Sign-On settings on the FortiGate:

    SAML settings can be configured from the GUI, but the default SP URLs must be changed after they are created. Therefore, the following instructions show how to configure the SAML settings from CLI instead.

    1. In the CLI console, enter the following commands:

      config user saml

      edit "fac_saml_idp-sslvpn"

      set cert "saml_sp.fortiad.info"

      set entity-id "http://10.0.3.254:10443/remote/saml/metadata/"

      set single-sign-on-url "https://10.0.3.254:10443/remote/saml/login/"

      set single-logout-url "https://10.0.3.254:10443/remote/saml/logout/"

      set idp-entity-id "http://10.0.3.7/saml-idp/fgt2/metadata/"

      set idp-single-sign-on-url "https://10.0.3.7/saml-idp/fgt2/login/"

      set idp-single-logout-url "https://10.0.3.7/saml-idp/fgt2/logout/"

      set idp-cert "saml_idp.fortiad.info"

      set user-name "username"

      set group-name "group"

      set digest-method sha1

      next

      end

    • The setting set cert <certificate> corresponds to the SP certificate imported to the FortiGate as a local certificate earlier in the example.

    • The setting set idp-cert <certificate> corresponds to the IdP certificate imported to the FortiGate as a remote certificate earlier in the example.
    Previous
    Next