Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    6.5.0
    6.5.0
    6.4.0
    6.3.0
    6.2.0
    6.1.0
    6.0.0
    5.5.0

    Configuring a remote SAML server

    Configuring a remote SAML server

    Some fields, including IdP entity ID, IdP single sign-on URL, and IdP certificate fingerprint, are configured based on the corresponding OneLogin settings.

    It is advised that you set up OneLogin and the SAML server simultaneously.

    See Configuring SSO on OneLogin and Configuring application parameters on OneLogin.
    To configure a remote SAML server:
    1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.

      The Create New Remote SAML Server window opens.

    2. Enter a name for the SAML server.
    3. Select Type as Proxy.

      The Portal URL is the SAML SP login URL.

    4. In the Entity ID dropdown, select the non-Azure IdP entity ID.
    5. In the IdP Metadata pane:
      1. In IdP entity ID, enter Issuer URL from the SSO tab in OneLogin application configurtaion.
      2. In IdP single sign-on URL, enter SAML 2.0 Endpoint (HTTP) from the SSO tab in OneLogin application configurtaion.
      3. In IdP certificate fingerprint, select Import certificate, and upload the certificate fingerprint file that you saved while configuring the application on OneLogin. See Downloading the IdP certificate fingerprint on OneLogin.

        Alternatively, select Import IdP metadata to import the IdP related URL(s) you saved from OneLogin. See Importing IdP metadata.

    6. Enable SAML single logout and in IdP single logout URL enter SLO Endpoint (HTTP) from the SSO tab in OneLogin application configuration. See View Details.
    7. In the Username pane, ensure that Obtain username from is set to the default Subject NameID SAML assertion.
    8. In the Group Membership:
      1. In Obtain group membership from, select SAML assertions.
      2. In SAML assertions, select Text-based list, and enter group.

        group is the application parameter with Value set as Memberof. See Configuring a Memberof application parameter on OneLogin.

        In the Text-based list field, any value can be used so long it is a parameter for the OneLogin application.

    9. Optionally, enable Implicit group membership when only a single group exists.
    10. Click OK.

      Once the OneLogin application is set up and a certificate is associated with the application, you can download the IdP metadata by going to More Actions > SAML Metadata in one of the tabs when configuring the application.

    Previous
    Next

    Configuring a remote SAML server

    Configuring a remote SAML server

    Some fields, including IdP entity ID, IdP single sign-on URL, and IdP certificate fingerprint, are configured based on the corresponding OneLogin settings.

    It is advised that you set up OneLogin and the SAML server simultaneously.

    See Configuring SSO on OneLogin and Configuring application parameters on OneLogin.
    To configure a remote SAML server:
    1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.

      The Create New Remote SAML Server window opens.

    2. Enter a name for the SAML server.
    3. Select Type as Proxy.

      The Portal URL is the SAML SP login URL.

    4. In the Entity ID dropdown, select the non-Azure IdP entity ID.
    5. In the IdP Metadata pane:
      1. In IdP entity ID, enter Issuer URL from the SSO tab in OneLogin application configurtaion.
      2. In IdP single sign-on URL, enter SAML 2.0 Endpoint (HTTP) from the SSO tab in OneLogin application configurtaion.
      3. In IdP certificate fingerprint, select Import certificate, and upload the certificate fingerprint file that you saved while configuring the application on OneLogin. See Downloading the IdP certificate fingerprint on OneLogin.

        Alternatively, select Import IdP metadata to import the IdP related URL(s) you saved from OneLogin. See Importing IdP metadata.

    6. Enable SAML single logout and in IdP single logout URL enter SLO Endpoint (HTTP) from the SSO tab in OneLogin application configuration. See View Details.
    7. In the Username pane, ensure that Obtain username from is set to the default Subject NameID SAML assertion.
    8. In the Group Membership:
      1. In Obtain group membership from, select SAML assertions.
      2. In SAML assertions, select Text-based list, and enter group.

        group is the application parameter with Value set as Memberof. See Configuring a Memberof application parameter on OneLogin.

        In the Text-based list field, any value can be used so long it is a parameter for the OneLogin application.

    9. Optionally, enable Implicit group membership when only a single group exists.
    10. Click OK.

      Once the OneLogin application is set up and a certificate is associated with the application, you can download the IdP metadata by going to More Actions > SAML Metadata in one of the tabs when configuring the application.

    Previous
    Next