General
To configure general SAML IdP portal settings:
- Go to Authentication > SAML IdP > General, and select Enable SAML Identity Provider portal.
- Configure the following settings:
Device FQDN
To configure this setting, you must first enter a Device FQDN in the System Information widget on the Dashboard.
Server address
Enter the IP address or FQDN of the FortiAuthenticator device.
IdP-initiated login URL
The URL used to access the IdP portal in an IdP-initiated login scenario.
SPs configured in FortiAuthenticator must have the option Support IdP-initiated assertion response enabled in order to be listed in the portal.
Username input format
Select one of the following three username input formats:
- username@realm
- realm\username
- realm/username
Captcha
The state of the optional IP lockout CAPTCHA settings.
Note: The option is read-only.
Select the pen icon to edit the IP lockout CAPTCHA settings in Lockouts.
Use default realm when user-provided realm is different from all configured realms
When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.
Realms
Select Add a realm to add the default local realm with which users will be associated.
Use Groups and Filter to restrict the realm to specific user groups.
The realm limit is shared: realms configured in the legacy self-service portal and realms configured in SAML IdP together count toward the maximum of 100 realms.
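As an added illustration (not FortiAuthenticator code), the following Python shows how the three username input formats above split a typed login into username and realm, and how the Use default realm when user-provided realm is different from all configured realms option decides which realm the login is sent to. The realm names, the choice of the last @ as the separator for username@realm, exact (case-sensitive) realm matching, and the requirement that the default realm be one of the configured realms are assumptions of this example, not documented behaviour.

```python
# Added example (not FortiAuthenticator code): how the three "Username input
# format" choices split a typed login into username and realm, and how the
# "Use default realm when user-provided realm is different from all configured
# realms" option decides which realm the login is sent to.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Separator and operand order for each input format listed on this page.
# Assumption: for username@realm the last "@" is the separator, so an
# e-mail-style username such as jane@corp.example@lab still parses.
INPUT_FORMATS = {
    "username@realm": ("@", "username_first"),
    "realm\\username": ("\\", "realm_first"),
    "realm/username": ("/", "realm_first"),
}


@dataclass(frozen=True)
class LoginIdentity:
    username: str
    realm: str                  # realm that will actually be used
    realm_given: Optional[str]  # realm exactly as typed, None if omitted


def split_login(login: str, input_format: str) -> Tuple[str, Optional[str]]:
    """Split a typed login according to the selected input format.

    Only the selected format's separator is recognised; a login that does not
    contain it is treated as a bare username with no realm.
    """
    sep, order = INPUT_FORMATS[input_format]
    if sep not in login:
        return login, None
    if order == "username_first":
        username, realm = login.rsplit(sep, 1)
    else:
        realm, username = login.split(sep, 1)
    if not username or not realm:
        raise ValueError(f"malformed login {login!r} for format {input_format}")
    return username, realm


def resolve_realm(
    login: str,
    input_format: str,
    configured_realms: List[str],
    default_realm: str,
    use_default_on_mismatch: bool,
) -> LoginIdentity:
    """Pick the realm a login is authenticated against.

    Assumptions of this example: realm names are compared exactly
    (case-sensitive) and the default realm is one of the configured realms.
    """
    if default_realm not in configured_realms:
        raise ValueError("default realm must be one of the configured realms")
    username, realm_given = split_login(login, input_format)
    if realm_given is None:
        # No realm typed: the default realm applies.
        return LoginIdentity(username, default_realm, None)
    if realm_given in configured_realms:
        return LoginIdentity(username, realm_given, realm_given)
    if use_default_on_mismatch:
        # Option enabled: an unknown realm falls back to the default realm
        # instead of failing the login.
        return LoginIdentity(username, default_realm, realm_given)
    # Option disabled: an unknown realm rejects the login.
    raise LookupError(f"realm {realm_given!r} is not configured; login rejected")


if __name__ == "__main__":
    realms = ["corp.example", "lab"]  # constructed sample realms
    for fmt, login in [("username@realm", "jdoe@lab"),
                       ("realm\\username", "lab\\jdoe"),
                       ("realm/username", "partner/jdoe"),
                       ("realm/username", "jdoe@lab")]:
        ident = resolve_realm(login, fmt, realms, "corp.example", True)
        print(f"{fmt:16} {login:14} -> user={ident.username} realm={ident.realm}")
```

The last sample line in the demo is the case worth noticing: with realm/username selected, a login typed as jdoe@lab contains no "/" and is therefore treated as the bare username "jdoe@lab" in the default realm. The selected format is the only one parsed, so agree on one format with users before enabling the portal.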
Legacy login sequence
When enabled, the legacy sequence requests the username and password on the same form. When disabled, the first form requests only the username; the password is requested on a following form.
The option is disabled by default.
When doing IdP proxy to multiple remote SAML IdP servers, keep this option disabled.
IAM login
Enable to allow IAM login.
Note: The option is only available when Legacy login sequence is enabled.
Trusted endpoint single sign-on
When enabled, endpoints running SSOMA (the FortiClient Single Sign-On Mobility Agent) can log in without re-entering their username and password.
The username login page includes a Trusted Endpoint Single Sign-On button that allows single sign-on for trusted endpoints.
The legacy login page does not offer the Trusted Endpoint Single Sign-On button.
The option is disabled by default.
Note: Trusted endpoint single sign-on and Legacy login sequence options are mutually exclusive.
Listening port
Trusted endpoints TLS-connect to this TCP port to present their client certificate to the FortiAuthenticator (default = 8008).
Enforce MFA
When enabled, FortiAuthenticator enforces the token-based settings configured for the SP during trusted endpoint single sign-on.
When disabled, token-based verification is bypassed for trusted endpoints, so possession of the endpoint's client certificate stands in for the token.
Note: The option is only available when Trusted endpoint single sign-on is enabled.
Enforce IP matching
When enabled, the source IP address of the endpoint connecting to the listening port must match one of the IP addresses reported by SSOMA for trusted endpoint authentication to succeed. This ties the TLS connection to the endpoint that SSOMA reported, so disable the option only where the match cannot work, for example when the endpoint is on a private network and its connection to the FortiAuthenticator is NATed.
Login session timeout
Set the user's login session timeout between 5 and 1440 minutes (one day). The default is 480 minutes (eight hours).
Default IdP certificate
Select, from the dropdown menu, the default certificate the IdP uses to sign SAML assertions.
Automatically switch IdP certificate before its expiry time
Enable and select a New default IdP certificate from the dropdown.
Switch at
Enter a date (YYYY-MM-DD) and time when the new default IdP certificate applies.
Alternatively:
Use the calendar icon to select a date. For changing time, select the clock icon and choose a time from the list.
Select Today to switch to today's date or select Now to switch to the time now.
Default signing algorithm
Select a default signing algorithm from the dropdown.
Get nested groups for user
Enable to get nested groups for Windows AD users.
Use geolocation in FortiToken Mobile push notifications
Enable to use geolocation in FortiToken Mobile push notifications.
- Select Save to apply any changes that you have made.