SAML
To add a remote SAML Server:
- Go to Authentication > Remote Auth. Servers > SAML and select Create New. The Create New Remote SAML Server window appears.
- Enter the following information:
Name
Enter a name for the remote SAML server.
Description
Enter a description for the remote SAML server.
Device FQDN
The FQDN of the configured device, as shown on the system dashboard.
Type
Select FSSO or Proxy as the remote SAML server type.
URL Nomenclature
Select the method used to build the URL path of the SAML service provider:
- Individualize: Enable to include the name of the SAML service provider in the URL path.
- Legacy: Enable to use a predetermined URL path. Legacy can only be enabled for an existing, already configured SAML identity provider.
Portal URL
The SAML service provider login URL.
Entity ID
The SAML service provider Entity ID.
ACS (login) URL
The SAML service provider Assertion Consumer Service (ACS) login URL.
Import IDP metadata/certificate
Select to import the SAML IdP metadata or certificate file.
IDP entity ID
Also known as the entity descriptor. Enter the unique name of the SAML identity provider, typically an absolute URL, for example:
https://idp_name.example.edu/idp
IDP single sign-on URL
Enter the identity provider portal URL you want to use for SSO.
IDP certificate fingerprint
Enter the fingerprint of the IdP certificate file. The value must be computed with the algorithm selected under Fingerprint algorithm below. To calculate the fingerprint, you can use OpenSSL:
$ openssl x509 -noout -fingerprint -in "server.crt"
Example result, showing the fingerprint (without a digest option, OpenSSL prints the SHA-1 fingerprint):
SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9
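The OpenSSL output above is SHA-1; the SHA-256 value the portal expects by default comes from openssl x509 -noout -fingerprint -sha256 -in server.crt. The following is an added example, not code from the FortiAuthenticator documentation or product: it reads the IdP metadata file you would otherwise import, pulls the signing certificate out of it and computes the fingerprint in both algorithms, so the value you paste into the portal can be checked against what the IdP actually publishes. A certificate fingerprint is simply a hash over the certificate's DER bytes, which is exactly what OpenSSL prints, so no crypto library is needed. The metadata is constructed for the example, and its X509Certificate payload is a placeholder (base64 of the bytes "abc") rather than a real DER certificate.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata. The <ds:X509Certificate> payload is a
# placeholder ("YWJj" = base64 of b"abc") standing in for the base64 DER of
# the IdP signing certificate; the hashing path is identical for a real one.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp_name.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp_name.example.edu/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_certs_der(metadata_xml: str) -> List[bytes]:
    """DER bytes of each signing certificate in IdP metadata. A KeyDescriptor
    with no 'use' attribute is valid for signing too, so it is included;
    use="encryption" keys are skipped (their fingerprint would never match)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata wraps the base64 body in whitespace/newlines; strip it first.
            certs.append(base64.b64decode(re.sub(r"\s+", "", cert.text or "")))
    return certs


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex, the format OpenSSL prints and the portal
    expects. SHA-256 is the portal default; pass "sha1" for a legacy value."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Make a pasted fingerprint comparable: drop colons and spaces, upper-case."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def matching_algorithm(der: bytes, expected: str) -> Optional[str]:
    """Return "sha1" or "sha256" if `expected` is the fingerprint of `der` under
    that algorithm (inferred from its length: 40 hex chars vs 64), else None.
    Compare the result with the portal's Fingerprint algorithm setting."""
    exp = normalize(expected)
    algo = {40: "sha1", 64: "sha256"}.get(len(exp))
    if algo and normalize(fingerprint(der, algo)) == exp:
        return algo
    return None


if __name__ == "__main__":
    for der in signing_certs_der(SAMPLE_METADATA):
        print("SHA256 Fingerprint=" + fingerprint(der, "sha256"))
        print("SHA1 Fingerprint=" + fingerprint(der, "sha1"))
```

If matching_algorithm returns "sha1" while the portal's Fingerprint algorithm is left at its SHA-256 default, the IdP signature check will fail at login time even though the certificate is right; recompute with SHA-256 or change the setting to match.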
Fingerprint algorithm
The hash algorithm used to compute the IdP certificate fingerprint. The SAML portal uses SHA-256 by default.
Certificate issuer
Displays the certificate issuer.
Certificate subject
Displays the certificate subject.
Validity period
Displays the certificate validity period.
Authentication context
Select the authentication context value sent in the "RequestedAuthnContext" element of the SAML authentication request.
- Default: Uses the "PasswordProtectedTransport" authentication context class, which tells the IdP that users must be authenticated with a password-based method.
- MFA: Enforces MFA on the remote SAML IdP server. When selected, FortiAuthenticator indicates in its SAML authentication requests to the remote IdP that MFA is required.
- None: Omits the "RequestedAuthnContext" element. Use this when an alternative to password-based authentication is used.
When MFA enforcement is enabled and the IdP response contains a non-MFA authentication context, the authentication fails with Error 401 Unauthorized.
Attempt token-based authentication locally if external IdP does password-only authentication
Enable to attempt token-based authentication locally when the external IdP performs only password-based authentication.
Note: This option is only available when Type is Proxy and Authentication context is MFA.
Send username in this parameter
Specify the name of the parameter in which the remote IdP receives the username, so that it can prefill the username login field (default = username).
Strip realm from username before sending
Enable to strip the realm from the username before it is sent to the IdP. This option is enabled by default.
Enable IdP-initiated assertion response
Allows the IdP to send an assertion response to the SP without a prior request from the SP. Enabling this setting allows the SP to participate in IdP-initiated login. Note that such responses carry no InResponseTo value, so the SP cannot tie them to a request it issued; leave this disabled unless IdP-initiated login is actually needed.
Send AuthnRequest with HTTP-POST binding
If enabled, the HTTP-POST binding is used for authentication requests. Otherwise, the HTTP-Redirect binding is used by default.
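What the Authentication context choices and the two request bindings look like on the wire, as an added example that is not FortiAuthenticator's code: it builds the AuthnRequest with, without, or with an MFA RequestedAuthnContext, then encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded SAMLRequest query parameter) and for the HTTP-POST binding (base64 in a form field). The page does not name the class reference FortiAuthenticator sends for MFA, so the MFA URI below is an assumption chosen only to give the example a concrete value; the SP and IdP URLs are placeholders, not a FortiAuthenticator URL layout.

```python
import base64
import datetime
import uuid
import zlib
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import escape, quoteattr

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# ASSUMPTION: the page does not say which class reference is sent for MFA;
# this value exists only so the example has something concrete to emit.
ASSUMED_MFA_CLASS = "http://schemas.microsoft.com/claims/multipleauthn"


def requested_authn_context(mode: str) -> str:
    """RequestedAuthnContext element for the three UI choices. "None" returns
    an empty string so the element is omitted from the request altogether."""
    if mode == "None":
        return ""
    cls = {"Default": PASSWORD_PROTECTED, "MFA": ASSUMED_MFA_CLASS}[mode]
    return ('<samlp:RequestedAuthnContext Comparison="exact">'
            f"<saml:AuthnContextClassRef>{cls}</saml:AuthnContextClassRef>"
            "</samlp:RequestedAuthnContext>")


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, mode="Default",
                        request_id=None, issue_instant=None):
    """Unsigned AuthnRequest. Attribute values go through quoteattr/escape so a
    URL containing '&' or '"' cannot break the XML."""
    rid = request_id or "_" + uuid.uuid4().hex
    instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID={quoteattr(rid)} Version="2.0" IssueInstant="{instant}" '
            f'Destination={quoteattr(idp_sso_url)} '
            f'AssertionConsumerServiceURL={quoteattr(acs_url)} '
            f'ProtocolBinding="{HTTP_POST}">'
            f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
            f"{requested_authn_context(mode)}</samlp:AuthnRequest>")


def encode_http_redirect(xml: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_http_redirect(query: str) -> str:
    """What the IdP does with the query string (before any signature check)."""
    raw = base64.b64decode(parse_qs(query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_http_post(xml: str) -> str:
    """HTTP-POST binding: plain base64 in a hidden SAMLRequest form field, no compression."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_http_post(field: str) -> str:
    return base64.b64decode(field).decode("utf-8")


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.com/saml/metadata",   # placeholder SP entity ID
                              "https://sp.example.com/saml/acs",        # placeholder ACS URL
                              "https://idp_name.example.edu/idp/sso",   # placeholder IdP SSO URL
                              mode="MFA")
    print("GET  /idp/sso?" + encode_http_redirect(req, "app1"))
    print("POST SAMLRequest=" + encode_http_post(req)[:60] + "...")
```

The binding choice matters once "Sign SAML requests with a local certificate" is enabled: with HTTP-Redirect the signature cannot live inside the deflated XML and is carried in separate SigAlg and Signature query parameters over the encoded request, whereas with HTTP-POST the XML itself carries the ds:Signature element. An IdP that validates only one form will reject requests sent with the other binding.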
Sign SAML requests with a local certificate
Select to choose the local SAML certificate used to sign the requests.
Single Logout
Enable SAML single logout
Select to enable the SLS (logout) URL and set the IDP single logout URL.
Username
Obtain username from
Select the method used to extract usernames:
- Subject NameID SAML assertion: Enable to obtain usernames from the subject NameID assertion returned by the SAML IdP.
- Text SAML assertion: Enable and enter the name of the text-based SAML assertion (attribute) that usernames are obtained from. For example:
email
Group Membership
Obtain group membership from
Most SAML IdP services return the username in the Subject NameID assertion, but not all IdP services are consistent. FSSO requires the group membership of each user with an active SSO session, and different SAML IdP services require different methods of retrieving that group information. Previously, group information could only be obtained from specific (hardcoded) SAML assertions. You can now configure the SAML assertions used for group membership retrieval, retrieve group membership from an LDAP service, or retrieve group membership from an OAuth server.
Select the method used to extract group memberships:
- SAML assertions: Enable and choose whether group memberships are pulled from boolean assertions or from text-based attributes.
- LDAP lookup: Enable and select the LDAP server used to look up group memberships.
- Cloud: Enable and select the OAuth server and the group field used to obtain group memberships.
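The checks the page describes on the IdP's response, applied to a constructed assertion, as an added example that is not FortiAuthenticator's code: it enforces the MFA authentication context (failing with 401 when the IdP reports a password-only context, or flagging that a local token is required when the local fallback option is on), takes the username either from the Subject NameID or from a named text assertion such as email, and collects group membership from a multi-valued text attribute and from boolean attributes. Which class reference counts as MFA is an assumption (the page does not name it), and treating a boolean attribute that is true as membership in a group of that attribute's name is this example's reading of "boolean assertions". The sample response is constructed and unsigned, and the code does not verify any XML signature: a real SP must validate the signature against the configured IdP certificate before trusting a single value below.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# ASSUMPTION: the page does not say which class references count as MFA.
MFA_CLASSES = {"http://schemas.microsoft.com/claims/multipleauthn"}


def sample_response(authn_context: str) -> str:
    """Constructed, unsigned IdP Response used as sample input (not real traffic)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.edu</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement>
      <saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>staff</saml:AttributeValue>
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="is_admin"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="is_contractor"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class AuthnFailed(Exception):
    status = 401  # the page's "Error 401 Unauthorized"


def attribute_values(assertion, name):
    """All AttributeValue texts of <saml:Attribute Name=name>. The name is compared
    in Python rather than spliced into an XPath predicate from configuration."""
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return []


def check_authn_context(assertion, mode, local_token_fallback=False):
    """Return (class_refs, local_token_required). With mode MFA and no MFA class
    in the assertion: either fall back to a local token or fail with 401."""
    refs = [(e.text or "").strip() for e in assertion.iterfind(".//saml:AuthnContextClassRef", NS)]
    if mode == "MFA" and not any(r in MFA_CLASSES for r in refs):
        if local_token_fallback:
            return refs, True  # IdP did password only: prompt for a local token
        raise AuthnFailed(f"401 Unauthorized: IdP reported {refs}, MFA required")
    return refs, False


def username_from(assertion, method="nameid", attribute="email"):
    """'nameid' = Subject NameID option; 'attribute' = Text SAML assertion option."""
    if method == "nameid":
        node = assertion.find("saml:Subject/saml:NameID", NS)
        values = [(node.text or "").strip()] if node is not None else []
    else:
        values = attribute_values(assertion, attribute)
    if not values or not values[0]:
        raise AuthnFailed(f"401 Unauthorized: no username via {method}")
    return values[0]


def groups_from(assertion, text_attribute="groups", boolean_attributes=()):
    """Text attribute: each value is a group. Boolean attribute: a true value
    means membership in a group named after the attribute (example's reading)."""
    groups = [g for g in attribute_values(assertion, text_attribute) if g]
    for name in boolean_attributes:
        if any(v.lower() in ("true", "1") for v in attribute_values(assertion, name)):
            groups.append(name)
    return groups


def process_response(xml, mode="MFA", local_token_fallback=False, username_method="nameid",
                     username_attribute="email", group_attribute="groups", boolean_groups=()):
    """Signature verification is deliberately absent here; do it before this step."""
    root = ET.fromstring(xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise AuthnFailed("401 Unauthorized: response carries no assertion")
    refs, need_token = check_authn_context(assertion, mode, local_token_fallback)
    return {
        "username": username_from(assertion, username_method, username_attribute),
        "groups": groups_from(assertion, group_attribute, boolean_groups),
        "authn_context": refs,
        "local_token_required": need_token,
    }


if __name__ == "__main__":
    print(process_response(sample_response(next(iter(MFA_CLASSES))), boolean_groups=("is_admin", "is_contractor")))
    try:
        process_response(sample_response(PASSWORD_PROTECTED), mode="MFA")
    except AuthnFailed as e:
        print(e)
```

With Type set to Proxy and the local-token option enabled, the password-only case returns local_token_required instead of raising, which is the behaviour the "Attempt token-based authentication locally" setting describes; with FSSO it stays a hard 401.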
Implicit group membership
Select a local group that the retrieved SAML users are placed into.
- Select Save to add the remote SAML server.