SAML SSO with AD FS as IdP
You can configure a single sign on (SSO) connection with Active Directory Federation Services (AD FS), where AD FS is the identity provider (IdP) and FortiClient EMS is the service provider (SP). This feature allows users to log in to EMS by logging in with their AD FS credentials.
The following instructions assume that you have already installed and configured AD FS.
To configure SAML SSO with AD FS as IdP:
- In FortiClient EMS, go to Administration > SAML SSO. Service Provider Settings displays the SP Address, SP Entity ID, and SP ACS (login) URL fields. You use these values to configure FortiClient EMS as an SP in AD FS. Copy these values.
- Create and configure your FortiClient EMS environment in AD FS:
- Open AD FS Management and right-click Relying Party Trusts and select Add Relying Party Trust. This launches the Add Relying Party Trust Wizard. Select Claims Aware and click Next.
- In Select Data Source, select Enter data about the relying party manually and click Next.
- Enter a Display name and click Next.
- In Configure Certificate, leave the certificate settings at their default values. Click Next.
- In Configure URL, select Enable Support for the SAML 2.0 WebSSO protocol, then enter the SAML SSO URL obtained from EMS (SP ACS (login) URL).
- In Configure Identifiers, enter the Relying party trust identifier URL obtained from EMS (SP Entity ID), then click Add and Next.
- In Choose Access Control Policy, leave the default value (Permit everyone) and click Next.
- In Ready to Add Trust, review your settings, click Next.
- In Finish, select Configure claims issuance policy for this application, then click Close.
- Create claim rules:
- In the Issuance Transform Rules tab of the Claim Rules editor, click Add Rule.
- In Choose Rule Type, select Send LDAP Attributes as Claims from the dropdown list, then click Next.
- In Configure Claim Rule, enter a Claim Rule Name, select Active Directory as the Attribute Store, then add the following mapping: from the LDAP Attribute column, select SAM-Account-Name. In the Outgoing Claim Type column, enter Name ID, then click Finish to add the rule. Click OK.
- Export the IdP certificate, which you must later upload to EMS to finish SAML configuration:
- Open the AD FS management snap-in, select AD FS > Service > Certificates, then double-click the certificate under Token-signing. You can also right-click the field, then select View Certificate in the context menu.
- In Certificate, open the Details tab, then select Copy to File and click OK.
- In Certificate Export Wizard, click Next.
- Select Base-64 encoded X.509 (.CER), then click Next.
- In Certificate Export Wizard, select Browse to specify the location to export the IdP certificate to, then specify the file name and click Next.
- In Completing the Certificate Export Wizard, click Finish, then click OK to confirm the export succeeded.
- Configure the IdP information in FortiClient EMS:
- Export the metadata from AD FS by appending FederationMetadata/2007-06/FederationMetadata.xml to the AD FS server root URL. See the following example: https://adfs.domain.com/federationmetadata/2007-06/FederationMetadata.xml. The following shows an example on a local AD FS server: https://localhost/FederationMetadata/2007-06/FederationMetadata.xml.
- Obtain the IdP single sign-on URL and entity ID from the metadata. The following shows example values: IdP entity ID: http:/adfs.domain.com/adfs/services/trust IdP single sign-on URL: https:/adfs.domain.com/adfs/ls/
- In EMS, under Identity Provider Settings, paste the values obtained from the metadata in the IdP Entity ID and IdP single sign-on URL fields.
- Provide the certificate extracted in previous steps.
- (Optional) If desired, toggle on Enable Authorization Rules. When this feature is disabled, all SSO users from the IdP can become EMS admin users. When this feature is enabled, only SSO users from the IdP that satisfy a configured rule can become an EMS admin user. To add a rule, click Add. In the Authorization Rule field, enter a username. This field is case-insensitive. Add multiple rules as desired. Only SSO users from the IdP with usernames that match the configured authorization rules can access EMS as an admin user.
- Save the configuration.