Fortinet white logo
Fortinet white logo

Administration Guide

Single Sign-On

Single Sign-On

Go to System > Single sign-on to allow administrators to log into FortiDeceptor with a single ID. User information is stored in a remote Identity Provider (IdP) server. No user information is stored locally. Instead, FortiDeceptor acts as a Service Provider (SP). When a login request is received, FortiDeceptor redirects the request via SAML protocol to the IdP to complete the authentication.

To enable Single Sign-On:
  1. Go to System > Single sign-on and click Enable . The Single Sign-On settings are displayed.
  2. Configure the Single Sign-On settings and click Apply.
Service Provider Configuration
Address The address the identify provider will send SAML authentication requests to.
Entity ID Click the Copy icon to copy the Entity ID.
Assertion consumer service URL Click the Copy icon to copy the URL.
Single logout service URL Click the Copy icon to copy the URL.
Enable Certificate Service provider will use this certificate to sign or encrypt the request. When this option is disabled , the request will not be signed or encrypted.
Certificate Allow the service provider to sign or encrypt the request. Select the certificate to use from the list. You can also download the public key of the certificate and upload it to the identity provider to verify and decrypt the request.
Identity Provider Configuration
Entity ID Enter the entity ID of identity provider
Single sign-on service URL Enter the identity provider's sign on URL.

Single logout service URL

Enter the identity provider's logout URL.

Certificate

Upload the public X.509 certificate of the identity provider .

Additional SAML Attributes

Attribute used to identify users

The identity provider will use this attribute in the request to report the sign-on user name.

Configuring SSO with Azure

Configuring SSO with Azure requires a Claim Attribute. This section provides an overview on how to configure a new Claim Attribute in Azure and where to enter it in FortiDeceptor. For more information about Claim Attributes, see the Azure product help.

Tooltip

As SSO is a standard method, setting Claim Attribute on the IDP side can be applied to any IDP servers.

To configure SSO for Azure:
  1. In Azure, go to Identity > Applications > Enterprise applications > All applications.
  2. Select the application, select Single sign-on in the left-hand menu, and then select Edit in the Attributes & Claims section.

  3. Go to Manage Claim.
  4. Go to Manage > Single-Sign On.

  5. Specify the attribute Name and the Source Attribute.

  6. In FortiDeceptor enter the attribute claim in the Attribute used to identify users field.

Single Sign-On

Single Sign-On

Go to System > Single sign-on to allow administrators to log into FortiDeceptor with a single ID. User information is stored in a remote Identity Provider (IdP) server. No user information is stored locally. Instead, FortiDeceptor acts as a Service Provider (SP). When a login request is received, FortiDeceptor redirects the request via SAML protocol to the IdP to complete the authentication.

To enable Single Sign-On:
  1. Go to System > Single sign-on and click Enable . The Single Sign-On settings are displayed.
  2. Configure the Single Sign-On settings and click Apply.
Service Provider Configuration
Address The address the identify provider will send SAML authentication requests to.
Entity ID Click the Copy icon to copy the Entity ID.
Assertion consumer service URL Click the Copy icon to copy the URL.
Single logout service URL Click the Copy icon to copy the URL.
Enable Certificate Service provider will use this certificate to sign or encrypt the request. When this option is disabled , the request will not be signed or encrypted.
Certificate Allow the service provider to sign or encrypt the request. Select the certificate to use from the list. You can also download the public key of the certificate and upload it to the identity provider to verify and decrypt the request.
Identity Provider Configuration
Entity ID Enter the entity ID of identity provider
Single sign-on service URL Enter the identity provider's sign on URL.

Single logout service URL

Enter the identity provider's logout URL.

Certificate

Upload the public X.509 certificate of the identity provider .

Additional SAML Attributes

Attribute used to identify users

The identity provider will use this attribute in the request to report the sign-on user name.

Configuring SSO with Azure

Configuring SSO with Azure requires a Claim Attribute. This section provides an overview on how to configure a new Claim Attribute in Azure and where to enter it in FortiDeceptor. For more information about Claim Attributes, see the Azure product help.

Tooltip

As SSO is a standard method, setting Claim Attribute on the IDP side can be applied to any IDP servers.

To configure SSO for Azure:
  1. In Azure, go to Identity > Applications > Enterprise applications > All applications.
  2. Select the application, select Single sign-on in the left-hand menu, and then select Edit in the Attributes & Claims section.

  3. Go to Manage Claim.
  4. Go to Manage > Single-Sign On.

  5. Specify the attribute Name and the Source Attribute.

  6. In FortiDeceptor enter the attribute claim in the Attribute used to identify users field.