Unique SAML attribute types
The default SAML attribute type is username. With this setting, the SSO administrator account that is created on a FortiGate SP takes the login username that the user supplied when authenticating on the root FortiGate IdP.
Usernames are not guaranteed to be unique across devices, so the SSO administrator and a local administrator on the FortiGate SP can end up with the same name. When that happens, actions taken by the two accounts appear under the same user in the FortiGate SP system log and cannot be told apart. Using a unique SAML attribute type, such as an email address, gives the SSO administrator account a distinct name so that each logged action can be attributed to the correct administrator.
To configure a unique SAML attribute using the GUI:
- On FortiGate IdP, assign a unique email address to the local administrator. In this example, the local administrator name is test3.
  - Go to System > Administrators, and expand the list of local users.
  - Select the local user, and click Edit.
  - In the Type list, select Match a user on a remote server group.
  - In the Email Address box, type the email address, and click OK.
- On FortiGate IdP, update the SAML configuration:
  - Go to User & Device > SAML SSO.
  - Select the FortiGate, and click Edit.
  - Beside SP type, select Custom.
  - Under SAML Attribute, beside Name, select username.
  - Beside Type, select Email address, and click OK.
When the administrator (test3) logs in to the FortiGate SP for the first time, the FortiGate SP authenticates the user through SAML against the FortiGate IdP. A new SSO administrator account is created on the FortiGate SP, and its account name is the email address rather than the login name (test3).
If the SAML attribute type had been left at the default setting of username, the SSO administrator account would have been named test3, the same as the local administrator account. With the attribute type set to Email address, the SSO administrator account is named firstname.lastname@example.org on the FortiGate SP, and that is the name that appears in the log files.
To configure a unique SAML attribute using the CLI:
config system saml
    set status enable
    set role identity-provider
    set cert "fgt_g_san_extern_new"
    set server-address "172.18.60.187"
    config service-providers
        edit "csf_172.18.60.185"
            set prefix "csf_avju0tk4oiodifz3kbh2fms8dw688hn"
            set sp-entity-id "http://172.18.60.185/metadata/"
            set sp-single-sign-on-url "https://172.18.60.185/saml/?acs"
            set sp-single-logout-url "https://172.18.60.185/saml/?sls"
            set sp-portal-url "https://172.18.60.185/saml/login/"
        next
        edit <name>
            set prefix "yxs8uhq47b5b2urq"
            set sp-entity-id "http://172.18.60.180/metadata/"
            set sp-single-sign-on-url "https://172.18.60.180/saml/?acs"
            set sp-single-logout-url "https://172.18.60.180/saml/?sls"
            set sp-portal-url "https://172.18.60.180/saml/login/"
        next
        edit <name>
            set prefix "3dktfo0gbxtldbts"
            set sp-entity-id "http://172.18.60.184/metadata/"
            set sp-single-sign-on-url "https://172.18.60.184/saml/?acs"
            set sp-single-logout-url "https://172.18.60.184/saml/?sls"
            set sp-portal-url "https://172.18.60.184/saml/login/"
            config assertion-attributes
                edit "username"
                    set type email
                next
            end
        next
    end
end
The entry names of the second and third service providers are not shown on this page. The assertion-attributes block belongs to the service-provider entry for the FortiGate SP you are configuring; set type email on the username attribute turns on the unique attribute for that SP only, and the other service providers keep the default username type.
The service provider csf_172.18.60.185 was added automatically when FortiGate SP 172.18.60.185 joined the root FortiGate IdP in the Security Fabric.
The sp-* options, such as sp-portal-url, are set to default values when a service provider is created, but can be modified by using the CLI or GUI.
A FortiGate SP that is not a member of the Security Fabric can also be configured for SAML SSO services provided by root FortiGate IdP in a Security Fabric. However, this scenario requires manual configuration on root FortiGate IdP and on the FortiGate SP.
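The check a practitioner wants after this change is whether any SSO administrator on a FortiGate SP still shares a name with a local administrator, and which service providers on the IdP still send the default username attribute. The following Python script is an added example, not Fortinet code. It parses the nested config/edit/set/next/end syntax of a FortiOS configuration dump into a tree, compares the entries under config system admin (local administrators) with those under config system sso-admin (SAML SSO administrators), and reports IdP service providers whose assertion attribute is still of type username. The configuration snippets embedded in the script are constructed for the demonstration; the service provider name sp-lab and the account profile prof_admin are assumptions, and the script does not cover config vdom or config global wrappers in multi-VDOM dumps.

```python
"""Audit FortiOS config text for SSO/local administrator name collisions.

Added example, not Fortinet code. Sample configs below are constructed.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field


@dataclass
class Node:
    """One 'config ...' table or 'edit ...' entry; settings hold its 'set' values."""
    key: str
    settings: dict[str, list[str]] = field(default_factory=dict)
    children: dict[str, "Node"] = field(default_factory=dict)


def parse_fortios(text: str) -> Node:
    """Build a tree from FortiOS CLI config text: config/edit push, next/end pop."""
    root = Node("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # honours the double quotes FortiOS prints around names
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            key = f"{kw} {' '.join(args)}"
            stack.append(stack[-1].children.setdefault(key, Node(key)))
        elif kw in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
        elif kw == "set" and args:
            stack[-1].settings[args[0]] = args[1:]
        # 'unset' and other keywords do not affect this audit
    return root


def entries(root: Node, path: list[str]) -> dict[str, Node]:
    """Return {name: node} for the 'edit' entries of the table at a config path."""
    node = root
    for key in path:
        node = node.children.get(key)
        if node is None:
            return {}
    return {k[len("edit "):]: v for k, v in node.children.items() if k.startswith("edit ")}


def admin_name_collisions(root: Node) -> list[str]:
    """Names that exist both as a local administrator and as an SSO administrator."""
    local = set(entries(root, ["config system admin"]))
    sso = set(entries(root, ["config system sso-admin"]))
    return sorted(local & sso)


def saml_attribute_types(root: Node) -> dict[str, dict[str, str]]:
    """Per IdP service provider: assertion attribute name -> type ('username' when unset)."""
    result: dict[str, dict[str, str]] = {}
    for sp_name, sp in entries(root, ["config system saml", "config service-providers"]).items():
        attrs = entries(sp, ["config assertion-attributes"])
        result[sp_name] = {n: a.settings.get("type", ["username"])[0] for n, a in attrs.items()}
    return result


def sps_without_unique_attribute(root: Node) -> list[str]:
    """Service providers whose attributes all still use the default username type."""
    return sorted(sp for sp, attrs in saml_attribute_types(root).items()
                  if not any(t != "username" for t in attrs.values()))


# Constructed FortiGate SP configs: before the change the SSO account reuses the
# IdP login name (collision); after it the SSO account is named by email address.
LOCAL_ADMIN = 'config system admin\n    edit "test3"\n        set accprofile "prof_admin"\n    next\nend\n'


def sso_admin(name: str) -> str:
    return f'config system sso-admin\n    edit "{name}"\n        set accprofile "prof_admin"\n    next\nend\n'


SP_BEFORE = LOCAL_ADMIN + sso_admin("test3")
SP_AFTER = LOCAL_ADMIN + sso_admin("firstname.lastname@example.org")

# Constructed root FortiGate IdP config: only the first service provider sends email.
IDP = """\
config system saml
    set status enable
    set role identity-provider
    config service-providers
        edit "csf_172.18.60.185"
            config assertion-attributes
                edit "username"
                    set type email
                next
            end
        next
        edit "sp-lab"
            config assertion-attributes
                edit "username"
                next
            end
        next
    end
end
"""

if __name__ == "__main__":
    print("collisions before:", admin_name_collisions(parse_fortios(SP_BEFORE)))
    print("collisions after:", admin_name_collisions(parse_fortios(SP_AFTER)))
    print("SPs still on default attribute type:", sps_without_unique_attribute(parse_fortios(IDP)))
```

Feed the script the output of show full-configuration (or a config backup) from each FortiGate; an empty collision list on every SP, together with an empty list from sps_without_unique_attribute on the IdP, confirms that log entries can be attributed unambiguously.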