Configuring certificates for SAML SSO

Because communication between the root FortiGate IdP and FortiGate SPs is secured, you must select a local server certificate in the IdP certificate option on the root FortiGate. When downstream SPs join the IdP (root FortiGate), the SP automatically obtains the certificate.

In the following SP example, the IdP certificate displays REMOTE_Cert_1, which is the root server certificate for the IdP:

It is possible to manually import a certificate from an SP to the IdP so it can be used for authentication.

To manually import an SP certificate to an IdP:
  1. Add the certificate:
    1. On the SP, go to Security Fabric > Settings.
    2. In the FortiGate Telemetry section, click Advanced Options. The SAML SSO pane opens.
    3. Enable SP certificate and select a certificate from the dropdown box.
    4. Click Download. The certificate is downloaded to the local file system.
    5. Click OK.

  2. Import the certificate:
    1. On the IdP, go to Security Fabric > Settings.
    2. In the FortiGate Telemetry section, click Advanced Options. The SAML SSO pane opens.
    3. In the Service Providers table, select the SP from step 1 and click Edit.
    4. Enable SP certificate and in the dropdown box, click Import.

      The Upload Remote Certificate window opens.

    5. Click Upload and select the certificate downloaded in step 1.
    6. Click OK. The certificate is imported.
    7. Click OK.
    8. In the IdP certificate list, select the certificate that you imported.
    9. Click OK.
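Before uploading the file downloaded in step 1 to the IdP, it is worth confirming that it contains exactly one public certificate (and no private key material) and recording its fingerprint, so the entry that appears in the IdP certificate list can be matched to the file that left the SP. The script below is an added example, not part of this cookbook page or of FortiOS; it uses only the Python standard library, and the PEM body it carries is a constructed placeholder rather than a real X.509 certificate, so the file path and expected fingerprint are assumptions to replace with your own values.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder: the base64 body below is NOT a real X.509 certificate,
# only deterministic bytes so the example runs offline. In practice read the file
# downloaded from the SP's SAML SSO pane (path is an assumption).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-sp-cert-bytes-for-example-only").decode()
    + "-----END CERTIFICATE-----\n"
)

# One PEM block: label, then the base64 body between matching BEGIN/END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def pem_blocks(text):
    """Return a list of (label, body) tuples for every PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def extract_certificate_der(pem_text):
    """Validate that the file holds exactly one public certificate and return its DER bytes.

    Rejects files that carry a private key (the IdP import needs only the SP's
    public certificate) and files with zero or several CERTIFICATE blocks.
    """
    blocks = pem_blocks(pem_text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("file contains a private key; import only the SP's public certificate")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    try:
        # Strip line breaks inside the body, then decode strictly.
        return base64.b64decode("".join(certs[0].split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc


def fingerprint(der, algo="sha256"):
    """Colon-separated, upper-case hex digest of the DER encoding, as GUIs display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_expected(der, expected, algo="sha256"):
    """Compare a computed fingerprint with the value shown on the IdP, tolerating
    colon/space/case differences and comparing in constant time."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(fingerprint(der, algo)), norm(expected))


if __name__ == "__main__":
    der = extract_certificate_der(SAMPLE_PEM)
    print("SHA-256:", fingerprint(der))
    print("SHA-1:  ", fingerprint(der, "sha1"))
```

Run it against the downloaded file instead of `SAMPLE_PEM`, note the SHA-256 value, and after step 2 compare it with the fingerprint the IdP shows for the imported entry using `matches_expected`; a mismatch means the wrong file was uploaded or the SP certificate was changed between download and import.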
