When you configure a FortiGate as a service provider (SP), you can create an authentication profile that uses SAML for firewall authentication.
You must use the identity provider's (IdP) remote certificate on the SPs.
The following example uses a FortiGate as an SP and FortiAuthenticator as the IdP server:
- Configure the FortiGate SP to be a SAML user:
config user saml edit "fac-firewall" set entity-id "http://10.2.2.2:1000/saml/metadata/" set single-sign-on-url "https://10.2.2.2:1003/saml/login/" set single-logout-url "https://10.2.2.2:1003/saml/logout/" set idp-entity-id "http://172.18.58.93:443/saml-idp/bbbbbb/metadata/" set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/bbbbbb/login/" set idp-single-logout-url "https://172.18.58.93:443/saml-idp/bbbbbb/logout/" set idp-cert "REMOTE_Cert_3" set user-name "username" set group-name "group" next end
- Add the SAML user to the user group (optionally, you can configure group matching):
config user group edit "saml_firewall" set member "fac-firewall" config match edit 1 set server-name "fac-firewall" set group-name "user_group1" next end next end
- Add the SAML user group to a firewall policy:
config firewall policy edit 2 set srcintf "port3" set dstintf "port1" set srcaddr "all" set dstaddr "pc4" set action accept set schedule "always" set service "ALL" set logtraffic all set fsso disable set groups "saml_firewall" "group_local" set users "first" set nat enable next end
- Configure the FortiAuthenticator IdP as needed.
- Run HTTP/HTTPS authentication for a remote user. The SAML login page appears: