Outbound firewall authentication for a SAML user

When you configure a FortiGate as a service provider (SP), you can create an authentication profile that uses SAML for firewall authentication.


You must use the identity provider's (IdP) remote certificate on the SPs.

The following example uses a FortiGate as an SP and FortiAuthenticator as the IdP server:

To configure firewall authentication:
  1. Configure the FortiGate SP to be a SAML user:
    config user saml
        edit "fac-firewall"
            set entity-id ""
            set single-sign-on-url ""
            set single-logout-url ""
            set idp-entity-id ""
            set idp-single-sign-on-url ""
            set idp-single-logout-url ""
            set idp-cert "REMOTE_Cert_3"
            set user-name "username"
            set group-name "group"
  2. Add the SAML user to the user group (optionally, you can configure group matching):
    config user group
        edit "saml_firewall"
            set member "fac-firewall"
            config match
                edit 1
                    set server-name "fac-firewall"
                    set group-name "user_group1"
  3. Add the SAML user group to a firewall policy:
    config firewall policy
        edit 2
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "pc4"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set fsso disable
            set groups "saml_firewall" "group_local"
            set users "first"
            set nat enable
  4. Configure the FortiAuthenticator IdP as needed.
  5. Run HTTP/HTTPS authentication for a remote user. The SAML login page appears: