Fortinet white logo
Fortinet white logo

Administration Guide

Configuring SAML SSO

Configuring SAML SSO

SAML Single Sign-On (SSO) can be configured from the GUI or CLI. The configurations allow administrators to set up the FortiGate as a SAML Service Provider (SP) while inputting the necessary settings for the Identity Provider (IdP).

There are many use cases for applying SAML authentication, as explained in the SAML introduction. For each use case, the configuration steps vary slightly. In general, to successfully configure SAML authentication for an application, you will need to perform the following:

  1. Obtain IdP configurations from the Identity Provider. This is outside the scope of the FortiGate.

  2. Create a Single Sign-On object in User & Authentication > Single Sign-On.

  3. Apply the FortiGate SP URLs to the IdP.

  4. Install appropriate IdP and SP certificates.

  5. Configure user group with the SSO object as member.

After these steps are completed, the user group object can be applied to whatever type of policy is applicable to the use case.

Common SAML SSO settings

Configuring the IdP is outside the scope of this topic, but to successfully configure SAML on the FortiGate the following information must be obtained from the Identity Provider:

From IdP

Description

Entity ID

The identifier URL for the IdP used to identify the issuer of the SAML response or assertion.

Assertion consumer service (ACS) URL

The ACS URL, sometimes called the Login URL, informs the SP and end user where to send the Login request to the IdP.

Single logout service URL

The Single logout service URL, sometimes called the Logout URL, informs the SP and end user where to send the Logout request to the IdP.

SAML Signing Certificate

The certificate used to sign the SAML response originating from the IdP. This must be trusted by the SP in order to verify the identity of the messages from the IdP.

To upload a remote certificate from the IdP, follow the instructions in Uploading a certificate using the GUI.

At the same time, to complete the configurations on the IdP, it will require information about the SP from the FortiGate. The following describes the settings configured on the FortiGate, including the information needed for the IdP configuration.

To configure the FortiGate SP settings for SSO in the GUI:
  1. Go to User & Authentication > Single Sign-On and click Create new.

  2. Configure the SP settings:

    Setting

    Description

    Name

    Name of the SSO object.

    Address

    FQDN or IP address that clients will be connecting to. If this requires a non-standard port (eg. 443), specify the port in this format <address>:<port>.

    Entity ID

    The identifier URL for the SP used to identify the issuer of the SAML request. This URL must be provided to the IdP.

    Modifying the URL must be done in CLI.

    Assertion consumer service URL

    The ACS URL, sometimes referred to as the reply URL or the single sign-on URL, informs the IdP and end user the URL to send the SAML Assertion for login to. This URL must be provided to the IdP.

    Modifying the URL must be done in CLI.

    Single logout service URL

    The logout URL informs the IdP and end user the URL to send the request to logout to. This URL must be provided to the IdP.

    Modifying the URL must be done in CLI.

    Certificate

    The certificate used to sign the SAML messages originating from the SP to the IdP. This is typically an optional configuration.

  3. Click Next.

  4. Configure the IdP settings:

    Setting

    Description

    Type

    • Fortinet Product: If the IdP is a FortiAuthenticator or FortiTrust-ID, IdP configurations are simplified. See FortiAuthenticator Admin Guide > Authentication > SAML IdP for more information

    • Custom: If the IdP is any other vendor, or you want to configure each field manually, select this option.

    Fortinet Product setup

    Address

    Enter the address of the FortiAuthenticator or FortiTrust-ID that users will access to authenticate to the IdP.

    Prefix

    Enter the prefix specified by the FortiAuthenticator or FortiTrust-ID.

    Certificate

    Select the SAML Signing certificate from the IdP. If this is not yet uploaded, use the Import option to import the remote certificate.

    Custom setup

    Entity ID

    Input the Entity ID URL from the IdP. See Entity ID.

    Assertion consumer service URL

    Input the ACS URL from the IdP. See Assertion consumer service (ACS) URL.

    Single logout service URL

    Input the Single logout service URL from the IdP. See Single logout service URL.

    Certificate

    Select the SAML Signing certificate from the IdP. If this is not yet uploaded, use the Import option to import the remote certificate. See SAML Signing Certificate.

    Additional SAML Attributes

    AD FS claim

    This setting is only available after the initial SSO object has been configured.

    Enable this setting to select the attribute names based on Active Directory Federated Services (AD FS) claim types.

    User claim type

    Select the AD FS claim type that will be used to match the user within the SAML assertion statement.

    Group claim type

    Select the AD FS claim type that will be used to match the group within the SAML assertion statement.

    Attribute used to identify users

    Specify the name of the attribute for a user within the SAML assertion statement. This value is case sensitive.

    If AD FS claim is enabled, this field will be auto-populated to reflect the claim type.

    Attribute used to identify groups

    Specify the name of the attribute for a group within the SAML assertion statement. This value is case-sensitive.

    If AD FS claim is enabled, this field will be auto-populated to reflect the claim type.

  5. Click Submit.

To configure the FortiGate SP settings for SSO in the CLI:
config user saml
    edit <name>
        set adfs-claim [enable|disable]
        set cert {string}
        set clock-tolerance {integer}
        set digest-method [sha1|sha256]
        set entity-id {string}
        set group-claim-type [email|given-name|...]
        set group-name {string}
        set idp-cert {string}
        set idp-entity-id {string}
        set idp-single-logout-url {string}
        set idp-single-sign-on-url {string}
        set limit-relaystate [enable|disable]
        set single-logout-url {string}
        set single-sign-on-url {string}
        set user-claim-type [email|given-name|...]
        set user-name {string}
    next
end

Setting

Description

adfs-claim

See AD FS claim.

cert

The SP certificate used to sign SAML messages.

clock-tolerance

A SAML assertion is only valid for a specific duration. When the FortiGate SP and the SAML IdP clocks are not in synchronization, use clock-tolerance to define the number of seconds that the skew in time is tolerated.

The setting is only available in the CLI.

digest-method

The type of hash used to compute the hash value of the content of the SAML assertion.

The setting is only available in the CLI.

entity-id

The SP Entity ID.

group-claim-type

Specify the group claim type when adfs-claim is enabled.

group-name

The attribute used to identify a group within the SAML assertion statement.

idp-cert

The SAML Signing certificate from the IdP.

idp-entity-id

The Entity ID from the IdP.

idp-single-logout-url

The Single logout service URL from the IdP.

idp-single-sign-on-url

The ACS URL, sometimes called the Login URL, from the IdP.

limit-relaystate

Enable/disable limiting the relay-state parameter when it exceeds SAML 2.0 specification limits (80 bytes).

The setting is only available in the CLI.

single-logout-url

The Single logout service URL from the SP.

single-sign-on-url

The ACS URL, sometimes referred to as the reply URL or the single sign-on URL, from the SP.

user-claim-type

Specify the user claim type when adfs-claim is enabled.

user-name

The attribute used to identify a user within the SAML assertion statement.

Other SAML related global settings

Authentication port

By default, the FortiGate listens on port 1003 for incoming authentication requests when traffic matches an identity based firewall policy. As a SAML SP with an identity based firewall policy configured for the SAML user group, the FortiGate will use the same port to listen for SAML authentication requests and redirect them to the IdP.

To change the default port:
config system global
    set auth-https-port <port>
end

Configuring the user authentication setting

When the FortiGate receives an authentication request in an identity based firewall policy, the authentication daemon uses a local server certificate to secure the connection. The client making the authentication request must trust the certificate presented by the FortiGate that is acting as the TLS server.

In SAML authentication, when a user initiates traffic to the SP, the traffic matches the identity based firewall policy which triggers the authentication request to hit the authentication daemon. The server certificate used by the authentication daemon must be trusted by the user, otherwise they will receive a certificate warning. To avoid a certificate warning, use a custom certificate that the user trusts.

To configure a custom certificate in the GUI:
  1. Go to User & Authentication > Authentication Settings.

  2. Set Certificate to the custom certificate.

    If the certificate is not available, click Create to create or import a new custom certificate.

    The custom certificate's SAN field should have the FQDN or IP address from the SP URL.

To configure a custom certificate in the CLI:
config user setting
    set auth-cert <custom certificate name>
end

Alternatively, assigning a CA certificate allows the FortiGate to automatically generate and sign a certificate for the authentication daemon. This will override any assigned server certificate.

To assign a CA certificate:
  1. Edit the user setting :

    config user setting
        set auth-ca-cert <CA certificate name>
    end
  2. Go to System > Certificates and download the certificate.

  3. Install the certificate into the client’s certificate store.

Configuring SAML SSO

Configuring SAML SSO

SAML Single Sign-On (SSO) can be configured from the GUI or CLI. The configurations allow administrators to set up the FortiGate as a SAML Service Provider (SP) while inputting the necessary settings for the Identity Provider (IdP).

There are many use cases for applying SAML authentication, as explained in the SAML introduction. For each use case, the configuration steps vary slightly. In general, to successfully configure SAML authentication for an application, you will need to perform the following:

  1. Obtain IdP configurations from the Identity Provider. This is outside the scope of the FortiGate.

  2. Create a Single Sign-On object in User & Authentication > Single Sign-On.

  3. Apply the FortiGate SP URLs to the IdP.

  4. Install appropriate IdP and SP certificates.

  5. Configure user group with the SSO object as member.

After these steps are completed, the user group object can be applied to whatever type of policy is applicable to the use case.

Common SAML SSO settings

Configuring the IdP is outside the scope of this topic, but to successfully configure SAML on the FortiGate the following information must be obtained from the Identity Provider:

From IdP

Description

Entity ID

The identifier URL for the IdP used to identify the issuer of the SAML response or assertion.

Assertion consumer service (ACS) URL

The ACS URL, sometimes called the Login URL, informs the SP and end user where to send the Login request to the IdP.

Single logout service URL

The Single logout service URL, sometimes called the Logout URL, informs the SP and end user where to send the Logout request to the IdP.

SAML Signing Certificate

The certificate used to sign the SAML response originating from the IdP. This must be trusted by the SP in order to verify the identity of the messages from the IdP.

To upload a remote certificate from the IdP, follow the instructions in Uploading a certificate using the GUI.

At the same time, to complete the configurations on the IdP, it will require information about the SP from the FortiGate. The following describes the settings configured on the FortiGate, including the information needed for the IdP configuration.

To configure the FortiGate SP settings for SSO in the GUI:
  1. Go to User & Authentication > Single Sign-On and click Create new.

  2. Configure the SP settings:

    Setting

    Description

    Name

    Name of the SSO object.

    Address

    FQDN or IP address that clients will be connecting to. If this requires a non-standard port (eg. 443), specify the port in this format <address>:<port>.

    Entity ID

    The identifier URL for the SP used to identify the issuer of the SAML request. This URL must be provided to the IdP.

    Modifying the URL must be done in CLI.

    Assertion consumer service URL

    The ACS URL, sometimes referred to as the reply URL or the single sign-on URL, informs the IdP and end user the URL to send the SAML Assertion for login to. This URL must be provided to the IdP.

    Modifying the URL must be done in CLI.

    Single logout service URL

    The logout URL informs the IdP and end user the URL to send the request to logout to. This URL must be provided to the IdP.

    Modifying the URL must be done in CLI.

    Certificate

    The certificate used to sign the SAML messages originating from the SP to the IdP. This is typically an optional configuration.

  3. Click Next.

  4. Configure the IdP settings:

    Setting

    Description

    Type

    • Fortinet Product: If the IdP is a FortiAuthenticator or FortiTrust-ID, IdP configurations are simplified. See FortiAuthenticator Admin Guide > Authentication > SAML IdP for more information

    • Custom: If the IdP is any other vendor, or you want to configure each field manually, select this option.

    Fortinet Product setup

    Address

    Enter the address of the FortiAuthenticator or FortiTrust-ID that users will access to authenticate to the IdP.

    Prefix

    Enter the prefix specified by the FortiAuthenticator or FortiTrust-ID.

    Certificate

    Select the SAML Signing certificate from the IdP. If this is not yet uploaded, use the Import option to import the remote certificate.

    Custom setup

    Entity ID

    Input the Entity ID URL from the IdP. See Entity ID.

    Assertion consumer service URL

    Input the ACS URL from the IdP. See Assertion consumer service (ACS) URL.

    Single logout service URL

    Input the Single logout service URL from the IdP. See Single logout service URL.

    Certificate

    Select the SAML Signing certificate from the IdP. If this is not yet uploaded, use the Import option to import the remote certificate. See SAML Signing Certificate.

    Additional SAML Attributes

    AD FS claim

    This setting is only available after the initial SSO object has been configured.

    Enable this setting to select the attribute names based on Active Directory Federated Services (AD FS) claim types.

    User claim type

    Select the AD FS claim type that will be used to match the user within the SAML assertion statement.

    Group claim type

    Select the AD FS claim type that will be used to match the group within the SAML assertion statement.

    Attribute used to identify users

    Specify the name of the attribute for a user within the SAML assertion statement. This value is case sensitive.

    If AD FS claim is enabled, this field will be auto-populated to reflect the claim type.

    Attribute used to identify groups

    Specify the name of the attribute for a group within the SAML assertion statement. This value is case-sensitive.

    If AD FS claim is enabled, this field will be auto-populated to reflect the claim type.

  5. Click Submit.

To configure the FortiGate SP settings for SSO in the CLI:
config user saml
    edit <name>
        set adfs-claim [enable|disable]
        set cert {string}
        set clock-tolerance {integer}
        set digest-method [sha1|sha256]
        set entity-id {string}
        set group-claim-type [email|given-name|...]
        set group-name {string}
        set idp-cert {string}
        set idp-entity-id {string}
        set idp-single-logout-url {string}
        set idp-single-sign-on-url {string}
        set limit-relaystate [enable|disable]
        set single-logout-url {string}
        set single-sign-on-url {string}
        set user-claim-type [email|given-name|...]
        set user-name {string}
    next
end

Setting

Description

adfs-claim

See AD FS claim.

cert

The SP certificate used to sign SAML messages.

clock-tolerance

A SAML assertion is only valid for a specific duration. When the FortiGate SP and the SAML IdP clocks are not in synchronization, use clock-tolerance to define the number of seconds that the skew in time is tolerated.

The setting is only available in the CLI.

digest-method

The type of hash used to compute the hash value of the content of the SAML assertion.

The setting is only available in the CLI.

entity-id

The SP Entity ID.

group-claim-type

Specify the group claim type when adfs-claim is enabled.

group-name

The attribute used to identify a group within the SAML assertion statement.

idp-cert

The SAML Signing certificate from the IdP.

idp-entity-id

The Entity ID from the IdP.

idp-single-logout-url

The Single logout service URL from the IdP.

idp-single-sign-on-url

The ACS URL, sometimes called the Login URL, from the IdP.

limit-relaystate

Enable/disable limiting the relay-state parameter when it exceeds SAML 2.0 specification limits (80 bytes).

The setting is only available in the CLI.

single-logout-url

The Single logout service URL from the SP.

single-sign-on-url

The ACS URL, sometimes referred to as the reply URL or the single sign-on URL, from the SP.

user-claim-type

Specify the user claim type when adfs-claim is enabled.

user-name

The attribute used to identify a user within the SAML assertion statement.

Other SAML related global settings

Authentication port

By default, the FortiGate listens on port 1003 for incoming authentication requests when traffic matches an identity based firewall policy. As a SAML SP with an identity based firewall policy configured for the SAML user group, the FortiGate will use the same port to listen for SAML authentication requests and redirect them to the IdP.

To change the default port:
config system global
    set auth-https-port <port>
end

Configuring the user authentication setting

When the FortiGate receives an authentication request in an identity based firewall policy, the authentication daemon uses a local server certificate to secure the connection. The client making the authentication request must trust the certificate presented by the FortiGate that is acting as the TLS server.

In SAML authentication, when a user initiates traffic to the SP, the traffic matches the identity based firewall policy which triggers the authentication request to hit the authentication daemon. The server certificate used by the authentication daemon must be trusted by the user, otherwise they will receive a certificate warning. To avoid a certificate warning, use a custom certificate that the user trusts.

To configure a custom certificate in the GUI:
  1. Go to User & Authentication > Authentication Settings.

  2. Set Certificate to the custom certificate.

    If the certificate is not available, click Create to create or import a new custom certificate.

    The custom certificate's SAN field should have the FQDN or IP address from the SP URL.

To configure a custom certificate in the CLI:
config user setting
    set auth-cert <custom certificate name>
end

Alternatively, assigning a CA certificate allows the FortiGate to automatically generate and sign a certificate for the authentication daemon. This will override any assigned server certificate.

To assign a CA certificate:
  1. Edit the user setting :

    config user setting
        set auth-ca-cert <CA certificate name>
    end
  2. Go to System > Certificates and download the certificate.

  3. Install the certificate into the client’s certificate store.