Configuring SAML SSO
SAML Single Sign-On (SSO) can be configured from the GUI or CLI. The configurations allow administrators to set up the FortiGate as a SAML Service Provider (SP) while inputting the necessary settings for the Identity Provider (IdP).
There are many use cases for applying SAML authentication, as explained in the SAML introduction. For each use case, the configuration steps vary slightly. In general, to successfully configure SAML authentication for an application, you will need to perform the following:
-
Obtain IdP configurations from the Identity Provider. This is outside the scope of the FortiGate.
-
Create a Single Sign-On object in User & Authentication > Single Sign-On.
-
Apply the FortiGate SP URLs to the IdP.
-
Install appropriate IdP and SP certificates.
-
Configure user group with the SSO object as member.
After these steps are completed, the user group object can be applied to whatever type of policy is applicable to the use case.
Common SAML SSO settings
Configuring the IdP is outside the scope of this topic, but to successfully configure SAML on the FortiGate the following information must be obtained from the Identity Provider:
|
From IdP |
Description |
|---|---|
|
The identifier URL for the IdP used to identify the issuer of the SAML response or assertion. |
|
|
The ACS URL, sometimes called the Login URL, informs the SP and end user where to send the Login request to the IdP. |
|
|
The Single logout service URL, sometimes called the Logout URL, informs the SP and end user where to send the Logout request to the IdP. |
|
|
The certificate used to sign the SAML response originating from the IdP. This must be trusted by the SP in order to verify the identity of the messages from the IdP. To upload a remote certificate from the IdP, follow the instructions in Remote certificate. |
At the same time, to complete the configurations on the IdP, it will require information about the SP from the FortiGate. The following describes the settings configured on the FortiGate, including the information needed for the IdP configuration.
To configure the FortiGate SP settings for SSO in the GUI:
-
Go to User & Authentication > Single Sign-On and click Create new.
-
Configure the SP settings:
Setting
Description
Name
Name of the SSO object.
Address
FQDN or IP address that clients will be connecting to. If this requires a non-standard port (eg. 443), specify the port in this format <address>:<port>.
Entity ID
The identifier URL for the SP used to identify the issuer of the SAML request. This URL must be provided to the IdP.
Modifying the URL must be done in CLI.
Assertion consumer service URL
The ACS URL, sometimes referred to as the reply URL or the single sign-on URL, informs the IdP and end user the URL to send the SAML Assertion for login to. This URL must be provided to the IdP.
Modifying the URL must be done in CLI.
Single logout service URL
The logout URL informs the IdP and end user the URL to send the request to logout to. This URL must be provided to the IdP.
Modifying the URL must be done in CLI.
Certificate
The certificate used to sign the SAML messages originating from the SP to the IdP. This is typically an optional configuration.
-
Click Next.
-
Configure the IdP settings:
Setting
Description
Type
-
Fortinet Product: If the IdP is a FortiAuthenticator or FortiTrust-ID, IdP configurations are simplified. See FortiAuthenticator Admin Guide > Authentication > SAML IdP for more information
-
Custom: If the IdP is any other vendor, or you want to configure each field manually, select this option.
Fortinet Product setup
Address
Enter the address of the FortiAuthenticator or FortiTrust-ID that users will access to authenticate to the IdP.
Prefix
Enter the prefix specified by the FortiAuthenticator or FortiTrust-ID.
Certificate
Select the SAML Signing certificate from the IdP. If this is not yet uploaded, use the Import option to import the remote certificate.
Custom setup
Entity ID
Input the Entity ID URL from the IdP. See Entity ID.
Assertion consumer service URL
Input the ACS URL from the IdP. See Assertion consumer service (ACS) URL.
Single logout service URL
Input the Single logout service URL from the IdP. See Single logout service URL.
Certificate
Select the SAML Signing certificate from the IdP. If this is not yet uploaded, use the Import option to import the remote certificate. See SAML Signing Certificate.
Additional SAML Attributes
This setting is only available after the initial SSO object has been configured.
Enable this setting to select the attribute names based on Active Directory Federated Services (AD FS) claim types.
User claim type
Select the AD FS claim type that will be used to match the user within the SAML assertion statement.
Group claim type
Select the AD FS claim type that will be used to match the group within the SAML assertion statement.
Attribute used to identify users
Specify the name of the attribute for a user within the SAML assertion statement. This value is case sensitive.
If AD FS claim is enabled, this field will be auto-populated to reflect the claim type.
Attribute used to identify groups
Specify the name of the attribute for a group within the SAML assertion statement. This value is case-sensitive.
If AD FS claim is enabled, this field will be auto-populated to reflect the claim type.
-
-
Click Submit.
To configure the FortiGate SP settings for SSO in the CLI:
config user saml
edit <name>
set adfs-claim [enable|disable]
set cert {string}
set clock-tolerance {integer}
set digest-method [sha1|sha256]
set entity-id {string}
set group-claim-type [email|given-name|...]
set group-name {string}
set idp-cert {string}
set idp-entity-id {string}
set idp-single-logout-url {string}
set idp-single-sign-on-url {string}
set limit-relaystate [enable|disable]
set single-logout-url {string}
set single-sign-on-url {string}
set user-claim-type [email|given-name|...]
set user-name {string}
next
end
|
Setting |
Description |
|---|---|
|
adfs-claim |
See AD FS claim. |
|
cert |
The SP certificate used to sign SAML messages. |
|
clock-tolerance |
A SAML assertion is only valid for a specific duration. When the FortiGate SP and the SAML IdP clocks are not in synchronization, use clock-tolerance to define the number of seconds that the skew in time is tolerated. The setting is only available in the CLI. |
|
digest-method |
The type of hash used to compute the hash value of the content of the SAML assertion. The setting is only available in the CLI. |
|
entity-id |
The SP Entity ID. |
|
group-claim-type |
Specify the group claim type when |
|
group-name |
The attribute used to identify a group within the SAML assertion statement. |
|
idp-cert |
The SAML Signing certificate from the IdP. |
|
idp-entity-id |
The Entity ID from the IdP. |
|
idp-single-logout-url |
The Single logout service URL from the IdP. |
|
idp-single-sign-on-url |
The ACS URL, sometimes called the Login URL, from the IdP. |
|
limit-relaystate |
Enable/disable limiting the relay-state parameter when it exceeds SAML 2.0 specification limits (80 bytes). The setting is only available in the CLI. |
|
single-logout-url |
The Single logout service URL from the SP. |
|
single-sign-on-url |
The ACS URL, sometimes referred to as the reply URL or the single sign-on URL, from the SP. |
|
user-claim-type |
Specify the user claim type when |
|
user-name |
The attribute used to identify a user within the SAML assertion statement. |
Other SAML related global settings
Authentication port
By default, the FortiGate listens on port 1003 for incoming authentication requests when traffic matches an identity based firewall policy. As a SAML SP with an identity based firewall policy configured for the SAML user group, the FortiGate will use the same port to listen for SAML authentication requests and redirect them to the IdP.
To change the default port:
config system global
set auth-https-port <port>
end
Configuring the user authentication setting
When the FortiGate receives an authentication request in an identity based firewall policy, the authentication daemon uses a local server certificate to secure the connection. The client making the authentication request must trust the certificate presented by the FortiGate that is acting as the TLS server.
In SAML authentication, when a user initiates traffic to the SP, the traffic matches the identity based firewall policy which triggers the authentication request to hit the authentication daemon. The server certificate used by the authentication daemon must be trusted by the user, otherwise they will receive a certificate warning. To avoid a certificate warning, use a custom certificate that the user trusts.
To configure a custom certificate in the GUI:
-
Go to User & Authentication > Authentication Settings.
-
Set Certificate to the custom certificate.
If the certificate is not available, click Create to create or import a new custom certificate.
The custom certificate's SAN field should have the FQDN or IP address from the SP URL.
To configure a custom certificate in the CLI:
config user setting
set auth-cert <custom certificate name>
end
Alternatively, assigning a CA certificate allows the FortiGate to automatically generate and sign a certificate for the authentication daemon. This will override any assigned server certificate.
To assign a CA certificate:
-
Edit the user setting :
config user setting set auth-ca-cert <CA certificate name> end -
Go to System > Certificates and download the certificate.
-
Install the certificate into the client’s certificate store.