Configuring certificates for SAML SSO
Because communication between the root FortiGate IdP and FortiGate SPs is secured, you must select a local server certificate in the IdP certificate option on the root FortiGate. When downstream SPs join the IdP (root FortiGate), the SP automatically obtains the certificate.
In the following SP example, the IdP certificate displays REMOTE_Cert_2, which is the root server certificate for the IdP:
It is possible to manually import a certificate from an SP to the IdP so it can be used for authentication.
To manually import an SP certificate to an IdP:
- Add the certificate:
- On the SP, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
- Click Advanced Options. The SAML SSO pane opens.
- Enable SP certificate and select a certificate from the dropdown box.
- Click Download. The certificate is downloaded on the local file system.
- Click OK to close the SAML SSO pane.
- Click OK to close the Security Fabric Setup card.
- Import the certificate:
- On the IdP, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
- Click Advanced Options. The SAML SSO pane opens.
- In the Service Providers table, select the SP from step 1 and click Edit.
- Enable SP certificate and in the dropdown box, click Import.
The Upload Remote Certificate window opens.
- Click Upload and select the certificate downloaded in step 1.
- Select REMOTE_Cert_2.
- Click OK. The certificate is imported.
- In the IdP certificate list, select the certificate that you imported.
- Click OK to close the SAML SSO pane.
- Click OK to close the Security Fabric Setup card.