Fortinet black logo

Administration Guide

Configuring SAML SSO in the GUI

Configuring SAML SSO in the GUI

SAML single sign-on can be configured in the GUI under User & Authentication > User Groups. The GUI wizard helps generate the service provider (SP) URLs based on the supplied SP address. The SAML object that is created can be selected when defining new user groups.

In this example, FortiGate AA is the inside firewall (172.16.200.101). The other FortiGate is the outside firewall that only does port forwarding from 172.16.116.151:55443 to 172.16.200.101:443. FortiGate AA is configured to allow full SSL VPN access to the network in port2. This SSL VPN portal allows users from the user group saml_grp and SAML server saml_test to log in. In this topology, a FortiAuthenticator acts as the SAML identity provider (IdP), while the FortiGate is the SAML SP. External users are directed to the FortiAuthenticator IdP login URL to authenticate. For more information about configuring a FortiAuthenticator as an IdP, see Service providers.

The FortiAuthenticator in this example has the following configuration:

To configure FortiGate AA as an SP:
  1. Create a new SAML server entry:
    1. Go to User & Authentication > Single Sign-On and click Create New. The single-sign on wizard opens.
    2. Enter a name (saml_test). The other fields will automatically populate based on the FortiGate's WAN IP and port.

      Tooltip

      Click the icon beside the SP entity ID, SP single sign-on URL, and SP single logout URL fields to copy the text.

    3. Click Next.
    4. Enter the FortiAuthenticator IdP details:

      IdP address

      172.18.58.93:443

      Prefix

      43211234

      IdP certificate

      REMOTE_Cert_1

    5. Enter the additional SAML attributes that will be used to verify authentication attempts:

      Attribute used to identify users

      users

      Attribute used to identify groups

      groupname

      The IdP must be configured to include these attributes in the SAML attribute statement. In FortiAuthenticator, this is configured in the Assertion Attributes section.

    6. Click Submit.

      The following is created in the backend:

      config user saml
          edit "saml_test"
              set cert "fgt_gui_automation"
              set entity-id "http://172.16.116.151:55443/remote/saml/metadata/"
              set single-sign-on-url "https://172.16.116.151:55443/remote/saml/login/"
              set single-logout-url "https://172.16.116.151:55443/remote/saml/logout/"
              set idp-entity-id "http://172.18.58.93:443/saml-idp/43211234/metadata/"
              set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/43211234/login/"
              set idp-single-logout-url "https://172.18.58.93:443/saml-idp/43211234/logout/"
              set idp-cert "REMOTE_Cert_1"
              set user-name "users"
              set group-name "groupname"
              set digest-method sha1
          next
      end
  2. Create the SAML group:
    1. Go to User & Authentication > User Groups and click Create New.
    2. Enter a name, saml_grp.
    3. In the Remote Groups table, click Add.
    4. In the Remote Server dropdown, select saml_test and click OK.

    5. Click OK.

      The following is created in the backend:

      config user group
          edit "saml_grp"
              set member "saml_test"
          next
      end
  3. Add the SAML group in the SSL VPN settings:
    1. Go to VPN > SSL-VPN Settings.
    2. In the Authentication/Portal Mapping table, click Create New.
    3. For Users/Groups, click the + and select saml_grp.
    4. Select the Portal (testportal1).
    5. Click OK.

    6. Click Apply.
  4. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Enter the following:

      Incoming Interface

      ssl.root

      Outgoing Interface

      port2

      Source

      all, saml_grp, saml_test

    3. Configure the other settings as needed.
    4. Click OK.
  5. On the client, log in with SAML using the SSL VPN web portal.
    Note

    If you are using FortiClient for tunnel mode access, enable Enable Single Sign On (SSO) for VPN Tunnel in the SSL-VPN connection settings to use the SAML log in. See Configuring an SSL VPN connection for more information.

  6. In FortiOS, go to Dashboard > Network and click the SSL-VPN widget to expand to full view and verify the connection information.

Configuring SAML SSO in the GUI

SAML single sign-on can be configured in the GUI under User & Authentication > User Groups. The GUI wizard helps generate the service provider (SP) URLs based on the supplied SP address. The SAML object that is created can be selected when defining new user groups.

In this example, FortiGate AA is the inside firewall (172.16.200.101). The other FortiGate is the outside firewall that only does port forwarding from 172.16.116.151:55443 to 172.16.200.101:443. FortiGate AA is configured to allow full SSL VPN access to the network in port2. This SSL VPN portal allows users from the user group saml_grp and SAML server saml_test to log in. In this topology, a FortiAuthenticator acts as the SAML identity provider (IdP), while the FortiGate is the SAML SP. External users are directed to the FortiAuthenticator IdP login URL to authenticate. For more information about configuring a FortiAuthenticator as an IdP, see Service providers.

The FortiAuthenticator in this example has the following configuration:

To configure FortiGate AA as an SP:
  1. Create a new SAML server entry:
    1. Go to User & Authentication > Single Sign-On and click Create New. The single-sign on wizard opens.
    2. Enter a name (saml_test). The other fields will automatically populate based on the FortiGate's WAN IP and port.

      Tooltip

      Click the icon beside the SP entity ID, SP single sign-on URL, and SP single logout URL fields to copy the text.

    3. Click Next.
    4. Enter the FortiAuthenticator IdP details:

      IdP address

      172.18.58.93:443

      Prefix

      43211234

      IdP certificate

      REMOTE_Cert_1

    5. Enter the additional SAML attributes that will be used to verify authentication attempts:

      Attribute used to identify users

      users

      Attribute used to identify groups

      groupname

      The IdP must be configured to include these attributes in the SAML attribute statement. In FortiAuthenticator, this is configured in the Assertion Attributes section.

    6. Click Submit.

      The following is created in the backend:

      config user saml
          edit "saml_test"
              set cert "fgt_gui_automation"
              set entity-id "http://172.16.116.151:55443/remote/saml/metadata/"
              set single-sign-on-url "https://172.16.116.151:55443/remote/saml/login/"
              set single-logout-url "https://172.16.116.151:55443/remote/saml/logout/"
              set idp-entity-id "http://172.18.58.93:443/saml-idp/43211234/metadata/"
              set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/43211234/login/"
              set idp-single-logout-url "https://172.18.58.93:443/saml-idp/43211234/logout/"
              set idp-cert "REMOTE_Cert_1"
              set user-name "users"
              set group-name "groupname"
              set digest-method sha1
          next
      end
  2. Create the SAML group:
    1. Go to User & Authentication > User Groups and click Create New.
    2. Enter a name, saml_grp.
    3. In the Remote Groups table, click Add.
    4. In the Remote Server dropdown, select saml_test and click OK.

    5. Click OK.

      The following is created in the backend:

      config user group
          edit "saml_grp"
              set member "saml_test"
          next
      end
  3. Add the SAML group in the SSL VPN settings:
    1. Go to VPN > SSL-VPN Settings.
    2. In the Authentication/Portal Mapping table, click Create New.
    3. For Users/Groups, click the + and select saml_grp.
    4. Select the Portal (testportal1).
    5. Click OK.

    6. Click Apply.
  4. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Enter the following:

      Incoming Interface

      ssl.root

      Outgoing Interface

      port2

      Source

      all, saml_grp, saml_test

    3. Configure the other settings as needed.
    4. Click OK.
  5. On the client, log in with SAML using the SSL VPN web portal.
    Note

    If you are using FortiClient for tunnel mode access, enable Enable Single Sign On (SSO) for VPN Tunnel in the SSL-VPN connection settings to use the SAML log in. See Configuring an SSL VPN connection for more information.

  6. In FortiOS, go to Dashboard > Network and click the SSL-VPN widget to expand to full view and verify the connection information.