Advanced option - unique SAML attribute types
The default SAML attribute type is username. When the attribute type is set to username, SSO administrator accounts created on FortiGate SPs use the login username that is provided by the user for authentication on the root FortiGate IdP.
Because user names might not be unique, cases can occur where the user name is the same for the SSO administrator and the local administrator on the FortiGate SP. As a result, you might be unable to distinguish between actions taken by the local administrator and the SSO administrator on the FortiGate SP when looking at the system log. By using a unique SAML attribute type, such as an email address, you can create unique user names to better track what actions were taken by each administrator.
To configure a unique SAML attribute using the GUI:
- On the root FortiGate (IdP), assign a unique email address to local administrator.
In this example, the local administrator name is test3.
- Go to System > Administrators, and expand the list of local users.
- Select the local user, and click Edit.
- In the Type field, select Match a user on a remote server group.
- In the Remote User Group field, select a group.
- In the Email Address field, enter the email address.
- Click OK.
- On the root FortiGate (IdP), update the SAML configuration:
- Go to Security Fabric > Settings.
- In the FortiGate Telemetry section, click Advanced Options. The SAML SSO pane opens.
- In the Service Providers table, select the FortiGate, and click Edit. The Edit Service Provider pane opens.
- For SP type, select Custom.
- In the SAML Attribute section for Type, select Email address.
- Beside Type, select Email address.
- Click OK.
After the administrator (test3) logs in to the FortiGate SP for the first time, SAML authentication occurs on FortiGate SP. A new SSO administrator account is created, and the account name is now the email address instead of the login name (test3).
To view the new SSO administrator account:
- In the SP, go to System > Administrators, and expand the list of SSO administrators.
The email address (email@example.com) is listed as the account name:
If the SAML attribute had been set to the default setting of username, the user name for the SSO administrator account would have been (test3).
To view the SSO administrator activity in the log files:
- In the SP, go to Log & Report > Events.
Because the SAML attribute is set to Custom, the SSO administrator account firstname.lastname@example.org is used as the user name on the FortiGate SP, and it appears in the log files:
To configure a unique SAML attribute using the CLI:
config system saml
set status enable
set role identity-provider
set cert "fgt_g_san_extern_new"
set server-address "172.18.60.187"
set prefix "csf_avju0tk4oiodifz3kbh2fms8dw688hn"
set sp-entity-id "http://172.18.60.185/metadata/"
set sp-single-sign-on-url "https://172.18.60.185/saml/?acs"
set sp-single-logout-url "https://172.18.60.185/saml/?sls"
set sp-portal-url "https://172.18.60.185/saml/login/"
set prefix "yxs8uhq47b5b2urq"
set sp-entity-id "http://172.18.60.180/metadata/"
set sp-single-sign-on-url "https://172.18.60.180/saml/?acs"
set sp-single-logout-url "https://172.18.60.180/saml/?sls"
set sp-portal-url "https://172.18.60.180/saml/login/"
set prefix "3dktfo0gbxtldbts"
set sp-entity-id "http://172.18.60.184/metadata/"
set sp-single-sign-on-url "https://172.18.60.184/saml/?acs"
set sp-single-logout-url "https://172.18.60.184/saml/?sls"
set sp-portal-url "https://172.18.60.184/saml/login/"
set type email
csf_172.18.60.185 service provider was automatically added when the FortiGate SP 172.18.60.185 joined the root FortiGate IdP in the Security Fabric.
sp-* options, such as
sp-portal-url, are set with default values when a service provider is created, but can be modified using the CLI or GUI.