Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiGuest 1.3.0 User Guide
    1.3.0
    1.3.1
    1.3.0
    1.2.0
    1.1.0
    1.0.0

    Security Assertion Markup Language (SAML) Support

    Security Assertion Markup Language (SAML) Support

    You can configure an authentication server that supports the SAML protocol to access FortiGuest. A SAML supporting authentication server is the Identity Provider and FortiGuest is the Service Provider. When the SAML authentication server is configured, the FortiGuest login page provides an option to login using SAML. Users can authenticate to the captive portal using their SAML credentials from a trusted IDP.

    1. Select Microsoft ADFS SAML or Generic SAML IDP as the Server Type.
    2. Configure the SAML settings for the Identity Provider.

      These settings configure the data that FortiGuest requires to connect to the authentication server.

      Field

      Description

      ServerThe IDP server hostname or IP address.
      Entity IDThe identifier of the IDP server.
      Single SignOn Service EndPointThe target URL where authentication request from FortiGuest is sent.
      Single LogOut Service EndPointThe URL where log out request from FortiGuest is sent.
      Select Identity Provider Signing CertificateSAML response validators issued by the IDP servers. To use the signing certificate for encryption, do not updated the Select Identity Provider Encryption Certificate field.
      Select Identity Provider Encryption Certificate
    3. Configure the SAML settings for the Service Provider. These settings configure the data that the IDP requires to connect to FortiGuest.

      Field

      Description

      Entity IDThe identifier of the FortiGuest.
      Assertion Consumer Service EndpointThe target URL of FortiGuest server to which the IDP will send the SAML response or SAML assertion after authentication.
      Single Logout Service EndpointThe target URL of FortiGuest server to which the IDP will send the SAML log out response.
      Select NameID FormatThe name identifier of the user.
      Select Signature Algorithm For Party TrustThe signature algorithm user in the sign‐on process.
      Select Digest Algorithm For Party TrustThe digest algorithm used in the digest process.
    4. Configure additional SAML attributes. FortiGuest looks for these attributes to verify authentication attempts.

      1. Specify the additional attributes that you want to authenticate against.

      2. Configure your Identity Provider to include them in the SAML attribute statement.

      3. Map the attributes from your IDP to the attributes in your SAML profile on FortiGuest.

      FieldDescription
      Attribute used to identify usernameThe username attribute.
      Attribute used to identify emailThe email attribute.
      Attribute used to identify groupsThe groups attribute.

    5. Once SAML server is added, select a user realm and click Next.

    6. Add mapping rules to accept or refuse connection, assign usage profile and account group based on the group attribute values.

    To add SAML authentication to the guest portal, configure the SAML server in the Realm policy, see Realm Policy. Preview the portal and ensure that Login with SAML option is enabled.

    Note: Navigate to the SAML Settings to export the meta data file after adding the SAML server.

    Previous
    Next

    Security Assertion Markup Language (SAML) Support

    Security Assertion Markup Language (SAML) Support

    You can configure an authentication server that supports the SAML protocol to access FortiGuest. A SAML supporting authentication server is the Identity Provider and FortiGuest is the Service Provider. When the SAML authentication server is configured, the FortiGuest login page provides an option to login using SAML. Users can authenticate to the captive portal using their SAML credentials from a trusted IDP.

    1. Select Microsoft ADFS SAML or Generic SAML IDP as the Server Type.
    2. Configure the SAML settings for the Identity Provider.

      These settings configure the data that FortiGuest requires to connect to the authentication server.

      Field

      Description

      ServerThe IDP server hostname or IP address.
      Entity IDThe identifier of the IDP server.
      Single SignOn Service EndPointThe target URL where authentication request from FortiGuest is sent.
      Single LogOut Service EndPointThe URL where log out request from FortiGuest is sent.
      Select Identity Provider Signing CertificateSAML response validators issued by the IDP servers. To use the signing certificate for encryption, do not updated the Select Identity Provider Encryption Certificate field.
      Select Identity Provider Encryption Certificate
    3. Configure the SAML settings for the Service Provider. These settings configure the data that the IDP requires to connect to FortiGuest.

      Field

      Description

      Entity IDThe identifier of the FortiGuest.
      Assertion Consumer Service EndpointThe target URL of FortiGuest server to which the IDP will send the SAML response or SAML assertion after authentication.
      Single Logout Service EndpointThe target URL of FortiGuest server to which the IDP will send the SAML log out response.
      Select NameID FormatThe name identifier of the user.
      Select Signature Algorithm For Party TrustThe signature algorithm user in the sign‐on process.
      Select Digest Algorithm For Party TrustThe digest algorithm used in the digest process.
    4. Configure additional SAML attributes. FortiGuest looks for these attributes to verify authentication attempts.

      1. Specify the additional attributes that you want to authenticate against.

      2. Configure your Identity Provider to include them in the SAML attribute statement.

      3. Map the attributes from your IDP to the attributes in your SAML profile on FortiGuest.

      FieldDescription
      Attribute used to identify usernameThe username attribute.
      Attribute used to identify emailThe email attribute.
      Attribute used to identify groupsThe groups attribute.

    5. Once SAML server is added, select a user realm and click Next.

    6. Add mapping rules to accept or refuse connection, assign usage profile and account group based on the group attribute values.

    To add SAML authentication to the guest portal, configure the SAML server in the Realm policy, see Realm Policy. Preview the portal and ensure that Login with SAML option is enabled.

    Note: Navigate to the SAML Settings to export the meta data file after adding the SAML server.

    Previous
    Next