Administration Guide

SAML Servers

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between one Identity Provider (IdP) and one or more Service Providers (SP). Both parties exchange XML-based messages.

FortiIsolator can integrate with FortiAuthenticator to provide SAML authentication logins with the user identity information that is requested from a third-party Identity Provider (IdP).

In this scenario, the FortiAuthenticator acts as a Service Provider to request user identity information from the IdP. FortiIsolator can then use this information to sign the user on transparently, based on what the IdP sends.

There are two parts of the setup:

  1. Setup in FortiAuthenticator
  2. Setup in FortiIsolator

Setup in FortiAuthenticator

  1. Go to FortiAuthenticator > Authentication > SAML IdP > Service Providers > Create New
  2. Configure the following:
    SP Name: Name of the Service Provider
    IdP prefix: Generate Prefix
    Server Certificate: Fortinet_CA1_Factory
    SP Entity ID: http://<FortiIsolator_internal_ip>/isolator/saml_metadata
    SP ACS (login) URL: https://<FortiIsolator_internal_ip>/isolator/saml_acs
    SP SLS (logout) URL: https://<FortiIsolator_internal_ip>/isolator/saml_sls
    Authentication method: Password-only authentication

    Note: If FortiIsolator is set up with only an internal_IP, use the internal_IP in the FortiAuthenticator configuration. If it is also set up with an external_IP, use the external_IP.

  3. Click OK
  4. Click on SP Name then Edit.
  5. Add a SAML Attribute for user

  6. Add a SAML Attribute for Group

    Debugging Options should look like the screenshot in the original guide (not reproduced here).

  7. Go to Certificate Management > End Entities > Local Services and export the Fortinet_CA1_Factory certificate for later import into FortiIsolator.
  8. Go to Fortinet SSO Methods > SSO > SSO Users
  9. Double-check that the SSO Users that FortiIsolator will use to log in are imported into FortiAuthenticator. Refer to the FortiAuthenticator documentation for importing Remote Users.

Setup in FortiIsolator

  1. Navigate to System > Certificates > Import
  2. Import the FortiAuthenticator certificate Fortinet_CA1_Factory to FortiIsolator

  3. Navigate to Users > LDAP Server > Create New
  4. Select SAML Server and click OK
  5. Configure the following:
    Id: 1 - 4
    Enable: Checked to enable the server
    ID URL: http://<FortiAuthenticator_Port1_ip>/saml-idp/2r6ku1cxuup3emr2/metadata/
    Signon URL: https://<FortiAuthenticator_Port1_ip>/saml-idp/2r6ku1cxuup3emr2/login/
    Logout URL: https://<FortiAuthenticator_Port1_ip>/saml-idp/2r6ku1cxuup3emr2/logout/
    SAML Certificate: SAML_cert
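The two sides above only work when the Entity ID, ACS and SLS URLs typed into the FortiAuthenticator SP entry match what FortiIsolator actually publishes in its SP metadata (the internal/external IP note is the usual cause of mismatch). The following script, an added example and not Fortinet code, parses a constructed SP metadata document and reports any field that disagrees with the values entered, plus any login/logout URL that is not HTTPS; the 10.0.0.5 and 203.0.113.7 addresses are placeholders.

```python
"""Cross-check a FortiAuthenticator SP entry against the SP metadata
that FortiIsolator publishes. Added example; the metadata is constructed."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata, shaped like what /isolator/saml_metadata would serve
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://10.0.0.5/isolator/saml_metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://10.0.0.5/isolator/saml_sls"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://10.0.0.5/isolator/saml_acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract the three values the FortiAuthenticator SP entry needs."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": sso.find("md:AssertionConsumerService", NS).get("Location"),
        "sls_url": sso.find("md:SingleLogoutService", NS).get("Location"),
    }


def check_sp_entry(configured, metadata):
    """Return a list of findings; an empty list means the entry is consistent."""
    findings = []
    for field in ("entity_id", "acs_url", "sls_url"):
        if configured[field] != metadata[field]:
            findings.append(f"{field}: configured {configured[field]!r} "
                            f"but metadata publishes {metadata[field]!r}")
    # The SAML response and logout request carry the session; keep them on TLS.
    for field in ("acs_url", "sls_url"):
        if not configured[field].startswith("https://"):
            findings.append(f"{field} is not HTTPS; the SAML message would travel in clear text")
    return findings


if __name__ == "__main__":
    # Entry typed with the external IP while FortiIsolator publishes the internal one
    entry = {"entity_id": "http://10.0.0.5/isolator/saml_metadata",
             "acs_url": "http://203.0.113.7/isolator/saml_acs",
             "sls_url": "https://10.0.0.5/isolator/saml_sls"}
    for line in check_sp_entry(entry, parse_sp_metadata(SP_METADATA)):
        print("MISMATCH:", line)
```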

Run Traffic through FortiIsolator with FortiAuthenticator Users

Example:

https://<FortiIsolator_internal_ip>/isolator/login/https://www.fortinet.com
