SAML servers

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between one Identity Provider (IdP) and one or more Service Providers (SP). The messages the two parties exchange are XML documents.

FortiIsolator can integrate with FortiAuthenticator to provide SAML authentication logins, using user identity information that is requested from a third-party Identity Provider (IdP).

In this scenario, FortiAuthenticator acts as a Service Provider that requests user identity information from the IdP. FortiIsolator then uses that information to sign the user on transparently, based on what the IdP sends.

There are two parts of the setup:

  1. Setup in FortiAuthenticator
  2. Setup in FortiIsolator

Setup in FortiAuthenticator

  1. Go to FortiAuthenticator > Authentication > SAML IdP > Service Providers > Create New.
  2. Configure the following:

    SP Name: Name of the Service Provider
    IdP prefix: Generate Prefix
    Server Certificate: Fortinet_CA1_Factory
    SP Entity ID: http://<FortiIsolator_internal_ip>/isolator/saml_metadata
    SP ACS (login) URL: https://<FortiIsolator_internal_ip>/isolator/saml_acs
    SP SLS (logout) URL: https://<FortiIsolator_internal_ip>/isolator/saml_sls
    Authentication method: Password-only authentication

    Note: If FortiIsolator is set up with only an internal_IP, use the internal_IP in the URLs entered on FortiAuthenticator. If it is also set up with an external_IP, use the external_IP.

  3. Click OK.
  4. Click on SP Name then Edit.
  5. Add a SAML attribute for the user.
  6. Add a SAML attribute for the group. The Debugging Options should then show the configured attributes.

  7. Go to Certificate Management > End Entities > Local Services and export the Fortinet_CA1_Factory certificate to later import to FortiIsolator.
  8. Go to Fortinet SSO Methods > SSO > SSO Users.
  9. Double-check that the SSO Users that FortiIsolator will use to log in are imported into FortiAuthenticator. Refer to FortiAuthenticator documents for importing Remote Users.

Setup in FortiIsolator

  1. Navigate to System > Certificates > Import.
  2. Import the FortiAuthenticator certificate Fortinet_CA1_Factory into FortiIsolator.

  3. Navigate to Users > LDAP Server > Create New.
  4. Select SAML Server and click OK.
  5. Configure the following:

    Id: 1 - 4
    Enable: Checked to enable the server
    ID URL: http://<FortiAuthenticator_Port1_ip>/saml-idp/2r6ku1cxuup3emr2/metadata/
    Signon URL: https://<FortiAuthenticator_Port1_ip>/saml-idp/2r6ku1cxuup3emr2/login/
    Logout URL: https://<FortiAuthenticator_Port1_ip>/saml-idp/2r6ku1cxuup3emr2/logout/
    SAML Certificate: SAML_cert
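The five fields above (ID URL, Signon URL, Logout URL and SAML Certificate) must agree with what the FortiAuthenticator IdP actually publishes in its metadata document, and a typo in any of them only shows up as a failed login later. The following script is an added example, not Fortinet code, that parses an IdP metadata document and compares it field by field with the values entered in FortiIsolator: entity ID against ID URL, the HTTP-Redirect sign-on and logout endpoints against Signon URL and Logout URL, and the SHA-256 fingerprint of the imported certificate against the IdP's advertised signing certificate. It also flags a sign-on or logout URL that is not https, since the browser is redirected there with the SAML messages. The metadata document, the host name fac.example.internal and the certificate bytes are constructed for the example (the certificate is random filler, not a real X.509 certificate); only the IdP prefix 2r6ku1cxuup3emr2 is taken from the page.

```python
"""Offline consistency check of FortiIsolator SAML server fields against IdP metadata.
Added example, not Fortinet code. Input below is constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed filler standing in for the base64 body of SAML_cert; not a real certificate.
SAMPLE_CERT_B64 = "AAECAwQFBgcICQoLDA0ODw=="

# Constructed IdP metadata in the shape of standard SAML 2.0 metadata, i.e. what the
# "ID URL" on FortiAuthenticator would return. Host name and prefix are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://fac.example.internal/saml-idp/2r6ku1cxuup3emr2/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        AAECAwQFBgcICQoLDA0ODw==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fac.example.internal/saml-idp/2r6ku1cxuup3emr2/logout/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fac.example.internal/saml-idp/2r6ku1cxuup3emr2/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# The values typed into FortiIsolator under Users > LDAP Server > SAML Server (constructed).
SAMPLE_CONFIG = {
    "Id": 1,
    "ID URL": "http://fac.example.internal/saml-idp/2r6ku1cxuup3emr2/metadata/",
    "Signon URL": "https://fac.example.internal/saml-idp/2r6ku1cxuup3emr2/login/",
    "Logout URL": "https://fac.example.internal/saml-idp/2r6ku1cxuup3emr2/logout/",
    "SAML Certificate": SAMPLE_CERT_B64,
}


def pem_body(pem_text):
    """Strip the BEGIN/END lines from a PEM file, leaving the base64 body."""
    return "".join(l.strip() for l in pem_text.splitlines()
                   if l.strip() and not l.startswith("-----"))


def cert_fingerprint_from_b64(b64_body):
    """SHA-256 fingerprint (hex) of the DER bytes encoded in a base64 body."""
    der = base64.b64decode("".join(b64_body.split()))
    return hashlib.sha256(der).hexdigest()


def _endpoint(idp, tag):
    """Location of the HTTP-Redirect binding of an SSO/SLO endpoint, or None."""
    for el in idp.findall(tag, NS):
        if el.get("Binding") == HTTP_REDIRECT:
            return el.get("Location")
    return None


def parse_idp_metadata(xml_text):
    """Extract entity ID, redirect endpoints and signing-cert fingerprint from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    cert_text = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_text = el.text
                break
    if cert_text is None:
        raise ValueError("no signing certificate in IdP metadata")
    return {
        "entity_id": root.get("entityID"),
        "signon_url": _endpoint(idp, "md:SingleSignOnService"),
        "logout_url": _endpoint(idp, "md:SingleLogoutService"),
        "cert_sha256": cert_fingerprint_from_b64(cert_text),
    }


def _same_url(a, b):
    return a.rstrip("/") == b.rstrip("/")  # tolerate a missing trailing slash only


def check_fortiisolator_config(configured, metadata_xml):
    """Return a list of mismatches; an empty list means the fields agree with the IdP."""
    idp = parse_idp_metadata(metadata_xml)
    problems = []
    for field, key in (("ID URL", "entity_id"), ("Signon URL", "signon_url"),
                       ("Logout URL", "logout_url")):
        if idp[key] is None or not _same_url(configured[field], idp[key]):
            problems.append(f"{field}: configured {configured[field]!r}, IdP advertises {idp[key]!r}")
    for field in ("Signon URL", "Logout URL"):
        if not configured[field].startswith("https://"):
            problems.append(f"{field}: browser would be redirected without TLS")
    if cert_fingerprint_from_b64(configured["SAML Certificate"]) != idp["cert_sha256"]:
        problems.append("SAML Certificate: imported certificate is not the IdP signing certificate")
    return problems


if __name__ == "__main__":
    for line in check_fortiisolator_config(SAMPLE_CONFIG, SAMPLE_IDP_METADATA) or ["all fields agree with IdP metadata"]:
        print(line)
```

To use it against a real deployment, fetch the ID URL and pass its body as metadata_xml, and pass pem_body() of the exported SAML_cert file as the "SAML Certificate" value.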

Run Traffic through FortiIsolator with FortiAuthenticator Users

Example of the URL a user opens to browse a site through FortiIsolator:

https://<FortiIsolator_internal_ip>/isolator/login/https://www.fortinet.com