SAML servers
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between one Identity Provider (IdP) and one or more Service Providers (SP). The messages exchanged between the two parties are XML documents.
FortiIsolator can integrate with FortiAuthenticator to provide SAML authentication logins with the user identity information that is requested from a third-party Identity Provider (IdP).
In this scenario, the FortiAuthenticator acts as a Service Provider to request user identity information from the IdP. FortiIsolator can then use this information to sign the user on transparently, based on the information the IdP sends.
The setup has two parts:
Setup in FortiAuthenticator
- Go to FortiAuthenticator > Authentication > SAML IdP > Service Providers > Create New.
- Configure the following:

| Setting | Value |
|---|---|
| SP Name | Name of the Service Provider |
| IdP prefix | Generate Prefix |
| Server Certificate | Fortinet_CA1_Factory |
| SP Entity ID | http://<FortiIsolator_internal_ip>/isolator/saml_metadata |
| SP ACS (login) URL | https://<FortiIsolator_internal_ip>/isolator/saml_acs |
| SP SLS (logout) URL | https://<FortiIsolator_internal_ip>/isolator/saml_sls |
| Authentication method | Password-only authentication |

If FortiIsolator is set up with only an internal IP, use the internal IP in the FortiAuthenticator configuration. If it is also set up with an external IP, use the external IP.
- Click OK.
- Click the SP Name, then Edit.
- Add a SAML attribute for the user.
- Add a SAML attribute for the group.
Debugging Options should look like this:
- Go to Certificate Management > End Entities > Local Services and export the Fortinet_CA1_Factory certificate to later import to FortiIsolator.
- Go to Fortinet SSO Methods > SSO > SSO Users.
- Double-check that the SSO Users that FortiIsolator will use to log in are imported into FortiAuthenticator. Refer to FortiAuthenticator documents for importing Remote Users.
Setup in FortiIsolator
- Navigate to System > Certificates > Import.
- Import the FortiAuthenticator certificate Fortinet_CA1_Factory to FortiIsolator.
- Navigate to Users > LDAP Server > Create New.
- Select SAML Server and click OK.
- Configure the following:

| Setting | Value |
|---|---|
| Id | 1 to 4 |
| Enable | Select to enable the server |
| ID URL | http://<FortiAuthenticator_Port1_ip>/saml-idp/2r6ku1cxuup3emr2/metadata/ |
| Signon URL | https://<FortiAuthenticator_Port1_ip>/saml-idp/2r6ku1cxuup3emr2/login/ |
| Logout URL | https://<FortiAuthenticator_Port1_ip>/saml-idp/2r6ku1cxuup3emr2/logout/ |
| SAML Certificate | SAML_cert |

The path segment 2r6ku1cxuup3emr2 in these URLs is the IdP prefix that FortiAuthenticator generated for the Service Provider; replace it with the prefix generated in your own setup.
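The three URLs and the certificate above must agree with what FortiAuthenticator actually publishes in its IdP metadata; a typo in the prefix, an http instead of https endpoint, or an outdated imported certificate breaks the login or weakens it. The following script is an added example, not Fortinet code: it parses a SAML 2.0 IdP metadata document and compares the entityID, SingleSignOnService and SingleLogoutService locations and the signing certificate fingerprint against the values entered on the FortiIsolator SAML Server page. The metadata XML, the host 192.0.2.10 (standing in for <FortiAuthenticator_Port1_ip>) and the certificate bytes are constructed for the example; the same check could be applied to the SP-side values entered in FortiAuthenticator.

```python
"""Cross-check FortiIsolator SAML server settings against IdP metadata.

Added example (not Fortinet code). The metadata below is constructed; the
certificate body is a placeholder, not a real X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

IDP_HOST = "192.0.2.10"          # placeholder for <FortiAuthenticator_Port1_ip>
PREFIX = "2r6ku1cxuup3emr2"      # IdP prefix generated in FortiAuthenticator
FAKE_CERT_DER = b"placeholder-der-bytes-for-example"  # constructed, not a cert

# Constructed IdP metadata, shaped like the document behind the ID URL.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://{IDP_HOST}/saml-idp/{PREFIX}/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://{IDP_HOST}/saml-idp/{PREFIX}/logout/"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://{IDP_HOST}/saml-idp/{PREFIX}/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Values entered on the FortiIsolator SAML Server page (constructed to match).
FORTIISOLATOR_SAML_SERVER = {
    "ID URL": f"http://{IDP_HOST}/saml-idp/{PREFIX}/metadata/",
    "Signon URL": f"https://{IDP_HOST}/saml-idp/{PREFIX}/login/",
    "Logout URL": f"https://{IDP_HOST}/saml-idp/{PREFIX}/logout/",
    # SHA-256 fingerprint of the certificate imported as SAML_cert
    "SAML Certificate": hashlib.sha256(FAKE_CERT_DER).hexdigest(),
}


def parse_idp_metadata(xml_text):
    """Return entityID, HTTP-Redirect SSO/SLO locations and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(tag):
        elem = idp.find(f"md:{tag}[@Binding='{REDIRECT}']", NS)
        return elem.get("Location") if elem is not None else None

    fingerprints = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.add(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": root.get("entityID"),
        "sso": location("SingleSignOnService"),
        "slo": location("SingleLogoutService"),
        "signing_fingerprints": fingerprints,
    }


def check_saml_server(config, metadata):
    """Return a list of mismatches between the FortiIsolator entry and the IdP metadata."""
    problems = []
    if config["ID URL"] != metadata["entity_id"]:
        problems.append(f"ID URL {config['ID URL']} != entityID {metadata['entity_id']}")
    if config["Signon URL"] != metadata["sso"]:
        problems.append(f"Signon URL {config['Signon URL']} != SSO {metadata['sso']}")
    if config["Logout URL"] != metadata["slo"]:
        problems.append(f"Logout URL {config['Logout URL']} != SLO {metadata['slo']}")
    for key in ("Signon URL", "Logout URL"):
        # The login and logout endpoints carry SAML messages; they must be HTTPS.
        if not config[key].startswith("https://"):
            problems.append(f"{key} is not HTTPS")
    if config["SAML Certificate"] not in metadata["signing_fingerprints"]:
        problems.append("imported SAML_cert does not match the IdP signing certificate")
    return problems


if __name__ == "__main__":
    for problem in check_saml_server(FORTIISOLATOR_SAML_SERVER,
                                     parse_idp_metadata(IDP_METADATA)) or ["OK"]:
        print(problem)
```

In practice you would save the document served at the ID URL and the certificate exported from FortiAuthenticator, then point the script at those files instead of the constructed values. A non-empty result means the FortiIsolator entry and the IdP disagree and the login will fail or fall back to a weaker setting.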
Run Traffic through FortiIsolator with FortiAuthenticator Users
Example:
https://<FortiIsolator_internal_ip>/isolator/login/https://www.fortinet.com