profile sso
Use this command to configure connections with remote authentication servers that are an identity provider (IdP), such as FortiAuthenticator, for single sign-on (SSO) protocols.
Workflow for SAML SSO
-
On the IdP server:
-
Download its IdP metadata XML.
Alternatively, copy the URL where FortiMail can download it.
-
The email address that the user must give when they authenticate is stored in an attribute on the IdP server. This attribute has an object identifier (OID).
If this OID is different than the default setting of
remote-user-attribute-name "<attribute_str>"on FortiMail, then copy the IdP server's OID. For example:urn:oid:0.9.2342.19200300.100.1.3
-
-
On FortiMail (which is the service provider (SP)):
-
Paste the IdP metadata XML into an SSO profile.
If the IdP uses a different attribute OID than the FortiMail default, then also configure the OID.
See
idp-metadata "<idp-xml_str>"andremote-user-attribute-name "<attribute_str>". -
Enable SSO. If required, customize SP settings such as
hostname {<service_fqdn> | <service_ipv4>}andsp-entity-id "<entity-id_str>". Then save the settings.Now FortiMail automatically generates its SP metadata and ACS URL.
See system saml.
-
In the GUI, go to System > Single Sign On > Setting and click Download Metadata to download the generated SP metadata file.
-
Copy the SP entity ID, ACS URL, and metadata XML.
-
-
On the IdP server:
-
Paste the entity ID, SP metadata, and ACS URL from FortiMail.
-
Select to identify users by their email addresses attribute, and then enter the attribute object identifier (OID) that authentication requests from FortiMail use:
urn:oid:0.9.2342.19200300.100.1.3
-
Optionally, enable and configure multi-factor authentication (MFA).
-
If required, add the FortiMail unit's certificate to the list of trusted CAs ("trust store"). (Skip this step if your IdP already trusts the certificate, directly or indirectly, via a CA certificate signing chain.)
-
-
On FortiMail, configure:
-
auth-strategy {ldap | local | pki | radius | sso}andsso-profile <profile_name>(administrator accounts) -
sso-status {enable | disable}andsso-profile <profile_name>(protected domains of email users)For server mode, also create the email user accounts, either:
-
On a remote server (methods vary; see
ldap-user-profile <profile_name>,user-management-web-service-status {enable | disable}, etc.) -
On FortiMail (see config user mail)
In server mode, recipient address verification is not configurable, but happens automatically. It requires that the email user accounts exist, even though, with SSO, a local password is not being used for authentication.
-
-
-
To test SSO, authenticate on FortiMail using one of those accounts. Then access another service that also uses SSO. If successful, the other service should not prompt you to log in again.
In addition to SSO, FortiMail also supports single log off (SLO). When someone logs out of FortiMail, they will also be logged out of all services that use the same federated SSO authentication.
For server mode, also test sending email. If users can log in, but cannot send and receive email, then the problem is not with SSO. Verify the settings that you configured for the local or remote user accounts, such as the LDAP profile's user query.
Syntax
config profile sso
edit <profile_name>
set comment "<description_str>"
set remote-user-attribute-name "<attribute_str>"
set idp-metadata "<idp-xml_str>"
end
|
Variable |
Description |
Default |
|
Enter a unique name for the profile. |
|
|
|
Enter a description or comment. |
|
|
|
Enter the XML metadata that contains the X.509 server certificate, supported protocols, and entity ID of the identity provider (IdP). Note: The metadata must be unique for each SSO profile. |
|
|
|
Enter the object identifier (OID) of email addresses on the IdP server. If you do not enter an OID, then FortiMail uses the default OID |
|