
Administration Guide

Configuring single sign-on (SSO)

Single sign-on (SSO) can save time for users by reducing the number of times that they must log in when using many network services. Once they log in, they can access all other authorized services that use SSO until their session expires.

FortiMail supports SSO for both the administrator and webmail GUI.

Note

CalDAV and WebDAV authentication

When SSO is enabled for webmail users, CalDAV and WebDAV authentication will not function. They only support simple local password authentication.

Server mode SSO

When using SSO for domain authentication in server mode, you need to configure an LDAP profile for the domain users. Otherwise, even if the users can log on to FortiMail webmail, they cannot send email unless you create local users first.

After applying the LDAP profile under the domain user profile (see Managing users), FortiMail can perform proper recipient verification and accept email if the user exists. Therefore, there would be no need to create local users.

In Security Assertion Markup Language (SAML) SSO, you must configure both of these to connect and authenticate with each other:

  • FortiMail, which is the service provider (SP)
  • FortiAuthenticator or other remote authentication server, which is the identity provider (IdP)

In addition to SSO, FortiMail also supports single log off (SLO). When someone logs out of FortiMail, they will also be logged out of all services that use the same federated SSO authentication.

To configure SAML SSO

  • On the IdP server:
    1. Download its IdP metadata XML. Alternatively, copy the URL where FortiMail can download it.
    2. The email address that the user must give when they authenticate is stored in an attribute on the IdP server. This attribute has an object identifier (OID). If this OID differs from the default value of Attribute used to identify email address on FortiMail, copy the IdP server's OID. For example:

      urn:oid:0.9.2342.19200300.100.1.3

  • On FortiMail:
    1. If you are integrating with FortiAuthenticator or Ping Identity, then on FortiMail, use the CLI to enable Security Fabric and the administrator account named admin_sso:

      config system csf
        set status enable
      end

      config system admin
        edit admin_sso
          set status enable
      end

      The admin_sso account acts as a wildcard, so that you do not need to configure all FortiMail accounts on the IdP too. The Security Fabric provides communication for this feature.
    2. Go to System > Single Sign On > Profile.
    3. Click New, or select a row and click Edit to edit an existing profile.
    4. Configure the following:

      Profile name: Enter a unique name for the profile.

      Comment: Optional. Enter a descriptive comment.

      Metadata: Enter the IdP metadata. To do this, either:

      • Paste the metadata XML into the text area.
      • Click Upload and select a file that contains the XML.
      • Click Retrieve from URL, and then enter the URL where FortiMail can download the XML.

      Attribute used to identify email address: Enter the OID of user email addresses on the IdP server.

    5. Click Create or OK. FortiMail now automatically generates its SP metadata, entity ID, and ACS URL. (You might need to navigate away from the tab and return for it to display.)
    6. Go to System > Single Sign On > Setting.
    7. Copy the following:

      Enabled: Enable or disable SSO.

      Entity ID: A globally unique identifier for FortiMail when it connects to the IdP, such as:

      https://FortiMail.example.com/sp

      Signature: The hash algorithm (for example, SHA256) used by the signature.

      ACS URL: The URL where FortiMail receives authentication responses from the IdP (the assertion consumer service, ACS), such as:

      https://FortiMail.example.com/sso/SAML2/POST

      Metadata: Click Download to retrieve the FortiMail SP metadata XML file.

      Allow dynamic IP from IdP: Enable to support dynamic client IP addresses from the IdP server within the same SAML session, and then specify the IP range. If no IP range is specified, any client IP address from the IdP server is allowed.

  • On the IdP server:
    1. Paste the entity ID, SP metadata URL, and ACS URL from FortiMail.
    2. Select to identify users by their email address attribute, and then enter the attribute object identifier (OID) that authentication requests from FortiMail use: urn:oid:0.9.2342.19200300.100.1.3
    3. Optionally, enable and configure multi-factor authentication (MFA).
    4. If required, add the FortiMail unit's certificate to the list of trusted CAs ("trust store"). (Skip this step if your IdP already trusts the certificate, directly or indirectly, via a CA certificate signing chain.)
  • On FortiMail, go to System > Administrator > Administrator. For each administrator or protected domain (webmail users), configure Authentication type and Single sign on profile, and/or Webmail single sign on, so that the person can use SAML SSO to log in. To test SSO, authenticate on FortiMail using one of those accounts. Then access another service that also uses SSO. If successful, the other service should not prompt you to log in again.
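The following is an added illustration, not FortiMail code: it shows what the three values exchanged above (the SP entity ID, the ACS URL, and the email attribute OID) are used for when a service provider receives an IdP response. The SAML response is constructed for the example and unsigned; signature verification against the IdP metadata certificate is assumed to happen separately and is not shown.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP settings, matching the example values on this page.
SP_ENTITY_ID = "https://FortiMail.example.com/sp"
ACS_URL = "https://FortiMail.example.com/sso/SAML2/POST"
EMAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # default email attribute OID

# Constructed, unsigned sample response (no real IdP data).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_OID}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_sso_email(xml_text, sp_entity_id=SP_ENTITY_ID,
                      acs_url=ACS_URL, email_oid=EMAIL_OID):
    """Return the email address the IdP asserted, or raise ValueError if the
    response was not addressed to this SP or lacks the configured attribute."""
    root = ET.fromstring(xml_text)
    # Destination must be this SP's ACS URL: the response was meant for us.
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match the ACS URL")
    # Audience must name this SP's entity ID: the assertion was issued for us.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("Audience does not include the SP entity ID")
    # Locate the email attribute by the OID configured in the SSO profile.
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == email_oid:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    raise ValueError(f"no attribute named {email_oid} in the assertion")
```

If the OID on the IdP differs from the one configured in the profile, the lookup fails the same way as the last branch above, which is why step 2 on the IdP side has you copy the IdP's OID when it is not the default.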
