Configuring FortiManager to deploy SAML certificates

This topic provides the steps required to generate certificates used for SAML authentication using FortiAuthenticator (version 6.6.0).

These certificates are then used manually to configure SAML authentication using FortiAuthenticator as the Identity Provider (IdP) and a FortiManager (version 7.4.2) as the Service Provider (SP). Then, FortiManager is used to configure a FortiGate (version 7.4.2) to use the FortiAuthenticator as an IdP.

In this example, FortiAuthenticator is used to create two certificates:

  • Root CA certificate: Used to sign all additional certificates.

  • IdP certificate: Used in SAML.

More information can also be found in the following guides on the Fortinet Document Library:

Create a local CA on the FortiAuthenticator

This certificate will be used to create further certificates used to verify identity between IdP and Service Providers (SP).

To create a local CA on the FortiAuthenticator:
  1. Navigate to Certificate Management > Certificate Authorities > Local CAs.
  2. Select Create New.
  3. Provide the following info. Optional fields are not specified.

    • Certificate ID: FAC_ROOT_CA. This is the name of the certificate.

    • Certificate Type: Root CA. No other certificate may sign this certificate.

    • CN: FAC ROOT CA. This should reflect the certificate's usage.

  4. Click Save.

Create the Identity Provider (IdP) certificate used in SAML

This certificate will be signed by the CA created in the previous step. Therefore it is also necessary that the SPs trust this CA. This involves installing the root CA on the SPs to create the needed trust.

To create a local certificate on FortiAuthenticator to be used by the IdP:
  1. Navigate to Certificate Management > End Entities > Local Services.

  2. Select Create New.

  3. Provide the following info. Optional fields are not specified.

    • Certificate ID: IDP_certificate. This is the name of the certificate.

    • Issuer: Local CA.

    • Certificate Authority: FAC_ROOT_CA | CN=FAC ROOT CA. This is the certificate created in the previous step.

    • Name (CN): fac.robertsbp.com. This should match the identity provider's name.

  4. At the bottom, expand Advanced Options: Key Usages.

  5. Add all Key Usages and Extended Key Usages.

  6. Click OK when finished.

Export the certificate so that it can be installed on the SP (and IdP when necessary).

To export the certificate:
  1. From the same menu as before, select the created certificate using the checkbox on the left.

  2. Select Export Certificate from the top navigation bar.

  3. The certificate will download locally. In this example, the certificate is downloaded as IDP_certificate.cer.

Create the IdP portal on FortiAuthenticator

These steps cover the IdP settings which determine whose identity it may verify, as well as the eligible service providers. This example uses FortiAuthenticator as the IdP. As a result, the IdP already has access to the certificate that will be used. If you are using another IdP, you will need to upload the certificate first.

To configure IdP settings:
  1. Navigate to Authentication > SAML IdP > General.

  2. Enable the SAML Identity Provider Portal.

  3. Provide the following information:

    1. Server address: fac.robertsbp.com.

    2. Realms: local | Local users

    3. Default IdP certificate: IDP_certificate | CN=fac.robertsbp.com

  4. Select Save.

For this example, FortiManager is added as a service provider within the IdP.

To configure SP settings:
  1. Navigate to Authentication > SAML IdP > Service Providers.

  2. Select Create New and provide the following:

    • SP name: FMG_SP

    • Create an identifier for this IdP: fac. Use the + icon to provide this value.

  3. Click Save, and notice how the SP Metadata field appears.

  4. Remain in this menu. To complete the SP settings on the IdP, we need to provide the SP entity ID, SP ACS (login) URL, and the SP SLS (logout) URL. These are generated in the upcoming Defining SAML SP Settings on FortiManager section, and added in the IdP portal SP settings continued section.

Allowing IdP service on FortiAuthenticator

For clients to reach the SAML IdP portal, FortiAuthenticator must be configured to accept these requests on an interface.

To allow IdP service on FortiAuthenticator:
  1. Navigate to System > Network > Interfaces, and edit the interface that will be used for SAML authentication requests.

  2. Enable Services > HTTPS, then enable SAML IdP (/saml-idp).

  3. Click Save.

Defining a local user on the FortiAuthenticator

In order to validate the SAML configuration, we need to define a local user on the FortiAuthenticator, as that is the realm type we specified earlier.

To define a local user on the FortiAuthenticator:
  1. Navigate to Authentication > User Management > Local Users.

  2. Select Create New at the top.

  3. Provide a username, such as Robert, and specify a password.

  4. Click Save.

Defining SAML SP settings on FortiManager

Similarly to how we defined the IdP portal on the FortiAuthenticator, we must provide the matching settings on the Service Provider. The following configuration is done on the FortiManager.

To define SAML SP settings on FortiManager:
  1. Navigate to System Settings > SAML SSO.

  2. Specify the Server Address, such as fmg.example.com.

  3. Select Service Provider (SP).

  4. Copy the three generated URLs to a notepad: SP Entity ID, SP ACS (Login) URL, SP SLS (Logout) URL.

  5. Enable Auto Create Admin. This will create an account after a successful SAML authentication.

  6. Specify a Default Admin Profile for the accounts created through SAML authentication.

  7. Leave the IdP Type as Fortinet.

  8. For IdP Address, enter fac.robertsbp.com.

  9. Enter the Prefix which you created on the FAC (fac).

  10. Next to IdP Certificate, select Import to upload the IDP_certificate.cer generated on the FAC, then use the dropdown to select this certificate.

  11. Select Apply to save.

Note

Hover your mouse over the (i) next to IdP Settings. Note that it mentions “IdP must send the ‘username’ assertion attribute”. This will be important later.

IdP portal SP settings continued

After generating the SP settings, you can provide them to the IdP (FortiAuthenticator in this example) to complete the configuration. Switch back to FortiAuthenticator to resume the IdP portal configuration.

To provide the IdP with the SP settings:
  1. In the SP Metadata section, provide the three fields copied from the FortiManager:

    • SP entity ID

    • SP ACS (login) URL

    • SP SLS (logout) URL

  2. Find the Assertion Attributes Configuration section. Notice what configuration already exists.

    • In other products, you will need to ensure that username is provided here.

  3. Select Save.
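As an added check (example code, not Fortinet's), the following Python parses a constructed SAML response of the kind the IdP posts to the SP's ACS URL and verifies the three things the SP settings on this page depend on: the assertion Issuer equals the configured IdP entity ID, the Audience equals the SP entity ID, the Recipient equals the SP ACS URL, and the IdP sent the username assertion attribute called out in the note above. The sample response, the FortiManager entity ID and ACS URL, and the IdP entity ID for the fac prefix are assumptions built from this page's naming pattern; the XML signature is verified by the SP itself with the imported IdP certificate and is not repeated here.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces for the Response (samlp) and Assertion (saml) elements.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_assertion(xml_text, sp_entity_id, sp_acs_url, idp_entity_id):
    """Return the mismatches between an assertion and the SP's SAML settings.

    Empty list = issued by the expected IdP, addressed to this SP's entity ID
    and ACS URL, and carrying the 'username' attribute FortiManager requires.
    The XML signature is verified by the SP with the imported IdP certificate."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["response contains no Assertion element"]
    problems = []

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} is not the configured IdP entity ID")

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience",
        default="", namespaces=NS).strip()
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} != SP entity ID {sp_entity_id!r}")

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != sp_acs_url:
        problems.append(f"Recipient {recipient!r} != SP ACS URL {sp_acs_url!r}")

    # Collect attribute values; the FortiManager note says 'username' must be sent.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
    if not attrs.get("username"):
        problems.append("IdP did not send the 'username' assertion attribute")
    return problems

# Constructed sample of what the FAC IdP (prefix 'fac') could return to FMG_SP;
# the FortiManager URLs and the IdP entity ID are assumed from the page's pattern.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://fac.robertsbp.com/saml-idp/fac/metadata/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>Robert</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://fmg.example.com/saml/?acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>http://fmg.example.com/metadata/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>Robert</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Running check_assertion(SAMPLE_RESPONSE, ...) with the FortiManager values returns an empty list; swapping in the FortiGate entity ID or an IdP that sends the user under a different attribute name reports the exact mismatch.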

Testing the configuration

To verify the SAML configuration, attempt to log in to the FortiManager using the local account created on the FortiAuthenticator.

To test the configuration:
  1. Navigate to the FortiManager login page.

  2. Select Login with Single Sign-On.

    The webpage redirects to the FortiAuthenticator address and presents the FortiAuthenticator login menu.

  3. Authenticate with the local user you created on FortiAuthenticator.

  4. Once successful, the username in the top right shows SSO in the user avatar.

Using FortiManager to provision the SAML certificates to FortiGates

Now that we have a good understanding of the certificates used by the IdP and SP in SAML authentication, we will use FortiManager to configure FortiGates to support SAML. These steps assume you have a managed FortiGate which is synchronized with FortiManager.

To add FortiGate as a Service Provider in the IdP (FortiAuthenticator):
  1. Navigate to Authentication > SAML IdP > Service Providers, and select Create New.

  2. Provide a SP name, such as FortiGate.

  3. Create an identifier for this IdP: fac2.

  4. Select Save.

  5. Add the SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL for the FortiGate. These will be similar to the following:

    • entity-id http://<IP-or-FQDN>:<port*>/saml/metadata/

    • single-sign-on-url https://<IP-or-FQDN>:<port*>/saml/?acs

    • single-logout-url https://<IP-or-FQDN>:<port*>/saml/?sls

  6. Make sure to specify the port if you are using non-standard HTTP/S ports.

  7. Use the dropdown next to Select an identifier to display IdP info to select fac2.

  8. Copy the three IdP URLs provided to a text editor.

  9. Select Save.

Configure FortiManager to install SAML configuration on the FortiGate

Here we will add the configuration to the FortiManager so it may be pushed to the FortiGate.

To upload the IdP Certificate to FortiManager:
  1. On the FortiManager, navigate to Policy & Objects > Advanced > CLI Configurations > VPN > Certificate > Remote.

    Note

    If the CLI Only Objects are not visible under the current view, enable the option Tools > Feature Visibility.

  2. Select Create New.

  3. Provide a name, such as IDP_Certificate.

  4. Change the range to global.

  5. Locate the certificate file IDP_certificate.cer downloaded from FortiAuthenticator earlier and open it with a text editor.

  6. Copy the contents of the certificate into the remote field on the FortiManager.

  7. Click OK.

To configure the managed FortiGate to use SAML for admin sign-on:
  1. Navigate to Device Manager > Device & Groups, and select the FortiGate you will be adding SAML authentication to.

  2. Select CLI Configurations from the top menu bar.

  3. Use the search bar and enter “saml” to select system > saml, and provide the following:

    • default-profile: super_admin (or your choice)

    • entity-id: http://fgt.robertsbp.com/metadata/

    • idp-cert: IDP_Certificate

    • idp-entity-id: http://fac.robertsbp.com/saml-idp/fac2/metadata/

    • idp-single-logout-url: https://fac.robertsbp.com/saml-idp/fac2/login/

    • idp-single-sign-on-url: https://fac.robertsbp.com/saml-idp/fac2/login/

    • role: service-provider

    • server-address: fgt.robertsbp.com

  4. Select Apply.

  5. Select Install Wizard from the top of the screen.

  6. Install the changes to the FortiGate.

Testing the configuration

To verify the configuration:
  1. Navigate to the FortiGate’s GUI admin page.

  2. Select Sign in with Security Fabric.

    Your browser redirects to a new login page whose URL is the FortiAuthenticator address.

  3. Provide the username and password of the local user that was created on the FortiAuthenticator earlier.

  4. A window is displayed confirming that an account with the same username was created on the FortiGate. Click Continue.

  5. Select Login Read-Only, as the FortiGate is managed by FortiManager.

    The username in the top right shows (SSO) next to the username.
