Fortinet white logo
Fortinet white logo

Administration Guide

Remote authentication - SSO

Remote authentication - SSO

If you want to use two-factor authentication, select the Remote authentication access and SSO and configure two-factor authentication on the SAML IP server.

If you select SSO as the remote server type, the system displays additional settings to configure:

For SSO, FortiPortal supports Service Provider-initiated or Identity Provider-initiated SAML authentication. The following table describes the SSO authentication fields:

Settings

Guidelines

Allow Service Provider Usernames without Domain

Enable or Disable. If you enable this field, the user can enter their user ID without a domain qualifier, and the system will try to authenticate the user credentials in each of the domains until a match is found.

Remote Server

SSO

When you select SSO as the remote server, the system displays the View SSO Roles button. Select this button to map the SSO roles (SSO Roles) with the local roles.

Domains

Enter a domain, URL, or URN attribute and then select the + button. The new domain appears in the list below the entry box. If you do not want to provide a domain for the site administrator, select Enable for Allow Service Provider Usernames without Domain.

Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for a customer, see Add or edit a customer.

The site administrator may allow administrative users to be defined in more than one authentication domain.

SSO IDP Entity URL

IDP Entity URL (ID) or URN for SAML provided by IDP server

IDP Sign On Service Post Endpoint URL

Endpoint URL for IDP (Post) provided by IDP Server

IDP Sign On Service Redirect Endpoint URL

Endpoint URL for IDP (Redirect) provided by IDP Server

SSO Application ID

SSO application provided by IDP

SSO Audience URL

URL used for audience within assertion (format: https://<FPC_PORTAL> /fpc/saml/SSO)

Role Attribute

Attribute parameter name that maps to the corresponding role in FortiPortal

Tenant Identification Attribute

Introduced with FortiPortal Version 3.2.1, this attribute specifies a 'string' value that FortiPortal uses under SSO to map a user to a specific customer.

This feature works similar to the Tenant Identification Attribute in RADIUS, except that in SSO, FortiPortal allows you to configure the name of the attribute on the Administration Settings page.

If you configure “My Customer Id” as the attribute value, FortiPortal expects the following in the authentication response from the SSO server:

<My Customer Id>Fortinet</My Customer Id>

where Fortinet is the value returned by the SSO server.

This value must have been supplied to the “Domains” field in the Customer Add/Edit screen.

For a RADIUS server, the Tenant Identification Attribute value is a Fortinet Vendor Attribute value. The server will send “Fortinet” in the authentication response.

FortiPortal treats the attribute values from either RADIUS or SSO server equally.

SSO Error URL

(Optional) Error URL provided by IDP

IDP Logout Service Endpoint

(Optional) IDP logout URL provided by IDP

SSO Certificate

Certificate provided by IDP used by SP to decrypt the signed response

Site Attribute

Attribute parameter name that specifies which sites the customer user can access.

For example, an attribute name of "site" might have the values "site1" and "site2". A customer user assigned to "site" would be able to access "site1" and "site2".

<saml:Attribute Name="site" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

<saml:AttributeValue xsi:type="xs:string">site1</saml:AttributeValue>

<saml:AttributeValue xsi:type="xs:string">site2</saml:AttributeValue>

</saml:Attribute>

For troubleshooting SSO configuration, FortiPortal provides the following URL for the SPUSER to authenticate locally (even if the system configured for SSO remote authentication):

https://<Portal>/fpc/adminuser/login

SSO Roles

Selecting the View SSO Roles button on the User Authentication pane displays the SSO Roles window. Here, you can configure the mapping between FortiPortal roles and SSO roles. For each SSO role, the window displays the role type (Service Provider or Customer) and a list of FortiPortal roles that map to the SSO role.

The SSO Roles window contains the following actions:

  • Add—open a dialog to add an SSO role (see immediately below)
  • Search—enter text to search for SSO role names containing that text
  • Show x entries—sets the number of entries that are displayed at once (10, 25, 30, or 50).
  • Sort—allows you to sort columns in ascending or descending order.

When you scroll over a entry in the SSO role list, the following icons appear in the Action column:

  • Edit—opens a dialog with the form to edit an existing SSO role (see below)
  • Delete—deletes the selected SSO role

The Add SSO Role and Edit SSO Role dialogs contain the following fields:

Settings

Guidelines

Role Name

Names the SSO role. The name must match a role name in the SSO server.

Role Type

Service Provider or Customer

Available FPC Roles:

Lists of available FortiPortal roles

Use the search box to filter the choices available.

Selected FPC Roles

Selects the FortiPortal roles to associate with this SSO role

Use the search box to filter your selected choices.

SSO example

Here is an example of setting up the Tenant Identification attribute for a company named Local.com that will be using SSO remote authentication:

  1. Set up the Tenant Identification attribute on the SSO server. For example, set the Tenant Identification name to

    FPC_Tenant

    and set the Tenant Identification value to

    Local.com

  2. In FortiPortal, go to Admin > Settings.
  3. In the User Authentication section, select Remote for Authentication Access and SSO for Remote Server.
  4. In the Tenant Identification Attribute field, enter FPC_Tenant.
  5. Fill out the rest of the fields and select Save.
  6. Go to Customers and select Add.
  7. In the Domains field, enter Local.com and select +.
  8. Fill out the rest of the fields and select Save.

Frequently asked questions (FAQs) about SSO configuration

How can I map the role (permission) for the IDP server user to the FortiPortal roles (permission)?

Use the following procedure to select the Role Type to make sure the right roles are mapped:

  1. Go to Admin > Settings.
  2. In the User Authentication area, select Remote for Authentication Access.
  3. Select SSO for the Remote Server.
  4. Select View SSO Roles.
    The SSO Roles window opens.
  5. Select Add.
  6. In the Add SSO Role window, enter the Role Name (This name must be an SSO role.) and then select the Role Type.
  7. Select one or more roles from the Available FPC Rolesbox. Select > to move the roles to the Selected FPC Roles box.
  8. Select Save to save your changes.
How can role mapping help maintain secured access to the system?

The site administrator can create different roles on FortiPortal by going to Admin > Roles and selecting Add. The administrator can create a read-only role or a read-write role for a specific UI page or for a specific action. After a role is created, the role can be associated with an existing role on the IDP server. When users are authenticated, the role coming from the IDP server is mapped to a role in FortiPortal and the appropriate permissions are provided to the user.

The advantage of using this mapping is that the site administrator does not need to change anything on the IDP server exclusively for FortiPortal.

How can I create custom roles (permission groups) on the FortiPortal unit?

The FortiPortal unit allows the administrative user to create different permission groups so that users can be mapped with appropriate permissions. For example, the administrative user (spuser) can create a read-only permission group and a read-write permission group for different UI objects. These permission groups are created for the administrator level, as well as the customer level.

These permission groups can be created from the UI by going to Admin > Roles.

What is the Tenant Identification Attribute field for?

The FortiPortal unit has a multitenancy feature. This feature helps different types of users to access the system. Site administrators are typically administrators of the system; by using roles/permission groups, these users can have a different type of access. Other types of users are customer users.

During authentication, the FortiPortal unit needs to identify whether each user is an administrator or a customer so that the correct user interface is loaded. The FortiPortal uses the user domain name to identify which interface should be loaded. For example if the user name in the IDP response is abc@domain.com, the system extracts domain.com from the user name field and checks if this domain is mapped to a customer or an administrator. Based on that mapping, the system displays the correct UI.

If the Tenant Identification attribute is configured in Admin > Settings and is provided in the SAML assertion, the value in the Tenant Identification Attribute field is used to match the domain name provided in the MSSP settings or in the Add Customer or Edit Customer page. If the domain provided does not match any MSSP or customer domains, an error message is displayed.

If the Tenant Identification attribute is not configured in Admin > Settings or is not provided in the SAML assertion, the domain name is taken from the username attribute.

When there is no domain name in the uid attribute, the system requires a value in the Tenant Identification Attribute field.

How can the Tenant ID attribute help maintain the appropriate privileged access to the system?

The Tenant ID attribute value is processed from the IDP response, and the value is mapped with the domain name field in the FortiPortal unit. For example, if tenant ID is map_id, FortiPortal gets the respective value for the map_id attribute from the SAML response and maps that value with the domain name listed in Add Customer or Edit Customer form or the Admin > Settings form. If the value matches with the customer domain name, the user is granted access to the customer. If the value matches with the domain name in the Admin > Settings form, FortiPortal loads the administrator UI.

How can I add a domain name to the customer?

A unique domain name identifies the customer. You can add the domain name to the customer when you add a customer or edit the customer. In the Add/Edit Customer window, there is the Domains field. Enter the domain name and select the + icon to add the name to the domain list.

The administrator can add more than one domain to a customer.

How can I add a domain name for a server provider?

After you select FortiSSO/FortiAuthenticator/FortiRADIUS as a remote server in the Settings page, you will see an option for the domain field.

Remote authentication - SSO

Remote authentication - SSO

If you want to use two-factor authentication, select the Remote authentication access and SSO and configure two-factor authentication on the SAML IP server.

If you select SSO as the remote server type, the system displays additional settings to configure:

For SSO, FortiPortal supports Service Provider-initiated or Identity Provider-initiated SAML authentication. The following table describes the SSO authentication fields:

Settings

Guidelines

Allow Service Provider Usernames without Domain

Enable or Disable. If you enable this field, the user can enter their user ID without a domain qualifier, and the system will try to authenticate the user credentials in each of the domains until a match is found.

Remote Server

SSO

When you select SSO as the remote server, the system displays the View SSO Roles button. Select this button to map the SSO roles (SSO Roles) with the local roles.

Domains

Enter a domain, URL, or URN attribute and then select the + button. The new domain appears in the list below the entry box. If you do not want to provide a domain for the site administrator, select Enable for Allow Service Provider Usernames without Domain.

Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for a customer, see Add or edit a customer.

The site administrator may allow administrative users to be defined in more than one authentication domain.

SSO IDP Entity URL

IDP Entity URL (ID) or URN for SAML provided by IDP server

IDP Sign On Service Post Endpoint URL

Endpoint URL for IDP (Post) provided by IDP Server

IDP Sign On Service Redirect Endpoint URL

Endpoint URL for IDP (Redirect) provided by IDP Server

SSO Application ID

SSO application provided by IDP

SSO Audience URL

URL used for audience within assertion (format: https://<FPC_PORTAL> /fpc/saml/SSO)

Role Attribute

Attribute parameter name that maps to the corresponding role in FortiPortal

Tenant Identification Attribute

Introduced with FortiPortal Version 3.2.1, this attribute specifies a 'string' value that FortiPortal uses under SSO to map a user to a specific customer.

This feature works similar to the Tenant Identification Attribute in RADIUS, except that in SSO, FortiPortal allows you to configure the name of the attribute on the Administration Settings page.

If you configure “My Customer Id” as the attribute value, FortiPortal expects the following in the authentication response from the SSO server:

<My Customer Id>Fortinet</My Customer Id>

where Fortinet is the value returned by the SSO server.

This value must have been supplied to the “Domains” field in the Customer Add/Edit screen.

For a RADIUS server, the Tenant Identification Attribute value is a Fortinet Vendor Attribute value. The server will send “Fortinet” in the authentication response.

FortiPortal treats the attribute values from either RADIUS or SSO server equally.

SSO Error URL

(Optional) Error URL provided by IDP

IDP Logout Service Endpoint

(Optional) IDP logout URL provided by IDP

SSO Certificate

Certificate provided by IDP used by SP to decrypt the signed response

Site Attribute

Attribute parameter name that specifies which sites the customer user can access.

For example, an attribute name of "site" might have the values "site1" and "site2". A customer user assigned to "site" would be able to access "site1" and "site2".

<saml:Attribute Name="site" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

<saml:AttributeValue xsi:type="xs:string">site1</saml:AttributeValue>

<saml:AttributeValue xsi:type="xs:string">site2</saml:AttributeValue>

</saml:Attribute>

For troubleshooting SSO configuration, FortiPortal provides the following URL for the SPUSER to authenticate locally (even if the system configured for SSO remote authentication):

https://<Portal>/fpc/adminuser/login

SSO Roles

Selecting the View SSO Roles button on the User Authentication pane displays the SSO Roles window. Here, you can configure the mapping between FortiPortal roles and SSO roles. For each SSO role, the window displays the role type (Service Provider or Customer) and a list of FortiPortal roles that map to the SSO role.

The SSO Roles window contains the following actions:

  • Add—open a dialog to add an SSO role (see immediately below)
  • Search—enter text to search for SSO role names containing that text
  • Show x entries—sets the number of entries that are displayed at once (10, 25, 30, or 50).
  • Sort—allows you to sort columns in ascending or descending order.

When you scroll over a entry in the SSO role list, the following icons appear in the Action column:

  • Edit—opens a dialog with the form to edit an existing SSO role (see below)
  • Delete—deletes the selected SSO role

The Add SSO Role and Edit SSO Role dialogs contain the following fields:

Settings

Guidelines

Role Name

Names the SSO role. The name must match a role name in the SSO server.

Role Type

Service Provider or Customer

Available FPC Roles:

Lists of available FortiPortal roles

Use the search box to filter the choices available.

Selected FPC Roles

Selects the FortiPortal roles to associate with this SSO role

Use the search box to filter your selected choices.

SSO example

Here is an example of setting up the Tenant Identification attribute for a company named Local.com that will be using SSO remote authentication:

  1. Set up the Tenant Identification attribute on the SSO server. For example, set the Tenant Identification name to

    FPC_Tenant

    and set the Tenant Identification value to

    Local.com

  2. In FortiPortal, go to Admin > Settings.
  3. In the User Authentication section, select Remote for Authentication Access and SSO for Remote Server.
  4. In the Tenant Identification Attribute field, enter FPC_Tenant.
  5. Fill out the rest of the fields and select Save.
  6. Go to Customers and select Add.
  7. In the Domains field, enter Local.com and select +.
  8. Fill out the rest of the fields and select Save.

Frequently asked questions (FAQs) about SSO configuration

How can I map the role (permission) for the IDP server user to the FortiPortal roles (permission)?

Use the following procedure to select the Role Type to make sure the right roles are mapped:

  1. Go to Admin > Settings.
  2. In the User Authentication area, select Remote for Authentication Access.
  3. Select SSO for the Remote Server.
  4. Select View SSO Roles.
    The SSO Roles window opens.
  5. Select Add.
  6. In the Add SSO Role window, enter the Role Name (This name must be an SSO role.) and then select the Role Type.
  7. Select one or more roles from the Available FPC Rolesbox. Select > to move the roles to the Selected FPC Roles box.
  8. Select Save to save your changes.
How can role mapping help maintain secured access to the system?

The site administrator can create different roles on FortiPortal by going to Admin > Roles and selecting Add. The administrator can create a read-only role or a read-write role for a specific UI page or for a specific action. After a role is created, the role can be associated with an existing role on the IDP server. When users are authenticated, the role coming from the IDP server is mapped to a role in FortiPortal and the appropriate permissions are provided to the user.

The advantage of using this mapping is that the site administrator does not need to change anything on the IDP server exclusively for FortiPortal.

How can I create custom roles (permission groups) on the FortiPortal unit?

The FortiPortal unit allows the administrative user to create different permission groups so that users can be mapped with appropriate permissions. For example, the administrative user (spuser) can create a read-only permission group and a read-write permission group for different UI objects. These permission groups are created for the administrator level, as well as the customer level.

These permission groups can be created from the UI by going to Admin > Roles.

What is the Tenant Identification Attribute field for?

The FortiPortal unit has a multitenancy feature. This feature helps different types of users to access the system. Site administrators are typically administrators of the system; by using roles/permission groups, these users can have a different type of access. Other types of users are customer users.

During authentication, the FortiPortal unit needs to identify whether each user is an administrator or a customer so that the correct user interface is loaded. The FortiPortal uses the user domain name to identify which interface should be loaded. For example if the user name in the IDP response is abc@domain.com, the system extracts domain.com from the user name field and checks if this domain is mapped to a customer or an administrator. Based on that mapping, the system displays the correct UI.

If the Tenant Identification attribute is configured in Admin > Settings and is provided in the SAML assertion, the value in the Tenant Identification Attribute field is used to match the domain name provided in the MSSP settings or in the Add Customer or Edit Customer page. If the domain provided does not match any MSSP or customer domains, an error message is displayed.

If the Tenant Identification attribute is not configured in Admin > Settings or is not provided in the SAML assertion, the domain name is taken from the username attribute.

When there is no domain name in the uid attribute, the system requires a value in the Tenant Identification Attribute field.

How can the Tenant ID attribute help maintain the appropriate privileged access to the system?

The Tenant ID attribute value is processed from the IDP response, and the value is mapped with the domain name field in the FortiPortal unit. For example, if tenant ID is map_id, FortiPortal gets the respective value for the map_id attribute from the SAML response and maps that value with the domain name listed in Add Customer or Edit Customer form or the Admin > Settings form. If the value matches with the customer domain name, the user is granted access to the customer. If the value matches with the domain name in the Admin > Settings form, FortiPortal loads the administrator UI.

How can I add a domain name to the customer?

A unique domain name identifies the customer. You can add the domain name to the customer when you add a customer or edit the customer. In the Add/Edit Customer window, there is the Domains field. Enter the domain name and select the + icon to add the name to the domain list.

The administrator can add more than one domain to a customer.

How can I add a domain name for a server provider?

After you select FortiSSO/FortiAuthenticator/FortiRADIUS as a remote server in the Settings page, you will see an option for the domain field.