Remote authentication - SSO
If you want to use two-factor authentication, select the Remote authentication access and SSO and configure two-factor authentication on the SAML IDP server. |
For SSO, FortiPortal supports Service Provider-initiated or Identity Provider-initiated SAML authentication.
For troubleshooting SSO configuration, FortiPortal provides the following URL for the SPUSER to authenticate locally (even if the system is configured for SSO remote authentication):
https://<Portal>/fpc/app/admin
SSO example
Here is an example of setting up the Tenant Identification Attribute for a company named Local.com that will be using SSO remote authentication:
- Set up the Tenant Identification Attribute on the SSO server. For example, set the Tenant Identification name to
and set the Tenant Identification Value toFPC_Tenant
Local.com
- In FortiPortal, go to System > Settings > Authentication.
- Select Remote for Authentication Access and SSO for Remote Server.
- In Tenant Identification Attribute, enter
FPC_Tenant
. - Fill out the rest of the fields and select Save.
- Go to Organizations and select Create.
- In the General tab, for Domains, enter
Local.com
and press enter. - Fill out the rest of the fields as shown in Create or edit an organization and click Save.
Frequently asked questions (FAQs) about SSO configuration
How can I map the role (permission) for the IDP server user to the FortiPortal roles (permission)?
To map SSO roles to FortiPortal roles:
- Go to System > Settings > Authentication.
- In Authentication Access, select Remote.
- In the Remote Server dropdown, select SSO.
- Select View SSO Roles.
The SSO Roles window opens. - Select Create.
- In the Create Role window, enter the Role Name (this name must be an SSO role). Select the Role Type.
- Select an FPC role to associate with this SSO role.
- Click Save.
How can role mapping help maintain secure access to the system?
The site administrator can create different roles on FortiPortal by going to System > Profiles and selecting Create.
The administrator can create a read-only role or a read-write role for a specific UI page or for a specific action. After a role is created, the role can be associated with an existing role on the IDP server. When users are authenticated, the role coming from the IDP server is mapped to a role in FortiPortal and the appropriate permissions are provided to the user.
The advantage of using this mapping is that the site administrator does not need to change anything on the IDP server exclusively for FortiPortal.
How can I create custom roles (permission groups) on the FortiPortal unit?
The FortiPortal unit allows the administrative user to create different permission groups so that users can be mapped with appropriate permissions. For example, the administrative user (spuser) can create a read-only permission group and a read-write permission group for different UI objects. These permission groups are created for the administrator level, as well as the organization level.
These permission groups can be created from the UI by going to System > Profiles.
What is the Tenant Identification Attribute field for?
The FortiPortal unit has a multitenancy feature. This feature helps different types of users to access the system. Site administrators are typically administrators of the system; by using roles/permission groups, these users can have a different type of access. Other types of users are organization users.
During authentication, the FortiPortal unit needs to identify whether each user is an administrator or an organization so that the correct user interface is loaded. The FortiPortal uses the user domain name to identify which interface should be loaded. For example, if the user name in the IDP response is abc@domain.com, the system extracts domain.com from the user name field and checks if this domain is mapped to an organization or an administrator. Based on that mapping, the system displays the correct UI.
If the Tenant Identification Attribute is configured in System > Settings > Authentication and is provided in the SAML assertion, the value in the Tenant Identification Attribute is used to match the domain name provided in the MSSP settings or in General. If the domain provided does not match any MSSP or organization domains, an error message is displayed.
If the Tenant Identification Attribute is not configured in System > Settings > Authentication or is not provided in the SAML assertion, the domain name is taken from the username attribute.
When there is no domain name in the uid attribute, the system requires a value in Tenant Identification Attribute.
How can the Tenant ID attribute help maintain the appropriate privileged access to the system?
The Tenant ID Attribute value is processed from the IDP response, and the value is mapped with the domain name field in the FortiPortal unit. For example, if tenant ID is map_id
, FortiPortal gets the respective value for the map_id
attribute from the SAML response and maps that value with the domain name listed in General or the System > Settings > Authentication. If the value matches with the organization domain name, the user is granted access to the organization. If the value matches with the domain name in the System > Settings > Authentication, FortiPortal loads the administrator UI.
How can I add a domain name to the organization?
A unique domain name identifies the organization. You can add the domain name to the organization when configuring General.
In the General tab in Create or edit an organization, there is the Domains field. Enter the domain name and hit enter to add the name to the domain list.
The administrator can add more than one domain to an organization.
How can I add a domain name for a server provider?
After you select SSO/FortiAuthenticator/RADIUS as a remote server in the Authentication tab, you will see an option for the domain field.