Fortinet white logo
Fortinet white logo

Remote authentication: SSO

Remote authentication: SSO

For single sign-on (SSO), FortiPortal supports both service provider (SP) initiated and identity provider (IDP) initiated SAML authentication.

Caution

FortiPortal requires that all SAML responses and assertions are signed.

To configure your SAML IDP server:
  1. Set custom attributes to identify what fields in the SAML assertion will hold the needed values:

    FortiPortal field Example attribute name Example attribute value Description

    Role Attribute

    FPC_Role user.jobtitle Used to map the IDP server roles to FortiPortal profiles. Required.
    Site Attribute FPC_Site user.officelocation Used to restrict an account to a specific site or location. Optional.
    Tenant Identification Attribute FPC_Tenant user.companyname

    Defines the field in the SAML assertion that holds the user's domain name, which is then used to map to an organization or administration domain. Optional.

    See Tenant identification and domains for more information.

    Email Attribute

    FPC_Email

    user.mail

    Defines the field in the SAML assertion that holds the user's email address, which is then used to map to a organization or administration domain if Tenant Identification Attribute is not set and the username is not in email format. Optional.

  2. Configure other options as needed.

  3. Consult the documentation for your IDP provider for more information.

To configure FortiPortal:
  1. In the Authentication Access field, select Remote.

  2. In the Remote Server field, select SSO.

  3. Enter the SSO IDP Entity URL. The name of this field on your provider may vary. For example, in Azure AD, this value is found in the Identifier field.

  4. Enter the IDP Sign On Service Enpoint URL. For example, in Azure AD, this value is found in the Login URL field.

  5. Enter the IDP Sign on Service Redirect Endpoint URL. This value is usually the same as the IDP Sign On Service Endpoint URL.

  6. Enter the SSO Application ID as set in your IDP configuration.

  7. Enter the SSO Audience URL value from the sign on URL as set in your IDP configuration. This is usually https://<portal>/fpc/saml/SSO.

  8. Enter the Role Attribute as set in your IDP configuration.

  9. Enter the Tenant Identification Attribute as set in your IDP configuration. If set, this value is used to match the user with an organization. For more information, see Tenant identification and domains.

  10. Enter the IDP Logout Service Endpoint. In Azure AD, this value is found in the Logout URL field.

  11. Enter the SSO Certificate from your IDP server. Strip out any carriage returns and the BEGIN CERTIFICATE and END CERTIFICATE sections.

  12. Enter the Site Attribute as set in your IDP configuration.

  13. Optionally, enter the Email Attribute.

  14. Select the domains to be used for administration access. For more information about how domain matching works, see Tenant identification and domains.

  15. Click Save.

To use two-factor authentication, select the Remote authentication access and SSO and configure two-factor authentication on the SAML IDP server.

When troubleshooting single sign-on, use the following URL for the spuser account to authenticate locally, bypassing remote authentication:

https://<Portal>/fpc/app/admin

Remote authentication: SSO

Remote authentication: SSO

For single sign-on (SSO), FortiPortal supports both service provider (SP) initiated and identity provider (IDP) initiated SAML authentication.

Caution

FortiPortal requires that all SAML responses and assertions are signed.

To configure your SAML IDP server:
  1. Set custom attributes to identify what fields in the SAML assertion will hold the needed values:

    FortiPortal field Example attribute name Example attribute value Description

    Role Attribute

    FPC_Role user.jobtitle Used to map the IDP server roles to FortiPortal profiles. Required.
    Site Attribute FPC_Site user.officelocation Used to restrict an account to a specific site or location. Optional.
    Tenant Identification Attribute FPC_Tenant user.companyname

    Defines the field in the SAML assertion that holds the user's domain name, which is then used to map to an organization or administration domain. Optional.

    See Tenant identification and domains for more information.

    Email Attribute

    FPC_Email

    user.mail

    Defines the field in the SAML assertion that holds the user's email address, which is then used to map to a organization or administration domain if Tenant Identification Attribute is not set and the username is not in email format. Optional.

  2. Configure other options as needed.

  3. Consult the documentation for your IDP provider for more information.

To configure FortiPortal:
  1. In the Authentication Access field, select Remote.

  2. In the Remote Server field, select SSO.

  3. Enter the SSO IDP Entity URL. The name of this field on your provider may vary. For example, in Azure AD, this value is found in the Identifier field.

  4. Enter the IDP Sign On Service Enpoint URL. For example, in Azure AD, this value is found in the Login URL field.

  5. Enter the IDP Sign on Service Redirect Endpoint URL. This value is usually the same as the IDP Sign On Service Endpoint URL.

  6. Enter the SSO Application ID as set in your IDP configuration.

  7. Enter the SSO Audience URL value from the sign on URL as set in your IDP configuration. This is usually https://<portal>/fpc/saml/SSO.

  8. Enter the Role Attribute as set in your IDP configuration.

  9. Enter the Tenant Identification Attribute as set in your IDP configuration. If set, this value is used to match the user with an organization. For more information, see Tenant identification and domains.

  10. Enter the IDP Logout Service Endpoint. In Azure AD, this value is found in the Logout URL field.

  11. Enter the SSO Certificate from your IDP server. Strip out any carriage returns and the BEGIN CERTIFICATE and END CERTIFICATE sections.

  12. Enter the Site Attribute as set in your IDP configuration.

  13. Optionally, enter the Email Attribute.

  14. Select the domains to be used for administration access. For more information about how domain matching works, see Tenant identification and domains.

  15. Click Save.

To use two-factor authentication, select the Remote authentication access and SSO and configure two-factor authentication on the SAML IDP server.

When troubleshooting single sign-on, use the following URL for the spuser account to authenticate locally, bypassing remote authentication:

https://<Portal>/fpc/app/admin