Fortinet black logo

Administration Guide

Home FortiPortal 7.0.8 Administration Guide
7.0.8
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.0.15
6.0.14
6.0.13
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.3.8
5.3.7
5.3.6
5.3.5
5.3.4
5.3.3
5.3.2
5.3.0
5.2.0
4.1.0
4.0.3
4.0.2
4.0.1
4.0.0

Remote authentication: SSO

Remote authentication: SSO

For single sign-on (SSO), FortiPortal supports both service provider (SP) initiated and identity provider (IDP) initiated SAML authentication.

For more information about how user and tenant identification works, see Tenant identification and domains.

To configure your SAML IDP server:

  1. Set custom attributes to identify what fields in the SAML assertion will hold the needed values:

    FortiPortal field Example attribute name Example attribute value Description

    Role Attribute

    		FPC_Role user.jobtitle Used to map the IDP server roles to FortiPortal profiles. Required.

    Site Attribute

    		FPC_Site user.officelocation Used to restrict an account to a specific site or location. Optional.

    Tenant Identification Attribute

    		FPC_Tenant user.companyname

    Defines the field in the SAML assertion that holds the user's domain name, which is then used to map to an organization or administration domain. Optional.

    See Tenant identification and domains for more information.

    Email Attribute

    FPC_Email

    user.mail

    Defines the field in the SAML assertion that holds the user's email address, which is then used to map to a organization or administration domain if Tenant Identification Attribute is not set and the username is not in email format. Optional.

  2. Configure other options as needed.

  3. Consult the documentation for your IDP provider for more information.

Caution

FortiPortal requires that all SAML responses and assertions are signed.

In Microsoft Entra ID, edit Token signing certificate and set Signing Option to Sign SAML response and assertion.
To configure FortiPortal:

  1. Configure the settings as follows:

    Field

    Required

    		 Description
    Authentication Access

    N

    		 Select Remote.

    Enable Two-factor Authentication

    N

    Do not enable two-factor authentication with SSO in FortiPortal.

    To use two-factor authentication with SSO, select the Remote authentication access and SSO and configure two-factor authentication on the SAML IDP server.
    Remote Server

    Y

    		 Select SSO.
    SSO IDP Entity URL

    Y

    Enter the URL of your SSO provider entity identifier. The name of this field on your provider may vary.

    For example, in Microsoft Entra ID, this value is found in the Microsoft Entra Identifier field.
    IDP Sign On Service Endpoint URL

    Y

    Enter the sign-on endpoint URL as provided by your SSO provider.

    For example, in Microsoft Entra ID, this value is found in the Login URL field.
    IDP Sign on Service Redirect Endpoint URL

    Y

  2. This value is usually the same as the IDP Sign On Service Endpoint URL.

    		3.
    SSO Application ID

    Y

    Enter the application ID as set in your IDP configuration.

    This is usually https://<portal>/fpc/saml/metadata.

    SSO Audience URL

    Y

    Enter the value from the sign on URL as set in your IDP configuration.

    This is usually https://<portal>/fpc/saml/SSO.
    Role Attribute

    Y

    		 Enter the value as set in your IDP configuration. See Role Attribute.

    Tenant Identification Attribute

    N

    Enter the value as set in your IDP configuration. See Tenant Identification Attribute.

    If set, this value is used to match the user with an organization. For more information, see Tenant identification and domains.

    SSO Error URL

    N

    If specified by your IDP provider, enter the URL where users are redirected if there is an error in the assertion process.

    IDP Logout Service Endpoint

    Y

  3. Enter the logout endpoint from your IDP provider.

    In Microsoft Entra ID, this value is found in the Logout URL field.

    		4.

    SSO Certificate

    Y

    Enter the certificate from your IDP server. Strip out any carriage returns and the BEGIN CERTIFICATE and END CERTIFICATE sections.

    Site Attribute

    N

    Enter the Site Attribute as set in your IDP configuration. See Site Attribute.

    Email Attribute

    N

    Enter the Email Attribute as set in your IDP configuration. See Email Attribute.

    Self Service Portal

    N

    Enter this value if provided by your IDP provider.

    Support Idp Initiated SSO

    N

    This should be enabled when IDP-initiated SSO is enabled on your SAML server.

    Domains

    N

    Select the domains to be used for administration access. For more information about how domain matching works, see Tenant identification and domains.

    View/Change SSO Roles

    See Mapping IDP server roles user to FortiPortal profiles .

  4. Click Save.

    Tooltip

    In Config Download, click sp.xml or idp.xml to download the relevant configuration file.

    The download buttons only appear after you have saved the SSO configuration.

When troubleshooting single sign-on, use the following URL for the spuser account to authenticate locally, bypassing remote authentication:

https://<Portal>/fpc/app/admin
Previous
Next

Remote authentication: SSO

For single sign-on (SSO), FortiPortal supports both service provider (SP) initiated and identity provider (IDP) initiated SAML authentication.

For more information about how user and tenant identification works, see Tenant identification and domains.

To configure your SAML IDP server:

  1. Set custom attributes to identify what fields in the SAML assertion will hold the needed values:

    FortiPortal field Example attribute name Example attribute value Description

    Role Attribute

    		FPC_Role user.jobtitle Used to map the IDP server roles to FortiPortal profiles. Required.

    Site Attribute

    		FPC_Site user.officelocation Used to restrict an account to a specific site or location. Optional.

    Tenant Identification Attribute

    		FPC_Tenant user.companyname

    Defines the field in the SAML assertion that holds the user's domain name, which is then used to map to an organization or administration domain. Optional.

    See Tenant identification and domains for more information.

    Email Attribute

    FPC_Email

    user.mail

    Defines the field in the SAML assertion that holds the user's email address, which is then used to map to a organization or administration domain if Tenant Identification Attribute is not set and the username is not in email format. Optional.

  2. Configure other options as needed.

  3. Consult the documentation for your IDP provider for more information.

Caution

FortiPortal requires that all SAML responses and assertions are signed.

In Microsoft Entra ID, edit Token signing certificate and set Signing Option to Sign SAML response and assertion.
To configure FortiPortal:

  1. Configure the settings as follows:

    Field

    Required

    		 Description
    Authentication Access

    N

    		 Select Remote.

    Enable Two-factor Authentication

    N

    Do not enable two-factor authentication with SSO in FortiPortal.

    To use two-factor authentication with SSO, select the Remote authentication access and SSO and configure two-factor authentication on the SAML IDP server.
    Remote Server

    Y

    		 Select SSO.
    SSO IDP Entity URL

    Y

    Enter the URL of your SSO provider entity identifier. The name of this field on your provider may vary.

    For example, in Microsoft Entra ID, this value is found in the Microsoft Entra Identifier field.
    IDP Sign On Service Endpoint URL

    Y

    Enter the sign-on endpoint URL as provided by your SSO provider.

    For example, in Microsoft Entra ID, this value is found in the Login URL field.
    IDP Sign on Service Redirect Endpoint URL

    Y

  2. This value is usually the same as the IDP Sign On Service Endpoint URL.

    		3.
    SSO Application ID

    Y

    Enter the application ID as set in your IDP configuration.

    This is usually https://<portal>/fpc/saml/metadata.

    SSO Audience URL

    Y

    Enter the value from the sign on URL as set in your IDP configuration.

    This is usually https://<portal>/fpc/saml/SSO.
    Role Attribute

    Y

    		 Enter the value as set in your IDP configuration. See Role Attribute.

    Tenant Identification Attribute

    N

    Enter the value as set in your IDP configuration. See Tenant Identification Attribute.

    If set, this value is used to match the user with an organization. For more information, see Tenant identification and domains.

    SSO Error URL

    N

    If specified by your IDP provider, enter the URL where users are redirected if there is an error in the assertion process.

    IDP Logout Service Endpoint

    Y

  3. Enter the logout endpoint from your IDP provider.

    In Microsoft Entra ID, this value is found in the Logout URL field.

    		4.

    SSO Certificate

    Y

    Enter the certificate from your IDP server. Strip out any carriage returns and the BEGIN CERTIFICATE and END CERTIFICATE sections.

    Site Attribute

    N

    Enter the Site Attribute as set in your IDP configuration. See Site Attribute.

    Email Attribute

    N

    Enter the Email Attribute as set in your IDP configuration. See Email Attribute.

    Self Service Portal

    N

    Enter this value if provided by your IDP provider.

    Support Idp Initiated SSO

    N

    This should be enabled when IDP-initiated SSO is enabled on your SAML server.

    Domains

    N

    Select the domains to be used for administration access. For more information about how domain matching works, see Tenant identification and domains.

    View/Change SSO Roles

    See Mapping IDP server roles user to FortiPortal profiles .

  4. Click Save.

    Tooltip

    In Config Download, click sp.xml or idp.xml to download the relevant configuration file.

    The download buttons only appear after you have saved the SSO configuration.

When troubleshooting single sign-on, use the following URL for the spuser account to authenticate locally, bypassing remote authentication:

https://<Portal>/fpc/app/admin
Previous
Next