Tenant identification and domains
During authentication, FortiPortal identifies whether the user is an administrator or an organization and loads the correct user interface. FortiPortal uses the domain name to identify which interface should be loaded.
If the Tenant Identification Attribute is configured and is provided in the SAML assertion, the value in the Tenant Identification Attribute is used to match a domain name provided in the SSO settings or in an organization's General settings.
If a user does not match a configured domain and Non-Matching Domain Authentication is enabled, FortiPortal proceeds with authentication using the global IdP. The global IdP returns an attribute identifying the tenant, which has been configured as a domain in FortiPortal and will have no relation to the domain name entered.
If the domain in the SAML assertion does not match any of these domains, an error message is displayed.
If the Tenant Identification Attribute is not configured or is not provided in the SAML assertion, the domain name is taken from the username attribute, which must be formatted as an email address.
If the username is not provided as an email address, then the SSO Email Attribute can be used to configure which SAML assertion field holds the user's email address. This field will be used to match the domain name.
If the username is not in email format and neither Tenant Identification Attribute nor Email Attribute are set, then the domain cannot be matched, login fails, and FortiPortal displays an error.
How can the tenant ID attribute help maintain the appropriate privileged access to the system?
The Tenant Identification Attribute value is taken from the IdP response and that value is mapped with the domain name field in FortiPortal. For example, if the Tenant Identification Attribute is map_id
, FortiPortal gets the value for the map_id
attribute from the SAML response and maps that value with a domain name listed in an organization's General settings or the System > Settings > Authentication settings. If the value matches with an organization domain name, the user is granted access to that organization. If the value matches with a domain name in the SSO settings, the administrative interface loads.
How can I add a domain name to an organization?
A unique domain name identifies the organization. You can add domain names to an organization in that organization's General settings.
In the General tab in Create or edit an organization, enter the domain name in the Domains field and press Enter to add the name to the domain list.
You can add more than one domain to an organization.
See General for more information.
How can I add a domain name for a service provider?
After you select Remote
as the Authentication Access in the Authentication tab, you will see the Domains field.
See Authentication for more information.