Mapping SSO IdP server user roles to FortiPortal profiles
The site administrator can create profiles on FortiPortal to restrict access to UI pages or actions. These profiles can be mapped to existing roles on the IdP server.
When users are authenticated, the user role noted in the SAML assertion from the IdP server is mapped to a profile in FortiPortal and the appropriate permissions are provided to the user.
Site administrators do not need to change or add permissions on the IdP server exclusively for FortiPortal.
FortiPortal profiles can be mapped to IdP server roles before an SSO provider is set up. The IdP role name is matched against the roles of any IdP server that is added later.
Click View SSO Roles in the Authentication tab to configure the mapping between FortiPortal profiles and SSO roles. For each SSO role mapping, the window displays Role Name, Role Type (Service Provider or Customer) and a list of (FortiPortal) profiles that map to the SSO role.
The SSO Roles window contains the following actions:
- Create: Create an SSO role mapping.
- Edit: Edit the selected SSO role mapping.
- Delete: Delete one or more selected SSO role mappings.
- Search: Search for SSO role mappings by name.
- Show x entries: Limit the number of entries that are displayed at once (20 or 50).
- Sort: Sort columns in ascending or descending order.
To map IdP roles to FortiPortal profiles:
- Go to System > Settings > Authentication.
- Set Authentication Access to Remote.
- In the Remote Server dropdown, select SSO.
- Click View SSO Roles.
The SSO Roles window opens.
- In the SSO Roles window, click Create.
- In the Create Role window, enter the following information:
| Field | Required | Description |
|---|---|---|
| Role Name | Y | The SSO role name. The name must match a role name on the SSO server. |
| Role Type | Y | Service Provider or Customer. |
| FPC Roles | Y | Select the FortiPortal profile to associate with this SSO role. |
- Click Save.
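The following Python model is an added example, not FortiPortal's own code: it walks through what the mapping configured above does at login time, reading the role values out of a SAML 2.0 assertion and resolving them against a role-to-profile table. The SAML attribute name ("Role"), the assertion layout and the mapping entries are constructed assumptions; this page does not state which attribute FortiPortal reads or how it compares names, so the example uses an exact string match and treats any role with no mapping as granting no profile, which is the failure mode an administrator most often meets when the Role Name does not match the IdP exactly. It also assumes the assertion has already been validated (signature, audience, validity window) before its attributes are trusted.

```python
"""Model of SSO role -> FortiPortal profile resolution (added example, not product code).

Assumptions (not documented on the page):
  - the IdP sends the user's role(s) in a SAML attribute named "Role";
  - role names are compared exactly, as configured under View SSO Roles;
  - the assertion's signature, audience and conditions were verified upstream.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Sequence, Tuple

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class RoleMapping:
    """One row of the SSO Roles window."""
    role_name: str          # must match the role name on the SSO server
    role_type: str          # "Service Provider" or "Customer"
    profiles: Tuple[str, ...]  # FortiPortal profile(s) granted to that role


# Constructed mapping table standing in for what the administrator saved.
SSO_ROLE_MAPPINGS: Tuple[RoleMapping, ...] = (
    RoleMapping("portal-admins", "Service Provider", ("Admin",)),
    RoleMapping("acme-operators", "Customer", ("Operator",)),
)

# Constructed (unsigned, already-validated-by-assumption) SAML assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>acme-operators</saml:AttributeValue>
      <saml:AttributeValue>unmapped-group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_roles(assertion_xml: str, attribute_name: str = "Role") -> List[str]:
    """Return every value of the named attribute in the AttributeStatement, in order."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_ASSERTION_NS}
    values: List[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", ns):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def resolve_profiles(roles: Sequence[str],
                     mappings: Sequence[RoleMapping] = SSO_ROLE_MAPPINGS) -> List[str]:
    """Map IdP role names to FortiPortal profiles.

    Exact match only: a role that differs even in case from the configured
    Role Name resolves to nothing, so the user gets no profile from it.
    """
    by_name = {m.role_name: m for m in mappings}
    granted: List[str] = []
    for role in roles:
        mapping = by_name.get(role)
        if mapping is None:
            continue  # no row in the SSO Roles window for this role
        for profile in mapping.profiles:
            if profile not in granted:
                granted.append(profile)
    return granted


def profiles_for_assertion(assertion_xml: str) -> List[str]:
    """End-to-end: assertion attributes -> configured mappings -> profiles."""
    return resolve_profiles(extract_roles(assertion_xml))


if __name__ == "__main__":
    print("roles in assertion:", extract_roles(SAMPLE_ASSERTION))
    print("profiles granted:  ", profiles_for_assertion(SAMPLE_ASSERTION))
```

Running the block shows that only "acme-operators" yields a profile; "unmapped-group" is silently ignored, which is why a user who unexpectedly lands with no permissions should first be checked against the exact Role Name spelling saved in the SSO Roles window.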