
Administration Guide

Remote authentication: SSO

For single sign-on (SSO), FortiPortal supports both service provider (SP) initiated and identity provider (IdP) initiated SAML authentication.

If only one IdP is configured and there are no per-organization overrides, the Login with Single Sign-On button displays and redirects to the IdP.

For more information about how user and tenant identification works, see Tenant identification and domains.

To configure your SAML IdP server:
  1. Set custom attributes to identify which fields in the SAML assertion will hold the needed values:

    Role Attribute (example attribute name: FPC_Role; example attribute value: user.jobtitle)
      Used to map the IdP server roles to FortiPortal profiles. Required.

    Site Attribute (example attribute name: FPC_Site; example attribute value: user.officelocation)
      Used to restrict an account to a specific site or location. Optional.

    Tenant Identification Attribute (example attribute name: FPC_Tenant; example attribute value: user.companyname)
      Defines the field in the SAML assertion that holds the user's domain name, which is then used to map to an organization or administration domain. Optional. See Tenant identification and domains for more information.

    Email Attribute (example attribute name: FPC_Email; example attribute value: user.mail)
      Defines the field in the SAML assertion that holds the user's email address, which is then used to map to an organization or administration domain if Tenant Identification Attribute is not set and the username is not in email format. Optional.

  2. Configure other options as needed.

  3. Consult the documentation for your IdP provider for more information.

Caution

FortiPortal requires that all SAML responses and assertions are signed.

In Microsoft Entra ID, edit Token signing certificate and set Signing Option to Sign SAML response and assertion.

To configure FortiPortal:
  1. Go to System > Settings > Authentication.

  2. Configure the settings as follows:

    Authentication Access (optional)
      Set to Remote.

    Enable Two-factor Authentication (optional)
      Do not enable two-factor authentication with SSO in FortiPortal. To use two-factor authentication with SSO, select Remote authentication access with SSO, and configure two-factor authentication on the SAML IdP server instead.

    Remote Server (required)
      Select SSO, then select remote IdP servers from the list or click Create to create new IdP servers. See To configure an SSO IdP server.
  3. Click Save.

To configure an SSO IdP server:
  1. Configure the settings as follows:

    Name (required)
      Enter a name for the server.

    Host Name (required)
      Enter the IP address or FQDN of the IdP server.

    Support IdP Initiated SSO (optional)
      Enable this when IdP-initiated SSO is enabled on your SAML server.

    Non-Matching Domain Authentication (optional)
      Enable or disable matching an identifying attribute that has been configured as a domain instead of the entered domain. See Tenant identification and domains.

    Entity URL (required)
      Enter the URL of your SSO provider entity identifier. The name of this field on your provider may vary. For example, in Microsoft Entra ID, this value is found in the Microsoft Entra Identifier field.

    Sign On Service Endpoint URL (required)
      Enter the sign-on endpoint URL as provided by your SSO provider. For example, in Microsoft Entra ID, this value is found in the Login URL field.

    Sign on Service Redirect Endpoint (required)
      This value is usually the same as the IdP Sign On Service Endpoint URL.

    Logout Endpoint (optional)
      Enter the logout endpoint from your IdP provider. In Microsoft Entra ID, this value is found in the Logout URL field.

    IdP Certificate (required)
      Enter the certificate from your IdP server. Strip out any carriage returns and the BEGIN CERTIFICATE and END CERTIFICATE lines, leaving only the base64 body.

    Response Signed (optional)
      By default, FortiPortal requires that responses from the IdP are signed.

    Assertions Signed (optional)
      By default, FortiPortal requires that assertions from the IdP are signed.

    Self Service Portal (optional)
      Enter this value if provided by your IdP provider.

    Error Endpoint (optional)
      If specified by your IdP provider, enter the URL where users are redirected if there is an error in the assertion process.

    Domains (optional)
      Select the domains to be used for administration access. For more information about how domain matching works, see Tenant identification and domains.

    Role Attribute (required)
      Enter the value as set in your IdP configuration. See Role Attribute.

    Tenant ID Attribute (optional)
      Enter the value as set in your IdP configuration. See Tenant Identification Attribute. If set, this value is used to match the user with an organization. For more information, see Tenant identification and domains.

    Site Attribute (optional)
      Enter the Site Attribute as set in your IdP configuration. See Site Attribute.

    Email Attribute (optional)
      Enter the Email Attribute as set in your IdP configuration. See Email Attribute.

    Contact Information Attributes (optional)
      Expand, then specify attributes for user contact information. When these attributes are specified, FortiPortal fills in the configured fields from the SAML response when creating the account for the remote user. FortiPortal does not raise an error if any of these fields are missing or empty when users authenticate.

    View/Change SSO Roles
      See Mapping SSO IdP server roles to FortiPortal profiles.

  2. Click Save.
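The following is an added example, not FortiPortal or Fortinet code, covering the IdP attribute table above, the Caution about signed responses and assertions, and the IdP Certificate field: it normalises a PEM certificate into the single-line body that field expects, and it inspects a SAML Response to confirm that both the Response and the Assertion carry a Signature element (presence only, not cryptographic verification, which FortiPortal performs itself) and to collect the FPC_* attributes. The certificate and the SAML Response are constructed sample inputs, and the FPC_* names are the example names from this page.

```python
# Added example (not FortiPortal code): pre-flight checks for an IdP set up as this page
# describes. normalise_pem() turns a PEM certificate into the single-line body the IdP
# Certificate field expects; check_response() confirms the Response and the Assertion both
# carry a Signature element (presence only, not cryptographic verification) and collects FPC_*.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ATTRS = ("FPC_Role", "FPC_Site", "FPC_Tenant", "FPC_Email")  # example names from this page

def normalise_pem(pem: str) -> str:
    """Strip the BEGIN/END CERTIFICATE lines and every CR/LF, keep only the base64 body."""
    lines = (line.strip() for line in pem.replace("\r", "").split("\n"))
    return "".join(line for line in lines if line and not line.startswith("-----"))

def check_response(xml_text: str) -> dict:
    """Return signature presence, FPC_* attribute values and a list of problems found."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    report = {"response_signed": root.find("ds:Signature", NS) is not None,
              "assertion_signed": assertion is not None
              and assertion.find("ds:Signature", NS) is not None,
              "attributes": {}, "problems": []}
    if assertion is not None:
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") in ATTRS:
                values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
                report["attributes"][attr.get("Name")] = values
    if not report["response_signed"]:
        report["problems"].append("Response is not signed")
    if not report["assertion_signed"]:
        report["problems"].append("Assertion is not signed")
    if not report["attributes"].get("FPC_Role"):  # the only required attribute
        report["problems"].append("FPC_Role attribute missing")
    return report

# Constructed sample inputs (not captured from a real IdP); a real Response is much longer.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\r\nMIIBfakeCert\r\nAAAA\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature><ds:SignatureValue>resp</ds:SignatureValue></ds:Signature>
 <saml:Assertion><ds:Signature><ds:SignatureValue>asrt</ds:SignatureValue></ds:Signature>
  <saml:AttributeStatement>
   <saml:Attribute Name="FPC_Role"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="FPC_Tenant"><saml:AttributeValue>example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

SAMPLE_REPORT = check_response(SAMPLE_RESPONSE)  # no problems for the constructed sample
```

A Response whose `problems` list is not empty would be rejected by FortiPortal under the defaults described above, so fix the IdP side (signing option or claim names) before retrying the login.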

When troubleshooting single sign-on, use the following URL for the spuser account to authenticate locally, bypassing remote authentication:

https://<Portal>/fpc/app/admin
