Fortinet white logo
Fortinet white logo

Administration Guide

Configuring the FortiAuthenticator

Configuring the FortiAuthenticator

This section provides steps for configuring Security Assertion Markup Language (SAML) authentication using FortiAuthenticator for FortiSandbox solutions.

Tooltip

This section includes configuration information for the SAML authentication using FortiAuthenticator for FortiSandbox only. For more information about the setup and configuration of the FortiAuthenticator, see the FortiAuthenticator Administration Guide on the Fortinet Documents Library.

To configure FortiAuthenticator:
  1. Create a new SSO user.
  2. Configure FortiAuthenticator IdP and export the IdP certificate.
  3. Configure SP settings on FortiAuthenticator.
  4. Configure SAML SSO settings on FortiSandbox.

Create a new SSO user

To create a new SSO user on FortiAuthenticator:
  1. Go to Authentication > User Management > Local Users, and click Create New.
  2. Enter a username and password for the local user.
  3. Disable Allow RADIUS authentication.

  4. Click OK to save changes to the local user

Configure FortiAuthenticator IdP and export the IdP certificate

To configure FortiAuthenticator IdP:
  1. Go to Authentication > SAML IdP > General.
  2. Enable SAML Identity Provider portal, and enter the following information:
    Server address

    Enter the device FQDN of the FortiAuthenticator IdP.

    Tooltip

    When FortiSandbox and FortiAuthenticator are accessed by assigned external public IPs, the Server address should be the FortiAuthenticator public IP.

    Username input formatSelect the default username input format. The default is username@realm.
    Realms

    In the dropdown, select the local realm.

    Optionally, for group filtering, enable Filter, click the pen icon to edit, select groups from the Available User Groups search box, and click OK.

    Default IdP certificateSelect a default certificate to use in your SAML configuration. The certificate is used in the https connection to the IdP portal.
  3. Click OK.

Once the IdP has been configured, you can proceed with setting up the service provider(s) of your choice.

In addition to configuring the SAML IdP settings, you will also need to select and export the default IdP certificate for use on the service providers.

To export the IdP certificate in FortiAuthenticator:
  1. Go to Certificate Management > End Entities > Local Services.
  2. Select the certificate used in the SAML IdP and click Export Certificate.

Configure the SP settings on FortiAuthenticator

To complete the following configuration, you will need to configure the SAML settings on the SP device at the same time. This is because some fields including the SP entity ID, SP ACS URL, and SP SLS URL are only available when configuring the SAML settings on the SP device.

To configure service provider settings on the FortiAuthenticator:
  1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
  2. Enter the following information:

    SP name

    Enter a name for the SP device.

    IDP prefix

    Select +, and enter an IdP prefix in the Create Alternate IdP Prefix dialog or select Generate prefix, and click OK.

    Server certificate

    Select the same certificate as the default IdP certificate used in Authentication > SAML IdP > General.

    Enable Participate in single logout to send logout requests to this SP when the user logs out from the IdP.

    Authentication method

    Select an authentication method.
  3. Click Save.
  4. The details for following settings are available when configuring the service provider device on FortiSandbox (System > SSO > enable SSO).

    From ForiSandbox

    To FortiAuthenticator field

    SP Entity ID

    (https://10.1.0.1/sso_sp)

    SP entity ID

    SP login URL

    (https://10.1.0.1/sso_sp/op/?acs)

    SP ACS (login) URL

    SP logout URL

    (https://10.1.0.1/sso_sp/op/?sls)

    SP SLS (logout) URL

    Tooltip

    SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL must match the respective FortiSandbox configurations as the service provider device side.

    Tooltip

    If you are deploying FortiSandbox or FortiAuthenticator on a public cloud you will need manually updated to the Private IP to the Public IP. Otherwise, the URLs will not work.

  5. Click OK.
  6. Select and click Edit to edit the recently created SP.

  7. In Assertion Attribute Configuration:
    • From the Subject NameID dropdown, select Username .

    • From the Format dropdown, select urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified .

  8. Under Assertion Attributes, click Add Assertion Attribute:
    1. In the SAML attribute field, enter username.
    2. From the User attribute dropdown, select Username.
  9. Click Add Assertion Attribute again and create a new SAML attribute.
    1. For User attribute select Group.
    2. In the SAML attribute field enter groupname.
  10. Click OK to save changes.

Configure SAML SSO settings on FortiSandbox

To configure FortiSandbox as a service provider:
  1. On FortiSandbox go to System > Certificates and import the IdP certificate exported from FortiAuthenticator.
  2. On FortiSandbox go to System > SAML SSO and configure the settings. Copy the following URLs from FortiAuthenticator SAML Service Provider page:

    From Authenticator

    To FortiSandbox field

    IdP entity id

    (http://x.x.x.x/saml-idp/dnax3e5175oisk76/metadata/)

    IdP Entity ID

    IdP single sign-on URL

    (https://x.x.x.x/saml-idp/dnax3e5175oisk76/login/)

    IdP login URL

    IdP single logout URL

    (https://x.x.x.x/saml-idp/dnax3e5175oisk76/logout/)

    IdP logout URL

  3. For IdP certificate, choose the certificate you imported earlier.
  4. Click OK.
Tooltip

When FortiSandbox and FortiAuthenticator are accessed by assigned external public IPs, the IdP and SP URLs should be updated with public IPs.

Configuring the FortiAuthenticator

Configuring the FortiAuthenticator

This section provides steps for configuring Security Assertion Markup Language (SAML) authentication using FortiAuthenticator for FortiSandbox solutions.

Tooltip

This section includes configuration information for the SAML authentication using FortiAuthenticator for FortiSandbox only. For more information about the setup and configuration of the FortiAuthenticator, see the FortiAuthenticator Administration Guide on the Fortinet Documents Library.

To configure FortiAuthenticator:
  1. Create a new SSO user.
  2. Configure FortiAuthenticator IdP and export the IdP certificate.
  3. Configure SP settings on FortiAuthenticator.
  4. Configure SAML SSO settings on FortiSandbox.

Create a new SSO user

To create a new SSO user on FortiAuthenticator:
  1. Go to Authentication > User Management > Local Users, and click Create New.
  2. Enter a username and password for the local user.
  3. Disable Allow RADIUS authentication.

  4. Click OK to save changes to the local user

Configure FortiAuthenticator IdP and export the IdP certificate

To configure FortiAuthenticator IdP:
  1. Go to Authentication > SAML IdP > General.
  2. Enable SAML Identity Provider portal, and enter the following information:
    Server address

    Enter the device FQDN of the FortiAuthenticator IdP.

    Tooltip

    When FortiSandbox and FortiAuthenticator are accessed by assigned external public IPs, the Server address should be the FortiAuthenticator public IP.

    Username input formatSelect the default username input format. The default is username@realm.
    Realms

    In the dropdown, select the local realm.

    Optionally, for group filtering, enable Filter, click the pen icon to edit, select groups from the Available User Groups search box, and click OK.

    Default IdP certificateSelect a default certificate to use in your SAML configuration. The certificate is used in the https connection to the IdP portal.
  3. Click OK.

Once the IdP has been configured, you can proceed with setting up the service provider(s) of your choice.

In addition to configuring the SAML IdP settings, you will also need to select and export the default IdP certificate for use on the service providers.

To export the IdP certificate in FortiAuthenticator:
  1. Go to Certificate Management > End Entities > Local Services.
  2. Select the certificate used in the SAML IdP and click Export Certificate.

Configure the SP settings on FortiAuthenticator

To complete the following configuration, you will need to configure the SAML settings on the SP device at the same time. This is because some fields including the SP entity ID, SP ACS URL, and SP SLS URL are only available when configuring the SAML settings on the SP device.

To configure service provider settings on the FortiAuthenticator:
  1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
  2. Enter the following information:

    SP name

    Enter a name for the SP device.

    IDP prefix

    Select +, and enter an IdP prefix in the Create Alternate IdP Prefix dialog or select Generate prefix, and click OK.

    Server certificate

    Select the same certificate as the default IdP certificate used in Authentication > SAML IdP > General.

    Enable Participate in single logout to send logout requests to this SP when the user logs out from the IdP.

    Authentication method

    Select an authentication method.
  3. Click Save.
  4. The details for following settings are available when configuring the service provider device on FortiSandbox (System > SSO > enable SSO).

    From ForiSandbox

    To FortiAuthenticator field

    SP Entity ID

    (https://10.1.0.1/sso_sp)

    SP entity ID

    SP login URL

    (https://10.1.0.1/sso_sp/op/?acs)

    SP ACS (login) URL

    SP logout URL

    (https://10.1.0.1/sso_sp/op/?sls)

    SP SLS (logout) URL

    Tooltip

    SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL must match the respective FortiSandbox configurations as the service provider device side.

    Tooltip

    If you are deploying FortiSandbox or FortiAuthenticator on a public cloud you will need manually updated to the Private IP to the Public IP. Otherwise, the URLs will not work.

  5. Click OK.
  6. Select and click Edit to edit the recently created SP.

  7. In Assertion Attribute Configuration:
    • From the Subject NameID dropdown, select Username .

    • From the Format dropdown, select urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified .

  8. Under Assertion Attributes, click Add Assertion Attribute:
    1. In the SAML attribute field, enter username.
    2. From the User attribute dropdown, select Username.
  9. Click Add Assertion Attribute again and create a new SAML attribute.
    1. For User attribute select Group.
    2. In the SAML attribute field enter groupname.
  10. Click OK to save changes.

Configure SAML SSO settings on FortiSandbox

To configure FortiSandbox as a service provider:
  1. On FortiSandbox go to System > Certificates and import the IdP certificate exported from FortiAuthenticator.
  2. On FortiSandbox go to System > SAML SSO and configure the settings. Copy the following URLs from FortiAuthenticator SAML Service Provider page:

    From Authenticator

    To FortiSandbox field

    IdP entity id

    (http://x.x.x.x/saml-idp/dnax3e5175oisk76/metadata/)

    IdP Entity ID

    IdP single sign-on URL

    (https://x.x.x.x/saml-idp/dnax3e5175oisk76/login/)

    IdP login URL

    IdP single logout URL

    (https://x.x.x.x/saml-idp/dnax3e5175oisk76/logout/)

    IdP logout URL

  3. For IdP certificate, choose the certificate you imported earlier.
  4. Click OK.
Tooltip

When FortiSandbox and FortiAuthenticator are accessed by assigned external public IPs, the IdP and SP URLs should be updated with public IPs.