Configuring the FortiAuthenticator
This section provides steps for configuring Security Assertion Markup Language (SAML) authentication using FortiAuthenticator for FortiSandbox solutions.
This section covers only the SAML authentication configuration using FortiAuthenticator for FortiSandbox. For more information about the setup and configuration of the FortiAuthenticator, see the FortiAuthenticator Administration Guide on the Fortinet Documents Library.
To configure FortiAuthenticator:
- Create a new SSO user.
- Configure FortiAuthenticator IdP and export the IdP certificate.
- Configure SP settings on FortiAuthenticator.
- Configure SAML SSO settings on FortiSandbox.
Create a new SSO user
To create a new SSO user on FortiAuthenticator:
- Go to Authentication > User Management > Local Users, and click Create New.
- Enter a username and password for the local user.
- Disable Allow RADIUS authentication.
- Click OK to save changes to the local user.
Configure FortiAuthenticator IdP and export the IdP certificate
To configure FortiAuthenticator IdP:
- Go to Authentication > SAML IdP > General.
- Enable SAML Identity Provider portal, and enter the following information:
  Server address: Enter the device FQDN of the FortiAuthenticator IdP. When FortiSandbox and FortiAuthenticator are accessed by assigned external public IPs, the Server address should be the FortiAuthenticator public IP.
  Username input format: Select the default username input format. The default is username@realm.
  Realms: In the dropdown, select the local realm. Optionally, for group filtering, enable Filter, click the pen icon to edit, select groups from the Available User Groups search box, and click OK.
  Default IdP certificate: Select a default certificate to use in your SAML configuration. The certificate is used in the HTTPS connection to the IdP portal.
- Click OK.
Once the IdP has been configured, you can proceed with setting up the service provider(s) of your choice.
In addition to configuring the SAML IdP settings, you will also need to select and export the default IdP certificate for use on the service providers.
To export the IdP certificate in FortiAuthenticator:
- Go to Certificate Management > End Entities > Local Services.
- Select the certificate used in the SAML IdP and click Export Certificate.
Configure the SP settings on FortiAuthenticator
To complete the following configuration, you will need to configure the SAML settings on the SP device at the same time, because some fields, including the SP entity ID, SP ACS URL, and SP SLS URL, are only available when configuring the SAML settings on the SP device.
To configure service provider settings on the FortiAuthenticator:
- Go to Authentication > SAML IdP > Service Providers, and click Create New.
- Enter the following information:
  SP name: Enter a name for the SP device.
  IdP prefix: Select +, and enter an IdP prefix in the Create Alternate IdP Prefix dialog or select Generate prefix, and click OK.
  Server certificate: Select the same certificate as the default IdP certificate used in Authentication > SAML IdP > General.
  Participate in single logout: Enable to send logout requests to this SP when the user logs out from the IdP.
  Authentication method: Select an authentication method.
- Click Save.
- The details for the following settings are available when configuring the service provider device on FortiSandbox (System > SSO > enable SSO). Copy each value shown by FortiSandbox into the corresponding FortiAuthenticator field:
  FortiSandbox SP Entity ID (for example https://10.1.0.1/sso_sp) -> FortiAuthenticator SP entity ID
  FortiSandbox SP login URL (for example https://10.1.0.1/sso_sp/op/?acs) -> FortiAuthenticator SP ACS (login) URL
  FortiSandbox SP logout URL (for example https://10.1.0.1/sso_sp/op/?sls) -> FortiAuthenticator SP SLS (logout) URL
  The SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL must match the respective settings on the FortiSandbox (service provider) side exactly.
  If you deploy FortiSandbox or FortiAuthenticator on a public cloud, you must manually update the public IP to the private IP in these URLs. Otherwise, the URLs will not work.
- Click OK.
- Select the SP you just created and click Edit.
- In Assertion Attribute Configuration:
  From the Subject NameID dropdown, select Username.
  From the Format dropdown, select urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.
- Under Assertion Attributes, click Add Assertion Attribute:
  From the User attribute dropdown, select Username.
  In the SAML attribute field, enter username.
- Click Add Assertion Attribute again to create a second SAML attribute:
  From the User attribute dropdown, select Group.
  In the SAML attribute field, enter groupname.
- Click OK to save changes.
Configure SAML SSO settings on FortiSandbox
To configure FortiSandbox as a service provider:
- On FortiSandbox go to System > Certificates and import the IdP certificate exported from FortiAuthenticator.
- On FortiSandbox go to System > SAML SSO and configure the settings. Copy the following URLs from the FortiAuthenticator SAML Service Provider page into the corresponding FortiSandbox fields:
  FortiAuthenticator IdP entity ID (for example http://x.x.x.x/saml-idp/dnax3e5175oisk76/metadata/) -> FortiSandbox IdP Entity ID
  FortiAuthenticator IdP single sign-on URL (for example https://x.x.x.x/saml-idp/dnax3e5175oisk76/login/) -> FortiSandbox IdP login URL
  FortiAuthenticator IdP single logout URL (for example https://x.x.x.x/saml-idp/dnax3e5175oisk76/logout/) -> FortiSandbox IdP logout URL
- For IdP certificate, choose the certificate you imported earlier.
- Click OK.
When FortiSandbox and FortiAuthenticator are accessed by assigned external public IPs, the IdP and SP URLs must be updated to use the public IPs.
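Most SAML SSO failures in this setup come from the IdP values being copied into FortiSandbox with the wrong host, the wrong scheme, or a certificate that does not match the IdP's signing certificate. The IdP entity ID above is also the URL of the IdP metadata document, so the values can be cross-checked against it before they are entered. The following script is an added example and is not Fortinet code: it parses a SAML 2.0 IdP metadata document, extracts the entity ID, HTTP-Redirect login and logout endpoints and the signing certificate's SHA-256 fingerprint, and compares them with the values destined for FortiSandbox, including the public-IP caveat from this section. The metadata, the 203.0.113.x addresses and the certificate blob below are all constructed for illustration (the blob is random bytes, not a real X.509 certificate); the 'dnax3e5175oisk76' prefix is reused from the example URLs in this guide.

```python
"""Cross-check the IdP values you are about to type into FortiSandbox against the
FortiAuthenticator IdP metadata (the document served at the IdP entity ID URL).

Added example, not Fortinet code. Everything below is CONSTRUCTED: the metadata
imitates the URL shapes shown in this guide, the addresses come from the
documentation range 203.0.113.0/24, and SAMPLE_CERT_B64 is random bytes, not a
real X.509 certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

# Constructed stand-in for the exported IdP certificate (NOT a real DER blob).
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder for the IdP signing cert").decode()

# Constructed metadata in the shape a SAML 2.0 IdP publishes.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://203.0.113.10/saml-idp/dnax3e5175oisk76/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_UNSPECIFIED}</md:NameIDFormat>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://203.0.113.10/saml-idp/dnax3e5175oisk76/logout/"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://203.0.113.10/saml-idp/dnax3e5175oisk76/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 of the DER bytes as lowercase hex. For the certificate you imported
    on FortiSandbox, compare against
    `openssl x509 -in idp.crt -noout -fingerprint -sha256` with the colons removed."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out the three values FortiSandbox asks for, plus the signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def redirect_endpoint(tag: str):
        # The IdP login/logout URLs entered on the SP are the HTTP-Redirect endpoints.
        for el in idp.findall(f"md:{tag}", NS):
            if el.get("Binding") == HTTP_REDIRECT:
                return el.get("Location")
        return None

    cert_el = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "login_url": redirect_endpoint("SingleSignOnService"),
        "logout_url": redirect_endpoint("SingleLogoutService"),
        "nameid_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "cert_sha256": cert_fingerprint(cert_el.text) if cert_el is not None else None,
    }


def check_sp_settings(meta: dict, sp_settings: dict, client_host: str, imported_cert_sha256: str) -> list:
    """Return a list of problems with the values destined for FortiSandbox;
    an empty list means they agree with the IdP metadata.

    client_host is the address browsers actually use to reach FortiAuthenticator
    (the public IP when the devices are reached through external IPs)."""
    problems = []
    for key in ("entity_id", "login_url", "logout_url"):
        if sp_settings.get(key) != meta[key]:
            problems.append(f"{key}: SP has {sp_settings.get(key)!r}, metadata says {meta[key]!r}")
    # The entity ID is only an identifier; the login/logout URLs are what the browser follows.
    for key in ("login_url", "logout_url"):
        u = urlparse(sp_settings.get(key, ""))
        if u.scheme != "https":
            problems.append(f"{key} is not https: {sp_settings.get(key)!r}")
        if u.hostname != client_host:
            problems.append(f"{key} points at {u.hostname}, but clients reach the IdP at {client_host}")
    if NAMEID_UNSPECIFIED not in meta["nameid_formats"]:
        problems.append("IdP does not advertise nameid-format:unspecified")
    if meta["cert_sha256"] != imported_cert_sha256:
        problems.append("imported IdP certificate does not match the signing certificate in the metadata")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    to_type = {k: meta[k] for k in ("entity_id", "login_url", "logout_url")}
    print("IdP values for FortiSandbox:", to_type)
    print("problems:", check_sp_settings(meta, to_type, "203.0.113.10", cert_fingerprint(SAMPLE_CERT_B64)))
```

In a real deployment, replace SAMPLE_METADATA with the document fetched from the IdP entity ID URL and SAMPLE_CERT_B64 with the base64 body of the certificate exported in Certificate Management > End Entities > Local Services; pass as client_host the address users type into their browser, so a private IP left in a login or logout URL is flagged before SSO is enabled.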