Single sign-on (SSO) SAML2 configuration

Note

You should complete the Verifying domain ownership steps before completing this configuration. This will allow you to manually add one of your users to test the SSO (SAML2) configuration after completing the configuration steps.

These features are only available for Premium service level licenses (Free 25-user Premium (for Partners only) and Premium (purchased by the customer)). They are not available for Free and Standard service level licenses.

The Security Awareness and Training Service allows customers and partners to share metadata to establish a baseline of trust and interoperability using the XML-based Security Assertion Markup Language (SAML) standard.

Using one of your existing SAML2 single sign-on solutions to authenticate users when they log in to the system allows them to use an existing credential set (email, password, and optional MFA). Users will not have to use a Fortinet Inc.-assigned credential set (email, password, and emailed MFA token) when logging in to the service.

Note

Configuring a single sign-on solution allows users to authenticate to the Fortinet Inc. Security Awareness and Training Service. Before users can log in, they must first be imported into the service. See Creating and importing users. Currently, the service does not support account creation during the single sign-on login process.

Different solution providers have different configuration steps for configuring a SAML2 app for authentication with third-party services. Customers will need to work with their internal IT department or service provider to configure the SAML2 application for the Fortinet Inc. Security Awareness and Training Service.

If you require assistance configuring the Authentication component, send an email to infosec_awareness@fortinet.com. A Deployment Specialist will reach out to request times that work and will schedule a meeting with our team, and, if necessary, the support team from your SSO vendor.

There are three main steps to configuring single sign-on for the Fortinet Inc. Security Awareness and Training Service:

  1. Copying the ACS URL and Entity ID to your Identity Provider's configuration.

  2. Mapping the Identity Provider attributes to your IdP settings.

  3. Providing the Metadata URL or XML metadata from your Identity Provider.

To configure SAML2 single sign-on (SSO):
  1. Go to Authentication from the Navigation Menu.

  2. In your SSO/SAML2 application configuration, enter the Assertion Consumer Service (ACS) URL and the Service Provider metadata (SP Entity ID) in the appropriate fields.

  3. Map the Identity Provider attributes to your IdP settings. Note that the names are case sensitive and must be entered exactly as in the following table:

    Name of user profile field: Username
      Mapped SAML attribute: the name of the attribute varies depending on the SSO/SAML2 solution (should be mapped to the primary email attribute).
      Examples: Google: Email or Primary Email; Microsoft: Unique User Identifier

    Name of user profile field: Email
      Mapped SAML attribute: the name of the attribute varies depending on the SSO/SAML2 solution (should be mapped to the primary email attribute).
      Examples: Google: Email or Primary Email; Microsoft: user.mail

    Name of user profile field: First_name
      Mapped SAML attribute: the name of the attribute varies depending on the SSO/SAML2 solution (should be mapped to the primary First Name attribute).
      Examples: Google: First Name; Microsoft: user.givenName

    Name of user profile field: Last_name
      Mapped SAML attribute: the name of the attribute varies depending on the SSO/SAML2 solution (should be mapped to the Last Name attribute).
      Examples: Google: Last Name; Microsoft: user.surname (or sn)

    Name of user profile field: Unique User Identifier (Microsoft only)
      Mapped SAML attribute: the name of the attribute varies depending on the SSO/SAML2 solution (should be mapped to the primary email attribute).
      Examples: Microsoft: user.mail

    Note

    For Google configurations, you can refer to this article.

    For Microsoft configurations, you will need to first delete the existing entries and create new entries using the table above. You can also refer to your Microsoft documentation (Federated Services / Azure (Entra)).

    If you wish to configure access to the service through the user apps (Microsoft and Google), sometimes called the Start URL, refer to this article.

    You will need to open a ticket in order to get your tenant name. Email infosec_awareness@fortinet.com asking for your tenant name. The URL will be https://app.training.fortinet.com/local/bridge/launch.php?name=<tenant_name>.

    Ensure that you add the users who should have access to the app in your SSO/SAML2 configuration interface.

  4. For Microsoft and other vendors, paste the Metadata URL from your Identity Provider into the field at the bottom of the Authentication page (Step 3). For Google, you must download the XML file: select the XML File option and either drag and drop or choose the XML file from Step 3 at the bottom of the Authentication screen, then select Save Changes.

    After configuring the Authentication method, you should create a single test user and verify that the login sequence works.
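Before running the single-user login test, it helps to confirm that the assertion your IdP actually sends carries the four attribute names from the step 3 table with the exact, case-sensitive spelling the service expects. The following pre-flight check is an added example, not Fortinet's code; it parses a constructed sample assertion (a real one would come from the IdP's test/preview feature or a browser trace of the test login) and reports missing names and case or spelling near-misses such as `first_name` instead of `First_name`.

```python
"""Pre-flight check for the step 3 attribute mapping (added example).

Parses a SAML2 assertion and verifies that every attribute name the
service expects (Username, Email, First_name, Last_name) is present with
exactly that case-sensitive spelling. Near-misses are reported so the
IdP-side claim names can be corrected rather than the matching relaxed.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Names taken from the mapping table; the service treats them as case sensitive.
REQUIRED = ("Username", "Email", "First_name", "Last_name")

# Constructed sample assertion (not a real IdP response): Username and Email
# are correct, but "first_name" and "lastname" do not match the required names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(xml_text: str) -> dict:
    """Return {attribute Name: first AttributeValue text} from an assertion."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    return attrs


def check_mapping(attrs: dict) -> dict:
    """Report required names that are absent or empty, any near-miss names the
    IdP sent instead, and whether Username carries the same value as Email
    (the table maps both to the primary email attribute)."""
    missing, near_misses = [], {}
    for name in REQUIRED:
        if attrs.get(name):
            continue
        missing.append(name)
        wanted = name.replace("_", "").lower()
        for sent in attrs:
            if sent.replace("_", "").lower() == wanted:
                near_misses[name] = sent
    return {"missing": missing, "near_misses": near_misses,
            "username_matches_email": attrs.get("Username") == attrs.get("Email")}
```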
