CLI Reference

profile sso

Use this command to configure connections with remote authentication servers such as FortiAuthenticator that support single sign-on (SSO) protocols.

In Security Assertion Markup Language (SAML) SSO, you must configure both of these to connect and authenticate with each other:

  • FortiMail, which is the service provider (SP). See system saml.
  • FortiAuthenticator or other remote authentication server, which is the identity provider (IdP)

To do this, you must:

  1. On the IdP server:

    1. Download its IdP metadata XML.

      Alternatively, copy the URL where FortiMail can download it.

    2. The email address that the user must give when they authenticate is stored in an attribute on the IdP server. This attribute has an object identifier (OID). If this OID is different from the default setting of remote-user-attribute-name "<attribute_str>" on FortiMail, then copy the IdP server's OID. For example:

       urn:oid:0.9.2342.19200300.100.1.3

  2. On FortiMail:

    1. If you are integrating with FortiAuthenticator or Ping Identity, then on FortiMail, use the CLI to enable Security Fabric and the administrator account named admin_sso:

       config system csf
         set status enable
       end

       config system admin
         edit admin_sso
           set status enable
       end

       The admin_sso account acts as a wildcard, so that you do not need to configure all FortiMail accounts on the IdP too. The Security Fabric provides communication for this feature.

    2. Paste the IdP metadata XML into an SSO profile. If the IdP uses a different attribute OID than the FortiMail default, then also configure that.

      See idp-metadata <idp-xml_str> and remote-user-attribute-name "<attribute_str>".

      Now FortiMail automatically generates its SP metadata, entity ID, and ACS URL. (You might need to navigate away from the tab and return in order for it to display.)

    3. Enable SSO. Copy the SP entity ID, ACS URL, and metadata XML.

      See system saml.

  3. On the IdP server:

    1. Paste the entity ID, SP metadata URL, and ACS URL from FortiMail.
    2. Select the option to identify users by their email address attribute, and then enter the attribute object identifier (OID) that authentication requests from FortiMail use:

      urn:oid:0.9.2342.19200300.100.1.3

    3. Optionally, enable and configure multi-factor authentication (MFA).
    4. If required, add the FortiMail unit's certificate to the list of trusted CAs ("trust store").

      (Skip this step if your IdP already trusts the certificate, directly or indirectly, via a CA certificate signing chain.)

  4. On FortiMail, for each account that will use SAML SSO to log in, configure:

In addition to SSO, FortiMail also supports single logout (SLO). When someone logs out of FortiMail, they are also logged out of all services that use the same federated SSO authentication.

Syntax

config profile sso
  edit <profile_name>
    set comment <description_str>
    set remote-user-attribute-name "<attribute_str>"
    set idp-metadata <idp-xml_str>
end

| Variable | Description | Default |
|---|---|---|
| <profile_name> | Enter a unique name for the profile. | |
| comment <description_str> | Enter a descriptive comment. | |
| idp-metadata <idp-xml_str> | Enter the XML metadata that contains the X.509 server certificate, supported protocols, and service URLs of the identity provider (IdP). | |
| remote-user-attribute-name "<attribute_str>" | Enter the object identifier (OID) of email addresses on the IdP server. If you do not enter an OID, then FortiMail uses the default OID urn:oid:0.9.2342.19200300.100.1.3. | urn:oid:0.9.2342.19200300.100.1.3 |

Related topics

domain

system admin

system appearance

system saml