Security Assertion Markup Language (SAML) is an XML standard that allows for maintaining a single repository for authentication amongst internal and/or external systems.
The FortiAuthenticator can act as a Service Provider (SP) to request user identity information from a third-party Identity Provider (IDP). This information can then be used to sign the user on transparently based on what information the IDP sends.
Multiple SAML SP portals can be created on the FortiAuthenticator, with each portal configured to a different SAML IDP.
In this scenario:
- A user attempts to connect to the Internet via FortiGate.
- The user is not authenticated in FSSO so gets redirected to FortiAuthenticator.
- FortiAuthenticator (a service provider) checks with the existing third-party IDP to get the user identity.
- FortiAuthenticator pushes identity and group information into FSSO.
- FortiAuthenticator redirects the user to the original URL.
- FortiGate sees the user in FSSO and allows the user to pass.
To configure a SAML SP portal, go to Fortinet SSO Methods > SSO > SAML Authentication.
The following options are available:
Configure a new SAML SP portal.
|Delete||Delete the selected SAML SP portals.|
|Edit||Edit the selected SAML SP portal.|
- From Fortinet SSO Methods > SSO > SAML Authentication, select Create New.
- Configure the following settings:
- SAML assertion attribute: Enable and enter the SAML assertion attribute that domain names are obtained from.
Username prefix/suffix: Enable to obtain the domain name specified in the username. For example:
- Explicitly set to: Enable and enter the domain name to assign to the user.
- Select OK to create the new SAML SP portal.
|Remote SAML server||Select a configured remote SAML server, or select [ Create New ] to configure a new remote SAML server. See SAML for more information.|
|Enable SSO disclaimer||
Select to require a SAML SP SSO end-user to agree to a disclaimer before being redirected to the SAML IDP for authentication.
The Login Disclaimer Page and Disclaimer Denied Page can be customized. See Replacement messages for more information.
|Get SSO domain name from||
Select the method that determines the domain name: