Fortinet black logo

Administration Guide

Service providers

Service providers

Service providers (SP) can be managed from Authentication > SAML IdP > Service Providers.

To configure SAML service provider settings:
  1. Select Create New.

  2. Enter the following information:
    SP name Enter a name for the SP.
    IDP prefix

    Enter a prefix for the IDP that is appended to the end of the IDP URLs.

    Alternatively, you can select Generate prefix to generate a random 16 digit alphanumeric string.

    Server certificate

    Select a server certificate to use for the SP. If a certificate is not selected, the specified default IdP certificate is used.

    IDP address To configure the IDP address (and IDP settings below), you must have already configured the server's address under Authentication > SAML IdP > General.
    IDP entity id

    The IDP's entity ID, for example:

    http://www.example.com/saml-idp/xxx/metadata/

    IDP single sign-on URL

    The IDP's login URL, for example:

    http://www.example.com/saml-idp/xxx/login/

    IDP single logout URL

    The IDP's logout URL, for example:

    http://www.example.com/saml-idp/xxx/logout/

    SP entity id Enter the SP's entity ID.
    SP ACS (login) URL

    Enter the SP's Assertion Consumer Service (ACS) login URL.

    Click Alternative ACS URLs to configure up to three additional ACS (login) and SLS (logout) URLs.

    SP SLS (logout) URL Enter the SP's Single Logout Service (SLS) logout URL.
    Support IdP-initiated assertion response

    Allows the IdP to send an assertion response to the SP without a prior request from the SP.

    Enabling this setting allows the SP to participate in IdP initiated login, and causes the SP to appear in the IdP login portal.

    Relay state

    Allows SP to redirect user to the provided URL after a successful assertion response.

    Participate in single logout

    Enable or disable participation in single logout for the SAML IdP service.

    SAML request must be signed by SP Enable this option and import the SP certificate for authentication request signing by the SP.

    Certificate type

    SP certificate: The SP request is signed by the specified certificate.

    Direct CA certificate: The SP request must contain the SP certificate fingerprint that was used to sign the request, and the certificate fingerprint must be issued by the CA specified in the configuration.

    Certificate fingerprint

    The primary certificate for verifying the SP request signature.

    Fingerprint algorithm

    Displays the detected fingerprint algorithm of the certificate fingerprint or alternative certificate fingerprint.

    Alternative certificate fingerprint

    Specify a second acceptable certificate for verifying the SP request signature. FortiAuthenticator will accept SP requests with a valid signature from either configured certificate.

    Use ACS URL from SP authentication request

    When enabled, indicates that the ACS URL must be included within the SP request, and that the FortiAuthenticator must use it instead of the pre-configured ACS URL.

    Authentication
    Authentication method

    Select one of the following:

    • Enforce two-factor authentication
    • Apply two-factor authentication if available (authenticate any user)
    • Password-only authentication (exclude users without a password)
    • FortiToken-only authentication (exclude users without a FortiToken)
    Bypass FortiToken authentication when user is from a trusted subnet

    Enable this option if you would like to have certain users bypass FortiToken authentication, so long as they belong to a trusted subnet.

    Select Configure subnets to configure trusted subnets (under Authentication > User Account Policies > Trusted Subnets).

    Assertion Attributes
    Subject NameID

    Select the user attribute that serves as SAML assertion subject NameID.

    Select from either Username, Email, Remote LDAP user DN, Remote LDAP user objectGUID, Remote SAML Subject NameID, or Remote SAML Custom assertion.

    If the attribute selected is not available for a user, Username is used by default.

    Include realm name in subject NameID

    When enabled, you can select the username/realm format to include in subject NameID.

    Format Select from Unspecified, Transient, or Persistent.
    Debugging Options
    Do not return to service provider automatically after successful authentication, wait for user input Enable this option to let users choose where to navigate to after they are authenticated.
    Disable this service provider Disables the SP.
    SAML Attribute

    Select Create New to create a new attribute that is added to SAML assertion.

    The following user attributes are available when creating a new assertion attribute:

    • Username
    • First name
    • Last name
    • Email
    • FortiAuthenticator local group
    • Remote LDAP DN
    • Remote LDAP sAMAccountName
    • Remote LDAP userPrincipalName
    • Remote LDAP displayName
    • Remote LDAP objectGUID
    • Remote LDAP group

Service providers

Service providers (SP) can be managed from Authentication > SAML IdP > Service Providers.

To configure SAML service provider settings:
  1. Select Create New.

  2. Enter the following information:
    SP name Enter a name for the SP.
    IDP prefix

    Enter a prefix for the IDP that is appended to the end of the IDP URLs.

    Alternatively, you can select Generate prefix to generate a random 16 digit alphanumeric string.

    Server certificate

    Select a server certificate to use for the SP. If a certificate is not selected, the specified default IdP certificate is used.

    IDP address To configure the IDP address (and IDP settings below), you must have already configured the server's address under Authentication > SAML IdP > General.
    IDP entity id

    The IDP's entity ID, for example:

    http://www.example.com/saml-idp/xxx/metadata/

    IDP single sign-on URL

    The IDP's login URL, for example:

    http://www.example.com/saml-idp/xxx/login/

    IDP single logout URL

    The IDP's logout URL, for example:

    http://www.example.com/saml-idp/xxx/logout/

    SP entity id Enter the SP's entity ID.
    SP ACS (login) URL

    Enter the SP's Assertion Consumer Service (ACS) login URL.

    Click Alternative ACS URLs to configure up to three additional ACS (login) and SLS (logout) URLs.

    SP SLS (logout) URL Enter the SP's Single Logout Service (SLS) logout URL.
    Support IdP-initiated assertion response

    Allows the IdP to send an assertion response to the SP without a prior request from the SP.

    Enabling this setting allows the SP to participate in IdP initiated login, and causes the SP to appear in the IdP login portal.

    Relay state

    Allows SP to redirect user to the provided URL after a successful assertion response.

    Participate in single logout

    Enable or disable participation in single logout for the SAML IdP service.

    SAML request must be signed by SP Enable this option and import the SP certificate for authentication request signing by the SP.

    Certificate type

    SP certificate: The SP request is signed by the specified certificate.

    Direct CA certificate: The SP request must contain the SP certificate fingerprint that was used to sign the request, and the certificate fingerprint must be issued by the CA specified in the configuration.

    Certificate fingerprint

    The primary certificate for verifying the SP request signature.

    Fingerprint algorithm

    Displays the detected fingerprint algorithm of the certificate fingerprint or alternative certificate fingerprint.

    Alternative certificate fingerprint

    Specify a second acceptable certificate for verifying the SP request signature. FortiAuthenticator will accept SP requests with a valid signature from either configured certificate.

    Use ACS URL from SP authentication request

    When enabled, indicates that the ACS URL must be included within the SP request, and that the FortiAuthenticator must use it instead of the pre-configured ACS URL.

    Authentication
    Authentication method

    Select one of the following:

    • Enforce two-factor authentication
    • Apply two-factor authentication if available (authenticate any user)
    • Password-only authentication (exclude users without a password)
    • FortiToken-only authentication (exclude users without a FortiToken)
    Bypass FortiToken authentication when user is from a trusted subnet

    Enable this option if you would like to have certain users bypass FortiToken authentication, so long as they belong to a trusted subnet.

    Select Configure subnets to configure trusted subnets (under Authentication > User Account Policies > Trusted Subnets).

    Assertion Attributes
    Subject NameID

    Select the user attribute that serves as SAML assertion subject NameID.

    Select from either Username, Email, Remote LDAP user DN, Remote LDAP user objectGUID, Remote SAML Subject NameID, or Remote SAML Custom assertion.

    If the attribute selected is not available for a user, Username is used by default.

    Include realm name in subject NameID

    When enabled, you can select the username/realm format to include in subject NameID.

    Format Select from Unspecified, Transient, or Persistent.
    Debugging Options
    Do not return to service provider automatically after successful authentication, wait for user input Enable this option to let users choose where to navigate to after they are authenticated.
    Disable this service provider Disables the SP.
    SAML Attribute

    Select Create New to create a new attribute that is added to SAML assertion.

    The following user attributes are available when creating a new assertion attribute:

    • Username
    • First name
    • Last name
    • Email
    • FortiAuthenticator local group
    • Remote LDAP DN
    • Remote LDAP sAMAccountName
    • Remote LDAP userPrincipalName
    • Remote LDAP displayName
    • Remote LDAP objectGUID
    • Remote LDAP group