Fortinet Document Library

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Configure SAML settings on FortiAuthenticator

To configure FortiAuthenticator IdP settings:
  1. Go to Authentication > SAML IdP > General and click Enable SAML Identity Provider portal.
  2. Configure the following settings:
    1. Server address: The IP address or FQDN of the FortiAuthenticator.
    2. Realms: Select the previously created LDAP realm.
    3. Default IdP certificate: Choose a certificate. The default can be used if desired.
      The remaining settings can be left in their default state.
  3. Click OK to save your changes.
To configure the service provider settings on FortiAuthenticator:
  1. Go to Authentication > SAML IdP > Service Providers and click Create New.
  2. Configure the following settings:
    1. SP Name: enter a name for your service provider.
    2. IdP Prefix: Click Generate prefix to create a new IdP prefix.
    3. Server certificate: Select the certificate to be used in your configuration or choose Use default setting in SAML IdP General page.
    4. SP entity ID: Enter urn:federation:MicrosoftOnline.
    5. SP ACS (login) URL: Enter https://login.microsoftonline.com/login.srf.
    6. SP SLS (logout) URL: Enter https://login.microsoftonline.com/login.srf.
    7. Participate in single logout: Can be enabled if you wish this SP to participate in SAML single logout.
  3. In the Assertion Attributes section, configure the following settings:
    1. Subject NameID: Select user mS-DS-Consistency Guid.
    2. Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
      Press Enter and then SAML attributes can be created.
  4. In the Debugging Options section click Create New to create a SAML attribute with the following settings:
    1. SAML attribute: Enter IDPEmail.
    2. User attribute: In the dropdown, select userPrincipalName under Remote LDAP server.
  5. Click OK to save your changes.

Configure SAML settings on FortiAuthenticator

To configure FortiAuthenticator IdP settings:
  1. Go to Authentication > SAML IdP > General and click Enable SAML Identity Provider portal.
  2. Configure the following settings:
    1. Server address: The IP address or FQDN of the FortiAuthenticator.
    2. Realms: Select the previously created LDAP realm.
    3. Default IdP certificate: Choose a certificate. The default can be used if desired.
      The remaining settings can be left in their default state.
  3. Click OK to save your changes.
To configure the service provider settings on FortiAuthenticator:
  1. Go to Authentication > SAML IdP > Service Providers and click Create New.
  2. Configure the following settings:
    1. SP Name: enter a name for your service provider.
    2. IdP Prefix: Click Generate prefix to create a new IdP prefix.
    3. Server certificate: Select the certificate to be used in your configuration or choose Use default setting in SAML IdP General page.
    4. SP entity ID: Enter urn:federation:MicrosoftOnline.
    5. SP ACS (login) URL: Enter https://login.microsoftonline.com/login.srf.
    6. SP SLS (logout) URL: Enter https://login.microsoftonline.com/login.srf.
    7. Participate in single logout: Can be enabled if you wish this SP to participate in SAML single logout.
  3. In the Assertion Attributes section, configure the following settings:
    1. Subject NameID: Select user mS-DS-Consistency Guid.
    2. Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
      Press Enter and then SAML attributes can be created.
  4. In the Debugging Options section click Create New to create a SAML attribute with the following settings:
    1. SAML attribute: Enter IDPEmail.
    2. User attribute: In the dropdown, select userPrincipalName under Remote LDAP server.
  5. Click OK to save your changes.