Fortinet Document Library

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Configuring FortiGate SP settings on FortiAuthenticator

FortiGate is configured as a SAML client ,i.e., SAML SP for FortiAuthenticator.

To complete the following configuration, you will need to configure the SAML settings on the ForiGate SP at the same time. This is because some fields including the SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL are only available when configuring the SAML settings on the FortiGate SP.

To configure FortiGate service provider settings on FortiAuthenticator:
  1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
  2. Enter the following information:
    1. SP name: Enter a name for the FortiGate SP.
    2. IdP prefix: Select +, enter an IdP prefix in the Create Alternate IdP Prefix dialog or select Generate prefix, and click OK.
    3. Server certificate: Select the same certificate as the default IdP certificate used in Authentication > SAML IdP > General. See Configuring SAML IdP settings.
    4. In Application name for FTM push notification, enter OneLogin.
  3. Click Save.
  4. In the SP Metadata pane, enter the following information:
    1. SP entity ID: Enter the SP entity ID from Creating SAML user and server.
    2. SP ACS (login) URL: Enter the SP single sign-on URL from Creating SAML user and server.
    3. SP SLS (logout) URL: Enter the SP single logout URL from Creating SAML user and server.

      SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL must match their respective configurations on the FortiGate SP side.

  5. Click OK.
  6. Select and click Edit to edit the recently created FortiGate SP.
  7. In Assertion Attribute Configuration:
    1. Select Subject NameID in Subject NameID.
    2. Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress in Format.
  8. In Assertion Attributes, select Add Assertion Attribute:
    1. Enter a name for the SAML attribute. Here, group.
    2. Select SAML assertion in the User attribute dropdown.
    3. Enter group in Custom field.
    4. Select Add Assertion Attribute again to create a new SAML attribute named email, and from the User attribute dropdown select SAML username.

      SAML assertion attribute names and values must match values configured in Creating SAML user and server.

  9. Click OK to save changes.

Configuring FortiGate SP settings on FortiAuthenticator

FortiGate is configured as a SAML client ,i.e., SAML SP for FortiAuthenticator.

To complete the following configuration, you will need to configure the SAML settings on the ForiGate SP at the same time. This is because some fields including the SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL are only available when configuring the SAML settings on the FortiGate SP.

To configure FortiGate service provider settings on FortiAuthenticator:
  1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
  2. Enter the following information:
    1. SP name: Enter a name for the FortiGate SP.
    2. IdP prefix: Select +, enter an IdP prefix in the Create Alternate IdP Prefix dialog or select Generate prefix, and click OK.
    3. Server certificate: Select the same certificate as the default IdP certificate used in Authentication > SAML IdP > General. See Configuring SAML IdP settings.
    4. In Application name for FTM push notification, enter OneLogin.
  3. Click Save.
  4. In the SP Metadata pane, enter the following information:
    1. SP entity ID: Enter the SP entity ID from Creating SAML user and server.
    2. SP ACS (login) URL: Enter the SP single sign-on URL from Creating SAML user and server.
    3. SP SLS (logout) URL: Enter the SP single logout URL from Creating SAML user and server.

      SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL must match their respective configurations on the FortiGate SP side.

  5. Click OK.
  6. Select and click Edit to edit the recently created FortiGate SP.
  7. In Assertion Attribute Configuration:
    1. Select Subject NameID in Subject NameID.
    2. Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress in Format.
  8. In Assertion Attributes, select Add Assertion Attribute:
    1. Enter a name for the SAML attribute. Here, group.
    2. Select SAML assertion in the User attribute dropdown.
    3. Enter group in Custom field.
    4. Select Add Assertion Attribute again to create a new SAML attribute named email, and from the User attribute dropdown select SAML username.

      SAML assertion attribute names and values must match values configured in Creating SAML user and server.

  9. Click OK to save changes.