Fortinet Document Library

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Configuring a remote SAML server

Some fields, including IdP entity ID, IdP single sign-on URL, and IdP certificate fingerprint, are configured based on the corresponding OneLogin settings.

It is advised that you set up OneLogin and the SAML server simultaneously.

See Configuring SSO on OneLogin and Configuring application parameters on OneLogin.

To configure a remote SAML server:
  1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.

    The Create New Remote SAML Server window opens.

  2. Enter a name for the SAML server.
  3. Select Type as Proxy.

    The Portal URL is the SAML SP login URL.

  4. In the Entity ID dropdown, select the non-Azure IdP entity ID.
  5. In the IdP Metadata pane:
    1. In IdP entity ID, enter Issuer URL from the SSO tab in OneLogin application configurtaion.
    2. In IdP single sign-on URL, enter SAML 2.0 Endpoint (HTTP) from the SSO tab in OneLogin application configurtaion.
    3. In IdP certificate fingerprint, select Import certificate, and upload the certificate fingerprint file that you saved while configuring the application on OneLogin. See Downloading the IdP certificate fingerprint on OneLogin.

      Alternatively, select Import IdP metadata to import the IdP related URL(s) you saved from OneLogin. See Importing IdP metadata.

  6. Enable SAML single logout and in IdP single logout URL enter SLO Endpoint (HTTP) from the SSO tab in OneLogin application configuration. See View Details.
  7. In the Username pane, ensure that Obtain username from is set to the default Subject NameID SAML assertion.
  8. In the Group Membership:
    1. In Obtain group membership from, select SAML assertions.
    2. In SAML assertions, select Text-based list, and enter group.

      group is the application parameter with Value set as Memberof. See Configuring a Memberof application parameter on OneLogin.

      In the Text-based list field, any value can be used so long it is a parameter for the OneLogin application.

  9. Optionally, enable Implicit group membership when only a single group exists.
  10. Click OK.

    Once the OneLogin application is set up and a certificate is associated with the application, you can download the IdP metadata by going to More Actions > SAML Metadata in one of the tabs when configuring the application.

Configuring a remote SAML server

Some fields, including IdP entity ID, IdP single sign-on URL, and IdP certificate fingerprint, are configured based on the corresponding OneLogin settings.

It is advised that you set up OneLogin and the SAML server simultaneously.

See Configuring SSO on OneLogin and Configuring application parameters on OneLogin.

To configure a remote SAML server:
  1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.

    The Create New Remote SAML Server window opens.

  2. Enter a name for the SAML server.
  3. Select Type as Proxy.

    The Portal URL is the SAML SP login URL.

  4. In the Entity ID dropdown, select the non-Azure IdP entity ID.
  5. In the IdP Metadata pane:
    1. In IdP entity ID, enter Issuer URL from the SSO tab in OneLogin application configurtaion.
    2. In IdP single sign-on URL, enter SAML 2.0 Endpoint (HTTP) from the SSO tab in OneLogin application configurtaion.
    3. In IdP certificate fingerprint, select Import certificate, and upload the certificate fingerprint file that you saved while configuring the application on OneLogin. See Downloading the IdP certificate fingerprint on OneLogin.

      Alternatively, select Import IdP metadata to import the IdP related URL(s) you saved from OneLogin. See Importing IdP metadata.

  6. Enable SAML single logout and in IdP single logout URL enter SLO Endpoint (HTTP) from the SSO tab in OneLogin application configuration. See View Details.
  7. In the Username pane, ensure that Obtain username from is set to the default Subject NameID SAML assertion.
  8. In the Group Membership:
    1. In Obtain group membership from, select SAML assertions.
    2. In SAML assertions, select Text-based list, and enter group.

      group is the application parameter with Value set as Memberof. See Configuring a Memberof application parameter on OneLogin.

      In the Text-based list field, any value can be used so long it is a parameter for the OneLogin application.

  9. Optionally, enable Implicit group membership when only a single group exists.
  10. Click OK.

    Once the OneLogin application is set up and a certificate is associated with the application, you can download the IdP metadata by going to More Actions > SAML Metadata in one of the tabs when configuring the application.