Creating SAML user and server
To create a new SAML server:
- Go to User & Authentication > Single Sign-On and select Create New.
The single sign-on wizard opens.
- Enter a name for the SAML server.
- In SP address, enter the local IP address and port in the format <IP_ADDRESS>:<PORT>.
The SP address is the IP address of the interface users connect to for SSL VPN, as set in VPN > SSL-VPN Settings > Listen on Interface(s). The port must be the same port configured in VPN > SSL-VPN Settings > Listen on Port.
Click the icon beside the SP entity ID, SP single sign-on URL, and SP single logout URL fields to copy the text.
These three values are derived from the SP address, so if the SSL VPN listen interface or port changes later, they change too and must be updated on the IdP. SP entity ID, SP single sign-on URL, and SP single logout URL are used when configuring SP settings on FortiAuthenticator.
See Configuring FortiGate SP settings on FortiAuthenticator.
- Click Next.
- In IdP Details:
- Ensure that IdP type is Fortinet Product.
- In IdP address, enter the Server address from FortiAuthenticator. See Configuring SAML IdP settings.
- In Prefix, enter the IdP prefix from Configuring FortiGate SP settings on FortiAuthenticator.
- In the IdP certificate dropdown, select the certificate from Uploading SAML IdP certificate to the FortiGate SP.
- In the Additional SAML Attributes pane:
- In Attribute used to identify users, enter email.
- In Attribute used to identify groups, enter group.
Attribute used to identify users and Attribute used to identify groups must exactly match the Assertion Attributes configured in Configuring FortiGate SP settings on FortiAuthenticator; if the names differ, the FortiGate cannot extract the user name or group from the assertion and the login fails or the user matches no group.
- Click Submit.
To create the SAML group:
- Go to User & Authentication > User Groups and click Create New.
- Enter a name for the group.
- In Remote Groups, select Add.
The Add Group Match window opens.
- In the Remote Server dropdown, select FAC OneLogin IdP Proxy.
FAC OneLogin IdP Proxy is the name of the SAML server set up in Creating a SAML server.
- In Groups, select Any.
Any accepts every user the SAML server authenticates, regardless of the group value in the assertion. Set Groups to Specify to match only users whose group attribute carries the specified value(s), which is the setting to use when the IdP serves users who should not all receive SSL VPN access.
- Click OK to close the Add Group Match window.
- Click OK to save the group.
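The two GUI procedures above (the SAML server and the SAML group) correspond to the FortiOS CLI configuration below. This is an added example written for this page, not configuration from the original page or from Fortinet; the SP address 203.0.113.10:10443, the FortiAuthenticator host fac.example.com, the IdP prefix abc123, the certificate name REMOTE_Cert_1 and the group value sslvpn-users are placeholder assumptions. Copy the real SP URLs from the wizard and the real IdP URLs from FortiAuthenticator rather than typing them by hand.

```text
# Added example: FortiOS CLI equivalent of the wizard steps. Placeholder values are assumptions.
config user saml
    edit "FAC OneLogin IdP Proxy"
        # SP side: all three URLs embed the SP address (<IP_ADDRESS>:<PORT>),
        # i.e. the SSL VPN listen interface and port. 203.0.113.10:10443 is a placeholder.
        set entity-id "http://203.0.113.10:10443/remote/saml/metadata/"
        set single-sign-on-url "https://203.0.113.10:10443/remote/saml/login/"
        set single-logout-url "https://203.0.113.10:10443/remote/saml/logout/"
        # IdP side: FortiAuthenticator server address and IdP prefix (both placeholders).
        set idp-entity-id "https://fac.example.com/saml-idp/abc123/metadata/"
        set idp-single-sign-on-url "https://fac.example.com/saml-idp/abc123/login/"
        set idp-single-logout-url "https://fac.example.com/saml-idp/abc123/logout/"
        # Certificate uploaded from FortiAuthenticator; assertions not signed by it are rejected.
        set idp-cert "REMOTE_Cert_1"
        # Must match the assertion attribute names configured on FortiAuthenticator exactly.
        set user-name "email"
        set group-name "group"
    next
end

config user group
    edit "saml-sslvpn-users"
        set member "FAC OneLogin IdP Proxy"
        config match
            edit 1
                set server-name "FAC OneLogin IdP Proxy"
                # Groups = Specify: only users whose "group" attribute carries this
                # value (placeholder) are members. Leave group-name unset for Groups = Any.
                set group-name "sslvpn-users"
            next
        end
    next
end
```

After committing, `diagnose debug application samld -1` together with `diagnose debug enable` shows the assertion the FortiGate receives and is the quickest way to confirm that the user-name and group-name attributes are actually present under the expected names.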