Creating SAML user and server

To create a new SAML server:
  1. Go to User & Authentication > Single Sign-On and select Create New.

    The single sign-on wizard opens.

  2. Enter a name for the SAML server.
  3. In SP address, enter the local IP address and port in the format <IP_ADDRESS>:<PORT>.

    SP address is the IP address of the interface users use to connect to the SSL VPN in VPN > SSL-VPN Settings > Listen on Interface(s).

    The port should be the same port configured in VPN > SSL-VPN Settings > Listen on Port.

    Click the icon beside the SP entity ID, SP single sign-on URL, and SP single logout URL fields to copy the text.

    SP entity ID, SP single sign-on URL, and SP single logout URL are then used when configuring SP settings on FortiAuthenticator.

    See Configuring FortiGate SP settings on FortiAuthenticator.

  4. Click Next.

  5. In IdP Details:
    1. Ensure that IdP type is Fortinet Product.
    2. In IdP address, enter the Server address from FortiAuthenticator. See Configuring SAML IdP settings.
    3. In Prefix, enter the IdP prefix from Configuring FortiGate SP settings on FortiAuthenticator.
    4. In the IdP certificate dropdown, select the certificate from Uploading SAML IdP certificate to the FortiGate SP.
  6. In the Additional SAML Attributes pane:
    1. In Attribute used to identify users, enter email.
    2. In Attribute used to identify groups, enter group.

    Attribute used to identify users and Attribute used to identify groups must match Assertion Attributes configured in Configuring FortiGate SP settings on FortiAuthenticator.

  7. Click Submit.

To create the SAML group:
  1. Go to User & Authentication > User Groups and click Create New.
  2. Enter a name for the group.
  3. In Remote Groups, select Add.

    The Add Group Match window opens.

  4. In the Remote Server dropdown, select FAC OneLogin IdP Proxy.

    FAC OneLogin IdP Proxy is the name of the SAML server set up in Creating a SAML server.

  5. In Groups, select Any.

    You may set Groups as Specify to filter specific groups from the FortiGate SP.

  6. Click OK.
  7. Click OK.
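The same two objects expressed in the FortiOS CLI, added here as an example; it is not part of this cookbook page. The server name is the one used above, while the group name, the SP IP address and port, the FortiAuthenticator address, the IdP prefix and both certificate names are placeholders. The entity ID and single sign-on/logout URLs follow the usual FortiGate SSL VPN SP and FortiAuthenticator IdP URL formats; the strings shown on the FortiAuthenticator IdP page and in the GUI wizard take precedence, and the field names should be confirmed against the CLI reference for your FortiOS version.

```text
# Added example: FortiOS CLI equivalent of the GUI steps in this section.
# Placeholders: <SP_IP>, <SP_PORT>, <SP_CERT_NAME>, <FAC_ADDRESS>, <IDP_PREFIX>, <IDP_CERT_NAME>
config user saml
    edit "FAC OneLogin IdP Proxy"
        # SP settings: derived from the SSL VPN listen interface address and listen port
        set cert "<SP_CERT_NAME>"
        set entity-id "http://<SP_IP>:<SP_PORT>/remote/saml/metadata/"
        set single-sign-on-url "https://<SP_IP>:<SP_PORT>/remote/saml/login/"
        set single-logout-url "https://<SP_IP>:<SP_PORT>/remote/saml/logout/"
        # IdP settings: FortiAuthenticator server address and the IdP prefix it assigned
        set idp-entity-id "http://<FAC_ADDRESS>/saml-idp/<IDP_PREFIX>/metadata/"
        set idp-single-sign-on-url "https://<FAC_ADDRESS>/saml-idp/<IDP_PREFIX>/login/"
        set idp-single-logout-url "https://<FAC_ADDRESS>/saml-idp/<IDP_PREFIX>/logout/"
        # IdP certificate uploaded to the FortiGate; used to verify the signature on assertions
        set idp-cert "<IDP_CERT_NAME>"
        # Assertion attribute names; must match the Assertion Attributes on FortiAuthenticator
        set user-name "email"
        set group-name "group"
    next
end

config user group
    edit "saml_group"
        set member "FAC OneLogin IdP Proxy"
        # Groups = Any: no match entry, so any user authenticated by this server is a member.
        # Groups = Specify: add a match entry so only the listed group attribute value qualifies:
        # config match
        #     edit 1
        #         set server-name "FAC OneLogin IdP Proxy"
        #         set group-name "<GROUP_VALUE_FROM_IDP>"
        #     next
        # end
    next
end
```

Two fields deserve a second look before testing a login. `idp-cert` must be the certificate copied from the FortiAuthenticator IdP, since it is the only thing that lets the FortiGate reject a forged or replayed assertion; and `user-name` and `group-name` are matched literally against the attribute names in the assertion, so a mismatch (for example `Email` instead of `email`) produces a failed login with no user or group identified. If a login fails, `diagnose debug application samld -1` followed by `diagnose debug enable` shows the attributes the FortiGate actually received.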
