6.4.0

Configuring SP settings on FortiAuthenticator

To complete the following configuration, you will need to configure the SAML settings on the SP device at the same time, because some fields, including the SP entity ID, SP ACS URL, and SP SLS URL, are only available when configuring the SAML settings on the SP device.

To configure service provider settings on the FortiAuthenticator:
  1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
  2. Enter the following information:
    • SP name: Enter a name for the SP device.
    • IDP prefix: Select +, enter an IdP prefix in the Create Alternate IdP Prefix dialog or select Generate prefix, and click OK.
    • Server certificate: Select the same certificate as the default IdP certificate used in Authentication > SAML IdP > General. See Configuring FortiAuthenticator IdP.
    • Enable Participate in single logout to send logout requests to this SP when the user logs out from the IdP.
    • Authentication method: Select an authentication method.
  3. Click Save.
  4. The details for the following settings are available when configuring the service provider device (e.g. a FortiAnalyzer or a FortiGate):
    • SP entity ID: Enter the SP entity ID.
    • SP ACS (login) URL: Enter the SP Assertion Consumer Service (ACS) login URL.
    • SP SLS (logout) URL: Enter the SP Single Logout Service (SLS) logout URL.

    SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL must match their respective configurations on the service provider device side, e.g., FortiGate, FortiManager, or a FortiAnalyzer.

    See Creating a new SAML user and server, FortiManager, and FortiAnalyzer.

  5. Click OK.
  6. Select the newly created SP and click Edit.
  7. In Assertion Attribute Configuration:
    1. Select Username from the Subject NameID dropdown.
    2. Select urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified in Format.
  8. In Assertion Attributes, select Add Assertion Attribute:
    1. Enter a name for the SAML attribute.
    2. Select Username from the User attribute dropdown.
    3. Select Add Assertion Attribute again and create a new SAML attribute with User attribute as Group.
  9. Click OK to save changes.
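The steps above require the SP entity ID and ACS URL to match on both sides, the Subject NameID to use the unspecified format, and Username and Group to be sent as assertion attributes. The following is an added example (not FortiAuthenticator or Fortinet code) that parses a constructed SAML response and reports any field that does not match the values the SP is configured with; the hostnames, attribute names and paths are placeholders assumed for the example, and signature validation is deliberately left out of scope.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

# Constructed sample response (not a real capture). Hostnames are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.com/saml/acs">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">alice</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, sp_entity_id, sp_acs_url, expected_attrs=("username", "group")):
    """Return a dict of mismatches; an empty dict means the assertion matches the SP config.
    Verify the XML signature before trusting any of these fields (not done here)."""
    root = ET.fromstring(xml_text)
    problems = {}
    # Destination must be the SP ACS (login) URL configured on both sides.
    if root.get("Destination") != sp_acs_url:
        problems["destination"] = root.get("Destination")
    # Audience must be the SP entity ID configured on both sides.
    audience = root.findtext(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        problems["audience"] = audience
    # Subject NameID format must be the 'unspecified' URN chosen in the IdP settings.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_UNSPECIFIED:
        problems["nameid_format"] = None if name_id is None else name_id.get("Format")
    # Every attribute the SP maps (Username, Group) must actually be present.
    present = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    missing = [a for a in expected_attrs if a not in present]
    if missing:
        problems["missing_attributes"] = missing
    return problems
```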
