Creating a new SAML user and server

6.4.0
To create a new SAML server from the GUI:
  1. Go to User & Authentication > Single Sign-On and select Create New.

    The single sign-on wizard opens.

  2. Enter a name for the SAML server.

    The other fields automatically populate based on the FortiGate's WAN IP and port.

    Click the icon beside the SP entity ID, SP single sign-on URL, and SP single logout URL fields to copy the text.

    SP entity ID, SP single sign-on URL, and SP single logout URL are then used when configuring SP settings on FortiAuthenticator.

    See Configuring SP settings on FortiAuthenticator.

  3. Click Next.
  4. In IdP Details:
    1. In IdP address, enter the IdP address from the FortiAuthenticator.
    2. In Prefix, enter the prefix from the FortiAuthenticator.
    3. In IdP certificate, select REMOTE_Cert_1.
  5. In Additional SAML Attributes:
    1. In Attribute used to identify users, enter Username.
    2. In Attribute used to identify groups, enter Group.

      In FortiAuthenticator IdP, SAML attributes are configured in the Assertion Attributes pane when configuring the SP settings.

      See Configuring SP settings on FortiAuthenticator.

  6. Click Submit.

    SAML-related settings are available in the GUI for FortiOS 7.0.2 and above.

    For FortiOS 7.0.1 and below, use the CLI commands to set up SAML-related settings.

To create a new SAML user and server from the CLI:
  1. Enter the following commands to create a SAML user object:

    config user saml
        edit "saml_test"
            set cert "FortiDemo"
            set entity-id "http://-test.fortidemo.fortinet.com:10403/remote/saml/metadata/"
            set single-sign-on-url "https://-test.fortidemo.fortinet.com:10403/remote/saml/login/"
            set single-logout-url "https://-test.fortidemo.fortinet.com:10403/remote/saml/logout/"
            set idp-entity-id "http://fac.fortidemo.fortinet.com/saml-idp/k7vmvgjo8k47krkg/metadata/"
            set idp-single-sign-on-url "https://fac.fortidemo.fortinet.com/saml-idp/k7vmvgjo8k47krkg/login/"
            set idp-single-logout-url "https://fac.fortidemo.fortinet.com/saml-idp/k7vmvgjo8k47krkg/logout/"
            set idp-cert "REMOTE_Cert_1"
            set user-name "Username"
            set group-name "Group"
            set digest-method sha1
        next
    end

    In the above CLI commands:

    • The cert FortiDemo is a local certificate used to sign SAML messages exchanged between the client and the FortiGate SP. In this case, it is used to sign -test.fortidemo.fortinet.com.

    • The cert REMOTE_Cert_1 is a remote certificate used to identify the IdP, which in this case is fac.fortidemo.fortinet.com.

    In the SP URLs above:

    • -test.fortidemo.fortinet.com: FQDN that resolves to the FortiGate SP.

    • 10403: port used to map the FortiGate SAML SP service.

    • /remote/saml: custom, user-defined path segments, typically used to identify the service (here, remote access with SAML authentication).

    • /metadata, /login, and /logout: standard convention used to identify the SP entity, login, and logout endpoints.

To create the SAML group:
  1. Go to User & Authentication > User Groups and click Create New.
  2. Enter a name for the group.
  3. In Remote Groups, select Add, in the Remote Server dropdown, select saml_test, and click OK.
  4. Click OK.

To create the SAML group using the CLI:
  1. Enter the following commands to add the SAML user object to a new user group:

    config user group
        edit "saml_grp"
            set member "saml_test"
        next
    end

The CLI commands above are based on their respective settings in the GUI.