Administration Guide

SAML

To add a remote SAML Server:
  1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.
  2. The Create New Remote SAML Server window appears.

  3. Enter the following information:
    Name: Enter a name for the remote SAML server.
    Description: Enter a description for the remote SAML server.
    Device FQDN: The FQDN of the configured device from the system dashboard.

    Type

    Select FSSO or Proxy as the remote SAML server type.

    URL Nomenclature

    Select the method to determine the URL path of the SAML service provider.

    • Individualize: Enable to include the name of the SAML service provider in the URL path.
    • Legacy: Enable to set the URL to a predetermined URL path. Note that Legacy can only be enabled for an existing configured SAML identity provider.
    Portal URL

    The SAML service provider login URL.

    Entity ID

    The SAML service provider Entity ID.

    ACS (login) URL

    The SAML service provider Assertion Consumer Service (ACS) login URL.

    Import IDP metadata/certificate

    Select to import the SAML IdP metadata or certificate file.

    IDP entity ID

    Also known as the entity descriptor. Enter the unique name of the SAML identity provider, typically an absolute URL:

    https://idp_name.example.edu/idp

    IDP single sign-on URL: Enter the identity provider portal URL you want to use for SSO.
    IDP certificate fingerprint

    Enter the fingerprint of the certificate file. To calculate the fingerprint, you can use OpenSSL.

    Use the following OpenSSL command:

    $ openssl x509 -noout -fingerprint -in "server.crt"

    Example result, showing the fingerprint:

    SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9

    Fingerprint algorithm: The SAML portal uses SHA-256 by default.

    Authentication context

    Select the authentication context value for the "RequestedAuthnContext" assertion.

    • Default: The default value uses "PasswordProtectedTransport" authentication, which indicates that the IdP requires users to be authenticated using a password-based method.
    • MFA: Enforces MFA on the remote SAML IdP server.

      When selected, FortiAuthenticator indicates in the SAML authentication requests to the remote SAML IdP server that MFA is required.

      When MFA enforcement is enabled and a non-MFA authentication context is included in the IdP response, the authentication fails with Error 401 Unauthorized.

    • None: Omits the "RequestedAuthnContext" assertion when an alternative to password-based authentication is used.
    Enable IdP-initiated assertion response: Allows the IdP to send an assertion response to the SP without a prior request from the SP. Enabling this setting allows the SP to participate in IdP-initiated login.

    Send AuthnRequest with HTTP-POST binding

    If enabled, HTTP-POST binding is used for authentication requests. Otherwise, HTTP-Redirect binding is used by default.

    Sign SAML requests with a local certificate: Select to choose a local SAML certificate.
    Single Logout
    Enable SAML single logout: Select to enable the SLS (logout) URL and set the IDP single logout URL.
    Username

    Obtain username from

    Select the method to extract usernames:

    • Subject NameID SAML assertion: Enable to obtain usernames from the subject NameID assertion returned by the SAML IdP.
    • Text SAML assertion: Enable and enter the text-based SAML assertion that usernames are obtained from. For example: email
    Group Membership

    Obtain group membership from

    Most SAML IdP services return the username in the Subject NameID assertion; however, not all IdP services are consistent. FSSO requires the group membership of each user with an active SSO session, and different SAML IdP services require different methods of retrieving that group information. Previously, group information could only be obtained from very specific (hardcoded) SAML assertions. You can now configure the SAML assertions used for group membership retrieval, retrieve group membership from an LDAP service, or retrieve group membership from an OAuth server.

    Select the method to extract group memberships:

    • SAML assertions: Enable and choose whether group memberships are pulled from boolean assertions or text-based attributes.
    • LDAP lookup: Enable and select the LDAP server to obtain group memberships.
    • Cloud: Enable and select the OAuth server and group field to obtain group memberships.
    Implicit group membership: Select to choose a local group the retrieved SAML users are placed into.
  4. Select OK to add the remote SAML server.
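The IDP certificate fingerprint field is compared against a digest of the IdP certificate. Note that the `openssl x509 -fingerprint` command shown in step 3 prints a SHA-1 fingerprint unless it is given `-sha256`, while the field's default algorithm is SHA-256, so pasting the SHA-1 value into a SHA-256 field will never match. The following is an added example, not part of this guide and not FortiAuthenticator's own code: it computes a certificate fingerprint the way OpenSSL does (a digest over the DER bytes between the PEM markers) and compares it with a configured value while tolerating differences in case, colons and the `Fingerprint=` prefix. The PEM input is a constructed stand-in whose body is just the bytes `abc`, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for an IdP certificate file. It is NOT a real X.509
# certificate: the PEM body base64-encodes the bytes b"abc". That is enough
# for the fingerprint maths, because an X.509 fingerprint is simply a digest
# of the DER (binary) bytes between the PEM markers.
CONSTRUCTED_IDP_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER body."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
        pem_text, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks and padding
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Return the digest in OpenSSL's AA:BB:CC:... upper-case form."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Reduce 'SHA256 Fingerprint=ab:cd..', lower case or colon-free input to bare hex."""
    value = fp.split("=", 1)[-1]
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def matches_fingerprint(der: bytes, configured: str, algorithm: str = "sha256") -> bool:
    """Compare the certificate digest with the value typed into the admin UI.

    A length mismatch means the wrong algorithm was used (a 20-byte SHA-1
    value pasted into a SHA-256 field), so it is rejected before comparing.
    The comparison itself is constant-time.
    """
    expected = normalize(configured)
    actual = normalize(fingerprint(der, algorithm))
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_IDP_PEM)
    for algo in ("sha1", "sha256"):
        # Same layout as `openssl x509 -noout -fingerprint [-sha256] -in cert.pem`
        print(f"{algo.upper()} Fingerprint={fingerprint(der, algo)}")
```

Run it and compare the SHA256 line with `openssl x509 -noout -fingerprint -sha256 -in server.crt` on the same file; the two match byte for byte, which is the check to make before saving the server configuration.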

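To show how the Authentication context, Obtain username from and Obtain group membership from settings in step 3 act on an IdP response, here is an added example in Python; it is not FortiAuthenticator code and does not claim to reproduce its internals. It assumes the response's XML signature has already been validated (a real service provider must do that before trusting anything below), works on a constructed SAML Response, and treats the set of AuthnContext classes that count as MFA as an assumption, because the guide does not list which classes FortiAuthenticator accepts. The MFA branch reproduces the documented behaviour: a non-MFA context in the response yields 401.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# ASSUMPTION: the guide does not say which AuthnContext classes count as MFA.
# These are real classes from the SAML 2.0 AuthnContext catalogue used here as
# stand-ins; replace with whatever the IdP actually returns after a second factor.
MFA_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
}

# Constructed (not captured) IdP response; {context} is filled in per test case.
CONSTRUCTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
        <saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="isAdmin">
        <saml:AttributeValue>true</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def build_response(context: str) -> str:
    return CONSTRUCTED_RESPONSE.format(context=context)


def requested_authn_context(mode: str):
    """Class refs the SP puts in the AuthnRequest's RequestedAuthnContext.
    'none' omits the element entirely, as the UI option describes."""
    if mode == "none":
        return None
    if mode == "default":
        return [PASSWORD_PROTECTED_TRANSPORT]
    if mode == "mfa":
        return sorted(MFA_CLASSES)
    raise ValueError(f"unknown authentication context mode: {mode}")


def parse_assertion(response_xml: str) -> ET.Element:
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    return assertion


def attribute_values(assertion: ET.Element, name: str) -> list:
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return []


def check_response_context(assertion: ET.Element, mode: str) -> bool:
    """Only the MFA option enforces anything on the response (per the guide)."""
    if mode != "mfa":
        return True
    ref = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        default="", namespaces=NS).strip()
    return ref in MFA_CLASSES


def extract_username(assertion: ET.Element, source: str = "nameid") -> str:
    """'nameid' reads Subject NameID; any other value names a text attribute (e.g. 'email')."""
    if source == "nameid":
        name = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    else:
        values = attribute_values(assertion, source)
        name = values[0].strip() if values else ""
    if not name:
        raise ValueError("assertion carries no usable username")
    return name


def extract_groups(assertion: ET.Element, text_attribute=None, boolean_map=None) -> list:
    """Text attribute: one group per value. Boolean map: {attribute_name: group} added when the value is 'true'."""
    groups = []
    if text_attribute:
        groups.extend(v.strip() for v in attribute_values(assertion, text_attribute) if v.strip())
    for attr_name, group in (boolean_map or {}).items():
        values = attribute_values(assertion, attr_name)
        if values and values[0].strip().lower() == "true":
            groups.append(group)
    return groups


def authenticate(response_xml, mode="default", username_from="nameid",
                 group_attribute="groups", boolean_map=None):
    """Return (http_status, username, groups); 401 mirrors the guide's MFA failure case."""
    assertion = parse_assertion(response_xml)
    if not check_response_context(assertion, mode):
        return 401, None, []
    return 200, extract_username(assertion, username_from), extract_groups(assertion, group_attribute, boolean_map)
```

The returned group list is what a policy would then intersect with the Implicit group membership setting; the username source switch is the difference between the two Obtain username from options.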