- Go to Authentication > Remote Auth. Servers > SAML and select Create New. The Create New Remote SAML Server window appears.
- Enter the following information:
  - Name: Enter a name for the remote SAML server.
  - Description: Enter a description for the remote SAML server.
  - Device FQDN: The FQDN of the configured device from the system dashboard.
  - Select FSSO or Proxy as the remote SAML server type.
  - Select the method to determine the URL path of the SAML service provider:
    - Individualize: Enable to include the name of the SAML service provider in the URL path.
    - Legacy: Enable to set the URL to a predetermined URL path. Note that Legacy can only be enabled for an existing configured SAML identity provider.
  - The SAML service provider login URL.
  - The SAML service provider Entity ID.
  - ACS (login) URL: The SAML service provider Assertion Consumer Service (ACS) login URL.
  - Import IDP metadata/certificate: Select to import the SAML IdP metadata or certificate file.
  - IDP entity ID: Also known as the entity descriptor. Enter the unique name of the SAML identity provider, typically an absolute URL.
  - IDP single sign-on URL: Enter the identity provider portal URL you want to use for SSO.
  - IDP certificate fingerprint: Enter the fingerprint of the certificate file. To calculate the fingerprint, you can use OpenSSL, selecting the same digest as the Fingerprint algorithm setting (SHA-256 by default, which OpenSSL does not use unless asked for). Use the following OpenSSL command:
    $ openssl x509 -noout -fingerprint -sha256 -in "server.crt"
    Example result, showing the fingerprint:
  - Fingerprint algorithm: The SAML portal by default uses SHA-256.
  - Select the authentication context value for the "RequestedAuthnContext" assertion:
    - Default: The default value uses "PasswordProtectedTransport" authentication, which indicates that the IdP requires users to be authenticated using a password-based method.
    - MFA: Enforces MFA on the remote SAML IdP server. When selected, FortiAuthenticator indicates in the SAML authentication requests to the remote SAML IdP server that MFA is required.
    - None: Omits the "RequestedAuthnContext" assertion when an alternative to password-based authentication is used.
    When MFA enforcement is enabled and a non-MFA authentication context is included in the IdP response, the authentication fails with Error 401 Unauthorized.
  - Enable IdP-initiated assertion response: Allows the IdP to send an assertion response to the SP without a prior request from the SP. Enabling this setting allows the SP to participate in IdP-initiated login.
  - Send AuthnRequest with HTTP-POST binding: If enabled, HTTP-POST binding is used for authentication requests. Otherwise, HTTP-Redirect binding is used by default.
  - Sign SAML requests with a local certificate: Select to choose a local SAML certificate.
  - Single Logout
    - Enable SAML single logout: Select to enable the SLS (logout) URL and set the IDP single logout URL.
  - Username
    - Obtain username from: Select the method to extract usernames:
      - Subject NameID SAML assertion: Enable to obtain usernames from the subject NameID assertion returned by the SAML IdP.
      - Text SAML assertion: Enable and enter the text-based SAML assertion that usernames are obtained from. For example:
  - Group Membership
    - Obtain group membership from: Most SAML IdP services return the username in the Subject NameID assertion, but not all IdP services are consistent. FSSO requires the group membership of each user with an active SSO session, while different SAML IdP services require different methods of retrieving the group information. Previously, group information could only be obtained from very specific (hardcoded) SAML assertions. You can choose to configure the SAML assertions used in group membership retrieval, retrieve group membership from an LDAP service, or retrieve group membership from an OAuth server.
      Select the method to extract group memberships:
      - SAML assertions: Enable and choose whether group memberships are pulled in from boolean assertions or text-based attributes.
      - LDAP lookup: Enable and select the LDAP server to obtain group memberships.
      - Cloud: Enable and select the OAuth server and group field to obtain group memberships.
    - Implicit group membership: Select to choose a local group the retrieved SAML users are placed into.
- Select OK to add the remote SAML server.
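As an added example (not FortiAuthenticator's own code), the following Python reproduces the SP-side checks the settings above describe: comparing an IdP certificate's SHA-256 fingerprint with a configured value in the colon-separated format OpenSSL prints, taking the username from the Subject NameID or from a named text attribute, reading a multi-valued group attribute, and applying the MFA enforcement rule that answers a non-MFA AuthnContextClassRef with 401. The assertion, the certificate bytes and the set of context classes counted as MFA are constructed assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed set of AuthnContextClassRef values counted as MFA; the product's own list is
# not on the page, so adjust this to what your IdP returns after a second factor.
MFA_CONTEXTS = {"urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
                "http://schemas.microsoft.com/claims/multipleauthn"}

# Constructed sample DER bytes (not a real certificate) and a constructed assertion
# template (CTX is replaced); XML signature validation is assumed done already.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-der-bytes-not-a-real-certificate").decode()
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>CTX</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>vpn-users</saml:AttributeValue><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def sample_assertion(context_class):
    return ASSERTION_TEMPLATE.replace("CTX", context_class)

def openssl_style_fingerprint(cert_der_b64):
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(base64.b64decode(cert_der_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(cert_der_b64, configured):
    """Compare with the configured fingerprint, ignoring colons, spaces and case."""
    norm = lambda s: s.replace(":", "").replace(" ", "").lower()
    return norm(openssl_style_fingerprint(cert_der_b64)) == norm(configured)

def attribute_values(assertion_xml, name):
    """All values of a text SAML attribute (usernames, or a multi-valued group list)."""
    path = f"./saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text for v in ET.fromstring(assertion_xml).findall(path, NS)]

def username(assertion_xml, source="nameid", attr=None):
    """'nameid' reads the Subject NameID; 'attribute' reads the text assertion named attr."""
    if source == "nameid":
        return ET.fromstring(assertion_xml).findtext("./saml:Subject/saml:NameID", None, NS)
    return (attribute_values(assertion_xml, attr) or [None])[0]

def authn_check(assertion_xml, requested):
    """Mirror the enforcement rule: 'mfa' rejects a non-MFA context with HTTP 401."""
    ctx = ET.fromstring(assertion_xml).findtext("./saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", None, NS)
    return 401 if requested == "mfa" and ctx not in MFA_CONTEXTS else 200
```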