Administration Guide

General

To configure general SAML IdP portal settings:
  1. Go to Authentication > SAML IdP > General, and select Enable SAML Identity Provider portal.

  2. Configure the following settings:
    Device FQDN

    To configure this setting, you must enter a Device FQDN in the System Information widget in the Dashboard.

    Server address

    Enter the IP address or FQDN of the FortiAuthenticator device.

    IdP-initiated login URL

    The URL used to access the IdP portal in an IdP-initiated login scenario.

    SPs configured in FortiAuthenticator must have the option Support IdP-initiated assertion response enabled in order to be listed in the portal.

    Username input format

    Select one of the following three username input formats:

    • username@realm
    • realm\username
    • realm/username

    Captcha

    The state of the optional IP lockout CAPTCHA settings.

    Note: The option is read-only.

    Select the pen icon to edit the IP lockout CAPTCHA settings in Lockouts.

    Use default realm when user-provided realm is different from all configured realms

    When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

    Realms

    Select Add a realm to add the default local realm to which the users will be associated.

    Use Groups and Filter to add specific user groups.

    The maximum number of allowed realms is equal to the maximum number of realms in the legacy self-service portal plus the realms in SAML IdP.

    A maximum of 100 realms can be added.

    Legacy login sequence

    When enabled, the legacy sequence requests username and password on the same form. When disabled, only the username is requested on the first form.

    The option is disabled by default.

    When doing IdP proxy to multiple remote SAML IdP servers, keep this option disabled.

    IAM login

    Enable to allow IAM login.

    Note: The option is now only available when Legacy login sequence is enabled.

    Trusted endpoint single sign-on

    When enabled, SSOMA endpoints can log in without reentering username and password.

    The username login page includes a Trusted Endpoint Single Sign-On button that allows single sign-on for trusted endpoints.

    The legacy login page does not offer the Trusted Endpoint Single Sign-On button.

    The option is disabled by default.

    Note: Trusted endpoint single sign-on and Legacy login sequence options are mutually exclusive.

    Listening port

    Trusted endpoints TLS-connect to this TCP port to present their client certificate to the FortiAuthenticator (default = 8008).

    Enforce MFA

    When enabled, FortiAuthenticator enforces token-based settings configured for the SP during trusted endpoint single sign-on.

    When disabled, token-based verification is bypassed for trusted endpoints.

    Note: The option is only available when Trusted endpoint single sign-on is enabled.

    Enforce IP matching

    When enabled, the source IP address of the endpoint connecting to the listening port must match one of the IP addresses reported by the SSOMA for trusted endpoint authentication to succeed. For example, if the endpoint is on a private network and its connection to the FortiAuthenticator is NAT'ed, this option should be disabled.

    Login session timeout

    Set the user's login session timeout limit between 5 and 1440 minutes (one day). The default is 480 minutes (eight hours).

    Default IdP certificate

    Select from the dropdown menu a default certificate that the IdP uses to sign SAML assertions.

    Automatically switch IdP certificate before its expiry time

    Enable and select a New default IdP certificate from the dropdown.

    Switch at

    Enter a date (YYYY-MM-DD) and time when the new default IdP certificate applies.

    Alternatively:

    Use the calendar icon to select a date. To change the time, select the clock icon and choose a time from the list.

    Select Today to switch to today's date or select Now to switch to the time now.

    Default signing algorithm

    Select a default signing algorithm from the dropdown.

    Get nested groups for user

    Enable to get nested groups for Windows AD users.

    Use geolocation in FortiToken Mobile push notifications

    Enable to use geolocation in FortiToken Mobile push notifications.

  3. Select Save to apply any changes that you have made.
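As an added example (not FortiAuthenticator code), the following Python shows how the three Username input formats above and the "Use default realm when user-provided realm is different from all configured realms" option interact when a login string is split into username and realm. The realm names, the case-insensitive realm comparison, and the assumption that a login with no realm part maps to the default local realm are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed realm inventory for the example (not real configuration data).
CONFIGURED_REALMS = {"corp.example.com", "contractors.example.com"}
DEFAULT_REALM = "corp.example.com"


@dataclass(frozen=True)
class ParsedLogin:
    username: str
    realm: str        # realm the authentication is routed to
    fell_back: bool   # True when an unknown realm was replaced by the default


def split_login(raw: str, input_format: str) -> Tuple[str, Optional[str]]:
    """Split a login string per the selected Username input format.
    Returns (username, realm); realm is None when no separator is present."""
    raw = raw.strip()
    if input_format == "username@realm":
        # Split on the last '@' so an email-style username keeps its own '@'.
        user, sep, realm = raw.rpartition("@")
        return (user, realm) if sep else (raw, None)
    if input_format == "realm\\username":
        realm, sep, user = raw.partition("\\")
        return (user, realm) if sep else (raw, None)
    if input_format == "realm/username":
        realm, sep, user = raw.partition("/")
        return (user, realm) if sep else (raw, None)
    raise ValueError(f"unknown username input format: {input_format!r}")


def resolve_realm(raw: str, input_format: str, use_default_on_mismatch: bool,
                  configured=CONFIGURED_REALMS, default=DEFAULT_REALM) -> ParsedLogin:
    """Decide which realm authenticates the user, applying the default-realm
    fallback only when that option is enabled; otherwise reject unknown realms."""
    user, realm = split_login(raw, input_format)
    if not user:
        raise ValueError("empty username")
    if realm is None:
        # Assumption: a login without a realm part goes to the default local realm.
        return ParsedLogin(user, default, False)
    known = {r.lower() for r in configured}  # assumed case-insensitive realm names
    if realm.lower() in known:
        return ParsedLogin(user, realm.lower(), False)
    if use_default_on_mismatch:
        return ParsedLogin(user, default, True)
    raise ValueError(f"realm {realm!r} is not configured and fallback is disabled")
```

With the fallback disabled, a typo in the realm is rejected outright, which is the stricter setting if you do not want logins silently routed to the default realm.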
