Fortinet white logo
Fortinet white logo

Cookbook

Enabling FSSO and SAML on the FortiAuthenticator

Enabling FSSO and SAML on the FortiAuthenticator

  1. On the FortiAuthenticator, go to Fortinet SSO Methods > SSO > General and set FortiGate SSO options. Make sure to Enable authentication.

    Enter a Secret key and select OK to apply your changes. This Secret key is used on the FortiGate to add the FortiAuthenticator as the FSSO server.

  2. Go to Fortinet SSO Methods > SSO > SAML Authentication and select Enable SAML portal. All necessary URLs are automatically generated:
    • Portal URL: captive portal URL for the FortiGate and user.
    • Entity ID: used in the Centrify SAML IdP application setup.
    • ACS (login) URL: assertion POST URL used by the SAML IdP.

    Enable Implicit group membership and assign the saml_users group. This places SAML authenticated users into this group.

    Keep this window open as these URLs are needed to configure the IdP application and for testing.

    You cannot save these settings yet as the IdP information (IDP entity id, IDP single sign-on URL, and IDP certificate fingerprint) still needs to be entered. These fields will be filled once the IdP application configuration is complete.

Enabling FSSO and SAML on the FortiAuthenticator

Enabling FSSO and SAML on the FortiAuthenticator

  1. On the FortiAuthenticator, go to Fortinet SSO Methods > SSO > General and set FortiGate SSO options. Make sure to Enable authentication.

    Enter a Secret key and select OK to apply your changes. This Secret key is used on the FortiGate to add the FortiAuthenticator as the FSSO server.

  2. Go to Fortinet SSO Methods > SSO > SAML Authentication and select Enable SAML portal. All necessary URLs are automatically generated:
    • Portal URL: captive portal URL for the FortiGate and user.
    • Entity ID: used in the Centrify SAML IdP application setup.
    • ACS (login) URL: assertion POST URL used by the SAML IdP.

    Enable Implicit group membership and assign the saml_users group. This places SAML authenticated users into this group.

    Keep this window open as these URLs are needed to configure the IdP application and for testing.

    You cannot save these settings yet as the IdP information (IDP entity id, IDP single sign-on URL, and IDP certificate fingerprint) still needs to be entered. These fields will be filled once the IdP application configuration is complete.