Enabling FSSO and SAML on the FortiAuthenticator

  1. On the FortiAuthenticator, go to Fortinet SSO Methods > SSO > General and set FortiGate SSO options. Make sure to Enable authentication.

    Enter a Secret key and select OK to apply your changes. This Secret key is used on the FortiGate to add the FortiAuthenticator as the FSSO server.

  2. Go to Fortinet SSO Methods > SSO > SAML Authentication and select Enable SAML portal. All necessary URLs are automatically generated:
    • Portal URL: captive portal URL for the FortiGate and user.
    • Entity ID: used in the Centrify SAML IdP application setup.
    • ACS (login) URL: assertion POST URL used by the SAML IdP.

    Under SAML assertions, enable Text-based list and enter Memberof. This attribute will be configured later on the Centrify tenant to be included in the SAML response to the FortiAuthenticator.

    Enable Implicit group membership and assign the saml_users group. This places every SAML-authenticated user into that group, which is the group the FortiGate will later see as the user's FSSO group.

    Keep this window open as these URLs are needed to configure the IdP application and for testing.

    You cannot save these settings yet as the IdP information (IDP entity id, IDP single sign-on URL, and IDP certificate fingerprint) still needs to be entered. These fields will be filled once the IdP application configuration is complete.
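The three IdP values the FortiAuthenticator asks for (entity ID, single sign-on URL, certificate fingerprint) and the Memberof text-based list all surface in the SAML response the IdP POSTs to the ACS URL. The following is an added example, not Fortinet's code: it parses a constructed SAML response, refuses it when the Issuer or the signing certificate's SHA-1 fingerprint differs from what was configured, and extracts the Memberof values as a list. The issuer URL, certificate bytes, user and group names are invented placeholders; a real SP also verifies the XML signature, which is omitted here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: fake bytes stand in for the IdP's DER certificate (only its
# fingerprint is used) and the issuer URL is invented; neither belongs to a real tenant.
FAKE_CERT_DER = b"constructed-idp-certificate-bytes"
EXPECTED_IDP_ENTITY_ID = "https://idp.example.test/saml"

def cert_fingerprint(b64_der: str) -> str:
    """SHA-1 fingerprint (AA:BB:...) of a base64 <ds:X509Certificate> value."""
    digest = hashlib.sha1(base64.b64decode(b64_der)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

EXPECTED_FINGERPRINT = cert_fingerprint(base64.b64encode(FAKE_CERT_DER).decode())

# Constructed SAML response: Memberof is sent as a text-based list of AttributeValues.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}">
  <saml:Issuer>{EXPECTED_IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="Memberof">
    <saml:AttributeValue>Finance</saml:AttributeValue>
    <saml:AttributeValue>VPN-Users</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, entity_id, fingerprint, attr_name="Memberof"):
    """Return (NameID, group list) only if issuer and signing cert match the configured IdP."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != entity_id:
        raise ValueError(f"unexpected IdP entity ID: {issuer!r}")
    cert_el = root.find(".//ds:X509Certificate", NS)
    if cert_el is None or cert_fingerprint(cert_el.text.strip()) != fingerprint:
        raise ValueError("signing certificate fingerprint does not match configured IdP")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    values = root.findall(f".//saml:Attribute[@Name='{attr_name}']/saml:AttributeValue", NS)
    return name_id, [v.text.strip() for v in values]

def demo():
    return check_response(SAMPLE_RESPONSE, EXPECTED_IDP_ENTITY_ID, EXPECTED_FINGERPRINT)
```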
