User Guide

1.2.0

Security Assertion Markup Language (SAML) Support

You can configure an authentication server that supports the SAML protocol to access FortiGuest. The SAML-capable authentication server acts as the Identity Provider (IDP) and FortiGuest acts as the Service Provider (SP). When a SAML authentication server is configured, the FortiGuest login page offers an option to log in using SAML, and users can authenticate to the captive portal with their SAML credentials from a trusted IDP.

  1. Select Microsoft ADFS SAML or Generic SAML IDP as the Server Type.
  2. Configure the SAML settings for the Identity Provider.

    These settings configure the data that FortiGuest requires to connect to the authentication server.

    Field: Description

    Server: The IDP server hostname or IP address.
    Entity ID: The identifier of the IDP server.
    Single SignOn Service EndPoint: The IDP URL to which FortiGuest sends the authentication request.
    Single LogOut Service EndPoint: The IDP URL to which FortiGuest sends the logout request.
    Select Identity Provider Signing Certificate: The certificate issued by the IDP that FortiGuest uses to validate the signature on SAML responses. To use the signing certificate for encryption as well, do not update the Select Identity Provider Encryption Certificate field.
    Select Identity Provider Encryption Certificate: The IDP certificate used for encryption. Leave this field unchanged to reuse the signing certificate.
  3. Configure the SAML settings for the Service Provider. These settings configure the data that the IDP requires to connect to FortiGuest.

    Field: Description

    Entity ID: The identifier of FortiGuest as the Service Provider.
    Assertion Consumer Service Endpoint: The target URL on the FortiGuest server to which the IDP sends the SAML response or SAML assertion after authentication.
    Single Logout Service Endpoint: The target URL on the FortiGuest server to which the IDP sends the SAML logout response.
    Select NameID Format: The format of the name identifier of the user.
    Select Signature Algorithm For Party Trust: The signature algorithm used in the sign-on process.
    Select Digest Algorithm For Party Trust: The digest algorithm used in the digest process.
  4. Configure additional SAML attributes. FortiGuest looks for these attributes to verify authentication attempts.
    1. Specify the additional attributes that you want to authenticate against.
    2. Configure your Identity Provider to include them in the SAML attribute statement.
    3. Map the attributes from your IDP to the attributes in your SAML profile on FortiGuest.

    Field: Description

    Attribute used to identify username: The IDP attribute that carries the username.
    Attribute used to identify email: The IDP attribute that carries the email address.
    Attribute used to identify groups: The IDP attribute that carries the group membership.
  5. Once the SAML server is added, select a user realm and click Next.
  6. Add mapping rules to accept or refuse the connection, and to assign a usage profile and account group, based on the group attribute values.
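As an added example (not part of this guide and not FortiGuest code), the following Python shows the checks a Service Provider applies to an assertion using the fields above once the response signature has been verified against the Identity Provider Signing Certificate: issuer against the IDP Entity ID, audience against the SP Entity ID, the validity window, then the username/email/groups attribute mapping of step 4 and the group mapping rules of step 6. The entity IDs, attribute names, rules and the sample response are constructed values, and signature verification itself is assumed to have been done beforehand by the SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical values for the Service Provider / Identity Provider fields described above.
SP_ENTITY_ID = "https://fortiguest.example.com/saml/metadata"
IDP_ENTITY_ID = "https://idp.example.com/adfs/services/trust"
ATTR_MAP = {"username": "uid", "email": "mail", "groups": "memberOf"}
# Mapping rules (step 6), evaluated in order: (group value, action, usage profile).
GROUP_RULES = [("contractors", "refuse", None), ("staff", "accept", "Employee-Profile")]
# Constructed sample response; a real one carries an XML signature from the IDP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://fortiguest.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>wifi</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # SAML timestamps are UTC ISO 8601; older fromisoformat() rejects a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate(response_xml, now=None):
    # Assumes the XML signature was already verified against the IDP signing certificate.
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return {"action": "refuse", "reason": "unexpected issuer"}
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        return {"action": "refuse", "reason": "audience mismatch"}
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return {"action": "refuse", "reason": "assertion expired"}
    # Collect attributes by name, then resolve them through the configured mapping (step 4).
    attrs = {el.get("Name"): [v.text for v in el.findall("saml:AttributeValue", NS)]
             for el in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    username = attrs.get(ATTR_MAP["username"], [None])[0]
    if not username:
        return {"action": "refuse", "reason": "username attribute missing"}
    groups = attrs.get(ATTR_MAP["groups"], [])
    for group, action, profile in GROUP_RULES:  # first matching rule wins
        if group in groups:
            return {"action": action, "username": username, "profile": profile, "email": attrs.get(ATTR_MAP["email"], [None])[0]}
    return {"action": "refuse", "reason": "no matching group rule"}
```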

To add SAML authentication to the guest portal, configure the SAML server in the Realm policy (see Realm Policy). Preview the portal and ensure that the Login with SAML option is enabled.

Note: After adding the SAML server, navigate to the SAML Settings to export the metadata file.