
Administration Guide

SAML Single Sign-On (SSO)

SAML SSO is configured in User Management.

FortiPAM acts as the service provider (SP) in SAML authentication. The SAML server object defines the trust between the SP and the identity provider (IdP): the SP's own entity ID and URLs, the IdP's entity ID, URLs and signing certificate, and the attribute names FortiPAM reads from assertions. The IdP authenticates FortiPAM remote users and can supply group membership for authorization.

To create a SAML SSO server:
  1. Go to User Management > Saml Single Sign-On.

  2. Enter the following information, and click Next after each tab:

    Configure Service Provider

    Base URL

    The base URL of FortiPAM as the SAML service provider. The SP entity ID, login and logout URLs are served under it, and it is where the IdP redirects the user's browser with the SAML response after authentication.

    Note: The address must be reachable from the users' browsers (the IdP does not connect to FortiPAM directly; the browser carries the SAML messages) and can be an IP address or an FQDN. It must match the SP URLs registered at the IdP.

    Note: To include a port, append it after a colon. For example: 200.1.1.1:443.

    Entity ID

    Enter the SP entity ID. This is the value the IdP must place in the Audience of assertions it issues for FortiPAM; an assertion issued for another SP's entity ID is rejected.

    Portal (Sign On) URL

    The SAML service provider login URL. The URL is used to initiate a single sign-on.

    Note: Not all IdPs require a Portal (Sign On) URL.

    Note: The Portal (Sign On) URL is alternatively referred to as the Portal URL or the Sign On URL.

    Single Logout Service (SLS) URL

    The SP Single Logout Service (SLS) logout URL. The IdP sends the logout response to this URL.

    Note: The Single Logout Service (SLS) URL is alternatively referred to as the SLS URL, Single Logout Service URL, or the Logout URL.

    Sp Certificate

    Enable this option and import the SP certificate used to sign the authentication requests that FortiPAM sends to the IdP. The IdP must be configured with the matching certificate to verify the requests, which lets it reject forged or tampered AuthnRequests.

    Note: This option is disabled by default.

    Configure Identity Provider

    An IdP authenticates the user, issues SAML assertions for the service provider, and redirects the user's browser back to the service provider web server with the signed response.

    Log in to the IdP, or fetch its SAML metadata, to find the following information.

    Type

    Select either Fortinet Product or a Custom IdP.

    IdP Address

    The IdP address.

    Note: This option is only available when the Type is Fortinet Product.

    Prefix

    Enter the IdP prefix.

    Note: The prefix is appended to the end of the IdP URLs.

    Note: This option is only available when the Type is Fortinet Product.

    IdP Certificate

    Select the IdP's signing certificate (previously uploaded to FortiPAM). FortiPAM uses it to verify the signature on the SAML responses and assertions the IdP sends; with the wrong certificate every login fails, and without this check anyone could forge an assertion.

    Whenever the signing certificate changes on the IdP (key rollover, re-issue), upload the new certificate and select it here.

    IdP entity ID

    The IdP's entity ID, for example:

    http://www.example.com/saml-idp/xxx/metadata/

    Note: This option is only available when the Type is Custom.

    IdP single sign-on URL

    The IdP's login URL, for example:

    http://www.example.com/saml-idp/xxx/login/

    Note: This option is only available when the Type is Custom.

    IdP single logout URL

    The IdP's logout URL, for example:

    http://www.example.com/saml-idp/xxx/logout/

    Note: This option is only available when the Type is Custom.

    Additional Saml Attributes

    FortiPAM reads these attributes from the assertion to identify the authenticated user and the groups used for authorization. Configure your IdP to include them in the SAML attribute statement; the names entered here must match the attribute Name values the IdP emits exactly, since FortiPAM looks up the user and groups by these names and nothing else.

    Attribute used to identify users

    Enter the SAML attribute used to identify the users.

    Attribute used to identify groups

    Enter the SAML attribute used to identify the groups.

    AD FS claim

    Enable AD FS claim when the IdP is Active Directory Federation Services (AD FS), so that the user and group are matched by AD FS claim type instead of the plain attribute names above.

    Note: This option is disabled by default.

    User claim type

    From the dropdown, select a user claim type (default = User Principal Name).

    Group claim type

    From the dropdown, select a group claim type (default = User Group).

  3. In the Review tab, verify the information you entered and click Submit to create the SAML SSO server.

    Use the pen icon to edit tabs.
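The Configure Identity Provider values (IdP entity ID, single sign-on URL, single logout URL, signing certificate) are all published in the IdP's SAML metadata. The script below, an added example and not FortiPAM code, extracts them with the Python standard library, keeps only the signing certificate (an encryption-only key uploaded as the IdP certificate would break every login), flags plain-HTTP endpoints, and renders the IdP half of the page's config user saml block. The metadata document is constructed for the page's example.com IdP with dummy certificate bodies; the certificate name idp_signing_cert is an assumed upload name.

```python
"""Pull the Configure Identity Provider values out of IdP metadata.
Added example, not FortiPAM code. SAMPLE_IDP_METADATA is constructed for the
page's example.com IdP and carries dummy certificate bodies.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.example.com/saml-idp/xxx/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>AAECAwQFBgcICQ==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>////</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://www.example.com/saml-idp/xxx/logout/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://www.example.com/saml-idp/xxx/login/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://www.example.com/saml-idp/xxx/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der):
    """SHA-256 of the DER certificate, to compare with the one uploaded to FortiPAM."""
    return hashlib.sha256(der).hexdigest()

def parse_idp_metadata(xml_text):
    """Return the idp-* values of 'config user saml', the signing certificate
    fingerprints, and warnings to clear before going live."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata describes an SP, not an IdP")

    def location(service):
        # Prefer the HTTP-Redirect endpoint; fall back to whatever is listed.
        endpoints = idp.findall(service, NS)
        for ep in endpoints:
            if ep.get("Binding") == HTTP_REDIRECT:
                return ep.get("Location")
        return endpoints[0].get("Location") if endpoints else None

    # Only 'signing' keys (or keys with no 'use', which serve both roles) verify
    # assertions; uploading the encryption-only certificate would break every login.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join(c.text.split())))
    if not certs:
        raise ValueError("no signing certificate: FortiPAM could not verify assertions")

    info = {"idp-entity-id": root.get("entityID"),
            "idp-single-sign-on-url": location("md:SingleSignOnService"),
            "idp-single-logout-url": location("md:SingleLogoutService"),
            "idp-cert-sha256": [fingerprint(c) for c in certs],
            "warnings": []}
    for key in ("idp-single-sign-on-url", "idp-single-logout-url"):
        if info[key] is None:
            info["warnings"].append(f"{key}: IdP publishes no endpoint")
        elif not info[key].startswith("https://"):
            info["warnings"].append(f"{key}: not HTTPS; the browser carries SAML data there")
    if len(certs) > 1:
        info["warnings"].append("several signing certificates: IdP key rollover, re-upload when it switches")
    return info

def fortipam_saml_cli(saml_name, idp_cert_name, info):
    """Render the IdP half of the page's 'config user saml' block.
    idp_cert_name is the name the IdP certificate was uploaded under (assumed)."""
    return "\n".join([
        "config user saml",
        f'    edit "{saml_name}"',
        f'        set idp-entity-id "{info["idp-entity-id"]}"',
        f'        set idp-single-sign-on-url "{info["idp-single-sign-on-url"]}"',
        f'        set idp-single-logout-url "{info["idp-single-logout-url"]}"',
        f'        set idp-cert "{idp_cert_name}"',
        "        set digest-method sha256",
        "    next",
        "end"])

if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(meta)
    print(fortipam_saml_cli("fortipam-saml-sso-server", "idp_signing_cert", meta))
```

Compare the printed fingerprint against `openssl x509 -in <idp cert> -noout -fingerprint -sha256` before uploading, and clear the warnings: the page's example.com URLs are plain http, which is acceptable only in a lab, since the SAML response travels through the user's browser to and from those endpoints.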

Alternatively, use the CLI to configure the SAML server and bind it to the login flow.

CLI configuration to set up the SAML server (the SP side and the IdP it trusts) example:

config user saml
    edit <SAML Name>
        set entity-id "http://<PAM_VIP>/saml/metadata/"
        set single-sign-on-url "https://<PAM_VIP>/XX/YY/ZZ/saml/login/"
        set single-logout-url "https://<PAM_VIP>/remote/saml/logout/"
        set idp-entity-id "http://<iDP URL>/<idp_entity_id>"
        set idp-single-sign-on-url "https://<iDP_URL>/<sign_on_url>"
        set idp-single-logout-url "https://<iDP_URL>/<sign_out_url>"
        set idp-cert <iDP Certificate>
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next
end

The name given to the entry (<SAML Name>) is the name referenced as saml-server in the following blocks, fortipam-saml-sso-server in this example. The idp-cert must be the certificate the IdP signs its assertions with: it is what lets FortiPAM tell a genuine response from a forged one. user-name and group-name must match the attribute names in the IdP's attribute statement exactly, because FortiPAM looks up the user and groups by these names only. Keep digest-method at sha256; SHA-1 is deprecated for XML signatures.

CLI configuration to expose the SAML SP endpoints on the access proxy and route logins to a SAML authentication scheme example:

config firewall access-proxy
    edit "fortipam_access_proxy"
        set vip "fortipam_vip"
        config api-gateway
            edit 4
                set service samlsp
                set saml-server "fortipam-saml-sso-server"
            next
        end
    next
end

config authentication scheme
    edit "fortipam_saml_auth_scheme"
        set method saml
        set saml-server "fortipam-saml-sso-server"
    next
end

Create a new authentication rule for SAML and move it above the default fortipam_auth rule, so that SAML logins match the SAML scheme before the default rule catches them:

config authentication rule
    edit "fortipam_saml_auth_rule"
        set srcaddr "all"
        set dstaddr "saml_auth_addr"
        set ip-based disable
        set active-auth-method "fortipam_saml_auth_scheme"
        set web-auth-cookie enable
    next
    edit "fortipam_auth"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "fortipam_auth_scheme"
        set web-auth-cookie enable
    next
end

CLI configuration to enable SAML authentication on the login page example:

config system global
    set saml-authentication enable
end
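What the SP does with the response the IdP posts back is where the user-name and group-name settings (or the AD FS claim types) take effect. The script below is an added example, not FortiPAM code: it applies the checks any SAML SP must pass before trusting an assertion (success status, Destination and Recipient equal to the SP login URL, Issuer equal to the configured IdP entity ID, Audience equal to the SP entity ID, validity window, exactly one assertion) and then reads the user and groups by the configured attribute names. It deliberately does not verify the XML signature, which needs an xmlsec library; in FortiPAM that check is done with the uploaded IdP certificate and is what stops forged assertions, so these checks are meaningless without it. The response document is constructed, the host pam.example.net is made up, and the AD FS claim URIs are assumed to be what the User Principal Name / User Group dropdown choices resolve to.

```python
"""SP-side checks on a SAML response, then the user/group attribute lookup.
Added example, not FortiPAM code. XML signature verification is deliberately
left out (needs xmlsec); in FortiPAM it is done with the uploaded IdP
certificate and is what stops forged assertions, so never deploy these checks
without it. The response below is constructed; pam.example.net is made up.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# AD FS claim-type URIs; assumed to be what the User claim type / Group claim
# type dropdowns (User Principal Name / User Group) resolve to.
ADFS_UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ADFS_GROUP = "http://schemas.xmlsoap.org/claims/Group"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://pam.example.net/saml/login/">
 <saml:Issuer>http://www.example.com/saml-idp/xxx/metadata/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>http://www.example.com/saml-idp/xxx/metadata/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://pam.example.net/saml/login/"
      NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>http://pam.example.net/saml/metadata/</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <saml:AttributeValue>pam-admins</saml:AttributeValue>
    <saml:AttributeValue>vault-readers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# The SP side as configured under 'config user saml' (made-up host), AD FS claim enabled.
CONFIG = dict(sp_entity_id="http://pam.example.net/saml/metadata/",
              acs_url="https://pam.example.net/saml/login/",
              idp_entity_id="http://www.example.com/saml-idp/xxx/metadata/",
              user_attr=ADFS_UPN, group_attr=ADFS_GROUP)

class SamlCheckFailed(Exception):
    pass

def _require(ok, why):
    if not ok:
        raise SamlCheckFailed(why)

def utc(stamp):
    """Parse the xs:dateTime form SAML uses, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, sp_entity_id, acs_url, idp_entity_id, user_attr, group_attr, now):
    root = ET.fromstring(xml_text)
    _require(root.tag == "{%s}Response" % NS["samlp"], "not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(code is not None and code.get("Value") == SUCCESS, "IdP did not report success")
    _require(root.get("Destination") in (None, acs_url), "Destination is not our login URL")
    assertions = root.findall("saml:Assertion", NS)
    _require(len(assertions) == 1, "expected exactly one assertion")  # no smuggled extras
    a = assertions[0]
    _require(a.findtext("saml:Issuer", namespaces=NS) == idp_entity_id,
             "Issuer is not the configured IdP entity ID")
    cond = a.find("saml:Conditions", NS)
    _require(cond is not None, "assertion has no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    _require(not nb or now >= utc(nb), "assertion not yet valid")
    _require(not noa or now < utc(noa), "assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _require(sp_entity_id in audiences, "audience mismatch: assertion issued for another SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:  # bearer confirmation: token bound to our login URL and a deadline
        _require(scd.get("Recipient") in (None, acs_url), "Recipient is not our login URL")
        _require(not scd.get("NotOnOrAfter") or now < utc(scd.get("NotOnOrAfter")),
                 "subject confirmation expired")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    users = attrs.get(user_attr, [])
    _require(len(users) == 1, f"need exactly one value for user attribute {user_attr!r}, got {len(users)}")
    return {"user": users[0], "groups": attrs.get(group_attr, [])}

def verify_login(xml_text, now, **cfg):
    """(True, identity) or (False, reason). cfg takes the CONFIG keys above."""
    try:
        return True, check_response(xml_text, now=now, **cfg)
    except (SamlCheckFailed, ET.ParseError) as e:
        return False, str(e)

if __name__ == "__main__":
    print(verify_login(SAMPLE_RESPONSE, utc("2024-05-01T12:02:00Z"), **CONFIG))
```

Run with the plain names from the page's CLI (user-name "username", group-name "group") against this AD FS-style response and the login fails with "need exactly one value for user attribute 'username'": that is the symptom of an attribute-name mismatch, and the fix is on the IdP side or in the AD FS claim setting, not in the rule order. For real input, parse with defusedxml rather than xml.etree, since the response is attacker-controllable XML.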

To log in to FortiPAM as a SAML user:
  1. On the login page, from the Local dropdown, select SAML.
  2. Select Continue. FortiPAM redirects the browser to the IdP's single sign-on URL.
  3. Authenticate at the IdP with your username and password (and any second factor it enforces). On success, the IdP redirects the browser back to FortiPAM, which validates the assertion and signs you in with the user and groups it carries.
