SAML Single Sign-On (SSO)
SAML SSO can be configured in User Management.
FortiPAM acts as the service provider (SP) in SAML authentication. The SAML server defines the configuration between the SP and the IdP. An IdP can authenticate FortiPAM remote users and provide groups for authorization.
To create a SAML SSO server:
- Go to User Management > Saml Single Sign-On.
- Enter the following information, and click Next after each tab:
Configure Service Provider
Base URL
The URL where the Identity Provider (IdP) sends SAML authentication requests.
Note: The address should be WAN-accessible and can be an IP address or an FQDN.
Note: To include a port, append it after a colon. For example: 200.1.1.1:443
Entity ID
Enter the SP entity ID.
Portal (Sign On) URL
The SAML service provider login URL. The URL is used to initiate a single sign-on.
Note: Not all IdPs require a Portal (Sign On) URL.
Note: The Portal (Sign On) URL is alternatively referred to as the Portal URL or the Sign On URL.
Single Logout Service (SLS) URL
The SP Single Logout Service (SLS) logout URL. The IdP sends the logout response to this URL.
Note: The Single Logout Service (SLS) URL is alternatively referred to as the SLS URL, Single Logout Service URL, or the Logout URL.
SP Certificate
Enable this option and import the SP certificate for authentication request signing by the SP.
Note: This option is disabled by default.
Configure Identity Provider
An IdP provides SAML assertions for the service provider and redirects the user's browser back to the service provider web server.
Log in to the IdP to find the following information.
Type
Select either Fortinet Product or a Custom IdP.
IdP Address
The IdP address.
Note: This option is only available when the Type is Fortinet Product.
Prefix
Enter the IdP prefix.
Note: The prefix is appended to the end of the IdP URLs.
Note: This option is only available when the Type is Fortinet Product.
IdP Certificate
Select a server certificate to use for the SP.
Whenever the configuration changes on the IdP, you need to upload the new certificate reflecting the changes.
IdP entity ID
The IdP's entity ID, for example:
http://www.example.com/saml-idp/xxx/metadata/
Note: This option is only available when the Type is Custom.
IdP single sign-on URL
The IdP's login URL, for example:
http://www.example.com/saml-idp/xxx/login/
Note: This option is only available when the Type is Custom.
IdP single logout URL
The IdP's logout URL, for example:
http://www.example.com/saml-idp/xxx/logout/
Note: This option is only available when the Type is Custom.
Additional Saml Attributes
FortiPAM looks for the attributes to verify authentication attempts. Configure your IdP to include the attributes in the SAML attribute statement.
Attribute used to identify users
Enter the SAML attribute used to identify the users.
Attribute used to identify groups
Enter the SAML attribute used to identify the groups.
AD FS claim
Enable AD FS claim.
Note: This option is disabled by default.
User claim type
From the dropdown, select a user claim type (default = User Principal Name).
Group claim type
From the dropdown, select a group claim type (default = User Group).
- In the Review tab, verify the information you entered and click Submit to create the SAML SSO server.
Use the pen icon to edit tabs.
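The two tabs above ask you to copy values out of the IdP and to name the attributes FortiPAM will look for in the assertion. The following added example (not FortiPAM or Fortinet code) shows where those values come from and what FortiPAM-side checks they drive: it reads the IdP entity ID, sign-on URL, logout URL and signing certificate out of IdP metadata, mapped onto the CLI field names used later on this page, then checks that an assertion from that IdP names the SP entity ID as its audience, is inside its validity window, and carries the user and group attributes (the names "username" and "group" follow the page's CLI example). All XML, the SP entity ID "https://pam.example.com/saml/metadata/" and the user and group values are constructed sample data. The XML signature is deliberately not verified here; that step needs a proper XML-DSig library and the idp-cert value.

```python
"""Added example (not FortiPAM code): map IdP metadata onto the Configure
Identity Provider fields, then check a constructed assertion against the SP
configuration and extract the user/group attributes FortiPAM is told to use."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata; a real IdP lets you download this document.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.example.com/saml-idp/xxx/metadata/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://www.example.com/saml-idp/xxx/logout/"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://www.example.com/saml-idp/xxx/login/"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_ENTITY_ID = "https://pam.example.com/saml/metadata/"  # constructed SP entity ID

# Constructed assertion; attribute names follow the page's CLI example
# (set user-name "username" / set group-name "group").
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
 <saml:Issuer>http://www.example.com/saml-idp/xxx/metadata/</saml:Issuer>
 <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://pam.example.com/saml/metadata/</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="group"><saml:AttributeValue>pam-admins</saml:AttributeValue>
   <saml:AttributeValue>pam-users</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def idp_fields(metadata_xml):
    """Map IdP metadata onto idp-entity-id, idp-single-sign-on-url,
    idp-single-logout-url and idp-cert; flag non-TLS login/logout endpoints."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)

    def location(tag):  # HTTP-Redirect endpoint of the given service element
        for svc in idp.findall(tag, NS):
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        return None

    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    fields = {"idp-entity-id": root.get("entityID"),
              "idp-single-sign-on-url": location("md:SingleSignOnService"),
              "idp-single-logout-url": location("md:SingleLogoutService"),
              "idp-cert": cert.text.strip() if cert is not None else None}
    fields["warnings"] = [k for k in ("idp-single-sign-on-url", "idp-single-logout-url")
                          if fields[k] and not fields[k].startswith("https://")]
    return fields


def _ts(s):  # SAML timestamps are UTC "Z" times
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(assertion_xml, sp_entity_id, idp_entity_id, user_attr, group_attr, now=None):
    """Return (ok, problems, user, groups). Checks issuer, validity window and
    audience, then extracts the configured attributes. The XML signature is NOT
    verified here; verify it against idp-cert before trusting these values."""
    a = ET.fromstring(assertion_xml)
    now = _ts(now) if now else datetime.now(timezone.utc)
    problems = []
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"issuer {issuer!r} is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window")
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"audience {audiences} does not include the SP entity ID")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    user = attrs.get(user_attr, [None])[0]
    groups = attrs.get(group_attr, [])
    if user is None:
        problems.append(f"user attribute {user_attr!r} missing from the AttributeStatement")
    return (not problems, problems, user, groups)
```

Running `idp_fields(IDP_METADATA)` gives the four values to paste into the Custom IdP fields; `check_assertion(ASSERTION, SP_ENTITY_ID, fields["idp-entity-id"], "username", "group", "2024-01-01T12:01:00Z")` returns ok with user alice@example.com and both groups, while a wrong audience, an expired window or a misnamed user attribute each show up as an entry in problems, which is the same mismatch you would otherwise only see as a failed login.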
Alternatively, use the CLI commands to configure an IdP.
CLI configuration to set up a SAML IdP example:
config user saml
    edit <SAML Name>
        set entity-id "http://<PAM_VIP>/saml/metadata/"
        set single-sign-on-url "https://<PAM_VIP>/XX/YY/ZZ/saml/login/"
        set single-logout-url "https://<PAM_VIP>/remote/saml/logout/"
        set idp-entity-id "http://<iDP URL>/<idp_entity_id>"
        set idp-single-sign-on-url "https://<iDP_URL>/<sign_on_url>"
        set idp-single-logout-url "https://<iDP_URL>/<sign_out_url>"
        set idp-cert <iDP Certificate>
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next
end
config firewall access-proxy
    edit "fortipam_access_proxy"
        set vip "fortipam_vip"
        config api-gateway
            edit 4
                set service samlsp
                set saml-server "fortipam-saml-sso-server"
            next
        end
    next
end
config authentication scheme
    edit "fortipam_saml_auth_scheme"
        set method saml
        set saml-server "fortipam-saml-sso-server"
    next
end
config authentication rule
    # Create a new rule and move it above the default "fortipam_auth" rule.
    edit "fortipam_saml_auth_rule"
        set srcaddr "all"
        set dstaddr "saml_auth_addr"
        set ip-based disable
        set active-auth-method "fortipam_saml_auth_scheme"
        set web-auth-cookie enable
    next
    edit "fortipam_auth"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "fortipam_auth_scheme"
        set web-auth-cookie enable
    next
end
CLI configuration to enable SAML authentication on the login page example:
config system global
    set saml-authentication enable
end
To log in to FortiPAM as a SAML user:
- On the login page, from the Local dropdown, select SAML.
- Select Continue to open the SAML login page.
- Enter the username and password to log in to FortiPAM.