Example 1: Google SAML as IdP and FortiGate SSL VPN as SP

The FortiGate device used in this example setup is running on FortiOS 7.4.3.

1. Go to Authentication > User Source and click Add User Source:

2. Configure general settings. Note that Google cannot use Login Hint:

3. On admin.google.com, go to Apps > Web and mobile apps, then add a custom SAML app:

4. Download metadata. Then grab the certificate from this page and click continue:

5. Provide the SP metadata details from FTC (under Interface Detail) on Google:

6. In this example we map the primary email attribute to the username attribute.

7. On FTC, you can click Import Metadata and import the metadata file you downloaded earlier in step 4. Note that Google does not have a Logout URL:

8. Load the certificate that you got from step 4 here in FTC, then click Save to save the entire user source setting:

9. On FTC, go to Applications > SAML Applications and then Add SAML Application:

10. Configure General settings:

11. On FGT, we assume you already have SSL VPN set up. Create a new single sign-on under User & Authentication > Single Sign-On:

12. Put your SSLVPN address into the Address field and take note of the Entity ID, Assertion consumer service URL and Single logout service URL:

13. Input the details into the SP Metadata section on FTC:

14. For Interface Detail we're setting it like this in this example:

15. Take the IdP Metadata and input it into the next page on the FGT single sign-on wizard:

Configure as such and then click submit:

To obtain the certificate, go to Applications > SAML Applications and then click the 3-dotted menu of your SAML application > click Details > download the signing certificate > import into FGT:

16. On FTC make sure to map your new SP to the IdP you made earlier. Then you can click save and now you should have both the IdP and SP parts configured:

17. To add users on Google, go to Directory > Users > Add new user:

You can manage user access here. In our example we've turned the access on for all users on our Google account:

18. On FTC you need to add the same user using the same username (we're using their email in our example) by going to User Management > Users > Batch Add:

19. Once the users are added, the setup is ready for end users. Initiate the login through the SP; on FGT, click Single Sign-On:

Now it should take you to Google's sign-in page:

Log in, and it should take you to the OTP page:

Verify the token using the MFA method you selected when you created the user on FTC earlier. It should then take the end user to the SP, which is the SSL VPN portal in our example:
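Steps 4, 7 and 15 above carry the IdP metadata values (entity ID, SSO URL, signing certificate) over by hand, and step 7 notes that Google's metadata has no Logout URL. The script below is an added example, not part of the Fortinet guide or any Fortinet tool: it parses a SAML 2.0 IdP metadata file, extracts those values, re-wraps the certificate as PEM for import, and warns about a missing SingleLogoutService or a non-DER certificate before anything is typed into FTC or FGT. The sample metadata, the `idp.example.invalid` URLs, the `idpid=PLACEHOLDER` value and the certificate bytes are constructed placeholders; the only assumption is the standard SAML 2.0 metadata and XML-DSig namespaces.

```python
"""Inspect SAML 2.0 IdP metadata before importing it into FTC or FGT.

Added example; not Fortinet code. Sample metadata, URLs and certificate
bytes are constructed placeholders.
"""
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: a minimal DER SEQUENCE (tag 0x30, length 16). It is
# not a real X.509 certificate, just enough to exercise the encoding checks.
PLACEHOLDER_DER = b"\x30\x10" + b"PLACEHOLDER-CERT"

# Constructed sample shaped like IdP metadata that carries an SSO endpoint and a
# signing certificate but no SingleLogoutService (as the guide notes for Google).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml2?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml2/sso?idpid=PLACEHOLDER"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml2/sso?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=base64.b64encode(PLACEHOLDER_DER).decode())


def to_pem(b64_body: str) -> str:
    """Re-wrap the metadata's base64 certificate as PEM with 64-char lines."""
    compact = "".join(b64_body.split())          # drop XML indentation/newlines
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(compact, 64))
            + "\n-----END CERTIFICATE-----\n")


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, SSO/SLO URLs and signing certs (PEM) from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # An SPSSODescriptor here means SP metadata was exported by mistake.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def endpoint(tag: str):
        # Prefer HTTP-Redirect, fall back to HTTP-POST; None when absent.
        by_binding = {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}
        return by_binding.get(HTTP_REDIRECT) or by_binding.get(HTTP_POST)

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):   # skip encryption-only keys
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join((c.text or "").split())
            try:
                der = base64.b64decode(body, validate=True)
            except binascii.Error as exc:
                raise ValueError("X509Certificate is not valid base64") from exc
            if not der or der[0] != 0x30:
                raise ValueError("X509Certificate does not decode to a DER SEQUENCE")
            certs.append(to_pem(body))
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": endpoint("md:SingleSignOnService"),
        "slo_url": endpoint("md:SingleLogoutService"),
        "signing_certs": certs,
    }


def import_warnings(info: dict) -> list:
    """Things to know before entering these values into FTC or FGT."""
    warnings = []
    if info["slo_url"] is None:
        warnings.append("no SingleLogoutService: leave the IdP Logout URL empty; "
                        "an SP-initiated logout will not end the IdP session")
    if len(info["signing_certs"]) > 1:
        warnings.append("%d signing certificates: the IdP may be rotating keys; "
                        "import the one currently signing assertions"
                        % len(info["signing_certs"]))
    if info["sso_url"] and not info["sso_url"].startswith("https://"):
        warnings.append("SSO URL is not https")
    return warnings


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Entity ID :", info["entity_id"])
    print("SSO URL   :", info["sso_url"])
    print("SLO URL   :", info["slo_url"])
    print(info["signing_certs"][0])
    for w in import_warnings(info):
        print("WARNING:", w)
```

Run it against the metadata file downloaded in step 4 (replace `SAMPLE_METADATA` with the file contents) and compare the printed entity ID and SSO URL with what you enter in FTC and in the FGT wizard; the PEM it prints is the certificate to import in step 8. The DER check only catches a mangled paste, not an untrusted certificate: trust comes from having fetched the metadata from the admin console over HTTPS.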
