Admin Guide

Use SAML applications

A SAML IdP Proxy is a bridge or gateway between a federation of SAML IdPs and a federation of SAML SPs:

To an SP, an IdP Proxy looks like an ordinary IdP. Likewise, to an IdP, an IdP Proxy looks like an SP. Thus an IdP Proxy has the combined capability of both an IdP and SP.

With FTC providing a SAML and OIDC IdP interface, the application can be moved into the scope of the FTC SaaS service and use the existing SSO protocol to integrate with the Fortinet ecosystem, which already supports SAML login. This relieves FortiDevices from a private integration with FTC, as long as they use a SAML SP for authentication. FTC can introduce new features such as FIDO and adaptive authentication without requiring downstream support.

The customer does not need to worry about device serial numbers (SN) or FTC license ownership.

Use Case

One example is a customer who already has a setup with an IdP and multiple SPs but no 2FA. Say they use Google as the IdP to provide the user source, and SSL VPN through a FortiGate as the SP. With their current setup, when an end user tries to log in through SSL VPN, they are redirected to the Google login page, and once they enter their username and password they are immediately let into SSL VPN. With FTC's IdP Proxy set up, the end user will instead experience:

Google login > FTC 2FA OTP page > FGT SSL VPN
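The following is an added illustration, not code from this guide or from FTC: a simplified model of the proxy's two roles in the flow above. The proxy verifies the upstream IdP's assertion as an SP would, enforces the OTP step, and only then issues its own assertion to the SP (the FortiGate), which trusts only the proxy's key. HMAC over JSON stands in for XML signatures, and all keys, entity IDs and OTP values are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed demo keys; a real deployment uses XML-DSig with X.509 keys.
UPSTREAM_IDP_KEY = b"google-idp-demo-key"
PROXY_KEY = b"ftc-proxy-demo-key"


def sign(assertion: dict, key: bytes) -> dict:
    """Attach an HMAC over the canonical JSON body (stand-in for an XML signature)."""
    body = json.dumps(assertion, sort_keys=True).encode()
    return {**assertion, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(signed: dict, key: bytes) -> bool:
    """Recompute the HMAC over everything except the signature and compare in constant time."""
    body = {k: v for k, v in signed.items() if k != "sig"}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("sig", ""))


def upstream_idp_login(username: str, audience: str) -> dict:
    """Upstream IdP (Google in the guide's example): the user signs in with username and
    password and the IdP asserts to its SP, which is the proxy, not the FortiGate."""
    return sign({"issuer": "upstream-idp", "audience": audience, "subject": username}, UPSTREAM_IDP_KEY)


def idp_proxy(sp_entity_id: str, upstream_assertion: dict, otp: str, expected_otp: str):
    """The proxy is an SP toward the upstream IdP and an IdP toward the real SP.
    It issues its own assertion only if the upstream assertion verifies, was addressed
    to the proxy, AND the second factor (the FTC OTP page) passes."""
    if not verify(upstream_assertion, UPSTREAM_IDP_KEY):
        return None
    if upstream_assertion["audience"] != "ftc-proxy":
        return None
    if not hmac.compare_digest(otp, expected_otp):  # real OTP check is done by FTC; demo only
        return None
    return sign({"issuer": "ftc-proxy", "audience": sp_entity_id,
                 "subject": upstream_assertion["subject"], "authn_context": "mfa"}, PROXY_KEY)


def sp_accepts(assertion, sp_entity_id: str) -> bool:
    """The SP (FortiGate SSL VPN) trusts only the proxy's key and its own audience;
    it never sees or trusts the upstream IdP directly."""
    return assertion is not None and verify(assertion, PROXY_KEY) and assertion["audience"] == sp_entity_id
```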