Professional Documents
Culture Documents
FortiAuthenticator-6.4.0-SAML 2FA Interoperability Guide
FortiAuthenticator-6.4.0-SAML 2FA Interoperability Guide
FortiAuthenticator 6.4.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
FEEDBACK
Email: techdoc@fortinet.com
Change Log 4
About this Guide 5
FortiAuthenticator setup 6
Initial setup 6
System settings 7
DNS 7
Configure the FQDN 7
Configuring the remote LDAP authentication server 7
Importing a remote LDAP user and registering a token 8
Creating a realm for the remote LDAP server 9
Configuring SAML settings 10
Configuring FortiAuthenticator as an identity provider (IdP) 10
Configuring FortiAuthenticator SP settings 11
FortiGate 13
Creating a new SAML user and server 14
Applying the SAML server to proxy authentication 15
Configuring ZTNA access proxy to allow SAML authentication requests to SP 16
Configuring VIP and firewall policy to forward IdP authentication traffic to
FortiAuthenticator 18
Examples 20
Applying SAML and 2FA to ZTNA HTTPS access proxy example 21
Applying SAML and 2FA to a ZTNA TCP forwarding access proxy for RDP
connections example 23
Applying SAML and 2FA to a ZTNA SSH access proxy example 25
FortiManager 28
Create a FortiManager administrator account 28
Configure the FortiManager as an SP 28
Results 29
FortiAnalyzer 30
Create a FortiAnalyzer administrator account 30
Configure the FortiAnalyzer as a SAML SP 30
Results 31
Third-party Service Provider 32
The purpose of this guide is to aid in the configuration of Security Assertion Markup Language (SAML) authentication
using FortiAuthenticator for Fortinet solutions.
Testing was performed with the following product versions:
l FortiAuthenticator 6.4.0
l FortiGate 7.0.1
l FortiManager 7.0.1
l FortiAnalyzer 7.0.1
FortiAuthenticator setup
This section includes configuration information for the FortiAuthenticator. Any deviations from this configuration will be
detailed in the relevant section. For more information on the setup and configuration of the FortiAuthenticator, see the
FortiAuthenticator Administration Guide on the Fortinet Docs Library.
This section includes the following information:
l Initial setup on page 6
l System settings on page 7
l Configuring the remote LDAP authentication server on page 7
l Importing a remote LDAP user and registering a token on page 8
l Creating a realm for the remote LDAP server on page 9
l Configuring SAML settings on page 10
Initial setup
Upon initial deployment, the FortiAuthenticator is configured to the following default settings:
Port 1 IP: 192.168.1.99
Port 1 Netmask: 255.255.255.0
Default Gateway: 192.168.1.1
These settings can be modified by configuring a PC to an address on the same subnet and accessing the GUI via
https://192.168.1.99/. Alternatively, you can configure these settings using the CLI.
1. Connect the management computer to the FortiAuthenticator using the supplied console cable.
2. Log in to the FortiAuthenticator unit using the default credentials below:
Username: admin
Password: <blank>
You will be prompted to change and confirm your new password.
3. Configure the network settings as required, for example:
config system interface
edit port1
set ip <ip-address>/<netmask>
set allowaccess https-gui https-api ssh
next
end
config router static
edit 0
set device port1
set dst 0.0.0.0/0
set gateway <ip-gateway>
next
end
Substitute your own desired FortiAuthenticator IP address and default gateway. This will give you access to the GUI
through the specified IP address.
For more information on FortiAuthenticator initial setup, see the FortiAuthenticator Administration Guide in the Fortinet
Document Library.
System settings
Once the initial setup of the FortiAuthenticator is complete, further configuration can be performed through the GUI.
DNS
To enable resolution of the FortiGuard network and other systems such as NTP servers, set your DNS to your local or
ISP nameserver configuration via Network > DNS.
You can configure the FQDN for the FortiAuthenticator from the System Information widget in System > Dashboard.
Click the edit icon next to Device FQDN to open the Edit Device FQDN window, enter a name for Fully qualified domain
name, and click OK.
To configure a new remote authentication server pointing to the Windows Active Directory:
1. Go to Authentication > Remote Auth. Servers > LDAP and select Create New.
The Create New LDAP Server window opens.
2. In the Create New LDAP Server window:
a. Enter a name, IP address, and port for the LDAP server.
b. In the Base distinguished name field, enter the full base dn for the LDAP server in the format:
DC=example,DC=com.
c. Select the Bind type as Regular, and enter a username and password.
d. In the Query Elements pane, select Group attribute for the Obtain group memberships from toggle, and keep
the default values for the following fields:
i. User object class
ii. Username attribute
iii. Group object class
iv. Group membership attribute
e. Enable Secure Connection, and select either the LDAPS or STARTTLS protocol.
1. In the LDAP tab, under Remote Auth. Servers, select the LDAP server that you created and click Edit.
2. In the Remote LDAP Users pane, select Import users from the Username dropdown and click Go.
The Import Remote LDAP Users window opens.
3. In the Import Remote LDAP Users window, select your users and click OK to import.
Importing remote LDAP users may take time depending on the number of users being
imported.
Registering FortiToken
In order to test two-factor authentication, a token is required. The configuration instructions included in this guide use
FortiToken.
For security reasons, a token can only be automatically registered from the FortiGuard
network a single time. If you need to register it a subsequent time, please contact Fortinet
support.
To register a FortiToken:
1. Go to Authentication > User Management > FortiTokens, and select Create New.
2. Select the Token type and enter the FortiToken Serial number or Activation code. Click OK.
Once registered, tokens will be displayed with an Available status.
1. Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, and double-click a
user to edit it.
2. Go to the User Information pane and enter an email address.
The email address will be used for FortiToken mobile activation.
3. Enable One-Time Password (OTP) authentication, and select Deliver token code by FortiToken Mobile.
Select FortiToken Mobile added earlier from the relevant dropdown menu.
4. Set the Activation Delivery method to Email.
The activation information is sent to the user via the email address provided here.
5. Click OK to save changes to the remote user.
An activation email is sent to the email address specified in the Email field under the User Information pane.
6. Open the email to complete the activation and install the token to the FortiToken Mobile app.
To import remote LDAP users, see Importing remote LDAP users.
The realm name may only contain letters, numbers, periods, hyphens, and underscores. It
cannot start or end with a special character.
3. Select the previously created remote LDAP server for the realm from the User source dropdown.
See Configuring the remote LDAP authentication server on page 7.
4. Click OK to create the new realm.
The following section includes information on how to configure the FortiAuthenticator as the SAML IdP. In addition to the
IdP settings, SAML SP settings must be configured on the FortiAuthenticator for each SAML SP device.
This section includes the following instructions:
1. Configuring FortiAuthenticator as an identity provider (IdP) on page 10
2. Configuring FortiAuthenticator SP settings on page 11
Device FQDN can be configured from the System Information widget in System
> Dashboard > Status. See Configure the FQDN on page 7.
2. Enable SAML Identity Provider portal, and enter the following information:
l Server address: Enter the device FQDN or the IP address of the IdP FortiAuthenticator.
3. Click OK to complete.
Once the IdP has been configured, you can proceed with setting up the service provider(s) of your choice.
In addition to configuring the SAML IdP settings, you will also need to select and export the default IdP certificate for use
on the service providers.
In order to complete the following configuration, you will need to configure the SAML settings on the SP device at the
same time. This is because some fields including the SP entity ID, SP ACS URL, and SP SLS URL are only available
when configuring the SAML settings on the SP device.
1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
2. Enter the following information:
l SP name: Enter a name for the SP device. Here, the SP name is Enterprise Core.
l IDP prefix: Select +, enter an IdP prefix in the Create Alternate IdP Prefix dialog, and click OK. Here, the IdP
prefix is ztna.
l Server certificate: Select the same certificate as the default IdP certificate used in Authentication
l Authentication method: Select an authentication method. Here, Every configured password and OTP factors
is selected.
3. Click Save.
4. The details for following settings are available when configuring the service provider device (e.g. FortiAnalyzer or
FortiGate).
l SP entity ID: For instance, here, the SP entity ID-
https://entcore.fortidemo.fortinet.com:20443/ztna/saml/metadata/.
l SP ACS (login) URL: For instance, here, the SP ACS (login) URL-
https://entcore.fortidemo.fortinet.com:20443/ztna/saml/login/.
l SP SLS (logout) URL: For instance, here, the SP SLS (logout) URL-
https://entcore.fortidemo.fortinet.com:20443/ztna/saml/logout/.
SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL must match their respective
configurations on the service provider device side, e.g., FortiGate.
See Creating a new SAML user and server on page 14.
5. Click OK.
FortiGate
Before proceeding, ensure that system settings are up to date. See System settings on page
7.
The FortiGate appliance is the Gateway to your network, therefore, securing remote access, whether to the appliance
itself (administration) or the network behind it (VPN), is critical.
FortiOS supports native two-factor authentication using FortiToken, however, to use two-factor authentication on
multiple FortiGate devices, you should use a FortiAuthenticator to enable strong authentication.
SAML is used for exchanging authentication and authorization data between an identity provider (IdP) and a service
provider (SP), such as Google Apps, Office 365, and Salesforce. FortiAuthenticator can be configured as an IdP,
providing trust relationship authentication for unauthenticated users trying to access an SP.
One advantage of SAML authentication is that two-factor authentication can be provided by the SAML Identity Provider
(IdP).
This chapter demonstrates using FortiAuthenticator as the IdP and applying 2FA to user authentication for remote users
accessing Web, RDP, and SSH resources over the Zero-trust network access (ZTNA) Access Proxy.
Topology
In this topology, FortiAuthenticator integrates with Active Directory on the Windows Domain Controller, which is also
acting as the EMS server. Users are sync’d from the AD to FortiAuthenticator, and the remote users are configured with
token-based authentication. SAML authentication is configured on the FortiGate, pointing to the FortiAuthenticator as
the SAML IdP. The SAML server is applied to the ZTNA Access Proxy authentication scheme and rule to provide the
foundation for applying user authentication on individual ZTNA rules.
On the FortiGate, a SAML user is used to define the SAML SP and IdP settings. The SAML user is then applied to the
ZTNA proxy using authentication scheme, rule and settings.
For end users to reach the FortiGate SP’s captive portal, a ZTNA server is created to access the SAML SP service.
Finally, the SAML user needs to be added to a ZTNA rule to trigger authentication when accessing the ZTNA access
proxy.
This chapter assumes that the FortiGate EMS fabric connector is already successfully
connected.
1. Configuring FortiAuthenticator as a remote authentication LDAP server, importing remote LDAP user with 2FA, and
setting up a realm:
a. Configuring the remote LDAP authentication server on page 7
b. Importing a remote LDAP user and registering a token on page 8
c. Creating a realm for the remote LDAP server on page 9
2. Configuring a SAML IdP and a service provider:
a. Configuring FortiAuthenticator as an identity provider (IdP) on page 10
b. Configuring FortiAuthenticator SP settings on page 11
3. Configuring the FortiGate SAML related settings:
a. Creating a new SAML user and server on page 14
b. Applying the SAML server to proxy authentication on page 15
c. Configuring ZTNA access proxy to allow SAML authentication requests to SP on page 16
d. Configuring VIP and firewall policy to forward IdP authentication traffic to FortiAuthenticator on page 18
Also, see the example implementations.
l The URLs used in the SAML user settings are the same ones defined on the FortiAuthenticator. See
Configuring FortiAuthenticator SP settings on page 11.
2. Enter the following commands to add the SAML user object to a new user group:
config user group
edit "ztna-users"
set member "su-ztna"
next
end
1. Enter the following commands to apply the SAML server to an authentication scheme:
config authentication scheme
edit "saml-scheme"
set method saml
set saml-server "su-ztna"
next
end
2. Enter the following commands to apply the authentication scheme to an authentication rule:
config authentication rule
edit "saml-rule"
set srcintf "any"
set srcaddr "all"
set ip-based disable
set active-auth-method "saml-scheme"
set web-auth-cookie enable
next
end
3. Enter the following command to configure the active-auth-scheme and the captive portal:
config firewall address
edit "entcore.fortidemo.fortinet.com"
set type fqdn
set fqdn "entcore.fortidemo.fortinet.com"
next
end
config authentication setting
set active-auth-scheme "saml-scheme"
set captive-portal "entcore.fortidemo.fortinet.com"
end
The captive portal is used to serve the login page for the SAML requests.
Besides configuring the captive portal in the proxy authentication settings, you must also
publish the SAML SP URLs through the ZTNA access proxy.
1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Click Create New.
The New ZTNA Server window opens.
3. In the New ZTNA Server window, enter the following information:
l Name: Enter a name for the server. Here, the Name is ZTNA-access.
l External interface: From the dropdown, search for an external interface. Here any is selected.
l External port: Enter an external port number. Here, the External port is 20443.
l Default certificate: From the dropdown, search for a default certificate. Here the Default certificate is
FortiDemo.
4. Click OK to continue.
To map the access-proxy configurations to the SAML server from the CLI:
edit 1
set service samlsp
set saml-server "su-ztna"
next
end
next
end
1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Click Create New.
The New ZTNA Rule window opens.
3. In the New ZTNA Rule window, enter the following information:
l Name: Enter a name for the rule. Here, the Name is ZTNA-Rule.
l Source (Address): Select a source address. Here, the Source(Address) is all.
l Source (User): Select a user source. Here, the Source(User) is ztna-users.
l ZTNA Server: From the dropdown, select the ZTNA server. Here, the ZTNA Server is the previously created
server ZTNA-access.
l Action: Select an action. Here, Accept is selected.
4. Click OK to save changes.
1. Go to Policy & Objects > Firewall Policy and click Create New.
The New Policy window opens.
Remote clients connect to the FortiAuthenticator IdP behind the FortiGate using a VIP. Here, users connect to the FQDN
fac.fortidemo.fortinet.com, which resolves to the external IP address of the VIP.
1. Go to Policy & Objects > Firewall Policy and click create new.
The New Policy window opens.
2. In the New Policy window, enter the following information:
l Name: Enter a name for the firewall policy. Here, the policy name is WAN to FAC.
l ZTNA: Disable ZTNA.
l Incoming Interface: Select an incoming interface. Here, any is selected.
l Outgoing Interface: Select an outgoing interface. Here, any is selected.
This completes the authentication settings for FortiGate to provide SAML two-factor authentication.
Examples
1. Applying SAML and 2FA to ZTNA HTTPS access proxy example on page 21
2. Applying SAML and 2FA to a ZTNA TCP forwarding access proxy for RDP connections example on page 23
3. Applying SAML and 2FA to a ZTNA SSH access proxy example on page 25
In this HTTPS access proxy example, two real servers are implemented with round robin load balancing performed
between them.
The HTTPS access proxy is configured on the same ZTNA server as was configured in the authentication step. The
same ZTNA rule and firewall policy also apply. See Configuring ZTNA access proxy to allow SAML authentication
requests to SP on page 16.
To configure the ZTNA server for HTTPS access proxy with load balancing:
1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Edit the ZTNA-access server.
3. In the Service/server mapping table, click Create New:
a. Set Virtual Host to Any Host.
b. In the Servers table click Create New:
i. Set IP to 10.100.77.200.
ii. Set Port to 443.
iii. Set Status to Active.
iv. Click OK.
c. Create a second server with IP 10.100.77.202.
d. Click OK.
4. Click OK.
The default load balancing algorithm is round-robin.
From the remote endpoint, user John Locus attempts to connect to the Finance server over ZTNA:
1. On the remote Windows computer, open FortiClient and register to the EMS server.
2. Open a browser and attempt to connect to the web server at https://ztna.fortidemo.fortinet.com:20443.
3. Device authentication prompts the user for their device certificate. Select the certificate issued by EMS and click
OK.
4. FortiGate receives the SAML request and redirects the user to the IdP login screen. Enter the username and
password for John Locus and click Login.
5. A second prompt opens asking for the Token Code. Enter the code then click Verify.
6. The FortiAuthenticator IdP verifies the login, then sends the SAML assertion back to the user.
7. The browser redirects the assertion to the FortiGate SP, which decides if the user is allowed access.
8. On a successful log in, FortiGate redirects the user to the web page that they are trying to access.
On the FortiGate, a successful connection can be seen in Log & Report > Forward Traffic log, or by using the CLI:
# execute log filter category 0
# execute log filter field srcip 10.100.66.103
# execute log display
...
1: date=2021-08-25 time=23:34:15 eventtime=1629959656098675227 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.100.66.103 srcport=51341 srcintf="port1" srcintfrole="wan"
dstcountry="Reserved" srccountry="Reserved" dstip=10.100.77.202 dstport=443
dstintf="root" dstintfrole="undefined" sessionid=3396047 srcuuid="d8dd134a-0517-51ec-
2ff0-3032b84564e7" service="HTTPS" proto=6 action="accept" policyid=1
policytype="proxy-policy" poluuid="256bb090-0518-51ec-f431-5dcc0baa725b"
policyname="ZTNA-Rule" duration=16 user="johnlocus" group="ztna-users" wanin=2837
rcvdbyte=2837 wanout=1495 lanin=2581 sentbyte=2581 lanout=5505 appcat="unscanned"
2: date=2021-08-25 time=23:34:04 eventtime=1629959645171823879 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.100.66.103 srcport=62691 srcintf="port1" srcintfrole="wan"
dstcountry="Reserved" srccountry="Reserved" dstip=10.100.77.200 dstport=443
dstintf="root" dstintfrole="undefined" sessionid=3396036 srcuuid="d8dd134a-0517-51ec-
2ff0-3032b84564e7" service="HTTPS" proto=6 action="accept" policyid=1
policytype="proxy-policy" poluuid="256bb090-0518-51ec-f431-5dcc0baa725b"
policyname="ZTNA-Rule" duration=5 user="johnlocus" group="ztna-users" wanin=2837
rcvdbyte=2837 wanout=1546 lanin=1576 sentbyte=1576 lanout=1033 appcat="unscanned"
...
4: date=2021-08-25 time=23:29:21 eventtime=1629959362319670887 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.100.66.103 srcport=62107 srcintf="port1" srcintfrole="wan"
dstcountry="Reserved" srccountry="Reserved" dstip=10.100.64.201 dstport=20443
dstintf="root" dstintfrole="undefined" sessionid=3388350 srcuuid="d8dd134a-0517-51ec-
2ff0-3032b84564e7" service="tcp/20443" proto=6 action="accept" policyid=41
policytype="policy" poluuid="256d6bd8-0518-51ec-7b6a-18df00b82da3" policyname="ZTNA
Policy" duration=1 user="johnlocus" authserver="su-ztna" wanin=0 rcvdbyte=0 wanout=0
lanin=14246 sentbyte=14246 lanout=993 appcat="unscanned"
Log number four shows that the session was first allowed through the ZTNA firewall policy. Log numbers one and two
show the traffic allowed through the ZTNA proxy-policy over two successive sessions. Note that they have different
destination IP addresses (dstip), indicating that ZTNA was performing server load balancing.
Use the following command to show if the FortiGate's WAD process has an active record of the SAML user login:
# diagnose wad user list
Applying SAML and 2FA to a ZTNA TCP forwarding access proxy for RDP
connections - example
In this TCP forwarding access proxy example, RDP connections are allowed to be forwarded to the Windows/EMS
server.
Traffic to TCP/3389 is allowed through the ZTNA proxy.
Name EMS-Server
Type Subnet
IP/Netmask 10.100.88.5/32
Interface any
c. Click OK.
2. Add new server mappings to the existing access proxy configurations:
config firewall access-proxy
edit "ZTNA-access"
config api-gateway
edit 3
set url-map "tcp"
set service tcp-forwarding
config realservers
edit 1
set address "EMS-Server"
set mappedport 3389
set type tcp-forwarding
next
end
next
end
next
end
On the remote endpoint, manually configure ZTNA connection rules to forward RDP traffic to the ZTNA access proxy.
The rules can also be pushed from the EMS server; for details see Provisioning ZTNA TCP forwarding rules via EMS.
Mode Transparent
Encryption Disabled
Encryption can be enabled or disabled. When it is disabled, the client to
access proxy connection is not encrypted in HTTPS. Because RDP is
encrypted by default, disabling Encryption does not reduce security.
5. Click Create.
On the FortiGate, a successful connection can be seen in Log & Report > Forward Traffic log, or by using the CLI:
#execute log filter category 0
# execute log filter field srcip 10.100.66.103
# execute log display
...
3: date=2021-08-25 time=23:05:52 eventtime=1629957952722272222 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.100.66.103 srcport=59980 srcintf="port1" srcintfrole="wan"
dstcountry="Reserved" srccountry="Reserved" dstip=10.100.88.5 dstport=3389
dstintf="root" dstintfrole="undefined" sessionid=3349083 srcuuid="d8dd134a-0517-51ec-
2ff0-3032b84564e7" service="RDP" proto=6 action="accept" policyid=1 policytype="proxy-
policy" poluuid="256bb090-0518-51ec-f431-5dcc0baa725b" policyname="ZTNA-Rule"
duration=8 user="johnlocus" group="ztna-users" wanin=0 rcvdbyte=0 wanout=0 lanin=1444
sentbyte=1444 lanout=665 appcat="unscanned"
Use the following command to show if the FortiGate's WAD process has an active record of the SAML user login:
#diagnose wad user list
In this SSH access proxy example, SSH connections can be forwarded to the web server.
Name Web-Server1
Type Subnet
IP/Netmask 10.100.77.101/32
Interface any
c. Click OK.
2. Add new server mappings to the existing access proxy configurations:
config firewall access-proxy
edit "ZTNA-access"
config api-gateway
edit 3
config realservers
edit 1
set address "Web-Server1"
set mappedport 22
set type ssh
next
end
next
end
next
end
On the remote endpoint, manually configure ZTNA connection rules to forward SSH traffic to the ZTNA access proxy.
The rules can also be pushed from the EMS server; for details see Provisioning ZTNA TCP forwarding rules via EMS.
Mode Transparent
Encryption Disabled
5. Click Create.
On the FortiGate, a successful connection can be seen in Log & Report > Forward Traffic log, or by using the CLI:
Use the following command to show if the FortiGate's WAD process has an active record of the SAML user login:
# diagnose wad user list
FortiManager
Before proceeding, ensure that you have configured SAML settings on the FortiAuthenticator.
See Configuring SAML settings on page 10.
1. Go to System Settings > Admin > Administrators, and click Create New.
2. Configure the administrator account settings, and click OK.
l Prefix: Enter the prefix that was created during SP configuration on FortiAuthenticator.
l IdP Certificate: Import and select the certificate that was chosen during FortiAuthenticator setup.
4. Select OK.
The following settings are required for service provider configuration on FortiAuthenticator.
l SP Entity ID
Results
When the administrator visits the SP IP address of FQDN, they will see an additional option on the login screen to sign in
using SSO.
FortiAnalyzer
Before proceeding, ensure that you have configured SAML settings on the FortiAuthenticator.
See Configuring SAML settings on page 10.
1. Go to System Settings > Admin > Administrators, and click Create New.
2. Configure the administrator account settings, and click OK.
In order to complete the following configuration, you will need to simultaneously configure the SAML SP settings on the
FortiAuthenticator. This is because some fields required for configuring SP settings on the FortiAuthenticator are only
available when configuring the SAML settings on the FortiAnalyzer.
See Configuring FortiAuthenticator SP settings on page 11.
l Prefix: Enter the prefix that was created during SP configuration on FortiAuthenticator.
l IdP Certificate: Import and select the certificate that was chosen during FortiAuthenticator setup.
4. Select OK.
Make note of the following settings, as they are required during SP configuration on
FortiAuthenticator.
l SP Entity ID
Results
When the administrator visits the SP IP address of FQDN, they will see an additional option on the login screen to sign in
using SSO.
After completing FortiAuthenticator setup, please consult the vendor's documentation for information about configuring
your third-party device as a SP.
Most third-party SP configurations require the following information:
l A public certificate from the IdP to validate signature.
The signature is stored on the SP side and used when a SAML response arrives.
l The ACS URL from the SP where SAML responses are posted.
l The IdP Sign-in URL where SAML requests are posted.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.