sfernando
Staff
July 28, 2025

Technical Tip: Importance of using external metadata file in SAML configuration in FortiAuthenticator

Description
This article describes the importance of using a metadata file when configuring SAML on FortiAuthenticator.

Scope
FortiAuthenticator SAML.

Solution

There are cases where FortiAuthenticator acts as an IDP (Identity Provider) or as an SP (Service Provider). In either role, the details of the external SP or IDP must be configured on FortiAuthenticator.

The most common way of doing this is to copy and paste the values by hand, but that leaves room for mismatches.

Even a minor error will stop SAML from working as expected and cause errors: the external entity may differ in the exact URLs, certificates, and similar details from what was typed in.

It is therefore recommended to use the metadata file provided by the relevant SP or IDP to upload the external IDP or SP details to FortiAuthenticator.

This will minimize SAML configuration issues in FortiAuthenticator.

 

Below are two screenshots from FortiAuthenticator, one for the SP configuration and one for the IDP configuration:

[Screenshot: SAML-IDP.jpg]

[Screenshot: SAML-SP.jpg]

Additionally, the SP metadata XML file should look like the example below to avoid errors:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2025-04-26T08:04:05Z"
                     cacheDuration="PT604800S"
                     entityID="testSP">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
                      WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="http://send.assertions.here.suba.cz.HTTP-POST.suba.cz/ACS"
                                 index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
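The mismatches this article warns about (a stray trailing slash in the ACS URL, a NameID format chosen from the wrong drop-down, certificate text re-wrapped while pasting) are exactly what a metadata file avoids, and they can also be caught mechanically. The Python below is an added example, not FortiAuthenticator's or Fortinet's code: it parses an SP metadata file of the shape shown above with the standard library, extracts the fields an IDP needs, flags a validUntil that has already passed, and diffs the result against a hand-typed configuration. The sample metadata and the manual configuration are constructed for the example; the certificate body is a placeholder, not a real certificate. Two caveats it makes visible: a file that declares AuthnRequestsSigned="true" would normally also carry a KeyDescriptor with the SP's signing certificate so the IDP can verify the requests (the constructed sample includes one, the article's sample does not), and a metadata consumer that honours validUntil will reject a file whose date has passed, so always ask the peer for a current export.

```python
"""Parse SAML 2.0 SP metadata and diff it against a hand-typed configuration,
flagging the mismatches that copy-and-paste tends to introduce.

Added example, not FortiAuthenticator code. SAMPLE_SP_METADATA is a constructed
file in the shape shown in the article; MANUAL_CONFIG is a constructed
hand-typed configuration seeded with typical transcription errors.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata (the certificate body is a placeholder, not a real cert).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2025-04-26T08:04:05Z" cacheDuration="PT604800S" entityID="testSP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Certificate>
          PLACEHOLDERCERTPART1
          PLACEHOLDERCERTPART2
        </ds:X509Certificate>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/ACS" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed hand-typed values: the trailing slash on the ACS URL and the
# different NameID format are real mismatches; the re-wrapped certificate is not.
MANUAL_CONFIG = {
    "entityID": "testSP",
    "acs_url": "https://sp.example.test/saml/ACS/",
    "acs_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "signing_cert": "PLACEHOLDERCERT\nPART1PLACEHOLDER\nCERTPART2",
}


def _norm_cert(text: str) -> str:
    # Base64 line wrapping differs between tools; compare the bare content only.
    return "".join(text.split())


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the fields an IDP needs from SP metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:SPSSODescriptor", NS)
    if sso is None:
        raise ValueError("not SP metadata: SPSSODescriptor missing")
    acs_list = sso.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("SPSSODescriptor has no AssertionConsumerService")
    # isDefault is optional in the schema, so fall back to the lowest index.
    acs = min(acs_list, key=lambda e: int(e.get("index", "0")))
    nameid = sso.find("md:NameIDFormat", NS)
    certs = sso.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Certificate", NS)
    valid_until = root.get("validUntil")
    if valid_until:
        valid_until = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")
        valid_until = valid_until.replace(tzinfo=timezone.utc)
    return {
        "entityID": root.get("entityID"),
        "valid_until": valid_until,
        "authn_requests_signed": sso.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sso.get("WantAssertionsSigned") == "true",
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "nameid_format": nameid.text.strip() if nameid is not None and nameid.text else None,
        "signing_cert": _norm_cert(certs[0].text) if certs and certs[0].text else None,
    }


def is_expired(meta: dict, now: datetime) -> bool:
    """True when validUntil is present and lies in the past relative to `now`."""
    return meta["valid_until"] is not None and now > meta["valid_until"]


def compare_with_manual(meta: dict, manual: dict) -> list:
    """Return one message per field where the typed value differs from the metadata."""
    problems = []
    for key in ("entityID", "acs_url", "acs_binding", "nameid_format"):
        if meta.get(key) != manual.get(key):
            problems.append(f"{key}: metadata={meta.get(key)!r} manual={manual.get(key)!r}")
    if meta.get("signing_cert") and _norm_cert(manual.get("signing_cert", "")) != meta["signing_cert"]:
        problems.append("signing_cert: certificate content differs")
    return problems


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_SP_METADATA)
    for line in compare_with_manual(meta, MANUAL_CONFIG):
        print("MISMATCH", line)
    if is_expired(meta, datetime.now(timezone.utc)):
        print("WARNING: validUntil has passed; request a fresh metadata file from the SP")
```

Run as a script it reports the two real mismatches and, because the constructed validUntil is in the past, the expiry warning; the whitespace-only difference in the certificate is deliberately not reported, since that is the one paste difference that does not change the key material. Feeding the function a file exported by the SP and a dump of what was typed into FortiAuthenticator gives the same check against a real configuration.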