Technical Tip: Configuring Authentik as SAML provider for FortiOS admins

Authentik is a self-hosted, open source identity provider that can be configured as a SAML identity provider.

Configure the following to connect it with FortOS.

Authentik Configuration:

Begin by logging in as an administrator in Authentik.

1. Create a Custom SAML Property Mapping in Authentik.

• Navigate to Customization -> Property Mappings -> Create.
• Select SAML Provider Property Mapping.
• Use the following settings:
  
  • Name: fgt.username.
  • SAML Attribute Name: username.
  • Expression: return request.user.email.

Property mapping example.

2. Create the application and provider pair.

• Navigate to Applications -> Providers -> Create and enter the following settings:
  
  • Type: SAML Provider.
  • Name: fortigate.
  • ACS URL: https://fortigate.tld/saml/?acs
  • Issuer: https://authentik.tld
  • Audience: https://fortigate.tld/metadata
  • Service Provider Binding: Post.
• For Advanced Protocol Settings, add the Property Mapping above and select the desired Signing Certificate.
  
  

  Provider example.

• Note for firmware v7.6.4+: 
  • As of v7.6.4, FortiOS requires that the SAML response be signed.
  • Ensure that in the settings to check 'Sign Responses'.

Enable responses to be signed.

Application Settings:

• Name: fortigate_app.
• Slug: fortigate_admin.
• Provider: Select Provider from the above.

After creation, configure the required user/group bindings.

Application example.

FortiGate Configuration:

Begin by logging in as a current admin to the FortiGate.

Navigate to Security Fabric -> Fabric Connectors -> Security Fabric Setup -> Single Sign-On Settings.

• Mode: Service Provider (SP).
• SP address: fortigate.tld.
• SP certificate: optional.
• Default admin profile: desired admin profile.
• IdP type: Custom.
• IdP certificate: exported certificate from authentic (System -> Certificates).

• IdP entity ID: https://authentik.tld/

• IdP single sign-on URL: https://authentik.tld/application/saml/fortigate_admin/sso/binding/redirect/

• IdP single logout URL: https://authentik.tld/application/saml/fortigate_admin/slo/binding/redirect/

Note: In the sign-on and logout URLs, the slug 'fortigate_admin' from above is configured.

FortiGate SSO Example.

After configuration is complete, log out and log back in with the SAML identity to confirm that it is working as expected.

A new SSO entry will be listed under System -> Administrators.

Newly created SSO admin