Skip to main content
80211WiGuy
80211WiGuy
Explorer III
February 6, 2024
Question

SAML IdP - Sending specific asertion attribute (role) to SP based on user LDAP group membership

  • February 6, 2024
  • 2 replies
  • 2711 views

Hey Gang,

I'm not really sure what the right terminology is for this but I expect its a pretty common request.  We've created a few special groups in LDAP and dropped users into those various groups.  Based on the user's group membership, we want to send a single relevant role back to the SP when the user logs in via SAML.  FAC pulls the user groups from LDAP just fine for all our other use cases but we've never had to restrict down which groups are provided in auth responses, and we're not sure if the LDAP group being directly provided to the SP is best practice.  Right now when we chose LDAP group as role, the response sent to the SP is all groups a user is a member of which doesn't work for our purposes, nor does it seem secure/private to provide all that irrelevant info.

 

Are there any best practice guides floating around for this sort of use case?

2 replies

rbraha
Staff
rbraha
Staff
February 7, 2024

Hi @80211WiGuy 

You can achieve this by configuring CN of the Group on FGT and on FAC side you can configure as assertion attribute  Ldap group membership.

 

111.png

 

    80211WiGuy
    80211WiGuyAuthor
    Explorer III
    February 7, 2024

    Hi RB,

    Sorry, I dont understand why the FGT is involved here.  We are trying to solve a FAC SAML IdP and Service Provider authentication issue.  The user would not even be behind a FGT if they were trying to authenticate to the Service Provider from home.

    Hatibi
    Staff & Editor
    Hatibi
    Staff & Editor
    February 8, 2024

    Hi 80211WiGuy,

     

    if the requirement is to send a single relevant role back to the SP then you might check the option of using attributes from a remote RADIUS server.

     

     

    FortiAuthenticator can include attributes returned by the remote RADIUS servers into assertions returned by the SAML IdP.

    There is a new option in the GUI to configure a SAML assertion containing the value of a RADIUS attribute:

    • A new RADIUS attribute user attribute is available when you create an assertion attribute for a SAML service provider in Authentication > SAML IdP > Service Providers.

    https://docs.fortinet.com/document/fortiauthenticator/6.3.0/release-notes/568509/whats-new#SAML_IdP__RADIUS_attributes_for_assertions

     

    Description in the Service Providers tab:

    https://docs.fortinet.com/document/fortiauthenticator/6.6.0/administration-guide/19212/service-

     

    SAML Attribute:

    Remote RADIUS server:

    • RADIUS attribute

    When RADIUS attribute is selected as the User attribute, the following additional settings are available in the Create New Assertion Attribute dialog:

    • Vendor: The RADIUS vendor name.

    • Attribute ID: The attribute within the vendor's RADIUS dictionary.

     

    Regards

      80211WiGuy
      80211WiGuyAuthor
      Explorer III
      February 8, 2024

      Thanks Sx11, we'll assess if this is a possibility.

      Terms & ConditionsAccessibility statement