FortiGate
agrakov (Staff)

Description

This article describes the scenarios in which users need to download the FortiGate SP (service provider) SAML metadata in order to apply it on the IdP side, and the CLI commands that print it.

Scope

FortiGate, firmware 7.0.1+ (to check the metadata for SSL-VPN).
FortiGate, firmware 6.4.0+ (to check the metadata for admin access).
Solution

To check the metadata for SSL VPN (FortiGate as SP):

(root)# diagnose vpn ssl saml-metadata "YOUR SAML"


Example output:

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://FortiGate IP/FQDN:port/remote/saml/metadata?realm=ADFS-SAML/">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://FortiGate IP/FQDN:port/remote/saml/login?realm=ADFS-SAML/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://FortiGate IP/FQDN:port/remote/saml/logout?realm=ADFS-SAML/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>


To check the metadata for admin access (FortiGate as SP):

(global)# di sys saml metadata

Example output:

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://FortiGate IP/FQDN:port/metadata/">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>...
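Added example (not from the article or from Fortinet): a Python helper that parses the SP metadata printed by either command above, extracts the values an IdP administrator has to enter (entityID, ACS and SLO URLs, NameID format), and flags points to review before importing it into the IdP: any endpoint that is not https, and an AuthnRequestsSigned="true" claim that is not backed by a published signing certificate. The embedded sample is the SSL-VPN output with the constructed placeholder host fgt.example.com:10443.

```python
# Added example (not from the Fortinet article): parse FortiGate SP metadata
# and list what the IdP admin needs, plus review findings.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Constructed sample: the article's SSL-VPN output with a placeholder host.
SSLVPN_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://fgt.example.com:10443/remote/saml/metadata?realm=ADFS-SAML/">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fgt.example.com:10443/remote/saml/login?realm=ADFS-SAML/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fgt.example.com:10443/remote/saml/logout?realm=ADFS-SAML/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the SP values an IdP needs and flag points to review before import."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    info = {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "nameid_format": sp.findtext("md:NameIDFormat", namespaces=NS),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "signing_certs": len(sp.findall(CERT_PATH, NS)),
        "findings": [],
    }
    # Review findings: every endpoint should be https, and a signed-request
    # claim is only useful if the signing certificate is actually published.
    for key in ("entity_id", "acs_url", "slo_url"):
        if info[key] and not info[key].startswith("https://"):
            info["findings"].append(f"{key} is not https: {info[key]}")
    if info["authn_requests_signed"] and info["signing_certs"] == 0:
        info["findings"].append("AuthnRequestsSigned=true but no signing certificate")
    elif not info["authn_requests_signed"]:
        info["findings"].append("AuthnRequests unsigned; IdP cannot verify who sent them")
    return info
```

Run it against the output of the admin-access command as well: that metadata advertises AuthnRequestsSigned="true" with a KeyDescriptor, so the certificate count should be 1, while its http:// entityID is reported as a finding.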