FortiGate
agrakov
Staff
Article Id 216160

Description

This article describes how to retrieve the SAML Service Provider (SP) metadata that FortiGate generates for SSL VPN and for administrator login, so that it can be imported or entered on the Identity Provider (IdP) side.

Scope

FortiGate v7.0.1 and later (SSL VPN metadata), v6.4.0 and later (administrator access metadata).

Solution

To check the metadata for SSL VPN (FortiGate as SP), run the following in the CLI, where <SAML server name> is the name of the SAML server object configured under 'config user saml':


diag vpn ssl saml-metadata "<SAML server name>"


Example output:


<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://FortiGate IP/FQDN:port/remote/saml/metadata?realm=ADFS-SAML/">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://FortiGate IP/FQDN:port/remote/saml/login?realm=ADFS-SAML/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://FortiGate IP/FQDN:port/remote/saml/logout?realm=ADFS-SAML/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>


Note: the IdP must be given the entityID, the AssertionConsumerService Location and the SingleLogoutService Location exactly as printed, including scheme, port, the realm query string and the trailing slash. Any difference causes the FortiGate to reject the assertion (audience or destination mismatch) or the IdP to post it to the wrong URL.

To check the metadata for admin access (FortiGate as SP), run the following command:


diag sys saml metadata


Example output:

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://FortiGate IP/FQDN:port/metadata/">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIGMzCCBRugAwIBAgIMRGOxmgw6BWgidNRcMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
BgNVBAYTAkJdMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB
bHBoYVNtTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTIxMDQxOTEzMzQxNloXDTIyMDUy
MTEzMzQxNlowFzEVMBMGA1UEAwwMKi5ncmFrb3YubmV0MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAs+gyQEFqqd
...

The certificate is truncated here; the IdP needs the complete value. Two points differ from the SSL VPN metadata: the entityID uses the http scheme and the /metadata/ path (it is an identifier the IdP compares, not a URL it fetches, so enter it exactly as printed, scheme and trailing slash included), and AuthnRequestsSigned="true" means the FortiGate signs its AuthnRequests with the certificate in the KeyDescriptor. An IdP that verifies request signatures needs that certificate, so import the metadata as a whole, or copy the entire X509Certificate value, rather than only the URLs.
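Before pasting either output into an IdP it is worth parsing it and checking the things that most often go wrong: a placeholder host left in the entityID, an ACS binding the FortiGate does not consume, a missing SP certificate when requests are signed, or a certificate copied from truncated output. The following is an added example written for this article, not FortiGate code; the two sample documents are constructed to match the shape of the outputs above, and the host fgt.example.com, the ports, the realm name, the admin /saml/?acs and /saml/?sls paths and the stand-in certificate are all assumptions.

```python
# Added example (not FortiGate code): parse the SP metadata the two diag commands print and
# flag what would break the IdP import. fgt.example.com, ports, realm, admin paths: assumed.
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"            # ElementTree's {namespace}tag form
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample shaped like `diag vpn ssl saml-metadata` output for a realm.
SSLVPN_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://fgt.example.com:10443/remote/saml/metadata?realm=ADFS-SAML/">
 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <AssertionConsumerService isDefault="true" index="0" Binding="{HTTP_POST}" Location="https://fgt.example.com:10443/remote/saml/login?realm=ADFS-SAML/"/>
  <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://fgt.example.com:10443/remote/saml/logout?realm=ADFS-SAML/"/>
  <NameIDFormat>{NAMEID}</NameIDFormat>
 </SPSSODescriptor>
</EntityDescriptor>"""

# Stand-in certificate body: base64 of a minimal, complete DER SEQUENCE, not a real X.509 cert.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed sample shaped like `diag sys saml metadata` output (admin SP, signed requests).
ADMIN_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://fgt.example.com:443/metadata/">
 <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <AssertionConsumerService isDefault="true" index="0" Binding="{HTTP_POST}" Location="https://fgt.example.com:443/saml/?acs"/>
  <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://fgt.example.com:443/saml/?sls"/>
  <NameIDFormat>{NAMEID}</NameIDFormat>
 </SPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract what the IdP admin must enter: entityID, ACS, SLO, NameID format, SP cert."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{MD}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    def endpoints(tag):
        return [(e.get("Binding"), e.get("Location")) for e in sp.findall(f"{MD}{tag}")]

    certs = []
    for kd in sp.findall(f"{MD}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":          # no use attribute means both uses
            # join the 64-column base64 lines so the value decodes as one blob
            certs += ["".join(c.text.split()) for c in kd.iter(f"{DS}X509Certificate") if c.text]
    return {
        "entity_id": root.get("entityID", ""),
        "acs": endpoints("AssertionConsumerService"),
        "slo": endpoints("SingleLogoutService"),
        "nameid_formats": [n.text.strip() for n in sp.findall(f"{MD}NameIDFormat") if n.text],
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "signing_certs": certs,
    }


def der_complete(der: bytes) -> bool:
    """True if the outer DER SEQUENCE length matches the bytes present (catches a cut-off paste)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_sp_metadata(info: dict) -> list:
    """Findings that would make the IdP reject the flow or post the assertion to the wrong place."""
    findings = []
    if " " in info["entity_id"]:
        findings.append("entityID contains whitespace: the placeholder host was never replaced")
    for binding, loc in info["acs"]:
        if binding != HTTP_POST:
            findings.append(f"ACS {loc} advertises {binding}; FortiGate consumes HTTP-POST")
        if urlsplit(loc).scheme != "https":
            findings.append(f"ACS {loc} is not https: the assertion would be posted in clear")
    if info["authn_requests_signed"] and not info["signing_certs"]:
        findings.append("AuthnRequestsSigned=true but no signing certificate is published")
    for cert in info["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:                                  # binascii.Error is a ValueError
            findings.append("signing certificate is not valid base64")
            continue
        if not der_complete(der):
            findings.append("signing certificate is truncated or not DER: re-copy the whole X509Certificate value")
    if not info["slo"]:
        findings.append("no SingleLogoutService: IdP-initiated logout cannot reach the FortiGate")
    return findings
```

Run it as `info = parse_sp_metadata(open("sp.xml").read()); print(check_sp_metadata(info) or "OK")` against the real diag output saved to a file. The DER length check is what catches a certificate copied from a cut-off terminal buffer: the first 64-character line of the certificate above is valid base64 on its own, so a plain decode would pass, but its SEQUENCE header announces far more bytes than are present.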

Related documents:
SAML SSO configuration from Web GUI

SAML daemon crashing when ECC or DSA certificates are used

How to read SAML Debug output

Illustrated explanation of SAML authentication

SAML SSO for Admins - Azure as IdP

SAML SSO for Admins - JumpCloud as IdP

SAML SSO for Admins - Okta as IdP

SAML SSO with Security Fabric

Configuring SAML on FortiGate displays the error 'Cannot change this setting in SP when Security Fab...

Set up SAML admin LDAP login on Fortigate (SP) with FortiAuthenticator (IdP)

Configuring FortiGate SSO Administrators with ADFS as SAML IdP

Using single Azure Enterprise Application for multiple SAML Service Providers (SPs) for Administrato...

Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1

Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP

Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML IdP