Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
agrakov
Staff
Staff

Created on ‎06-28-2022 12:22 PM Edited on ‎09-25-2023 09:12 PM By Community Manager

Article Id 216160

Technical Tip: How to check metadata for SAML authentication

Description

This article describes scenarios where users may need to download metadata to apply it on the IdP side.
Scope FortiGate firmware 7.0.1+ (to check the metadata for SSL-VPN).
FortiGate firmware 6.4.0+ (to check the metadata for admin access).
Solution

To check the metadata for SSL VPN (FortiGate as SP), run the following in the CLI:


diag vpn ssl saml-metadata "<SAML HERE>"


Example output:


<?xml version="1.0"?>

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://FortiGate IP/FQDN:port/remote/saml/metadatarealm=ADFS-SAML/">

  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://FortiGate IP/FQDN:port/remote/saml/login?realm=ADFS-SAML/"/>

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://FortiGate IP/FQDN:port/remote/saml/logout?realm=ADFS-SAML/"/>

    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>

  </SPSSODescriptor>

</EntityDescriptor>


To check the metadata for admin access (FortiGate as SP), run the following command:

 

diag sys saml metadata

 

Example output:

 

<?xml version="1.0"?>

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://FortiGate IP/FQDN:port/metadata/">

  <SPSSODescriptor AuthnRequestsSigned="true" WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <KeyDescriptor use="signing">

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

<X509Data>

<X509Certificate>MIIGMzCCBRugAwIBAgIMRGOxmgw6BWgidNRcMA0GCSqGSIb3DQEBCwUAMEwxCzAJ

BgNVBAYTAkJdMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB

bHBoYVNtTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTIxMDQxOTEzMzQxNloXDTIyMDUy

MTEzMzQxNlowFzEVMBMGA1UEAwwMKi5ncmFrb3YubmV0MIIBIjANBgkqhkiG9w0B

AQEFAAOCAQ8AMIIBCgKCAQEAs+gyQEFqqd

.

.

.
4784
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.