Description
This article explains SAML authentication basics in an easily understood manner.
Scope
FortiGate, FortiProxy, FortiAuthenticator.
Solution
SAML (Security Assertion Markup Language) is an XML-based standard, developed to exchange authentication and authorization data between an Identity Provider (commonly abbreviated IdP) and a Service Provider (commonly abbreviated SP).
A Service Provider may for example be a VPN gateway, firewall, or web application requiring the user to be authenticated.
An Identity Provider is an authentication server; this may be FortiAuthenticator, Google, Entra ID, Okta, or similar.
A unique feature of SAML is that the user authenticates to the Identity Provider directly, and the user’s credentials do not pass through the service/application/gateway the user is authenticating. Authentication typically happens in a browser.
There are two authentication flows:
- SP-initiated: The user connects to the Service Provider, like a VPN tunnel, and the Service Provider directs to the Identity Provider for authentication. This is a more common use case.
- IdP-initiated: The user connects to the Identity Provider, and after authentication, is directed to (or able to choose a) Service Provider (like a website or specific application).
This article focuses on SP-initiated authentication.
SAML functions broadly as follows:
- The user accesses the Service Provider (via FortiClient, browser, third-party web applications, etc.).
- The Service Provider points the user (client application) to the Identity Provider.
- The Identity Provider asks for the user and Service Provider details.
Note:
The Identity Provider needs to know which Service Provider redirected the user to ensure only valid requests from known Service Providers are handled.
- The user (client application) provides credentials and other relevant information to the Identity Provider.
Note:
The credentials are not sent via SAML itself but are entered into a website hosted by the Identity Provider. If the connecting client is not a browser (for example, FortiClient), then the client application will launch an inbuilt or external browser window to submit the credentials.
- The Identity Provider processes credentials and looks up other relevant information, like group memberships, second-factor authentication, etc.
- The Identity Provider accepts credentials, generates a SAML response that includes details about the Identity Provider, and assigns a cookie.
Note:
The cookie is stored in the browser and used if a Service Provider redirects to the Identity Provider again. Instead of having to authenticate again, the user (client application) presents the cookie, and the Identity Provider behaves the same as if authentication were successful. The cookie will usually have a valid duration of a few hours only.
- The user (client application) presents the SAML response to the Service Provider.
- If everything is in order (correct group memberships, for example), the Service Provider accepts the user.
Related documents:
Fortinet Cyberglossary: Security Assertion Markup Language (SAML)
FortiAuthenticator Documentation: SAML IdP
ipsec-vpn-saml-based-authentication
FortiGate Documentation: Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP
Troubleshooting Tip: How to troubleshoot SAML authentication
FortiGate Documentation: ZTNA proxy access with SAML authentication example
