Authentik is a self-hosted, open source identity provider that can be configured as a SAML identify provider.

Configure the following in order to connect it with FortOS.

Authentik Configuration:

Begin by logging in as an administrator in authentik.

1. Create a Custom SAML Property Mapping in authentik.

• Navigate to Customization -> Property Mappings -> Create.
• Select SAML Provider Property Mapping.
• Use the following settings:
  
  • Name: fgt.username
  • SAML Attribute Name: username
  • Expression: return request.user.email

Property mapping example.

2. Create the application and provider pair.

• Navigate to Applications -> Providers -> Create and enter the following settings:
  
  • Type: SAML Provider.
  • Name: fortigate
  • ACS URL: https://fortigate.tld/saml/?acs
  • Issuer: https://authentik.tld
  • Audience: https://fortigate.tld/metadata
  • Service Provider Binding: Post
• For Advanced Protocol Settings, add the Property Mapping above and select the desired Signing Certificate.

Provider example.

Application Settings:

• Name: fortigate_app
• Slug: fortigate_admin
• Provider: Select Provider from the above.

After creation, configure the required user/group bindings.

Application example.

FortiGate Configuration:

Begin by logging in as a current admin to the FortiGate.

Navigate to Security Fabric -> Fabric Connectors -> Security Fabric Setup -> Single Sign-On Settings.

• Mode: Service Provider (SP)
• SP address: fortigate.tld
• SP certificate: optional
• Default admin profile: desired admin profile
• IdP type: Custom
• IdP certificate: exported certificate from authentic (System -> Certificates)

• IdP entity ID: https://authentik.tld/

• IdP single sign-on URL: https://authentik.tld/application/saml/fortigate_admin/sso/binding/redirect/

• IdP single logout URL: https://authentik.tld/application/saml/fortigate_admin/slo/binding/redirect/

Note: In the sign-on and logout URLs, the slug 'fortigate_admin' from above is configured.

FortiGate SSO Example.

After configuration is complete, log out and log back in with the SAML identity to confirm that it is working as expected.

A new SSO entry will be listed under System -> Administrators.

Newly created SSO admin