herzogk
Staff & Editor
Article Id 412823
Description: This article describes how to configure Authentik as a SAML provider for FortiOS admin users.
Scope: FortiOS v7.2.x, v7.4.x, and v7.6.x.
Solution

Authentik is a self-hosted, open source identity provider that can be configured as a SAML identity provider.

Configure the following to connect it with FortiOS.

Authentik Configuration:

Begin by logging in as an administrator in Authentik.

  1. Create a Custom SAML Property Mapping in Authentik.
  • Navigate to Customization -> Property Mappings -> Create.
  • Select SAML Provider Property Mapping.
  • Use the following settings:
    • Name: fgt.username
    • SAML Attribute Name: username
    • Expression: return request.user.email

Property mapping example.

  2. Create the application and provider pair.
Provider Settings:
  • Navigate to Applications -> Providers -> Create and enter the following settings:
  • For Advanced Protocol Settings, add the Property Mapping above and select the desired Signing Certificate.

    Provider example.

  • Note for firmware v7.6.4+:
    • As of v7.6.4, FortiOS requires that the SAML response itself be signed.
    • Ensure that 'Sign Responses' is checked in the provider settings.

Enable responses to be signed.
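As an added check that is not part of this article: the Python helper below inspects a SAML Response (raw XML or the base64-encoded SAMLResponse form field) and reports whether the outer Response element, the embedded Assertion, or both carry a signature, which is the difference between Authentik's 'Sign assertions' and 'Sign responses' options and explains a login that fails only on v7.6.4+. The sample Responses it builds are constructed placeholders with dummy signature elements, not real Authentik output.

```python
"""Report where an Authentik SAML Response is signed.
FortiOS v7.6.4+ rejects a Response whose outer <samlp:Response> has no
<ds:Signature>, even when the inner <saml:Assertion> is signed (Authentik
'Sign assertions' on, 'Sign responses' off). Constructed example, not FortiOS code."""
import base64
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Placeholder signature element; a real one carries SignedInfo/SignatureValue/KeyInfo.
SIG = f'<ds:Signature xmlns:ds="{NS_DS}"><ds:SignatureValue>x</ds:SignatureValue></ds:Signature>'

def sample_response(sign_response, sign_assertion, b64=False):
    """Constructed minimal Response for demonstration, not real Authentik output."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="_r1" Version="2.0">'
        '<saml:Issuer>authentik</saml:Issuer>'
        f'{SIG if sign_response else ""}'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>authentik</saml:Issuer>'
        f'{SIG if sign_assertion else ""}'
        '<saml:AttributeStatement><saml:Attribute Name="username">'
        '<saml:AttributeValue>admin@example.com</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
    ).encode()
    return base64.b64encode(xml) if b64 else xml

def inspect_saml_response(raw):
    """Accept raw XML or the base64 SAMLResponse form field and report where the
    signatures sit plus the 'username' attribute FortiOS maps to the admin name."""
    data = raw.encode() if isinstance(raw, str) else raw
    if not data.lstrip().startswith(b"<"):
        data = base64.b64decode(data)
    root = ET.fromstring(data)
    if root.tag != f"{{{NS_P}}}Response":
        raise ValueError("not a samlp:Response")
    assertion = root.find(f"{{{NS_A}}}Assertion")
    return {
        # Only a Signature that is a direct child of Response counts as 'Sign responses'.
        "response_signed": root.find(f"{{{NS_DS}}}Signature") is not None,
        "assertion_signed": assertion is not None
        and assertion.find(f"{{{NS_DS}}}Signature") is not None,
        "username": root.findtext(
            f".//{{{NS_A}}}Attribute[@Name='username']/{{{NS_A}}}AttributeValue"),
    }

def fortios_7_6_4_accepts(raw):
    # From FortiOS v7.6.4 the Response-level signature is mandatory.
    return inspect_saml_response(raw)["response_signed"]
```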


Application Settings:

  • Name: fortigate_app
  • Slug: fortigate_admin
  • Provider: select the provider created above.

After creation, configure the required user/group bindings.

Application example.

FortiGate Configuration:

Begin by logging in as a current admin to the FortiGate.

Navigate to Security Fabric -> Fabric Connectors -> Security Fabric Setup -> Single Sign-On Settings.

Note: The sign-on and logout URLs contain the application slug 'fortigate_admin' configured above.

FortiGate SSO example.

After configuration is complete, log out and log back in with the SAML identity to confirm that it is working as expected.

A new SSO entry will be listed under System -> Administrators.

Newly created SSO admin.