Description
This article describes how to configure SAML authentication for administrative access to the FortiGate Web GUI with Jumpcloud as the SAML IdP. Note that SAML-based admin logins do not require Security Fabric to be configured beforehand.
Scope
FortiGate, SAML
Solution
Configuration On FortiGate.
- In the FortiGate GUI, navigate to Security Fabric -> Fabric Connectors and edit the Security Fabric Setup widget. Select the Single Sign-On Settings button.
- Specify the SP address field (address:port format), or select the Use Current Browser Address button. This field must be set to the IP address/FQDN and admin HTTPS port (if not the standard TCP/443) that administrators use to reach the FortiGate Web GUI. This FQDN/IP address is used to auto-generate the SP-related URLs for this use case. For reference, the format of these URLs is as follows:
SP portal URL: https://<SP_address>:<port>/saml/login/
SP entity ID: https://<SP_address>:<port>/metadata/
SP ACS (login) URL: https://<SP_address>:<port>/saml/?acs
SP SLS (logout) URL: https://<SP_address>:<port>/saml/?sls
- Set the Default admin profile to an appropriate profile. This determines the default permissions granted to a SAML-based admin user at their first login; the profile can be changed after that initial login.
- It can be a good idea to leave this at the default 'admin_no_access' profile so that new SAML admin accounts have to be manually upgraded to more permissive profiles by an existing super_admin.
- Under IdP Settings, change the IdP type to Custom. Note that the IdP certificate from Jumpcloud must be uploaded to the FortiGate prior to this step. Obtaining the certificate is discussed further below, and the FortiGate upload process is described here: Uploading SAML IdP certificate to the FortiGate SP
- At this point the Jumpcloud IdP URLs must already be available so that they can be entered here. For reference, the following are the typical formats used by Jumpcloud:
- Select OK to save the configuration, and OK again to close the Security Fabric Settings page.
Equivalent CLI configuration:
config system saml
end
Configuration On Jumpcloud.
Note:
The Jumpcloud SAML configuration for FortiGate Admin access is nearly identical to the configuration for VPN users, with the main differences being the specific SP URLs involved.
- Make sure to download the IdP certificate from Jumpcloud and upload it to the FortiGate as a Remote Certificate (see also: Uploading SAML IdP certificate to the FortiGate SP).
- IdP entity ID can be any string (as long as it matches exactly on both Jumpcloud and the FortiGate's idp-entity-id setting). Setting it to https://sso.jumpcloud.com/saml2/<Jumpcloud_Display_Label> would be appropriate.
- SP Entity ID on Jumpcloud maps to SP entity ID on the FortiGate (https://<SP_address>:<port>/metadata/)
- ACS URLs on Jumpcloud map to SP ACS (login) URL on the FortiGate (https://<SP_address>:<port>/saml/?acs)
Note:
If the page keeps loading indefinitely during authentication, there is a mismatch in one of the above URLs.
- SAMLSubject Name, SAMLSubject NameID Format and Signature Algorithm can be left unmodified.
- Default Relay State is optional and may be left unset (it is used for IdP-initiated SAML connections, whereas logging into the FortiGate directly is an SP-initiated flow).
- Login URL on Jumpcloud maps to SP portal URL on the FortiGate (https://<SP_address>:<port>/saml/login/). Unlike SAML for VPN setups, Declare Redirect Endpoint is not required to be enabled for this setup.
- IDP URL on Jumpcloud should be copied to IdP single logout URL on the FortiGate.
- Administrator SAML on the FortiGate expects a SAML user attribute named 'username', and that must be specifically configured on Jumpcloud (though the corresponding Jumpcloud Attribute Name may be any of the available options).
- Failure to receive the username attribute in the SAML Assertion will result in an error stating 'No username is found in SAML assertion.'
- Ensure that User Groups are bound on the Jumpcloud side, otherwise Jumpcloud users will not have permission to authenticate to this application (and by extension the FortiGate).
Once setup is complete, it will be possible to log in to the FortiGate Admin Web GUI using SAML by selecting the Sign in with Security Fabric option.
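As an added troubleshooting aid (not part of the original article or of FortiOS), the following Python script checks a captured SAML response against the SP and IdP values from the steps above: Destination against the SP ACS URL, Issuer against the IdP entity ID, Audience against the SP entity ID, and the presence of the 'username' attribute. The host fgt.example.com:10443, the Jumpcloud display label fortigate-admin and the sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Expected values follow the URL formats in the article; host, port and the
# Jumpcloud display label ("fortigate-admin") are placeholders for a real deployment.
EXPECTED = {
    "acs_url": "https://fgt.example.com:10443/saml/?acs",
    "sp_entity_id": "https://fgt.example.com:10443/metadata/",
    "idp_entity_id": "https://sso.jumpcloud.com/saml2/fortigate-admin",
}


def check_saml_response(xml_text, expected=EXPECTED):
    """Return a list of problems; an empty list means the response fits the FortiGate SP."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must equal the SP ACS (login) URL the FortiGate generated.
    dest = root.get("Destination")
    if dest != expected["acs_url"]:
        problems.append(f"Destination {dest!r} does not match ACS URL")
    # Issuer must equal the idp-entity-id configured on the FortiGate.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected["idp_entity_id"]:
        problems.append(f"Issuer {issuer!r} does not match IdP entity ID")
    # Audience must equal the SP entity ID exactly (scheme and trailing slash included).
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != expected["sp_entity_id"]:
        problems.append(f"Audience {audience!r} does not match SP entity ID")
    # Admin SAML requires an attribute named exactly 'username'.
    names = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]
    if "username" not in names:
        problems.append("No username is found in SAML assertion")
    return problems


# Constructed sample response, unsigned and trimmed to the elements checked above.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://fgt.example.com:10443/saml/?acs">
  <saml:Issuer>https://sso.jumpcloud.com/saml2/fortigate-admin</saml:Issuer>
  <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{attr}">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

GOOD = SAMPLE.format(audience="https://fgt.example.com:10443/metadata/", attr="username")
# http:// entity ID and a non-'username' attribute: the two mismatches the article warns about.
BAD = SAMPLE.format(audience="http://fgt.example.com:10443/metadata/", attr="email")
```

Run `check_saml_response()` on the decoded SAMLResponse from a browser capture; an empty list means the URLs and the username attribute line up with the FortiGate configuration.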
Related article:
Technical Tip: Configuring SAML SSO login for FortiGate VPN with Jumpcloud acting as SAML IdP