Created on 06-06-2022 07:36 PM Edited on 09-29-2024 08:59 PM By Anthony_E
Description
This article contains lists of resources related to the SAML authentication method as applied to various FortiGate features.
It has been organized into four sections that cover SAML usage in:
Scope
FortiGate.
Solution
At a high level, SAML (Security Assertion Markup Language) is an XML-based open standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).
Identity Provider:
Performs authentication and passes the user's identity and authorization level to the service provider.
Service Provider:
Trusts the identity provider and authorizes the user to access the requested resource.
Note:
SAML library used in FortiOS does not support certificates with ECDSA (Elliptic Curve Digital Signature Algorithm) keys.
That applies to any feature using SAML as the authentication method.
See the list of resources below for help configuring and troubleshooting SAML Authentication in FortiGate.
General Settings

| Title | Description |
| --- | --- |
| | SAML SSO configuration performed from GUI. |
| | SAML daemon library does not support ECC and DSA algorithms. |
| How to read SAML Debug output | Deep dive in SAML debugs from FortiGate. |
FortiGate Administration

| Title | Description |
| --- | --- |
| SAML SSO for Admins - Azure as IdP | SAML SSO login for FortiGate administrators with Azure acting as SAML IdP. |
| | SAML SSO login for FortiGate administrators with JumpCloud acting as SAML IdP. |
| | SAML SSO login for FortiGate administrators with Okta acting as SAML IdP. |
| | Configuring single-sign-on in the Security Fabric. |
| | Allow manual configuration for SAML settings when the device is joined to the Fabric. |
| Set up SAML admin LDAP login on Fortigate (SP) with FortiAuthenticator (IdP) | Configure FortiGate to accept admin logins over SAML with LDAP credentials. |
| Configuring FortiGate SSO Administrators with ADFS as SAML IdP | FortiGate Admin SSO with ADFS as SAML IdP. |
| Using single Azure Enterprise Application for multiple SAML Service Providers (SPs) for Administrato... | Admin SSO for Multiple FortiGate Units and a single Enterprise Application in Azure. |
| Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1 | SP Entity ID empty after upgrade to v7.4.1. |
| Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP | This article is a step-by-step guide on configuring and setting up a SAML SSO login for Wi-Fi SSID using Azure AD as the IdP. |
Outbound Firewall Policies and Proxy Policies

| Title | Description |
| --- | --- |
| | Outbound firewall authentication with FortiAuthenticator as a SAML IdP. |
| | Outbound firewall authentication with Azure AD as a SAML IdP. |
| | Outbound firewall authentication with Google Cloud Platform as a SAML IdP. |
| | Outbound firewall authentication with Azure AD as a SAML IdP for IPv6 traffic. |
| | ADFS as IdP for proxy policies. |
| | SAML SSO configuration from the web interface. |
| | SAML authentication for proxy-policy type access-proxy with ADFS as IdP. |
| | SAML authentication for proxy-policy type access-proxy with FortiAuthenticator as IdP. |
| Unable to match ZTNA proxy policy or ZTNA firewall policy when SAML authentication is enabled | SAML authentication failing to match group attribute from FortiAuthenticator. |
| Wireless Authentication using SAML Credentials and Azure as IdP | SAML authentication for WiFi Captive Portal using Microsoft Azure as IdP. |
| Wireless Authentication using SAML Credentials and Google as IdP | SAML authentication for WiFi Captive Portal using Google Cloud Platform as IdP. |
| How to configure SAML authentication for firewall policy with Virtual IP (VIP) | Implement SAML authentication for firewall policy which has VIP as the destination address. |
| How to read FortiGate WAD debugs from ZTNA TCP-Forwarding connection with SAML Authentication | Reading WAD debugs for ZTNA Access Proxy authenticated with Azure as SAML IdP. |
SSL VPN Access - Configuration

| Title | Description |
| --- | --- |
| | SAML authentication for SSL VPN with Azure as IdP. |
| SSL-VPN with SAML Authentication with Google Suite as IdP and MFA | SAML authentication for SSL VPN with GCP as IdP with MFA. |
| | SAML authentication for SSL VPN with DUO as IdP. |
| SSL VPN with DUO as SAML IdP using Azure AD as Authentication Source | SAML authentication for SSL VPN with DUO as IdP and Azure AD as Authentication Source. |
| | SAML authentication for SSL VPN with AWS as IdP. |
| | SAML authentication for SSL VPN with Okta as IdP. |
| | SAML configuration for specific group matching with Okta as IdP. |
| | SAML configuration for SSL VPN realms. |
| | Enabling Azure Multifactor Authentication. |
| | Using a browser as an external user-agent for SAML authentication in an SSL VPN connection. |
| How to hide the username/password prompt for the SSL-VPN login portal to show SAML only | Restricting the SSL VPN login portal to only the Single Sign-On option. |
| | Configuring SSL VPN with SAML and Dual WAN Link on FortiGate. |
| Using a single Azure Enterprise Application for multiple SAML Service Providers (SPs) for SSL VPN au... | SSLVPN with SAML for Multiple FortiGate Units and a single Enterprise Application in Azure. |
| How to configure SSL VPN web portal to automatically redirect to SAML SSO login page | Ensuring SSL VPN Web Portal automatically redirects to SAML login. |
SSL VPN Access - Troubleshooting

| Title | Description |
| --- | --- |
| | Troubleshooting steps for common problems and causes for SSLVPN with SAML. |
| Companion for troubleshooting SSL VPN with SAML Authentication | Additional troubleshooting steps for common problems and causes for SSLVPN with SAML. |
| | Basic troubleshooting steps. |
| | Invalid certificate warning when using SAML authentication. |
| | Leveraging Realms when multiple IdPs are configured in FortiGate. |
| | SAML authentication prompt was bypassed due to cached cookies in FortiClient. |
| | Azure SAML group mismatch, getting error '/remote/logoutok'. |
| | Azure SAML group mismatch when default Azure group claim is used. |
| | Diagnostic command to display SAML metadata to be provided to IdP. |
| SSL VPN SAML Authentication not working for some users of the same group | Clarification of Azure limit of 150 SAML assertions for group claims. |
| SAML authentication fails with error 'login page did not respond within time limit' | SAML authentication is configured correctly but the user receives an error when connecting to SSL VPN. |
| | The SAML button is selected, the page does not redirect to the login page for SAML, and the SAML button is greyed out. |
IPsec VPN Access - Configuration

| Title | Description |
| --- | --- |
| SAML-based authentication for FortiClient remote access dialup IPsec VPN clients | SAML authentication for IPsec dialup on FortiClient 7.2.4+ with IKEv2. |
| Configure Dialup IPsec IKEv2 VPN tunnel with OKTA SAML SSO Authentication | SAML authentication for IPsec dialup on FortiClient with OKTA. |
| How to configure Microsoft Entra ID SAML authentication for Dial-up IPsec VPN | SAML authentication for IPsec dialup on FortiClient with Microsoft Entra ID. |
| How to configure AD-FS SAML authentication for Dial-up IPsec VPN | SAML authentication for IPsec dialup on FortiClient with Microsoft AD-FS. |
| Troubleshoot IPSEC SAML Dial UP tunnel | Troubleshoot the IPSec SAML Dial-up tunnel if it fails to connect. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.