FortiGate
agrakov
Staff
Article Id 225528
Description

This article describes SAML attribute mapping: how an attribute released by the Identity Provider (IdP) is renamed and then consumed by FortiGate, acting as the Service Provider (SP), as user-name or group-name information.

Scope

FortiOS 7.0 and later.
Solution

Attribute mapping means exposing an IdP attribute under a different attribute name in the SAML assertion. The SP never sees the IdP's internal attribute name, only the mapped name, so the SP configuration must reference the mapped name exactly.

 

Any attribute available in the IdP's directory (for example, a Google Directory attribute) can be mapped to a new attribute name. That new name is what the SP then configures as its user-name or group-name attribute.

 

In this example, FortiGate acts as the Service Provider (SP) and Google acts as the Identity Provider (IdP).

SP: the party that provides the service (here, FortiGate).

IdP: the party that performs the authentication and asserts the user's attributes (here, Google).

 

For example: 

 

On the Google IdP side, map the 'Primary Email' attribute to two new attribute names: 'BOGUS' and 'Username'.

 

The IdP then sends the SP two attributes, 'Username' and 'BOGUS', both carrying the 'Primary Email' value. On FortiGate this is visible in the samld daemon debug output (enabled with 'diagnose debug application samld -1' and 'diagnose debug enable'), which prints each received attribute name and value:

 

samld_send_common_reply [118]:     Attr: 10, 32, 'Username' 'agrakov@mydomain.my'

samld_send_common_reply [118]:     Attr: 10, 29, 'BOGUS' 'agrakov@mydomain.my'


Depending on the SP configuration (user-name under 'config user saml'), FortiGate can use either 'BOGUS' or 'Username' as the user-name attribute; both carry the same value.

 



Alternatively, map only 'Primary Email' to 'BOGUS' and configure 'BOGUS' as the user-name attribute on the SP side. The assertion then carries a single user-name attribute, as in the following debug output:

 


 

samld_send_common_reply [122]:     Attr: 18, 29, 2022-10-03T17:01:13.362Z

samld_send_common_reply [118]:     Attr: 10, 17, 'Groupname' 'IT'

samld_send_common_reply [118]:     Attr: 10, 29, 'BOGUS' 'agrakov@myDomain.my'

samld_send_common_reply [118]:     Attr: 10, 25, 'Groupname' 'IT-Support'


 

On the Google IdP side, map both the 'Department' directory attribute and the user's 'Google groups' membership to the same new attribute name, 'Groupname'. Because two sources feed one name, the assertion contains two separate 'Groupname' attributes.


 


 

On the SP side, configure 'Groupname' as the attribute that carries group-name information:

 

# config user saml
      edit "GOOGLE-SAML"
          set group-name "Groupname"
      next
  end
 

The IdP now sends two attributes, both named 'Groupname', one per group value: IT and IT-Support.

 

samld_send_common_reply [118]:     Attr: 10, 17, 'Groupname' 'IT'

samld_send_common_reply [118]:     Attr: 10, 32, 'Username' 'agrakov@myDomain.my'

samld_send_common_reply [118]:     Attr: 10, 25, 'Groupname' 'IT-Support'

 

The SP side has two user groups configured, one matching IT and the other matching IT-Support. In each match entry, server-name must be the name of the 'config user saml' entry the group is tied to, and group-name is compared against the 'Groupname' values the IdP sent.

 

# config user group
    edit "GOOGLE-SAML-IT-Support"
        set member "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"
        config match
            edit 1
                set server-name "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"
                set group-name "IT-Support"
            next
        end
    next
    edit "GOOGLE-SAML"
        set member "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"
        config match
            edit 1
                set server-name "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"
                set group-name "IT"
            next
        end
    next
end

 

 

Because the IdP sent 'Groupname' values IT and IT-Support, FortiGate matched the authenticated user into both user groups. A value the IdP does not send, or a name that differs from the configured attribute, results in no group match and the user is not placed in that group.
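The following Python script is an added illustration of the SP-side logic described above; it is not FortiGate code and not part of the original article. It parses a constructed SAML AttributeStatement modelled on the debug output shown on this page (Google emits one Attribute element per value, so 'Groupname' appears twice), applies a user-name/group-name mapping with exact attribute-name matching (assumed to be case-sensitive, as a conservative model), and matches the received group values against the two user groups from the configuration above. The group configuration dictionary and the function names are assumptions for this example.

```python
import xml.etree.ElementTree as ET  # sample below is constructed and trusted; use defusedxml for real assertions

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample mirroring the samld debug lines on this page:
# 'Groupname' is sent as two separate Attribute elements, one per value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Username">
      <saml:AttributeValue>agrakov@mydomain.my</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="BOGUS">
      <saml:AttributeValue>agrakov@mydomain.my</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groupname">
      <saml:AttributeValue>IT</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groupname">
      <saml:AttributeValue>IT-Support</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed model of the 'config user group' entries on this page:
# SP group name -> set of IdP group values whose presence admits the user.
SP_GROUPS = {
    "GOOGLE-SAML-IT-Support": {"IT-Support"},
    "GOOGLE-SAML": {"IT"},
}


def collect_attributes(assertion_xml):
    """Return {attribute name: [values]}.

    Merges repeated <Attribute> elements with the same Name (Google's style)
    and multi-valued <Attribute> elements (one element, several values)
    into one list per name, so the SP logic does not care which form the IdP used.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(name, []).extend(values)
    return attrs


def resolve_user(attrs, user_name_attr, group_name_attr):
    """Apply the SP-side mapping: look up the configured attribute names exactly.

    Exactly one user-name value is required; zero or several is a configuration
    or IdP problem and is rejected rather than guessed. (Case-sensitive matching
    is an assumption of this model.)
    """
    users = attrs.get(user_name_attr, [])
    if len(users) != 1:
        raise ValueError(f"expected exactly one {user_name_attr!r} value, got {users}")
    return users[0], attrs.get(group_name_attr, [])


def match_groups(group_values, group_config):
    """Return the sorted SP groups whose match rule accepts any received value.

    Comparison is on whole strings, so 'IT' does not match 'IT-Support'.
    """
    received = set(group_values)
    return sorted(g for g, accepted in group_config.items() if accepted & received)


if __name__ == "__main__":
    attrs = collect_attributes(SAMPLE_ASSERTION)
    user, groups = resolve_user(attrs, "BOGUS", "Groupname")
    print("user:", user)                              # agrakov@mydomain.my
    print("groups sent:", groups)                     # ['IT', 'IT-Support']
    print("SP groups matched:", match_groups(groups, SP_GROUPS))
```

Running the script resolves the user from 'BOGUS', collects both 'Groupname' values, and matches both SP groups; changing the configured user-name attribute to a name the IdP did not send (for example 'username' in lower case) raises an error instead of silently producing an empty identity, which is the failure mode to look for in the samld debug output when mapping names do not line up.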

 
