In FortiAuthenticator, configurations are located under SAML ldP -> General. Follow the steps below:

1. Enable the SAML Identity Provider portal.
2. Set either an IP or FQDN (preferred) server address and a prefix.
3. Select the correct realm. In this case, select LDAP.
4. Create a remote group. Add users/admins and a filter for the group.

1. Download the IDP server certificate highlighted above under Certificate Management -> End Entities -> Local Services.
                                                        

   

    

2. Create an SP, under SAML ldP -> Service Providers:
                                                             

   

    

Add the following claim, filling in details as necessary:
SAML attribute: 'username'. This attribute is hardcoded on the FortiGate, it needs to be configured only on the IDP side.
User attribute: Remote LDAP Server: samAccountName (or Username attribute: configured in Auth, Remote Auth Servers, LDAP).
                               

Follow the steps below in FortiGate:

1. Enable SSO Admin login.

2. For the IdP address, provide the IP or FQDN (preferred) and a prefix. The details should be the same as configured in step 2.

3. Upload the certificate downloaded in step 4. The setting is located under Security Fabric -> Fabric connectors -> Security Fabric Setup -> edit -> Single Sign-On Settings.
                                                   

   

    

   Alternatively, run the following in the CLI (the details provided are examples):
   
   

   config system saml
       set status enable
       set default-profile "super_admin"
       set idp-entity-id "http://fortiauth.local/saml-idp/fgtadm/metadata/ "
       set idp-single-sign-on-url "https://fortiauth.local/saml-idp/fgtadm/login/ "
       set idp-single-logout-url "https://fortiauth.local/saml-idp/fgtadm/logout/ "
       set idp-cert "fortiauth.local_SAN"
       set server-address "10.191.19.149:4443"

   end

    

4. Logout from FortiGate, refresh, select the SSO option, and auth with LDAP credentials on FortiAuthenticator (IDP):

    

   

    

   

    

5. Login to the firewall as an SSO admin. If the steps are completed, this will succeed.
                                                                                           
   

   

    

                                                                      
6. At the time of writing, SAML SSO-admin authentication at VDOM level is not supported: it is only supported at global level. As a workaround, these steps can be performed (where appropriate):
   1. If possible, set FortiGate's SSO URL to an FQDN and use DNS to point to different VDOM IPs to make some users hit the FortiGate with different IPs using the same FQDN.
   2. Add VDOM to admin account's VDOM list, (not ideal if permission is a problem).
   3. Change the SSO URL to the VDOM's IP that is needed. Refer to this article on how to resolve two different IPs per FQDN.
   
   

If there is a requirement to bind admin users to the SAML accounts and provide access to the specific VDOM, then follow Technical Tip: FortiGate - Admin login with remote Radius and vdom access profile:

• FortiAuthenticator acting as a RADIUS Server.
• FortiGate is configured as a RADIUS client, with remote admin wildcard group, and VDOM override enabled.