FortiGate
Author: kiri (Staff)
Article Id 241591
Description: This article describes how to configure FortiGate to accept admin logons over SAML with LDAP credentials.
Scope: FortiAuthenticator 6.X; FortiGate 6.2, 6.4, 7.X.
Solution

In FortiAuthenticator, follow the steps below:

1) Enable the SAML Identity Provider portal.
2) Set either an IP or FQDN (preferred) server address and a prefix, and select the correct realm. In this case, select the LDAP realm.
3) Create a remote group. Add the users/admins and a filter for the group.

 

1.jpg

 

4) Download the IdP server certificate highlighted above.

 

2.jpg

 

5) Create an SP (service provider) entry for the FortiGate:

 

3.jpg

 

6) Add the following claim, filling in the details as necessary:
SAML attribute: 'username'.
User attribute: Remote LDAP Server: samAccountName (or whichever Username attribute is configured under Auth > Remote Auth Servers > LDAP).

 

4.jpg

 

Follow the steps below in FortiGate:

 

7) Enable SSO Admin login.
8) For the IdP address, provide the IP or FQDN (preferred) and a prefix. These must match the values configured in step 2.
9) Upload the IdP certificate downloaded in step 4.

 

5.jpg

 

Alternatively, run the following in the CLI (the values shown are examples):

 

# config system saml
    set status enable
    set default-profile "super_admin"
    set idp-entity-id "http://fortiauth.local/saml-idp/fgtadm/metadata/"
    set idp-single-sign-on-url "https://fortiauth.local/saml-idp/fgtadm/login/"
    set idp-single-logout-url "https://fortiauth.local/saml-idp/fgtadm/logout/"
    set idp-cert "fortiauth.local_SAN"
    set server-address "10.191.19.149:4443"
end
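The CLI block above has to agree field-for-field with what FortiAuthenticator publishes as its IdP metadata, and the IdP must actually send the 'username' claim from step 6, or the SSO login in the next step fails. The following Python script is an added example (not Fortinet code, not from this article's author): it parses a constructed IdP metadata document, runs the sanity checks an operator would want before switching admin login to SAML (HTTPS endpoints, one IdP host, a signing certificate present), renders the matching FortiGate CLI lines, and pulls the 'username' attribute out of a constructed assertion fragment. The hostname, paths, certificate name and server address are the example values from the CLI block above; the XML bodies and the user 'jdoe' are constructed.

```python
"""Map SAML IdP metadata onto FortiGate 'config system saml' settings (added example).

Assumes the IdP publishes standard SAML 2.0 metadata and that the IdP certificate
is already imported on the FortiGate under the name passed to render_fortigate_saml().
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; the certificate body is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://fortiauth.local/saml-idp/fgtadm/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC EXAMPLE CERT BODY
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fortiauth.local/saml-idp/fgtadm/logout/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fortiauth.local/saml-idp/fgtadm/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment carrying the 'username' claim configured in step 6.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Return entity ID, SSO/SLO endpoints and the base64 signing certificate."""
    # Metadata comes from the operator's own IdP; for XML from untrusted sources
    # prefer the defusedxml package over the stdlib parser.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(tag):
        for svc in idp.findall(tag, NS):
            if svc.get("Binding") in (REDIRECT, POST):
                return svc.get("Location")
        raise ValueError(f"{tag} is missing or uses an unsupported binding")

    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means the key serves both purposes
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())  # drop pretty-printing whitespace
                break
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso_url": endpoint("md:SingleSignOnService"),
            "slo_url": endpoint("md:SingleLogoutService"), "signing_cert": cert}


def check_idp(meta):
    """Checks worth running before admin login depends on this IdP; returns a list of findings."""
    problems = []
    for key in ("sso_url", "slo_url"):
        if urlparse(meta[key]).scheme != "https":  # admin credentials are entered at this URL
            problems.append(f"{key} is not HTTPS: {meta[key]}")
    hosts = {urlparse(meta[k]).hostname for k in ("sso_url", "slo_url")}
    if len(hosts) != 1:
        problems.append(f"SSO and SLO endpoints point at different hosts: {sorted(hosts)}")
    if not meta["entity_id"]:
        problems.append("entityID is empty")
    return problems


def render_fortigate_saml(meta, idp_cert_name, server_address, profile="super_admin"):
    """Emit the 'config system saml' lines populated from the parsed metadata."""
    return [
        "config system saml",
        "    set status enable",
        f'    set default-profile "{profile}"',
        f'    set idp-entity-id "{meta["entity_id"]}"',
        f'    set idp-single-sign-on-url "{meta["sso_url"]}"',
        f'    set idp-single-logout-url "{meta["slo_url"]}"',
        f'    set idp-cert "{idp_cert_name}"',
        f'    set server-address "{server_address}"',
        "end",
    ]


def assertion_username(xml_text):
    """Return the 'username' attribute value the IdP sends, or None if the claim is absent."""
    node = ET.fromstring(xml_text).find(".//saml:Attribute[@Name='username']/saml:AttributeValue", NS)
    return node.text.strip() if node is not None and node.text else None


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    for problem in check_idp(meta):
        print("WARNING:", problem)
    print("\n".join(render_fortigate_saml(meta, "fortiauth.local_SAN", "10.191.19.149:4443")))
    print("username claim:", assertion_username(SAMPLE_ASSERTION))
```

Run it against the metadata downloaded from your own IdP portal instead of SAMPLE_METADATA; a missing 'username' claim in a captured assertion (assertion_username returning None) is the usual reason the SSO login page accepts the LDAP password but the firewall still rejects the admin.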

 

10) Log out of FortiGate, refresh the login page, select the SSO option, and authenticate with LDAP credentials on FortiAuthenticator (the IdP):

 

6.jpg

 

7.jpg

 

11) Log in to the firewall as an SSO admin. If the steps above were completed correctly, the login succeeds.

 

8.jpg

 

9.jpg

 
