FortiPortal
Author: tnesh (Staff)
Article Id: 261631
Description: This article describes how to configure FortiPortal SSO remote authentication using the FortiAuthenticator SAML service.
Scope: FortiPortal, FortiAuthenticator.
Solution

SAML Identity Provider (IdP): FortiAuthenticator.
SAML Service Provider (SP): FortiPortal.

 

SAML Parameters Mapping:

SAML Parameter | FortiAuthenticator (IdP) SAML Parameter | FortiPortal (SP) SAML Parameter
IDP Entity URL | IdP entity id | SSO IDP Entity URL: enter <IdP entity id>
IdP single sign-on URL | IdP single sign-on URL | IDP Sign On Service Post Endpoint URL: enter <IdP single sign-on URL>
IDP Sign On Redirect Endpoint URL | IdP single sign-on URL | IDP Sign On Service Redirect Endpoint URL: enter <IdP single sign-on URL>
IDP Logout Service Endpoint | IdP logout URL | IDP Logout Service Endpoint: enter <IdP logout URL>
SP entity ID | enter <SP Application ID> | SSO Application ID: http://<FPC_PORTAL>/metadata/
SP login URL | enter <SSO Audience URL> | SSO Audience URL: https://<FPC_PORTAL>/fpc/saml/SSO
IdP certificate | Server certificate | SSO Certificate: <Certificate provided by IDP>
SAML Assertion Attribute | Assertion Attributes | 1. Role Attribute, 2. Tenant Identification Attribute, 3. Site Attribute

 

Configuration Steps:

 

(A) FortiAuthenticator (IdP).

 

Note:

  • This article uses the following FortiAuthenticator user attributes, mapped to the corresponding FortiPortal attributes, as an example.
  • The attribute values on FortiAuthenticator and FortiPortal must be identical.

SAML Assertion Attribute | FortiAuthenticator (IdP) Attribute | FortiPortal (SP) Attribute
Role Attribute | User Group | SSO Roles
Tenant Identification Attribute (Domains) | User's Last name | Edit Customer > Domains
Site Attribute | Username | Sites

 

     1. Create User Groups.

 Note: The user group name will be used to find a match for the FPC Role Attribute.

 

fac-group.png

 

     2. Create a Local User or Remote User and add it to the newly created user group.

 Note: The username will be used to find a match for the FPC Site Attribute.


     3. Add a user email address.

 Note: The email domain value will be used to check whether the user belongs to an FPC customer or is an FPC administrator.


Example:

Email | Domain | Purpose
fpcadmin@fortinet.com | fortinet.com | FPC administrator access
customer@custserver.com | custserver.com | FPC Customer Portal access

 

     4. Set the user's Last name to the domain value, e.g. custserver.com.

Note: This value will be used to find a match for the FPC Tenant Identification Attribute.


     5. Go to FortiAuthenticator -> SAML IdP -> General.

     6. Enable the SAML Identity Provider portal and enter the details.


Example:

 

fac-enable-saml.png

 

     7. Go to FortiAuthenticator -> SAML IdP -> Service Providers -> Create New.
     8. Enter the SP name and create a new IdP prefix.

 

fac-saml=sp1.png

 

     9. Enter the SP Metadata. The value must be the same as the one configured in the FPC SSO settings.


Note:

This page can be revisited to enter the value once the FPC configuration is complete.


fac-enable-saml2.png

 

     10. Configure the authentication method and the Assertion Attribute Configuration as shown below:

 

fac-saml-sp3.png

 

     11. Map the Assertion Attribute Configuration settings as shown below:


Note:

The SAML attribute names must be the same as those in the FPC SSO Settings.

 

fac-saml-sp4.png

 

     12. Verify the parameters and select OK.

 

(B) FortiPortal.

 

     1. Go to FortiPortal -> Customers -> Domains -> Key in the domain value -> Select Create.

Note: This value will be used to find a match for the FPC Tenant Identification Attribute.

 

fpc-customer-domain.png

 

     2. Go to FortiPortal -> Customers -> Sites -> Site Names.


Note:

This value will be used to find a match for the FPC Site Attribute.

 

     3. Next, Go to FortiPortal -> Admin -> Settings -> User Authentication.
     4. At Authentication Access, select Remote.
     5. At Remote Server, select SSO.
     6. Proceed to enter the value according to the SAML configuration. 

 

Example:

Setting | Value
Authentication Access | Remote
Allow Service Provider Usernames without Domain | Enable
Remote Server | SSO
Domains | fortinet.com (this value allows the user to access the FPC Administrator site)
SSO Roles / SSO Profiles | Create a new SSO role (this value is used to find a match for the FPC Role Attribute)
SSO IDP Entity URL | http://10.10.10.10/saml-idp/djx2mwsv98anlfeq/metadata/
IDP Sign On Service Post Endpoint URL | http://10.10.10.10/saml-idp/djx2mwsv98anlfeq/login/
IDP Sign On Service Redirect Endpoint URL | http://10.10.10.10/saml-idp/djx2mwsv98anlfeq/login/
SSO Application ID | http://10.10.10.20/metadata/
SSO Audience URL | https://10.10.10.20/fpc/saml/SSO
Role Attribute | Role
Tenant Identification Attribute | tenant
SSO Error URL |
IDP Logout Service Endpoint | https://10.10.10.10/saml-idp/djx2mwsv98anlfeq/logout/
SSO Certificate | <IdP Server Certificate in Base64 encoded format> (see the steps below)
Site Attribute | site

fpc-sso-role.png

To prepare the SSO Certificate value:

1. Download the FortiAuthenticator (IdP) default certificate.

2. Open it using Notepad.

3. Remove the first and last rows.

4. Edit the content so that it becomes only ONE line.

5. Copy and paste it into the FPC SSO Certificate field.
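The five certificate steps above can be scripted and sanity-checked. This is an added example, not FortiPortal or FortiAuthenticator code; it assumes the downloaded default certificate is a PEM file whose first and last rows are the BEGIN/END CERTIFICATE lines, and it uses a constructed placeholder body instead of a real certificate:

```python
import base64
import binascii
import re

# Constructed placeholder, NOT a real certificate: the base64 body decodes to a
# tiny DER SEQUENCE so the validation below has something to check. Replace it
# with the text of the FortiAuthenticator default certificate download.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAMC\r\n"
    "AQE=\r\n"
    "-----END CERTIFICATE-----\r\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

def pem_to_single_line(pem_text: str) -> str:
    """Return the certificate body as one base64 line, the form the FPC SSO
    Certificate field expects (first and last rows removed, no line breaks).
    Only the first CERTIFICATE block in the file is used; a private-key block
    does not match and is rejected."""
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    one_line = "".join(match.group(1).split())  # drops \r, \n, spaces, tabs
    try:
        der = base64.b64decode(one_line, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    # A DER certificate is an ASN.1 SEQUENCE (tag 0x30); this catches a
    # truncated or mangled paste before it reaches the portal.
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    return one_line

if __name__ == "__main__":
    print(pem_to_single_line(SAMPLE_PEM))
```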

 

     7. Select Submit and reboot FortiPortal.


Test Scenario:
Go to the FortiPortal GUI and log in with the SSO user created in FortiAuthenticator.


Troubleshooting guide:

     1. Check logs from FortiAuthenticator: Logging -> Log Access -> Logs.

     2. Check logs from FortiPortal v6.0.x GUI:

Log in to the FortiPortal GUI (via the URL below) -> Admin -> System Log -> Start
v6.0.x: https://<Portal>/fpc/adminuser/login.

 

Then log in with the SSO user and capture the logs from the system log.
Sample output:

 

saml-fpc-debug.png

 

     3. Check logs from FortiPortal v6.0.x CLI:

 

exec shell

tail /var/tomcat/util/ftnt_fpc.log -f

 

     4. For FortiPortal v7.x, the FortiPortal GUI can be accessed via the URL below to verify the SAML settings:

v7.x: https://<Portal>/fpc/app/admin.

 

     5. Use a SAML debugging Chrome extension (for example SAML-tracer) to inspect the SAML-related messages.

Eg: https://chrome.google.com/webstore/detail.saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch

Sample output:

 

saml-debug.png
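Once the assertion is captured with the tracer, the lookups this article describes (email domain -> administrator or customer, Role -> SSO role, tenant -> customer domain, site -> site name) can be checked offline before reading the portal logs. This is an added example and an illustrative model, not FortiPortal's own matching code; the assertion and the FPC-side values are constructed, and the user's email travelling in the NameID is an assumption the article does not state:

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, shaped like the one the SAML tracer shows. Attribute
# names follow the FPC SSO settings above (Role, tenant, site); NameID = email is assumed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>customer@custserver.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>fpc-customer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="tenant"><saml:AttributeValue>custserver.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="site"><saml:AttributeValue>customer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

FPC_CONFIG = {  # constructed FPC-side values mirroring section (B); adjust to the real portal
    "admin_domains": {"fortinet.com"},       # Admin > Settings > Domains
    "customer_domains": {"custserver.com"},  # Customers > Domains
    "sso_roles": {"fpc-customer"},           # SSO Roles / SSO Profiles
    "sites": {"customer"},                   # Customers > Sites > Site Names
    "attr_names": {"role": "Role", "tenant": "tenant", "site": "site"},
}

def parse_assertion(xml_text):
    """Return (NameID, {attribute name: first value}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    return name_id, attrs

def check_assertion(xml_text, cfg=FPC_CONFIG):
    """Model of the article's lookups. Returns (portal, problems) where portal is
    'administrator', 'customer' or None; an empty problems list means all matched."""
    email, attrs = parse_assertion(xml_text)
    domain = email.rsplit("@", 1)[1].lower() if email and "@" in email else ""
    n = cfg["attr_names"]
    role, tenant, site = attrs.get(n["role"]), attrs.get(n["tenant"]), attrs.get(n["site"])
    portal, problems = None, []
    if domain in cfg["admin_domains"]:
        portal = "administrator"
    elif domain in cfg["customer_domains"]:
        portal = "customer"
    else:
        problems.append(f"email domain {domain!r} is neither an admin nor a customer domain")
    if role not in cfg["sso_roles"]:
        problems.append(f"Role attribute {role!r} matches no SSO role")
    if portal == "customer":  # tenant and site lookups only matter for customer-portal users
        if tenant not in cfg["customer_domains"]:
            problems.append(f"tenant attribute {tenant!r} matches no customer domain")
        if site not in cfg["sites"]:
            problems.append(f"site attribute {site!r} matches no site name")
    return portal, problems
```

Each reported problem names the FPC field (Domains, SSO Roles, Customer Domains or Sites) whose value must be made identical to the attribute the IdP sent.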

 

Related documents:

Technical Tip: How to validate that Remote authentication 'SSO' SAML responses and assertions are si...

Remote authentication - SSO

Remote authentication: SSO