This article describes how to configure FortiPortal SSO Remote Authentication using Active Directory Federation Services (ADFS).
Scope: FortiPortal v7.0 and v7.2; Windows Server with the ADFS role.
Things to note before proceeding with the configuration steps:
| SAML Assertion Attribute | ADFS (IdP) Attribute | FortiPortal (SP) Attribute |
|---|---|---|
| Role Attribute | user.title (AD attribute Title) | System -> Settings -> Authentication -> View/Change SSO Roles -> View SSO Roles |
| Tenant Identification Attribute | user.companyname (AD attribute Company) | Edit Organization -> Domains |
| Site Attribute | user.department (AD attribute Department) | Edit Organization -> Sites name |
Configuration steps:
SAML Service Provider (SP): FortiPortal.
SAML Identity Provider (IdP): Active Directory Federation Services (ADFS).
In FortiPortal (System -> Settings -> Authentication), set Authentication Access to Remote, then enter the SAML SSO configuration attributes.
Example:
| Field | Value |
|---|---|
| Authentication Access | Remote |
| Enable Two-factor Authentication | Un-check |
| Remote Server | SSO |
| SSO IdP Entity URL | |
| IdP Sign On Service Endpoint URL | |
| IdP Sign On Service Redirect Endpoint URL | |
| SSO Application ID | |
| SSO Audience URL | |
| Role Attribute | fpc-role |
| Tenant Identification Attribute | tenant-sso |
| SSO Error URL | |
| IdP Logout Service Endpoint | |
| SSO Certificate | IdP token-signing certificate in Base64 encoded format, on one line. 1. Download the ADFS (IdP) certificate from the ADFS server (Base64-encoded X.509 export). 2. Open it in Notepad. 3. Remove the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). 4. Join the remaining content into ONE line. 5. Copy and paste it into the FPC SSO Certificate field. Note: use the ADFS Token-Signing certificate (the one that signs the SAML response), not the Service Communications (TLS) certificate; FortiPortal uses this certificate to verify the signature on the assertion. |
| Site Attribute | site-sso |
| Domains | fortilab.com. Note: this value is used to allow the user to access the FPC Administrator site. |
| View/Change SSO Roles | Create a new SSO role. Note: the role name must match the value sent in the Role Attribute (fpc-role, populated from the user's Title in AD). |
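The manual Notepad editing of the certificate above is error-prone (a stray line break or the BEGIN/END markers left in place make FortiPortal reject the certificate). The following PowerShell is an added example, not part of the original article, that produces the one-line Base64 value directly on the ADFS server and reports which certificate it came from. It assumes the AD FS PowerShell module is installed (it ships with the AD FS role) and that the session is elevated; the output file name is an assumption.

```powershell
# Added example (not from the original article): export the primary ADFS
# Token-Signing certificate as one-line Base64 for the FortiPortal SSO
# Certificate field. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

# FortiPortal verifies the signature on the SAML response, so it needs the
# Token-Signing certificate, not the Service-Communications (TLS) certificate.
$signing = Get-AdfsCertificate -CertificateType Token-Signing

# ADFS can hold a secondary certificate staged for automatic rollover; only the
# primary one signs assertions today, so that is the one FortiPortal must hold.
$primary = $signing | Where-Object { $_.IsPrimary }

# DER bytes -> Base64 with no line breaks. This is exactly the PEM body with the
# -----BEGIN/END CERTIFICATE----- lines removed and the rest joined into one line.
$der     = $primary.Certificate.Export(
               [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$oneLine = [Convert]::ToBase64String($der)

# Show what is about to be pasted and when it stops being valid.
"Subject    : $($primary.Certificate.Subject)"
"Thumbprint : $($primary.Certificate.Thumbprint)"
"NotAfter   : $($primary.Certificate.NotAfter)"
"Length     : $($oneLine.Length) Base64 characters"

# Rollover status: when the primary changes, FortiPortal rejects every signed
# response until the new certificate is pasted in.
$props = Get-AdfsProperties
"AutoCertificateRollover : $($props.AutoCertificateRollover)"
"Staged secondary cert   : $((($signing | Where-Object { -not $_.IsPrimary }) | Measure-Object).Count -gt 0)"

# Copy to the clipboard and keep a file copy (path is an assumption).
$oneLine | Set-Clipboard
$oneLine | Out-File -FilePath "$env:USERPROFILE\Desktop\adfs-token-signing.b64" -Encoding ascii -NoNewline
```

Paste the clipboard contents into FPC SSO Certificate. Record the NotAfter date: with AutoCertificateRollover enabled, ADFS generates a new token-signing certificate before expiry and promotes it to primary, and the value in FortiPortal has to be replaced at that point or SSO logins fail.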
Enter a Display name (for example FPC-SSO) and select Next, then Next again.
At the Ready to Add Trust page, verify all the attributes and select Next.
At the Edit Claim Issuance Policy window, select Add Rule.
At Choose Rule Type, select Send LDAP Attributes as Claims and select Next. Map the LDAP attributes to the outgoing claim types that FortiPortal expects:
| LDAP Attribute | Outgoing Claim Type |
|---|---|
| E-Mail Addresses | |
| Title | fpc-role |
| Company | tenant-sso |
| Department | site-sso |
Add a second rule of type Transform an Incoming Claim, which turns the user's incoming claim into the SAML Name ID:
| Field | Value |
|---|---|
| Incoming claim type | |
| Incoming name ID format | Unspecified (greyed out) |
| Outgoing claim type | Name ID |
| Outgoing name ID format | Unspecified |
Check the current signature setting of the relying party trust:
PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name <relying-party_name>
Example:
PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name FPC-SSO
By default ADFS signs only the assertion (SamlResponseSignature = AssertionOnly). FortiPortal expects both the SAML response message and the assertion to be signed, so change the setting and verify that SamlResponseSignature now reads MessageAndAssertion:
PS C:\Windows\system32> Set-AdfsRelyingPartyTrust -TargetName <relying-party_name> -SamlResponseSignature MessageAndAssertion
PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name <relying-party_name>
Example:
PS C:\Windows\system32> Set-AdfsRelyingPartyTrust -TargetName FPC-SSO -SamlResponseSignature MessageAndAssertion
PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name FPC-SSO
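The wizard steps and the signature fix above can be reproduced as one script, which is easier to review and to re-apply on a second ADFS farm. The following PowerShell is an added example, not part of the original article or of Fortinet's tooling. The SP identifier, assertion consumer URL and the AD group SID are placeholders (the article does not show the SSO Application ID and SSO Audience URL values); the incoming claim for the Name ID transform is assumed to be the e-mail address, since the article's E-Mail Addresses row leaves it blank. It assumes the AD FS module and an elevated session on the ADFS server.

```powershell
# Added example (not from the original article): create the FortiPortal relying
# party trust with the same claim rules as the wizard steps, signing both the
# SAML message and the assertion. Run elevated on the ADFS server.
Import-Module ADFS

$Name     = 'FPC-SSO'
$SpEntity = 'https://fortiportal.fortilab.com/saml/metadata'  # assumption: FortiPortal SSO Application ID / Audience URL
$AcsUrl   = 'https://fortiportal.fortilab.com/saml/acs'       # assumption: FortiPortal assertion consumer (POST) URL
$GroupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'  # assumption: AD group allowed to use FortiPortal

# Rule 1, "Send LDAP Attributes as Claims": mail, title, company, department.
# The three custom claim type names must equal the Role / Tenant Identification /
# Site attribute names entered in FortiPortal (fpc-role, tenant-sso, site-sso).
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "FortiPortal attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "fpc-role", "tenant-sso", "site-sso"),
          query = ";mail,title,company,department;{0}", param = c.Value);
'@

# Rule 2, "Transform an Incoming Claim": e-mail address (assumption) -> Name ID,
# outgoing name ID format Unspecified, as in the article's table.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "E-mail to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Authorization: only members of one AD group receive a token for FortiPortal
# (least privilege; the wizard default would permit every authenticated user).
$authzRule = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit FortiPortal users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$GroupSid`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# SP endpoint where ADFS posts the signed SAML response.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true

Add-AdfsRelyingPartyTrust -Name $Name `
    -Identifier $SpEntity `
    -ProtocolProfile SAML `
    -SamlEndpoint $acs `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $authzRule `
    -SamlResponseSignature MessageAndAssertion `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Verify: SamlResponseSignature must read MessageAndAssertion and the
# identifier must be the exact value FortiPortal has as SSO Audience URL.
Get-AdfsRelyingPartyTrust -Name $Name |
    Select-Object Name, Identifier, SamlResponseSignature, SignatureAlgorithm, @{n='ACS'; e={ $_.SamlEndpoints.Location }}
```

For a trust already created with the wizard, the Set-AdfsRelyingPartyTrust command shown above is the equivalent of the -SamlResponseSignature MessageAndAssertion parameter here. ADFS writes the Identifier into the Audience of the assertion and FortiPortal checks it against its SSO Audience URL, so a mismatch (trailing slash, http versus https) is enough to reject an otherwise valid login.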
The IdP values for the FortiPortal configuration come from the ADFS federation metadata, published at:
https://<hostname>/FederationMetadata/2007-06/FederationMetadata.xml
Look for the following elements in the XML:
entityID="http://<ADFS-Server-Hostname>/adfs/services/trust"
SingleSignOnService Binding="....." Location="https://<ADFS-Server-Hostname>/adfs/ls/"
SingleLogoutService Binding="....." Location="https://<ADFS-Server-Hostname>/adfs/ls/"
| FortiPortal IdP Attribute | ADFS Server (FederationMetadata.xml) |
|---|---|
| SSO IdP Entity URL | entityID |
| IdP Sign On Service Endpoint URL | SingleSignOnService ... Location |
| IdP Sign On Service Redirect Endpoint URL | SingleLogoutService ... Location |
Note: the entityID is an http:// URL and is an identifier, not an address that is contacted; copy it exactly as it appears in the metadata. In ADFS the SingleSignOnService and SingleLogoutService locations are the same URL (https://<ADFS-Server-Hostname>/adfs/ls/), so that value is also what goes into IdP Logout Service Endpoint.
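Reading the endpoints out of FederationMetadata.xml by eye is where copy errors creep in. The following PowerShell is an added example, not part of the original article, that downloads the metadata and prints the entityID, the SingleSignOnService and SingleLogoutService locations per binding, and the token-signing certificate(s) the IdP advertises, which is a quick cross-check of what was pasted into FortiPortal. It runs from any host that can reach the ADFS server over HTTPS; the hostname is a placeholder.

```powershell
# Added example (not from the original article): extract the FortiPortal IdP
# values from the ADFS federation metadata and list the advertised signing certs.
$AdfsHost = 'adfs.fortilab.com'   # assumption: replace with the ADFS server hostname

$url = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$xml = [xml](Invoke-WebRequest -Uri $url -UseBasicParsing).Content

# The document is namespaced, so XPath needs a namespace manager.
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$idp      = $xml.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
$redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
$post     = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

function Get-Location($parent, $element, $binding) {
    $node = $parent.SelectSingleNode("md:$element[@Binding='$binding']", $ns)
    if ($node) { $node.GetAttribute('Location') } else { '(not published)' }
}

# ADFS publishes /adfs/ls/ for every one of these; the table above says which
# FortiPortal field each element feeds.
[pscustomobject]@{
    'entityID (SSO IdP Entity URL)'       = $xml.DocumentElement.GetAttribute('entityID')
    'SingleSignOnService HTTP-POST'       = Get-Location $idp 'SingleSignOnService' $post
    'SingleSignOnService HTTP-Redirect'   = Get-Location $idp 'SingleSignOnService' $redirect
    'SingleLogoutService HTTP-Redirect'   = Get-Location $idp 'SingleLogoutService' $redirect
} | Format-List

# Signing certificates. Two entries mean a rollover is staged: the secondary
# appears in metadata before it becomes primary, and FortiPortal holds only one.
$certs = $idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
"Signing certificates advertised: $($certs.Count)"
foreach ($c in $certs) {
    $b64  = ($c.InnerText -replace '\s', '')   # already the one-line form FortiPortal wants
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Base64Len  = $b64.Length
    }
}
```

Compare the thumbprint against the certificate pasted into FortiPortal (the Base64 text, with whitespace removed, should match one of the advertised entries). If the metadata lists two signing certificates, plan to update the FortiPortal SSO Certificate field before the primary changes.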
Test scenario:
Copyright 2024 Fortinet, Inc. All Rights Reserved.