FortiPortal
FortiPortal provides a comprehensive set of security management and analytics within a multi-tenant, multi-tier management framework.
tnesh
Staff
Article Id 282873
Description

 

This article describes how to configure FortiPortal SSO Remote Authentication using Active Directory Federation Services (ADFS).

 

Scope

 

FortiPortal v7.0 and v7.2.

Windows Server.

 

Solution

 

Things to note before proceeding with the configuration steps:

  1. Active Directory Federation Services (ADFS) is installed on the Windows server.
  2. An SSL certificate is configured to sign the ADFS login page.
  3. In this article, ADFS maps values from the AD user's attributes (Title, Company, Department) to the corresponding FortiPortal attributes.
    Note: The ADFS and FortiPortal attribute values must be identical. Choose whichever AD user attributes suit the environment.

 

SAML Assertion Attribute        | ADFS (IdP) Attribute | FortiPortal (SP) Attribute
Role Attribute                  | <user.title>         | System -> Settings -> Authentication -> View/Change SSO Roles -> View SSO Roles
Tenant Identification Attribute | <user.companyname>   | Edit Organization -> Domains
Site Attribute                  | <user.department>    | Edit Organization -> Sites name

 

 

Configuration steps:
SAML Service Provider (SP): FortiPortal.
SAML Identity Provider (IdP): Active Directory Federation Services (ADFS).

 

  • FortiPortal (SP):
  1. Go to FortiPortal -> Organization -> Edit -> enter the domain -> select Create.
    Note: This value will be used to find a match for the FPC Tenant Identification Attribute.


fpc-org-domain.png

 

  2. Go to FortiPortal -> Organization -> Edit -> Sites -> Site Names.
    Note: The Site Names value will be used to find a match for the FPC Site Attribute.


fpc-site=name.png

 

  3. Next, go to FortiPortal -> System -> Settings -> Authentication.
  4. At Authentication Access, select Remote -> proceed to enter the SAML-SSO configuration attributes.

 

fpc-remote-authen.png

 

Example:

Authentication Access                     | Remote
Enable Two-factor Authentication          | Unchecked
Remote Server                             | SSO
SSO IdP Entity URL                        | http://<ADFS-Server-Hostname>/adfs/services/trust
IdP Sign On Service Endpoint URL          | https://<ADFS-Server-Hostname>/adfs/ls/
IdP Sign On Service Redirect Endpoint URL | https://<ADFS-Server-Hostname>/adfs/ls/
SSO Application ID                        | https://<FPC-Portal>/fpc/saml/metadata
SSO Audience URL                          | https://<FPC-Portal>/fpc/saml/SSO
Role Attribute                            | fpc-role
Tenant Identification Attribute           | tenant-sso
SSO Error URL                             | (left blank in this example)
IdP Logout Service Endpoint               | https://<ADFS-Server-Hostname>/adfs/ls/
SSO Certificate                           | <IdP server certificate in Base64 encoded format> (see the steps below)
Site Attribute                            | site-sso
Domains                                   | fortilab.com
View/Change SSO Roles                     | Create a new SSO role

To obtain the SSO Certificate value:

  1. Download the ADFS (IdP) certificate from the ADFS server.
  2. Open it with Notepad.
  3. Remove the first and last rows (the BEGIN CERTIFICATE and END CERTIFICATE lines).
  4. Edit the content so that it becomes a single line.
  5. Copy and paste it into the FPC SSO Certificate field.

Note: The Domains value will be used to allow the user to access the FPC Administrator site.

Note: The SSO role will be used to find a match for the FPC Role Attribute.
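The certificate preparation above (remove the BEGIN/END rows, join the rest into one line) is easy to get subtly wrong in Notepad: a Windows line ending, a trailing space or a UTF-8 byte-order mark survives the paste and the value is no longer valid Base64. The following Python script is an added example, not code from the article or from Fortinet. It performs the same steps, additionally checks that what remains is Base64 that decodes to DER (a SEQUENCE tag), and also accepts a binary DER export, which it Base64-encodes directly. The sample input is a constructed placeholder and not a real certificate.

```python
import base64
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed placeholder input, NOT a real certificate: the Base64 body decodes to the
# DER structure SEQUENCE { INTEGER 1, INTEGER 2 } (bytes 30 06 02 01 01 02 01 02).
# A real Base-64 X.509 export looks the same but with many 64-character rows.
# Windows (CRLF) line endings are used on purpose, as Notepad would save them.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAYCAQEC\r\n"
    "AQI=\r\n"
    "-----END CERTIFICATE-----\r\n"
)


def _validate_base64_der(b64):
    """Reject anything that is not plain Base64 decoding to a DER SEQUENCE (0x30)."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("certificate body is not plain Base64 (stray characters or whitespace?)")
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE; not an X.509 certificate")
    return b64


def sso_certificate_line(exported):
    """Turn an exported IdP certificate into the single Base64 line the SSO Certificate field expects.

    `exported` is the file content as str or bytes. A Base-64 (.cer) export has its BEGIN/END
    rows removed and the remaining rows joined; a binary DER export is Base64-encoded directly.
    """
    if isinstance(exported, bytes):
        try:
            text = exported.decode("utf-8-sig")  # also drops a UTF-8 BOM that Notepad may add
        except UnicodeDecodeError:
            text = ""
        if not text.lstrip().startswith(PEM_BEGIN):
            # Not a Base-64 export, so treat the raw bytes as a binary DER export.
            return _validate_base64_der(base64.b64encode(exported).decode("ascii"))
        exported = text
    rows = [row.strip() for row in exported.splitlines()]  # splitlines() handles CRLF and LF
    if PEM_BEGIN not in rows or PEM_END not in rows:
        raise ValueError("expected a Base-64 encoded X.509 export with BEGIN/END CERTIFICATE rows")
    body = rows[rows.index(PEM_BEGIN) + 1 : rows.index(PEM_END)]
    return _validate_base64_der("".join(row for row in body if row))


if __name__ == "__main__":
    print(sso_certificate_line(SAMPLE_PEM))  # MAYCAQECAQI=
```

Run it against the exported file with `sso_certificate_line(open("adfs-signing.cer", "rb").read())` and paste the returned line; a ValueError means the export is not what the SSO Certificate field expects and should be redone rather than hand-edited.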

 

  5. Once done, select Save.
  6. Download the sp.xml file and copy it to the ADFS server.

 

  • Active Directory Federation Services - ADFS (IdP):
  1. Open ADFS Management on the ADFS server:

 

open-adfs.png

 

 

  2. Right-click Relying Party Trusts -> Add Relying Party Trust.


add-rp.png

 

 

  3. Select Start on the Welcome page -> select Import data about the relying party from a file -> browse to and select sp.xml -> select Next.

 

import-data-sp.xml.png

 

  4. Enter a Display name (e.g. FPC-SSO) -> select Next -> select Next.

 

display-name.png

 

  5. At the Ready to Add Trust page, verify all the attributes and select Next.

 

ready-to-add-trust.png

 

  6. At the Finish page, make sure Configure claims issuance policy is selected -> select Close.

 

checkbox-claim.png

 

  7. Once the wizard is closed, the Edit Claim Issuance Policy window opens.
    Note: Minimize the AD FS windows if the Edit Claim Issuance Policy window is not visible.

  8. In the Edit Claim Issuance Policy window, select Add Rule.

 

claim-add-rule.png

 

  9. At Choose Rule Type, select Send LDAP Attributes as Claims -> select Next.

 

ldap-attribute-claim.png

 

  10. At Configure Claim Rule, enter the Claim rule name -> select Active Directory as the attribute store -> add the following claim types -> select Finish.

 

LDAP Attribute   | Outgoing Claim Type
E-Mail Addresses | email
Title            | fpc-role
Company          | tenant-sso
Department       | site-sso

 

configure-claim-rule.png

 

  11. Next, add the second rule -> enter the Claim rule name -> select Transform an Incoming Claim -> add the following claim type -> select Finish.

Incoming claim type     | email
Incoming name ID format | Unspecified (greyed out)
Outgoing claim type     | Name ID
Outgoing name ID format | Unspecified

 

transform-incoming-claim.png

 

  12. Next, open PowerShell with administrator rights on the ADFS server and run the following command:

 

PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name <relying-party_name>

 

Example:


PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name FPC-SSO

  13. Verify that the output includes SamlResponseSignature: MessageAndAssertion. If not, run the following commands to update the value and verify again:

 

PS C:\Windows\system32> Set-AdfsRelyingPartyTrust -TargetName <relying-party_name> -SamlResponseSignature MessageAndAssertion
PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name <relying-party_name>

 

Example:


PS C:\Windows\system32> Set-AdfsRelyingPartyTrust -TargetName FPC-SSO -SamlResponseSignature MessageAndAssertion

PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name FPC-SSO

 

powershell-get-adfs.png

 

 

  14. Next, from the ADFS server, browse to the following URL to download the FederationMetadata.xml file:


https://<hostname>/FederationMetadata/2007-06/FederationMetadata.xml

 

download-adfs-metadata.png

 

  15. Open the FederationMetadata.xml file and look for the following attributes:


entityID="http://<ADFS-Server-Hostname>/adfs/services/trust"
SingleSignOnService Binding="…" Location="https://<ADFS-Server-Hostname>/adfs/ls/"
SingleLogoutService Binding="…" Location="https://<ADFS-Server-Hostname>/adfs/ls/"

 

  16. Compare the above values with the FortiPortal SSO attributes. Make sure both values are the same:
    Note: If a value differs, update the FortiPortal IdP attributes (under the first section, step 4) to match the ADFS FederationMetadata.xml.

FortiPortal IdP Attributes                | ADFS Server
SSO IdP Entity URL                        | entityID
IdP Sign On Service Endpoint URL          | SingleSignOnService … Location
IdP Sign On Service Redirect Endpoint URL | SingleLogoutService … Location
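Steps 14 to 16 can be scripted, which helps when the ADFS hostname or endpoints change after a farm rebuild and FortiPortal silently keeps the old values. The following Python script is an added example, not code from the article or from Fortinet: it parses a FederationMetadata.xml with the standard library and checks each FortiPortal IdP field against what ADFS advertises. The field names are those of the example table in the FortiPortal section; the sample metadata and the hostname adfs.fortilab.example are constructed placeholders; and pairing the two Sign On fields with the SingleSignOnService locations and the Logout field with the SingleLogoutService locations follows the example configuration, where all three point at /adfs/ls/. The check also flags whitespace inside a value (for instance a space pasted after https://), because FortiPortal would use such a value literally.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, heavily trimmed FederationMetadata.xml; the hostname is a placeholder. A real
# file also carries the signing certificate, claim descriptions and WS-Federation elements.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.fortilab.example/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.fortilab.example/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.fortilab.example/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.fortilab.example/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.fortilab.example/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Placeholder FortiPortal values, keyed by the field names on System -> Settings -> Authentication.
SAMPLE_SETTINGS = {
    "SSO IdP Entity URL": "http://adfs.fortilab.example/adfs/services/trust",
    "IdP Sign On Service Endpoint URL": "https://adfs.fortilab.example/adfs/ls/",
    "IdP Sign On Service Redirect Endpoint URL": "https://adfs.fortilab.example/adfs/ls/",
    "IdP Logout Service Endpoint": "https://adfs.fortilab.example/adfs/ls/",
}


def parse_idp_metadata(xml_text):
    """Extract entityID and the SSO/SLO endpoints (keyed by binding) from SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD_NS}}}{tag}")}

    return {
        "entityID": root.get("entityID"),
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
    }


def check_fortiportal_idp_settings(settings, md):
    """Return a list of mismatches between FortiPortal's IdP fields and the parsed metadata.

    An empty list means every field carries a value ADFS actually advertises. Comparison is
    exact (scheme, host, path and trailing slash), as the article requires.
    """
    expected = {
        "SSO IdP Entity URL": {md["entityID"]},
        "IdP Sign On Service Endpoint URL": set(md["sso"].values()),
        "IdP Sign On Service Redirect Endpoint URL": set(md["sso"].values()),
        "IdP Logout Service Endpoint": set(md["slo"].values()),
    }
    problems = []
    for field, allowed in expected.items():
        value = settings.get(field, "")
        if any(ch.isspace() for ch in value):
            problems.append(f"{field}: contains whitespace ({value!r}); the value would be used literally")
        elif value not in allowed:
            problems.append(f"{field}: {value!r} is not advertised by ADFS; expected one of {sorted(allowed)}")
    return problems


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    for line in check_fortiportal_idp_settings(SAMPLE_SETTINGS, md) or ["all FortiPortal IdP fields match"]:
        print(line)
```

To use it against a live deployment, load the downloaded file with `parse_idp_metadata(open("FederationMetadata.xml", encoding="utf-8").read())` and fill `SAMPLE_SETTINGS` with the values shown on the FortiPortal Authentication page; the entityID check in particular catches the common slip of typing https:// where ADFS advertises http://.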

 

 

Test scenario:

  1. Go to the FortiPortal login page -> enter the Active Directory user with domain -> select Login with Single Sign-On.


fpc-sso-login.png

 

  2. The page redirects to the ADFS server login page. Proceed to log in with the Active Directory user credentials.

 

fpc-redirect-adfs.png

 

  3. If all the attributes are mapped correctly, the user will be able to log in to the FortiPortal page with the role, tenant and site derived from the SSO attribute values.
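When the ADFS login succeeds but FortiPortal does not grant the expected role, tenant or site, the usual cause is a claim value that does not exactly equal the value configured in FortiPortal (the note at the top of this article). The following Python script is an added example, not code from the article or from Fortinet: it reads the AttributeStatement of a SAML assertion (for instance one decoded from the SAMLResponse captured in the browser's developer tools) and resolves role, tenant and site the way the article describes the matching, reporting any claim that is absent or unmatched. The assertion, the user and the FortiPortal values (role names, domain, site names) are constructed placeholders, and exact, case-sensitive comparison is this example's assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment, roughly what ADFS emits for the claim rules in this article
# (a real assertion is signed and sits inside a Response; the user and values are placeholders).
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <Issuer>http://adfs.fortilab.example/adfs/services/trust</Issuer>
  <Subject><NameID>jdoe@fortilab.com</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="email"><AttributeValue>jdoe@fortilab.com</AttributeValue></Attribute>
    <Attribute Name="fpc-role"><AttributeValue>Tenant Admin</AttributeValue></Attribute>
    <Attribute Name="tenant-sso"><AttributeValue>fortilab.com</AttributeValue></Attribute>
    <Attribute Name="site-sso"><AttributeValue>HQ</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

# Placeholder FortiPortal side: the claim names entered as Role Attribute, Tenant Identification
# Attribute and Site Attribute, and the values that exist under View SSO Roles,
# Edit Organization -> Domains and Edit Organization -> Sites.
FPC_CLAIM_NAMES = {"role": "fpc-role", "tenant": "tenant-sso", "site": "site-sso"}
FPC_KNOWN_VALUES = {
    "role": {"Tenant Admin", "Viewer"},
    "tenant": {"fortilab.com"},
    "site": {"HQ", "Branch-1"},
}


def saml_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_sso_user(attrs, claim_names=FPC_CLAIM_NAMES, known=FPC_KNOWN_VALUES):
    """Resolve role, tenant and site as the article describes the matching: the claim named in the
    FortiPortal settings must be present, and one of its values must equal a configured value.
    Exact, case-sensitive comparison is assumed here. Returns (mapping, problems)."""
    mapping, problems = {}, []
    for key, claim in claim_names.items():
        values = attrs.get(claim, [])
        if not values:
            problems.append(f"{key}: claim {claim!r} is absent (AD attribute empty, or not in the LDAP claim rule)")
            continue
        matched = [v for v in values if v in known[key]]
        if not matched:
            problems.append(f"{key}: claim {claim!r} value(s) {values!r} match none of {sorted(known[key])}")
            continue
        mapping[key] = matched[0]
    return mapping, problems


if __name__ == "__main__":
    mapping, problems = map_sso_user(saml_attributes(SAMPLE_ASSERTION))
    print(mapping)
    for line in problems:
        print("problem:", line)
```

A typical finding is a site claim of "hq" against a configured site name "HQ", or a missing tenant claim because the user's Company attribute in AD was never filled in; both show up as explicit problems rather than as a generic login failure.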