I am exploring the SAML part of FortiAuthenticator. Luckily my SAML configuration between FG and FAC is working as expected. Now, I am trying to add FML to participate in SAML. Searching the web I found a cookbook related to Azure AD and FML SAML configuration: Configuring SSO on FortiMail | FortiMail 7.2.0 | Fortinet Document Library
Appreciate it if anyone could share a link or document that could help me achieve my goal.
Hi @R_F
I haven't found a specific cookbook for SAML integration between FortiAuthenticator (FAC) and FortiMail (FML).
But in principle it is all the same as other SAML configurations.
So if you followed and made "Azure AD as SAML IDP for FortiMail SSO authentication", then the Azure AD service is the SAML IdP. IdP stands for Identity Provider: the party which actually authenticates and authorizes users on the SP (Service Provider), by telling (indirectly) that SP that a particular user is (or is not) allowed to use the services provided by the SP after successful authentication, and so after authorization.
The configuration which allows SAML between IdP and SP is basically the configuration of a trusted, encrypted and bi-directionally authenticated channel between those two SAML entities. That's why Entity IDs, certificates and metadata are there: to exchange identity info about the respective counterparty. Thus the IdP knows which SP is authorized to ask for user credential verification, and the SP knows whom to ask for that user verification. And that trusted channel is the guarantee that those two will talk only to a verified provider and that the data carried will be OK.
Therefore your FML will be that SP (again as in Azure case), but in role of IdP there will be FAC, not Azure.
So the IdP parts of FML's SAML configuration will be taken from how you set up your FAC. And vice versa.
Setup for authorized SPs on FAC is described here:
https://docs.fortinet.com/document/fortiauthenticator/6.5.3/administration-guide/19212/service-provi...
SAML in the Cookbook for FAC is here, but as said, nothing specific for FML there.
https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/362779/saml-authentication
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi @R_F ,
I couldn't find a single document either. But the documents below will give you some inputs on how to configure FAC as SAML IdP and FML as SAML SP. The procedure should be similar to your FortiGate one. So I would suggest you perform the steps in FAC the same way you did for FortiGate, export the metadata and import it in FortiMail as described in the articles below.
https://docs.fortinet.com/document/fortiauthenticator/6.5.3/administration-guide/817031/saml-idp
https://docs.fortinet.com/document/fortimail/7.2.0/cookbook/464375/configuring-sso-on-fortimail
If you face any challenge after performing the steps, please let us know.
Best Regards,
Saneesh