
FortiAuthenticator and FML SAML Configuration

I am exploring the SAML part of FortiAuthenticator. Luckily, my SAML configuration between FG and FAC is working as expected. Now I am trying to add FML to participate in SAML. Searching the web, I found a cookbook related to Azure AD and FML SAML configuration: Configuring SSO on FortiMail | FortiMail 7.2.0 | Fortinet Document Library


Appreciate it if anyone could share a link or document that could help me achieve my goal.


Hi @R_F 

I haven't found a specific cookbook for SAML integration between FortiAuthenticator (FAC) and FortiMail (FML).
But in principle it is all the same as other SAML configurations.
So if you followed and made "Azure AD as SAML IDP for FortiMail SSO authentication" then there is Azure AD service as SAML IdP. That IdP stands for Identity Provider. A party which actually does authentication and authorizes users on the SP (Service Provider), by telling (indirectly) that SP that a particular user is (or is not) allowed to use services provided by the SP after successful authentication and so after authorization.

Configuration which allows SAML between IdP and SP is basically configuration of a trusted, encrypted and bi-directionally authenticated channel between those two SAML entities. That's why Entity IDs, certificates and metadata are there, to exchange identity info about the respective counterparty. Thus the IdP knows which SP is authorized to ask for user credentials verification and the SP knows whom to ask for that user verification. And that trusted channel is a guarantee that those will talk only to a verified provider and data carried will be OK.


Therefore your FML will be that SP (again as in the Azure case), but in the role of IdP there will be FAC, not Azure.
So the IdP parts of FML's SAML will be taken from how you'll set your FAC. And vice versa.

Setup for authorized SPs on FAC is described here: 

SAML in Cookbook for FAC is here, but as said nothing specific for FML there. 


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff


Hi @R_F ,


I couldn't find a single document either. But the documents below will give you some input on how to configure FAC as SAML IdP and FML as SAML SP. The procedure should be similar to your FortiGate. So I would suggest you perform the steps in FAC the same way you did for FortiGate, export the metadata, and import it in FortiMail as described in the articles below.


If any challenge after performing the steps, please let us know.


Best Regards,


