Support Forum
80211WiGuy
New Contributor III

SAML IdP - Sending specific assertion attribute (role) to SP based on user LDAP group membership

Hey Gang,

I'm not really sure what the right terminology is for this but I expect it's a pretty common request.  We've created a few special groups in LDAP and dropped users into those various groups.  Based on the user's group membership, we want to send a single relevant role back to the SP when the user logs in via SAML.  FAC pulls the user groups from LDAP just fine for all our other use cases but we've never had to restrict down which groups are provided in auth responses, and we're not sure if the LDAP group being directly provided to the SP is best practice.  Right now when we choose LDAP group as role, the response sent to the SP is all groups a user is a member of, which doesn't work for our purposes, nor does it seem secure/private to provide all that irrelevant info.


Are there any best practice guides floating around for this sort of use case?
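The behaviour asked for above, as an added illustration that is not FortiAuthenticator code and not part of the original post: an IdP-side mapping that turns a user's full LDAP memberOf list into one application role and emits a SAML 2.0 AttributeStatement carrying only that role, plus the SP-side check that accepts exactly one known role value. The group DNs, the attribute name "role", and the precedence order are constructed assumptions; a real SP dictates the attribute name it expects.

```python
"""Map LDAP group membership to a single SAML role attribute.

Constructed example (not FortiAuthenticator code). It models the IdP-side
choice discussed in the thread: release one application role derived from
group membership instead of the user's whole group list, and have the SP
accept only an expected role value.
"""
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Hypothetical attribute name; the real one is whatever the SP expects.
ROLE_ATTRIBUTE_NAME = "role"

# Constructed, ordered group -> role map. Order is precedence: a user in both
# the admin and viewer groups gets "admin". Only groups listed here ever
# influence what the SP sees; every other membership stays private to the IdP.
GROUP_TO_ROLE = [
    ("CN=app-admins,OU=Groups,DC=example,DC=com", "admin"),
    ("CN=app-editors,OU=Groups,DC=example,DC=com", "editor"),
    ("CN=app-viewers,OU=Groups,DC=example,DC=com", "viewer"),
]
ALLOWED_ROLES = {role for _, role in GROUP_TO_ROLE}


def select_role(member_of):
    """Return the highest-precedence role for the user's groups, or None.

    DNs are compared case-insensitively, matching how LDAP treats attribute
    types and (for the common DN syntaxes) values.
    """
    groups = {g.lower() for g in member_of}
    for group_dn, role in GROUP_TO_ROLE:
        if group_dn.lower() in groups:
            return role
    return None  # no mapped group: let the caller deny rather than guess


def build_attribute_statement(member_of):
    """Build a SAML 2.0 AttributeStatement carrying only the mapped role.

    Returns None when the user is in no mapped group, so the IdP can fail the
    login instead of issuing an assertion with no authorization data.
    """
    role = select_role(member_of)
    if role is None:
        return None
    stmt = ET.Element(f"{{{SAML_ASSERTION_NS}}}AttributeStatement")
    attr = ET.SubElement(
        stmt, f"{{{SAML_ASSERTION_NS}}}Attribute", Name=ROLE_ATTRIBUTE_NAME
    )
    ET.SubElement(attr, f"{{{SAML_ASSERTION_NS}}}AttributeValue").text = role
    return ET.tostring(stmt, encoding="unicode")


def sp_extract_role(attribute_statement_xml):
    """SP side: accept exactly one role value, and only a known one.

    Raises ValueError on a missing, duplicated or unexpected value, so an
    assertion carrying stray group names or two conflicting roles is rejected
    instead of being mapped to some default.
    """
    root = ET.fromstring(attribute_statement_xml)
    values = [
        v.text
        for a in root.findall(f"{{{SAML_ASSERTION_NS}}}Attribute")
        if a.get("Name") == ROLE_ATTRIBUTE_NAME
        for v in a.findall(f"{{{SAML_ASSERTION_NS}}}AttributeValue")
    ]
    if len(values) != 1:
        raise ValueError(
            f"expected exactly one {ROLE_ATTRIBUTE_NAME} value, got {len(values)}"
        )
    if values[0] not in ALLOWED_ROLES:
        raise ValueError(f"unknown role {values[0]!r}")
    return values[0]


if __name__ == "__main__":
    # Constructed memberOf list: many groups, most irrelevant to this SP.
    member_of = [
        "CN=vpn-users,OU=Groups,DC=example,DC=com",
        "CN=app-viewers,OU=Groups,DC=example,DC=com",
        "CN=finance,OU=Groups,DC=example,DC=com",
        "CN=App-Editors,OU=Groups,DC=example,DC=com",
    ]
    xml_stmt = build_attribute_statement(member_of)
    print(xml_stmt)                   # one Attribute with a single value
    print(sp_extract_role(xml_stmt))  # editor
```

The point the mapping table makes is the one the question raises: the SP never learns about vpn-users or finance, and a user who is in none of the mapped groups gets no assertion rather than an empty role. Whether the mapping lives in the IdP (as FortiAuthenticator's group-to-attribute options allow) or in a RADIUS attribute the IdP copies into the assertion, the SP-side check stays the same.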

6 REPLIES
rbraha
Staff

Hi @80211WiGuy 

You can achieve this by configuring the CN of the group on the FGT, and on the FAC side you can configure LDAP group membership as the assertion attribute.


80211WiGuy
New Contributor III

Hi RB,

Sorry, I don't understand why the FGT is involved here.  We are trying to solve a FAC SAML IdP and Service Provider authentication issue.  The user would not even be behind a FGT if they were trying to authenticate to the Service Provider from home.

Sx11
Staff

Hi 80211WiGuy,


If the requirement is to send a single relevant role back to the SP, then you might check the option of using attributes from a remote RADIUS server.


FortiAuthenticator can include attributes returned by the remote RADIUS servers into assertions returned by the SAML IdP.

There is a new option in the GUI to configure a SAML assertion containing the value of a RADIUS attribute:

  • A new RADIUS attribute user attribute is available when you create an assertion attribute for a SAML service provider in Authentication > SAML IdP > Service Providers.

https://docs.fortinet.com/document/fortiauthenticator/6.3.0/release-notes/568509/whats-new#SAML_IdP_...


Description in the Service Providers tab:

https://docs.fortinet.com/document/fortiauthenticator/6.6.0/administration-guide/19212/service-


SAML Attribute:

Remote RADIUS server:

  • RADIUS attribute

When RADIUS attribute is selected as the User attribute, the following additional settings are available in the Create New Assertion Attribute dialog:

  • Vendor: The RADIUS vendor name.

  • Attribute ID: The attribute within the vendor's RADIUS dictionary.


Regards

sx11
80211WiGuy
New Contributor III

Thanks Sx11, we'll assess if this is a possibility.

80211WiGuy
New Contributor III

Hi Sx11, is there a way to use the RADIUS server built into FAC for this?

Sx11

Hi 80211WiGuy, this will work only with an integration with a remote RADIUS server.

sx11