Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
80211WiGuy
New Contributor III

SAML IdP - Sending specific asertion attribute (role) to SP based on user LDAP group membership

Hey Gang,

I'm not really sure what the right terminology is for this but I expect its a pretty common request.  We've created a few special groups in LDAP and dropped users into those various groups.  Based on the user's group membership, we want to send a single relevant role back to the SP when the user logs in via SAML.  FAC pulls the user groups from LDAP just fine for all our other use cases but we've never had to restrict down which groups are provided in auth responses, and we're not sure if the LDAP group being directly provided to the SP is best practice.  Right now when we chose LDAP group as role, the response sent to the SP is all groups a user is a member of which doesn't work for our purposes, nor does it seem secure/private to provide all that irrelevant info.

 

Are there any best practice guides floating around for this sort of use case?

6 REPLIES 6
rbraha
Staff
Staff

Hi @80211WiGuy 

You can achieve this by configuring CN of the Group on FGT and on FAC side you can configure as assertion attribute  Ldap group membership.

 

111.png

 

80211WiGuy
New Contributor III

Hi RB,

Sorry, I dont understand why the FGT is involved here.  We are trying to solve a FAC SAML IdP and Service Provider authentication issue.  The user would not even be behind a FGT if they were trying to authenticate to the Service Provider from home.

Sx11
Staff
Staff

Hi 80211WiGuy,

 

if the requirement is to send a single relevant role back to the SP then you might check the option of using attributes from a remote RADIUS server.

 

 

FortiAuthenticator can include attributes returned by the remote RADIUS servers into assertions returned by the SAML IdP.

There is a new option in the GUI to configure a SAML assertion containing the value of a RADIUS attribute:

  • A new RADIUS attribute user attribute is available when you create an assertion attribute for a SAML service provider in Authentication > SAML IdP > Service Providers.

https://docs.fortinet.com/document/fortiauthenticator/6.3.0/release-notes/568509/whats-new#SAML_IdP_...

 

Description in the Service Providers tab:

https://docs.fortinet.com/document/fortiauthenticator/6.6.0/administration-guide/19212/service-

 

SAML Attribute:

Remote RADIUS server:

  • RADIUS attribute

When RADIUS attribute is selected as the User attribute, the following additional settings are available in the Create New Assertion Attribute dialog:

  • Vendor: The RADIUS vendor name.

  • Attribute ID: The attribute within the vendor's RADIUS dictionary.

 

Regards

sx11
80211WiGuy
New Contributor III

Thanks Sx11, we'll assess if this is a possibility.

80211WiGuy
New Contributor III

Hi Sx11, is there a way to use the RADIUS server built into FAC for this?

Sx11

Hi 80211WiGuy, this will work only with an integration with a remote Radius server.

sx11
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors