kiri
Staff
Article Id 241591
Description This article describes how to configure FortiGate to accept administrator logins over SAML, with FortiAuthenticator acting as the SAML IdP and validating the credentials against LDAP.
Scope FortiAuthenticator 6.X.
FortiGate 6.2, 6.4, 7.X.
Solution

In FortiAuthenticator, follow the steps below:

  1. Enable the SAML Identity Provider portal.
  2. Set the server address (an IP or, preferably, an FQDN) and a prefix. These two values form the IdP entity ID and the single sign-on/logout URLs that FortiGate is pointed at later.
  3. Select the realm to authenticate against; in this case, select the LDAP realm.
  4. Create a remote user group for that realm, add the users who are allowed to log in as admins, and set a filter for the group.

 

1.jpg

 

  5. Download the IdP server certificate highlighted above. FortiGate uses it to verify the signature on the assertions this IdP issues, so it must be the certificate the IdP signs with.

    2.jpg

  6. Create an SP entry for the FortiGate:

    3.jpg

Add the following claim, filling in details as necessary:
SAML attribute: 'username' (FortiGate looks for an attribute with exactly this name).
User attribute: Remote LDAP Server: samAccountName, or whichever Username attribute is configured under Authentication, Remote Auth. Servers, LDAP.
                               

4.jpg
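
The claim mapping is where most failed SSO logins originate: the SAML attribute must be named 'username', whichever LDAP attribute FortiAuthenticator copies into it. The following is an added example, not Fortinet code and not part of this article, that checks an assertion the way a reviewer would before comparing it with what FortiGate's samld debug reports. The two assertions are constructed samples; the SP entity ID format http://<server-address>/metadata/ is an assumption about how FortiOS builds it (confirm against the SP metadata your own FortiGate shows), and the XML signature is deliberately not verified here (FortiGate does that with the uploaded IdP certificate).

```python
"""Check a SAML assertion for the claim FortiGate admin SSO needs.

Added example for this article, not Fortinet code.  FortiGate looks for an attribute
named exactly 'username'; which LDAP attribute FortiAuthenticator copies into it
(sAMAccountName or the configured Username attribute) is the IdP's side of the mapping.
The assertions below are constructed samples, and the XML signature is not verified here
(FortiGate does that with the uploaded IdP certificate); only issuer, audience, validity
window and the 'username' claim are checked.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# IdP entity ID as in the article's CLI sample.
IDP_ENTITY_ID = "http://fortiauth.local/saml-idp/fgtadm/metadata/"
# SP entity ID.  Assumption: FortiOS builds it as http://<server-address>/metadata/;
# confirm against the SP metadata your own FortiGate shows.
SP_ENTITY_ID = "http://10.191.19.149:4443/metadata/"


def _utc(stamp):
    """Parse the YYYY-MM-DDTHH:MM:SSZ timestamps SAML uses (works on Python 3.7+)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _sample_assertion(attr_name):
    """Constructed assertion shaped like an IdP-issued one, carrying one attribute."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_1" Version="2.0"
    IssueInstant="2023-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2023-01-01T11:59:00Z" NotOnOrAfter="2023-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{attr_name}"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


GOOD_ASSERTION = _sample_assertion("username")
# The usual mistake: naming the claim after the LDAP attribute instead of 'username'.
BAD_ASSERTION = _sample_assertion("sAMAccountName")


def check_assertion(xml_text, expected_issuer, expected_audience, now_utc):
    """Return (username, problems).  username is None and problems is non-empty when
    the assertion would not log an admin in; now_utc is a SAML-style timestamp string."""
    root = ET.fromstring(xml_text)
    now = _utc(now_utc)
    problems = []

    # Issuer must equal the idp-entity-id configured on the FortiGate.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match idp-entity-id {expected_issuer!r}")

    # Validity window and audience: clock skew and a wrong SP entity ID both reject here.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (not_before and now < _utc(not_before)) or (not_on_or_after and now >= _utc(not_on_or_after)):
            problems.append("assertion is outside its validity window (check NTP on both devices)")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include the SP entity ID {expected_audience!r}")

    # The claim itself: attribute Name must be 'username', value must be non-empty.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    username = attrs.get("username") or None
    if username is None:
        problems.append(f"no 'username' attribute; assertion carries {sorted(attrs)}")
    return username, problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(text, IDP_ENTITY_ID, SP_ENTITY_ID, "2023-01-01T12:00:30Z"))
```

The 'bad' sample carries the user's login name under sAMAccountName, which is what a FortiAuthenticator claim mapped without renaming would produce; the check reports it as a missing 'username' attribute, which is the symptom to look for when the IdP login succeeds but the FortiGate session is never created.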

 

Follow the steps below in FortiGate:

 

  1. Enable SSO Admin login.
  2. For the IdP address, provide the same IP or FQDN (preferred) and prefix that were configured on FortiAuthenticator in step 2 above; FortiGate derives the IdP entity ID and single sign-on/logout URLs from them.
  3. Upload the IdP certificate downloaded in FortiAuthenticator step 5.

    5.jpg

     

    Alternatively, configure the same thing from the CLI. The values below are examples: the entity ID and URLs follow FortiAuthenticator's saml-idp/<prefix>/ layout, idp-cert names the IdP certificate uploaded in step 3, server-address is the address and port on which admins reach this FortiGate (the SP entry on FortiAuthenticator must point back to it), and default-profile is the access profile SSO admins receive in this setup, so choose it deliberately rather than leaving super_admin:

    config system saml
        set status enable
        set default-profile "super_admin"
        set idp-entity-id "http://fortiauth.local/saml-idp/fgtadm/metadata/"
        set idp-single-sign-on-url "https://fortiauth.local/saml-idp/fgtadm/login/"
        set idp-single-logout-url "https://fortiauth.local/saml-idp/fgtadm/logout/"
        set idp-cert "fortiauth.local_SAN"
        set server-address "10.191.19.149:4443"
    end
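
Every value in that CLI block except default-profile, idp-cert and server-address can be read straight out of the IdP metadata FortiAuthenticator publishes at https://<server>/saml-idp/<prefix>/metadata/ (the article's entity ID is that same URL). The following is an added example, not Fortinet code and not part of this article, that parses such metadata and renders the FortiGate block, extracts the signing certificate as a PEM file for upload, and lists the SP endpoints FortiAuthenticator's SP entry has to carry. The metadata is a constructed sample with a placeholder certificate, and the SP endpoint layout (http://<server-address>/metadata/, https://<server-address>/saml/?acs, https://<server-address>/saml/?sls) is an assumption about FortiOS defaults to verify against your unit's own SP metadata.

```python
"""Build the FortiGate 'config system saml' block from FortiAuthenticator IdP metadata.

Added example for this article, not Fortinet code.  FortiAuthenticator serves IdP metadata
at https://<server>/saml-idp/<prefix>/metadata/ (assumption: that URL is also the IdP entity
ID, as in the article's CLI sample).  The metadata below is constructed to match that shape;
its certificate is a base64 placeholder, not a real X.509 certificate.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder so the sample is valid base64 without shipping a real certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()

SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://fortiauth.local/saml-idp/fgtadm/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>@@CERT@@</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fortiauth.local/saml-idp/fgtadm/logout/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fortiauth.local/saml-idp/fgtadm/login/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fortiauth.local/saml-idp/fgtadm/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("@@CERT@@", FAKE_CERT_B64)


def _location(desc, tag, binding=HTTP_REDIRECT):
    """Pick the endpoint for one binding; the browser is redirected, so HTTP-Redirect is the one FortiGate uses."""
    for el in desc.findall(f"md:{tag}", NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    raise ValueError(f"no {tag} endpoint with binding {binding}")


def parse_idp_metadata(xml_text):
    """Extract entity ID, SSO/SLO URLs and the signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    key = desc.find("md:KeyDescriptor[@use='signing']", NS)
    if key is None:  # some IdPs omit use=; fall back to the first KeyDescriptor
        key = desc.find("md:KeyDescriptor", NS)
    cert = key.find(".//ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": _location(desc, "SingleSignOnService"),
        "slo_url": _location(desc, "SingleLogoutService"),
        "cert_b64": "".join(cert.text.split()),  # strip the line breaks metadata tends to carry
    }


def to_pem(cert_b64):
    """Wrap the metadata certificate as PEM, the form the FortiGate certificate store imports."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sp_endpoints(server_address):
    """What the SP entry on FortiAuthenticator must carry for this FortiGate.
    Assumption: FortiOS derives these from server-address as shown; verify on your unit."""
    return {
        "entity_id": f"http://{server_address}/metadata/",
        "acs_url": f"https://{server_address}/saml/?acs",
        "sls_url": f"https://{server_address}/saml/?sls",
    }


def fortigate_saml_config(idp, server_address, cert_name, default_profile="super_admin"):
    """Render the CLI block the article enters by hand; cert_name is the name given on upload."""
    host = server_address.split(":")[0]
    if not host:
        raise ValueError("server-address must be host or host:port")
    return textwrap.dedent(f"""\
        config system saml
            set status enable
            set default-profile "{default_profile}"
            set idp-entity-id "{idp['entity_id']}"
            set idp-single-sign-on-url "{idp['sso_url']}"
            set idp-single-logout-url "{idp['slo_url']}"
            set idp-cert "{cert_name}"
            set server-address "{server_address}"
        end
    """)


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print(fortigate_saml_config(idp, "10.191.19.149:4443", "fortiauth.local_SAN"))
    print(to_pem(idp["cert_b64"]))
    print(sp_endpoints("10.191.19.149:4443"))
```

Fetch the real metadata with the browser or curl, feed it to parse_idp_metadata, and diff the rendered block against 'show system saml' on the FortiGate; a typo in the prefix or a trailing slash missing from a URL shows up as a mismatch here long before it shows up as a rejected assertion in samld.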

     

  4. Log out of FortiGate, refresh the login page, select the SSO login option, and authenticate with LDAP credentials on FortiAuthenticator (the IdP):

     

    6.jpg

     

    7.jpg

     

  5. If the steps above were completed correctly, the login succeeds and the session is shown as an SSO admin:

    8.jpg

    9.jpg

  6. There is currently no option to configure SAML SSO admin authentication per VDOM. As a workaround, where it fits, these steps can be taken:
    1. If possible, set the FortiGate's SSO URL to an FQDN and use DNS to resolve that FQDN to different VDOM IPs, so that different users reach the FortiGate on different IPs through the same FQDN.
    2. Add the VDOM to the admin account's VDOM list (not ideal if permissions are a concern).
    3. Change the SSO URL to the IP of the VDOM that is needed. Refer to this article on how to resolve two different IPs per FQDN.

If admin users must be bound to specific SAML accounts and given access to a specific VDOM, follow Technical Tip: FortiGate - Admin login with remote Radius and vdom access profile, which uses:

  • FortiAuthenticator acting as a RADIUS Server.
  • FortiGate is configured as a RADIUS client, with remote admin wildcard group, and VDOM override enabled.

 

Troubleshooting:
Useful debug commands: httpsd (general admin GUI debugging) and samld (SAML-specific debugging). Enable them on the FortiGate CLI before attempting the SSO login, then reproduce the failure; level -1 is verbose, so disable and reset debugging ('diagnose debug disable', then 'diagnose debug reset') once done.
Usage:

diagnose debug application httpsd -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable