Fortinet services
1. Configuring SAML for FortiGate
Step 1
Go to System > Certificate:
Click “create/import” button
Add certificate
Step 2
Go to User & Authentication > Single-Sign-On:
Click “Create New” button
Type name and click next
In Identity Provider Details select type Custom
Entity ID - <HES address>
Assertion consumer service URL - <HES address>/Saml/Login
Single logout service URL - <HES address>/Saml/Logout
Certificate - select imported certificate
Attribute used to identify users - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Click “Submit” button
Edit created config
Click edit in CLI
In CLI Console type commands (straight quotes, as the CLI expects):
set sp-single-sign-on-url "https://fortigate.hideez.com/remote/saml/login"
set sp-single-logout-url "https://fortigate.hideez.com/remote/saml/logout"
Close CLI Console
Step 3
Go to User & Authentication > User Groups:
Add user to SSO group
Step 4
Timeout configuration:
Run CLI Console
Type command:
Step 5
Configure firewall.
For configuring SAML refer to the following guide - https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/736845/saml
For configuring SAML SSO in the GUI refer to this guide - https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/989067/configuring-saml-sso-in-the-gui
Setting HES
Go to Settings -> Parameters -> SAML section
Click Add Service Provider button
Issuer - Entity ID from FortiMail
Assertion Consumer Service - ACS URL from FortiMail
Public x509 Certificate - Certificate from FortiMail
NameID Format - Email
NameID Value - Email
2. Configuring SAML for FortiMail
Setting FortiMail
Go to System -> Customization -> Single Sign On:
Toggle “Enabled” switch to on
Toggle “Webmail” switch to on
Insert the IdP (HES) metadata as text or file in the Identity Provider (IDP) Metadata section
Click Apply
Download the SP (FortiMail) metadata
Setting HES
Go to Settings -> Parameters -> SAML section:
Click Add Service Provider button:
Issuer - Entity ID from FortiMail
Assertion Consumer Service - ACS URL from FortiMail
Public x509 Certificate - Certificate from FortiMail
NameID Format - Email
NameID Value - Email
Add Assertion Attributes:
SAML Attribute - urn:oid:0.9.2342.19200300.100.1.3
User Attribute - Email
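The two "Setting HES" steps above (for FortiGate and FortiMail) ask you to copy the Entity ID, ACS URL and X.509 certificate out of the service provider's metadata by hand. The following added example, which is not part of the Hideez or Fortinet documentation, pulls those values out of a downloaded SP metadata file and flags settings a defender would want to double-check (non-HTTPS ACS, unsigned assertions, missing emailAddress NameID format). The metadata document, hostnames and certificate text are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata standing in for the file downloaded from FortiMail.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://fortimail.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICCONSTRUCTEDCERTBASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fortimail.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def extract_sp_settings(metadata_xml):
    """Return the Issuer, ACS URL and certificate to enter in HES, plus warnings."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        raise ValueError("no AssertionConsumerService endpoint in metadata")
    # Use the endpoint flagged isDefault; otherwise the first one listed.
    default = next((e for e in acs if e.get("isDefault") == "true"), acs[0])
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)]
    warnings = []
    if not default.get("Location", "").startswith("https://"):
        warnings.append("ACS URL is not HTTPS; assertions would be posted in clear")
    if sp.get("WantAssertionsSigned") != "true":
        warnings.append("SP does not require signed assertions")
    if "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" not in formats:
        warnings.append("SP does not list the emailAddress NameID format HES is set to")
    return {
        "issuer": root.get("entityID"),
        "acs_url": default.get("Location"),
        "certificate": cert.text.strip() if cert is not None else None,
        "warnings": warnings,
    }
```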