Fortinet services

1. Configuring SAML for FortiGate

Step 1

Go to System > Certificate:
  • Click “create/import” button
  • Add certificate

Step 2

Go to User & Authentication > Single-Sign-On:
  • Click “Create New” button
  • Type name and click next
  • In Identity Provider Details select type Custom
  • Entity ID - <HES address>
  • Assertion consumer service URL - <HES address>/Saml/Login
  • Single logout service URL - <HES address>/Saml/Logout
  • Certificate - select imported certificate
  • Attribute used to identify users - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • Click “Submit” button
  • Edit created config
  • Click edit in CLI
  • In CLI Console type commands:
    • set sp-single-sign-on-url "https://fortigate.hideez.com/remote/saml/login"
    • set sp-single-logout-url "https://fortigate.hideez.com/remote/saml/logout"
  • Close CLI Console

Step 3

Go to User & Authentication > User Groups:
  • Add user to SSO group

Step 4

Timeout configuration:
  • Run CLI Console
  • Type commands:
      config system global
      set remoteauthtimeout 180
      end
      config vpn ssl settings
      set login-timeout 180
      end

Step 5

Configure firewall.

Setting HES

  1. Go to Settings -> Parameters -> SAML section
  2. Click Add Service Provider button
    • Issuer - Entity ID from FortiMail
    • Assertion Consumer Service - ACS URL from FortiMail
    • Public x509 Certificate - Certificate from FortiMail
    • NameID Format - Email
    • NameID Value - Email

2. Configuring SAML for FortiMail

Setting FortiMail

Go to System -> Customization -> Single Sign On:
  • Toggle “Enabled” switch to on
  • Toggle “Webmail” switch to on
  • Insert IdP (HES) metadata as text or file in Identity Provider (IDP) Metadata section
  • Click Apply
  • Download SP (fortimail) metadata

Setting HES

Go to Settings -> Parameters -> SAML section:
  • Click Add Service Provider button:
    • Issuer - Entity ID from FortiMail
    • Assertion Consumer Service - ACS URL from FortiMail
    • Public x509 Certificate - Certificate from FortiMail
    • NameID Format - Email
    • NameID Value - Email
  • Add Assertion Attributes:
    • SAML Attribute - urn:oid:0.9.2342.19200300.100.1.3
    • User Attribute - Email
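The Issuer, Assertion Consumer Service URL and certificate entered into HES all come from the SP metadata file downloaded from FortiMail in the previous section. The script below is an added example, not code from Hideez or Fortinet: it parses a SAML SP metadata document with the Python standard library, returns those three values plus the NameID formats the SP advertises, and lists settings worth confirming before the SP is trusted (https ACS, matching hosts, signed assertions, emailAddress NameID). The sample metadata is constructed; mail.example.com and the certificate blob are placeholders, and the function names are this example's own.

```python
"""Extract the values HES asks for from an SP's SAML 2.0 metadata (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of the kind of document an SP (e.g. FortiMail's
# "Download SP metadata") produces. Host and certificate are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://mail.example.com/saml">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mail.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return issuer, acs_url, certificates, name_id_formats and warnings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this looks like IdP metadata, not SP metadata")

    issuer = root.get("entityID")  # HES "Issuer" field
    if not issuer:
        raise ValueError("entityID missing")

    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService endpoint")
    # Prefer the endpoint the SP marks as default, else the first one listed.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    acs_url = acs.get("Location")  # HES "Assertion Consumer Service" field

    # Signing certificates: KeyDescriptor with use="signing" or no use attribute.
    certificates = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certificates.append("".join((cert.text or "").split()))

    name_id_formats = [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)]

    warnings = []
    acs_parts, issuer_parts = urlparse(acs_url), urlparse(issuer)
    if acs_parts.scheme != "https":
        warnings.append("ACS URL is not https: assertions would travel in clear text")
    if issuer_parts.hostname and acs_parts.hostname != issuer_parts.hostname:
        warnings.append("ACS host differs from entityID host: confirm this is the intended SP")
    if sp.get("WantAssertionsSigned") != "true":
        warnings.append("SP does not require signed assertions")
    if not certificates:
        warnings.append("no signing certificate: SP-signed requests cannot be verified")
    if name_id_formats and EMAIL_NAMEID not in name_id_formats:
        warnings.append("SP does not advertise the emailAddress NameID format")

    return {
        "issuer": issuer,
        "acs_url": acs_url,
        "certificates": certificates,
        "name_id_formats": name_id_formats,
        "warnings": warnings,
    }


def to_pem(base64_der):
    """Wrap a bare base64 certificate body as PEM for fields that expect PEM."""
    body = "\n".join(base64_der[i:i + 64] for i in range(0, len(base64_der), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Issuer:", info["issuer"])
    print("Assertion Consumer Service:", info["acs_url"])
    print("NameID formats:", ", ".join(info["name_id_formats"]))
    print(to_pem(info["certificates"][0]))
    for w in info["warnings"]:
        print("WARNING:", w)
```

Run it against the real downloaded file with `parse_sp_metadata(open("sp-metadata.xml").read())`; an empty `warnings` list means the SP's endpoint and signing settings match what this guide expects, and anything listed should be resolved on the SP side before the service provider entry is saved in HES.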