Fortinet services

1. Configuring SAML for FortiGate

Step 1

Go to System > Certificate:

  • Click “create/import” button

  • Add certificate

Step 2

Go to User & Authentication > Single-Sign-On:

  • Click “Create New” button

  • Type name and click next

  • In Identity Provider Details select type Custom

  • Entity ID - <HES address>

  • Assertion consumer service URL - <HES address>/Saml/Login

  • Single logout service URL - <HES address>/Saml/Logout

  • Certificate - select imported certificate

  • Attribute used to identify users - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • Click “Submit” button

  • Edit created config

  • Click edit in CLI

  • In CLI Console type the following commands:

    • set sp-single-sign-on-url "https://fortigate.hideez.com/remote/saml/login"

    • set sp-single-logout-url "https://fortigate.hideez.com/remote/saml/logout"

  • Close CLI Console

Step 3

Go to User & Authentication > User Groups:

  • Add user to SSO group

Step 4

Timeout configuration:

  • Run CLI Console

  • Type the following commands:

config system global
   set remoteauthtimeout 180
end
config vpn ssl settings
   set login-timeout 180
end

Step 5

Configure firewall.

For configuring SAML in the CLI refer to Fortinet's guide - https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/736845/saml

For configuring SAML SSO in the GUI refer to this guide - https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/989067/configuring-saml-sso-in-the-gui

Setting HES

  1. Go to Settings -> Parameters -> SAML section

  2. Click Add Service Provider button

    • Issuer - Entity ID from FortiGate

    • Assertion Consumer Service - ACS URL from FortiGate

    • Public x509 Certificate - Certificate from FortiGate

    • NameID Format - Email

    • NameID Value - Email

2. Configuring SAML for FortiMail

Setting FortiMail

Go to System -> Customization -> Single Sign On:

  • Toggle “Enabled” switch to on

  • Toggle “Webmail” switch to on

  • Insert IdP (HES) metadata as text or file in Identity Provider (IDP) Metadata section

  • Click Apply

  • Download SP (FortiMail) metadata

Setting HES

Go to Settings -> Parameters -> SAML section:

  • Click Add Service Provider button:

    • Issuer - Entity ID from FortiMail

    • Assertion Consumer Service - ACS URL from FortiMail

    • Public x509 Certificate - Certificate from FortiMail

    • NameID Format - Email

    • NameID Value - Email

  • Add Assertion Attributes:

    • SAML Attribute - urn:oid:0.9.2342.19200300.100.1.3

    • User Attribute - Email