Fortinet services

1. Configuring SAML for FortiGate

Step 1

Go to System > Certificate:

• Click “create/import” button

• Add certificate

Step 2

Go to User & Authentication > Single-Sign-On:

• Click “Create New” button

• Type name and click next

• In Identity Provider Details select type Custom

• Entity ID - <HES address>

• Assertion consumer service URL - <HES address>/Saml/Login

• Single logout service URL - <HES address>/Saml/Logout

• Certificate - select imported certificate

• Attribute used to identify users - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

• Click “Submit” button

• Edit created config

• Click edit in CLI

• In CLI Console type commands:

  • set sp-single-sign-on-url “https://fortigate.hideez.com/remote/saml/login”

  • set sp-single-logout-url “https://fortigate.hideez.com/remote/saml/logout”

• Close CLI Console

Step 3

Go to User & Authentication > User Groups:

• Add user to SSO group

Step 4

Timeout configuration:

• Run CLI Console

• Type command:

config system global
   set remoteauthtimeout 180
end
config vpn ssl settings
   set login-timeout 180
end

Step 5

Configure firewall.

For configuring SAML refer to the next guide - https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/736845/saml

For configuring SAML SSO in the GUI refer to this guide - https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/989067/configuring-saml-sso-in-the-gui

Setting HES

1. Go to Settings -> Parameters -> SAML section

2. Click Add Service Provider button

   • Issuer - Entity ID from FortiMail

   • Assertion Consumer Service - ACS URL from FortiMail

   • Public x509 Certificate - Certificate from FortiMail

   • NameID Format - Email

   • NameID Value - Email

2. Configuring SAML for FortiMail

Setting FortiMail

Go to System -> Customization -> Single Sign On:

• Toggle “Enabled” switch to on

• Toggle “Webmail” switch to on

• Insert IdP (HES) metadata as text or file in Identity Provider (IDP) Metadata section

• Click Apply

• Download SP (fortimail) metadata

Setting HES

Go to Settings -> Parameters -> SAML section:

• Click Add Service Provider button:

  • Issuer - Entity ID from FortiMail

  • Assertion Consumer Service - ACS URL from FortiMail

  • Public x509 Certificate - Certificate from FortiMail

  • NameID Format - Email

  • NameID Value - Email

• Add Assertion Attributes:

  • SAML Attribute - urn:oid:0.9.2342.19200300.100.1.3

  • User Attribute - Email