# Fortinet services

### 1. Configuring SAML for FortiGate

#### Step 1

Go to System > Certificate:

* Click “create/import” button
* Add certificate

#### Step 2

Go to User & Authentication > Single-Sign-On:

* Click “Create New” button
* Type name and click next

![](https://lh6.googleusercontent.com/HKvNe3j3u5xbnRplp2gublxvwfbKN0IG40vpBe4a4y2sdITW7WgngcV6E81q79hgPtjeLdLZXOj-tr3el-gPTd2M4zJTaKK-Et7-xqhHjAkU7EP1ERx0U-u0rMXvabDcE9NFW6tdLaCzj4sZA8AhukU)

* In Identity Provider Details select type **Custom**
* Entity ID - \<HES address>
* Assertion consumer service URL - \<HES address>/Saml/Login
* Single logout service URL - \<HES address>/Saml/Logout
* Certificate - select imported certificate
* Attribute used to identify users - <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress>
* Click “Submit” button

![](https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/sblUuMtzIrBOhk9a6SkP/image.png)

* Edit created config

![](https://lh3.googleusercontent.com/7_CghTVM6BWQuJmVB5ghMGgv7nMzui8scf_tO7_YXnUMTm7uYjqWxOLk9GpjFc4SJ7Dcqv2T3TaXZ8f1B17yRlvplvIGT3UkFb_XQgCahNl9JKQe4NPArZPICqXuM4j8OtsRXNqNPp_Fb8JyvLeg1vg)

* Click edit in CLI

![](https://lh4.googleusercontent.com/bGiWX4WmkCciBtvqrJc4co3KH3tdmlJQA3p1wSSmu6PQWkGYpUo-YZlR3pXTaqjbeUQo56_X0E4nu9qc3BJVJ5U2NIj5HVwIbh80M9qE361Sg5TBTS9T2PDI-LZ_0LbllkJVKt3o7Fk0oU7NLaP7FFA)

* In CLI Console type commands:
  * `set sp-single-sign-on-url "https://fortigate.hideez.com/remote/saml/login"`
  * `set sp-single-logout-url "https://fortigate.hideez.com/remote/saml/logout"`
* Close CLI Console

#### Step 3

Go to User & Authentication > User Groups:

* Add user to SSO group

#### Step 4

Timeout configuration:

* Run CLI Console
* Type the commands:

```
config system global
   set remoteauthtimeout 180
end
config vpn ssl settings
   set login-timeout 180
end
```

#### Step 5

Configure firewall.

For configuring SAML, refer to the following guide - <https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/736845/saml>

For configuring SAML SSO in the GUI, refer to this guide - <https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/989067/configuring-saml-sso-in-the-gui>

#### Setting HES

1. Go to Settings -> Parameters -> SAML section
2. Click **Add Service Provider** button
   * Issuer - **Entity ID** from FortiMail
   * Assertion Consumer Service - **ACS URL** from FortiMail
   * Public x509 Certificate - **Certificate** from FortiMail
   * NameID Format - **Email**
   * NameID Value - **Email**

### 2. Configuring SAML for FortiMail

#### Setting FortiMail <a href="#setting-fortimail" id="setting-fortimail"></a>

Go to System -> Customization -> Single Sign On:

* Toggle “Enabled” switch to on
* Toggle “Webmail” switch to on
* Insert IdP (HES) metadata as text or file in **Identity Provider (IDP) Metadata** section
* Click Apply
* Download SP (FortiMail) metadata

![](https://lh6.googleusercontent.com/AvHCNK69t_d3pWsXUjuBDKnHafH_a7xb6Dg3P8JlOOcZyC3aBUL38s6v5FBFRPfnZ550e1-mHJ_9IOIrLc6-w29gVJKLTGo9o49Vl9arh5wxl4jSWKUXK_wuXa-7hxPLWgZJ1wMTvvsjeTj6keOOrL0)

#### Setting HES <a href="#setting-hes" id="setting-hes"></a>

Go to Settings -> Parameters -> SAML section:

* Click Add Service Provider button:
  * Issuer - **Entity ID** from FortiMail
  * Assertion Consumer Service - **ACS URL** from FortiMail
  * Public x509 Certificate - **Certificate** from FortiMail
  * NameID Format - **Email**
  * NameID Value - **Email**
* Add Assertion Attributes:
  * SAML Attribute - **urn:oid:0.9.2342.19200300.100.1.3**
  * User Attribute - **Email**

![](https://lh3.googleusercontent.com/mbKpiNQaLomNvuqWGdkz5lr-3_RvUJ2F1IJB3b884GNUj1vgcsID2QTKt_wLKrhHxer3woMsH3Az_nx1Z90-P92fF1dDeKI4Cint909k-fNAUQVbOrAwU6b93FeKC50bXpHI-H-bqnTRUFZ7zS7rnt8)
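The Entity ID, ACS URL and certificate entered in HES come from the SP metadata downloaded from FortiMail. The following is an added example (not part of the original guide and not Hideez or Fortinet code) that extracts those three values from a metadata file and computes a SHA-256 fingerprint of the certificate, so it can be compared with the certificate on the SP before it is trusted. The sample metadata, the host `mail.example.com`, its paths and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: placeholder host, paths and key bytes (not a real certificate).
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://mail.example.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Binding="{HTTP_POST}"
        Location="https://mail.example.com/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_fields(metadata_xml: str) -> dict:
    """Extract the values the HES 'Add Service Provider' form asks for."""
    # SAML metadata never needs a DTD; refuse it instead of expanding entities.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations do not belong in SAML metadata")
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or sp is None:
        raise ValueError("not a single-entity SP metadata document")
    acs = [e.get("Location", "") for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    if not acs or not acs[0].startswith("https://"):
        raise ValueError("no HTTPS HTTP-POST AssertionConsumerService")
    cert = sp.findtext("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                       default="", namespaces=NS)
    b64 = "".join(cert.split())  # metadata often wraps the base64 across lines
    if not b64:
        raise ValueError("no X509Certificate in SP metadata")
    der = base64.b64decode(b64, validate=True)
    return {"issuer": root.get("entityID"),   # HES field: Issuer
            "acs_url": acs[0],                # HES field: Assertion Consumer Service
            "certificate": b64,               # HES field: Public x509 Certificate
            "sha256": hashlib.sha256(der).hexdigest()}  # fingerprint to compare


if __name__ == "__main__":
    for key, value in sp_fields(SAMPLE).items():
        print(f"{key}: {value}")
```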
