FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
cskuan
Staff
Article Id 191726
Description
This article describes how to configure FortiAuthenticator as a SAML SP to accept user identity information from Azure.

Solution
Most SAML IdP services return the username in the Subject NameID of the assertion, and the group attribute and other attributes in the AttributeStatement of the assertion. Below are samples of the SAML assertions:

- FSSO requires group membership of each user with an active SSO session.
- By default groups are not enabled in the SAML Assertion.
- Always make sure, or request from the IdP vendor, that groups are enabled and the group attribute is inserted into the assertion.

Different SAML IdP services require different methods of retrieving the group information.

Group information is obtained from very specific (hardcoded) SAML attributes in the assertion. Below is a common example of how it is obtained:


In Azure, the group name is not sent back in the assertion; an Object ID (UUID) is sent instead.

Example:

- The common method shown above cannot be used to obtain the group attribute.
- Always request the group's Object ID (UUID) from Azure.
- Create an SSO Group on FortiAuthenticator and fill in the UUID.
With the “SSO Service Provider enhancements” feature in FortiAuthenticator v4.3.x, the group attribute is obtained from Azure and the group membership UUIDs are then converted into group names.
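To make the UUID-to-name step concrete, here is an added example (not FortiAuthenticator's own code) that parses a constructed Azure-style assertion: it pulls the username from the Subject NameID, collects the group Object IDs from the Azure group claim, and resolves them against a hypothetical SSO Group mapping of the kind configured on the SP. The claim name is the one Azure AD uses for group claims in SAML tokens; the assertion, user and UUIDs are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name Azure AD places group Object IDs under in a SAML assertion.
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion (not from a real tenant); the Signature element is
# omitted. In a real SP the XML signature must be verified before any of these
# values are trusted, and a hardened XML parser should be used.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical SSO Group configuration on the SP: Azure group Object ID -> group name.
# Only UUIDs listed here produce a named group; anything else stays unresolved.
SSO_GROUPS = {"11111111-2222-3333-4444-555555555555": "VPN-Users"}


def parse_assertion(xml_text, groups_attr=AZURE_GROUPS_CLAIM):
    """Return (username, [group UUIDs]) from a signature-verified assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject NameID")
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == groups_attr:  # exact match on the hardcoded claim name
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id.text.strip(), groups


def resolve_groups(uuids, sso_groups=SSO_GROUPS):
    """Map Azure group Object IDs to SSO Group names; unknown UUIDs are reported, not guessed."""
    names = [sso_groups[u] for u in uuids if u in sso_groups]
    unmapped = [u for u in uuids if u not in sso_groups]
    return names, unmapped


if __name__ == "__main__":
    user, uuids = parse_assertion(SAMPLE_ASSERTION)
    print(user, resolve_groups(uuids))
```

Unresolved UUIDs in the second return value are the ones to add to an SSO Group on the SP; until then the user gets no membership for them.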

