FortiGate
ckumar_FTNT
Staff
Article Id 192854
Description
This article describes how to set up both JumpCloud and FortiGate for SAML SSO admin login, with FortiGate acting as the SP (Service Provider) and JumpCloud as the IdP (Identity Provider).

The main purpose is to provide Windows users with Single Sign-On (SSO) access.

Solution
From the GUI, go to Security Fabric -> Fabric Connectors -> Security Fabric Setup and select 'Single Sign-On Settings'.

From the CLI, the resulting configuration looks like this:

FGT-Chetu # show system saml
config system saml
    set status enable
    set default-profile "super_admin"
    set idp-entity-id "https://sso.jumpcloud.com/saml2/saml2/JumpCloudlab"
    set idp-single-sign-on-url "https://sso.jumpcloud.com/saml2/saml2"
    set idp-single-logout-url "https://console.jumpcloud.com/userconsole"
    set idp-cert "REMOTE_Cert_4"
    set server-address "10.5.25.13"
end

On the JumpCloud IdP, configure the SP settings as follows:

- SP Entity ID: use the same value as the FortiGate SP Entity ID:
http://10.5.25.13/metadata/
- ACS URL: use the same value as the SP ACS (login) URL:
https://10.5.25.13/saml/?acs

Tip: If the login page keeps loading without completing, there is a mismatch between the URLs above and the values configured on FortiGate.

User Attribute Settings:

- Default Relay State is optional; it can be left as it is.

- Login URL: use the same value as the SP portal URL:
https://10.5.25.13/saml/login/

- IDP URL: this is the idp-single-sign-on-url, not the Entity ID:
https://sso.jumpcloud.com/saml2/saml2

Tip: When admin access is configured, the SP expects to receive the 'username' attribute in the assertion (its value can be a username or an email address).
If the username attribute is missing from the assertion, the login fails with the error 'No username is found in SAML assertion.'
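The two failure modes above (URL mismatch and missing 'username' attribute) can be checked offline against a captured SAML response before touching the FortiGate configuration. The script below is an added example, not Fortinet or JumpCloud code; it assumes the response follows the standard SAML 2.0 layout (Destination on the Response, Audience in the Conditions, a 'username' Attribute in the AttributeStatement) and uses a constructed, unsigned sample response carrying the values from this article.

```python
"""Sanity-check a SAML Response against the FortiGate SP settings from the article."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from the article's FortiGate / JumpCloud configuration.
SP_ENTITY_ID = "http://10.5.25.13/metadata/"
ACS_URL = "https://10.5.25.13/saml/?acs"
IDP_ENTITY_ID = "https://sso.jumpcloud.com/saml2/saml2/JumpCloudlab"

# Constructed sample response (unsigned, trimmed to the elements checked here).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                   idp_entity_id=IDP_ENTITY_ID):
    """Return a list of mismatches; an empty list means the response lines up with the SP."""
    root = ET.fromstring(xml_text)
    problems = []
    # A Destination that differs from the ACS URL is the classic "page keeps loading" cause.
    if root.get("Destination") != acs_url:
        problems.append("Destination != ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Issuer != idp-entity-id")
    if root.findtext(".//saml:Audience", namespaces=NS) != sp_entity_id:
        problems.append("Audience != SP Entity ID")
    # FortiGate admin SSO needs a 'username' attribute; without it the login fails with
    # 'No username is found in SAML assertion.'
    usernames = [v.text for a in root.findall(".//saml:Attribute", namespaces=NS)
                 if a.get("Name") == "username"
                 for v in a.findall("saml:AttributeValue", namespaces=NS)]
    if not usernames or not usernames[0]:
        problems.append("no username attribute")
    return problems
```

Run `check_response()` on a response captured with the browser's SAML tracer; a signature check is still required in production, which this offline sanity check deliberately leaves to the SP.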
