CONFIGURATION GUIDE

FORTIADC SAML CONFIGURATION GUIDE

Source: docs.fortinet.com/.../files/3571/configuration-guide-fortiadc-saml.pdf

1. Configuring FortiADC

1.1. Importing Identity Provider metadata

1.2. Defining Service Provider profiles

1.3. Defining Authentication Policies

2. Configuring Virtual Servers

2.1. Creating pool with real server

2.2. Creating Virtual Servers with SAML authentication

2.3. Creating Virtual Servers for HTTPS redirect

3. Building trust relation between SP and IdP

3.1. Retrieve Service Provider Metadata

3.2. Exchange Service Provider Metadata

4. Testing SAML authentication

4.1. Enable SAML tracer plugin

4.2. Connect to web service

4.3. Authenticate SAML-SP initiated

4.4. Single Sign On with SAML

4.5. Federated Identity logout

4.6. Analyze SAML

This configuration guide is intended to get you familiar with FortiADC and SAML-based authentication. FortiADC functions as the SAML Service Provider (SP) and the online TestShib service as the Identity Provider (IdP).

Note: the configuration guide requires internet connectivity, because the IdP is reached online.

The guide covers the topics listed in the table of contents above.

If you need help with FortiADC, see the administration guides at http://docs.fortinet.com/fortiadc-d-series/admin-guides.


NETWORK DIAGRAM

For the SAML configuration we use the environment shown in the network diagram. All devices are pre-configured except FortiADC, which has only a basic network setup.

SECURITY ASSERTION MARKUP LANGUAGE (SAML)

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is, an identity provider, and a SAML consumer, that is, a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.

SAML SP-INITIATED AUTHENTICATION FLOW

In the workshop the Lubuntu client (user agent) accesses the web sites web.example.com and web.demo.com, which FortiADC publishes with SAML-based authentication (Service Provider). The client authenticates at TestShib (Identity Provider) to obtain a SAML assertion (token), which it then presents to the Service Provider to gain access to the web sites.


1. CONFIGURING FORTIADC

1.1. IMPORTING IDP METADATA

Identity Providers describe which functions they support and how to reach them in an IdP metadata document. This metadata can usually be downloaded from the identity provider, or is shared by its administrator.

The TestShib IdP metadata below needs to be imported into FortiADC (FAD) so it knows how and where to redirect clients (download it, or cut and paste it). The parts FortiADC relies on sit in the IDPSSODescriptor: the SingleSignOnService endpoints for the SAML 2.0 HTTP-Redirect and HTTP-POST bindings, the NameID formats, and the signing certificate in the KeyDescriptor, which is what lets FortiADC verify the IdP's signature on assertions. Note that the metadata also advertises SHA-1 digest and signature methods and RSA PKCS#1 v1.5 (rsa-1_5) key transport alongside stronger ones; for a production deployment make sure the SP rejects signatures and key transport that use them.

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://idp.testshib.org/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:mdalg="urn:oasis:names:tc:SAML:metadata:algsupport"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Extensions>
    <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <mdalg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </Extensions>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">testshib.org</shibmd:Scope>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">TestShib Test IdP</mdui:DisplayName>
        <mdui:Description xml:lang="en">TestShib IdP. Use this as a source of attributes for your test SP.</mdui:Description>
        <mdui:Logo height="88" width="253">https://www.testshib.org/testshibtwo.jpg</mdui:Logo>
      </mdui:UIInfo>
    </Extensions>
    <!-- new signing key -->
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDAzCCAeugAwIBAgIVAPX0G6LuoXnKS0Muei006mVSBXbvMA0GCSqGSIb3DQEB
CwUAMBsxGTAXBgNVBAMMEGlkcC50ZXN0c2hpYi5vcmcwHhcNMTYwODIzMjEyMDU0
WhcNMzYwODIzMjEyMDU0WjAbMRkwFwYDVQQDDBBpZHAudGVzdHNoaWIub3JnMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg9C4J2DiRTEhJAWzPt1S3ryh
m3M2P3hPpwJwvt2q948vdTUxhhvNMuc3M3S4WNh6JYBs53R+YmjqJAII4ShMGNEm
lGnSVfHorex7IxikpuDPKV3SNf28mCAZbQrX+hWA+ann/uifVzqXktOjs6DdzdBn
xoVhniXgC8WCJwKcx6JO/hHsH1rG/0DSDeZFpTTcZHj4S9MlLNUtt5JxRzV/MmmB
3ObaX0CMqsSWUOQeE4nylSlp5RWHCnx70cs9kwz5WrflnbnzCeHU2sdbNotBEeTH
ot6a2cj/pXlRJIgPsrL/4VSicPZcGYMJMPoLTJ8mdy6mpR6nbCmP7dVbCIm/DQID
AQABoz4wPDAdBgNVHQ4EFgQUUfaDa2mPi24x09yWp1OFXmZ2GPswGwYDVR0RBBQw
EoIQaWRwLnRlc3RzaGliLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEASKKgqTxhqBzR
OZ1eVy++si+eTTUQZU4+8UywSKLia2RattaAPMAcXUjO+3cYOQXLVASdlJtt+8QP
dRkfp8SiJemHPXC8BES83pogJPYEGJsKo19l4XFJHPnPy+Dsn3mlJyOfAa8RyWBS
80u5lrvAcr2TJXt9fXgkYs7BOCigxtZoR8flceGRlAZ4p5FPPxQR6NDYb645jtOT
MVr3zgfjP6Wh2dt+2p04LG7ENJn8/gEwtXVuXCsPoSCDx9Y0QmyXTJNdV1aB0AhO
RkWPlFYwp+zOyOIR+3m1+pqWFpn0eT/HrxpdKa74FA3R2kq4R7dXe4G0kUgXTdqX
MLRKhDgdmA==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.testshib.org/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.testshib.org/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- new SSL/TLS -->
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDAzCCAeugAwIBAgIVAPX0G6LuoXnKS0Muei006mVSBXbvMA0GCSqGSIb3DQEB
CwUAMBsxGTAXBgNVBAMMEGlkcC50ZXN0c2hpYi5vcmcwHhcNMTYwODIzMjEyMDU0
WhcNMzYwODIzMjEyMDU0WjAbMRkwFwYDVQQDDBBpZHAudGVzdHNoaWIub3JnMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg9C4J2DiRTEhJAWzPt1S3ryh
m3M2P3hPpwJwvt2q948vdTUxhhvNMuc3M3S4WNh6JYBs53R+YmjqJAII4ShMGNEm
lGnSVfHorex7IxikpuDPKV3SNf28mCAZbQrX+hWA+ann/uifVzqXktOjs6DdzdBn
xoVhniXgC8WCJwKcx6JO/hHsH1rG/0DSDeZFpTTcZHj4S9MlLNUtt5JxRzV/MmmB
3ObaX0CMqsSWUOQeE4nylSlp5RWHCnx70cs9kwz5WrflnbnzCeHU2sdbNotBEeTH
ot6a2cj/pXlRJIgPsrL/4VSicPZcGYMJMPoLTJ8mdy6mpR6nbCmP7dVbCIm/DQID
AQABoz4wPDAdBgNVHQ4EFgQUUfaDa2mPi24x09yWp1OFXmZ2GPswGwYDVR0RBBQw
EoIQaWRwLnRlc3RzaGliLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEASKKgqTxhqBzR
OZ1eVy++si+eTTUQZU4+8UywSKLia2RattaAPMAcXUjO+3cYOQXLVASdlJtt+8QP
dRkfp8SiJemHPXC8BES83pogJPYEGJsKo19l4XFJHPnPy+Dsn3mlJyOfAa8RyWBS
80u5lrvAcr2TJXt9fXgkYs7BOCigxtZoR8flceGRlAZ4p5FPPxQR6NDYb645jtOT
MVr3zgfjP6Wh2dt+2p04LG7ENJn8/gEwtXVuXCsPoSCDx9Y0QmyXTJNdV1aB0AhO
RkWPlFYwp+zOyOIR+3m1+pqWFpn0eT/HrxpdKa74FA3R2kq4R7dXe4G0kUgXTdqX
MLRKhDgdmA==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  </AttributeAuthorityDescriptor>
  <Organization>
    <OrganizationName xml:lang="en">TestShib Two Identity Provider</OrganizationName>
    <OrganizationDisplayName xml:lang="en">TestShib Two</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://www.testshib.org/testshib-two/</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Nate</GivenName>
    <SurName>Klingenstein</SurName>
    <EmailAddress>[email protected]</EmailAddress>
  </ContactPerson>
</EntityDescriptor>

- Authentication Management > SAML > IDP Metadata
- Name: Testshib
- Import the metadata XML shown above (upload the downloaded file, or paste the XML)
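What the import in this step actually consumes, as an added example that is not part of the Fortinet guide and not FortiADC code: a Python script (standard library only) that parses a trimmed copy of the TestShib metadata above the way a Service Provider does on import. It extracts the SAML 2.0 single sign-on endpoints, the NameID formats and the signing certificate (as a SHA-256 fingerprint), refuses metadata that has no SAML 2.0 support, non-HTTPS endpoints or no signing key, and lists the weak algorithms (SHA-1, RSA PKCS#1 v1.5) this metadata advertises. The trimmed metadata string is constructed for the example; the certificate inside it is the one from the metadata above; the WEAK_ALGORITHMS deny-list is the example's own choice, not a FortiADC setting.

```python
# Added example (not from the Fortinet guide): what an SP does with IdP metadata on import.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Example's own deny-list: SHA-1 digests/signatures and RSA PKCS#1 v1.5 key transport.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
}
# Signing certificate copied verbatim from the TestShib metadata in section 1.1.
IDP_CERT_B64 = (
    "MIIDAzCCAeugAwIBAgIVAPX0G6LuoXnKS0Muei006mVSBXbvMA0GCSqGSIb3DQEB"
    "CwUAMBsxGTAXBgNVBAMMEGlkcC50ZXN0c2hpYi5vcmcwHhcNMTYwODIzMjEyMDU0"
    "WhcNMzYwODIzMjEyMDU0WjAbMRkwFwYDVQQDDBBpZHAudGVzdHNoaWIub3JnMIIB"
    "IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg9C4J2DiRTEhJAWzPt1S3ryh"
    "m3M2P3hPpwJwvt2q948vdTUxhhvNMuc3M3S4WNh6JYBs53R+YmjqJAII4ShMGNEm"
    "lGnSVfHorex7IxikpuDPKV3SNf28mCAZbQrX+hWA+ann/uifVzqXktOjs6DdzdBn"
    "xoVhniXgC8WCJwKcx6JO/hHsH1rG/0DSDeZFpTTcZHj4S9MlLNUtt5JxRzV/MmmB"
    "3ObaX0CMqsSWUOQeE4nylSlp5RWHCnx70cs9kwz5WrflnbnzCeHU2sdbNotBEeTH"
    "ot6a2cj/pXlRJIgPsrL/4VSicPZcGYMJMPoLTJ8mdy6mpR6nbCmP7dVbCIm/DQID"
    "AQABoz4wPDAdBgNVHQ4EFgQUUfaDa2mPi24x09yWp1OFXmZ2GPswGwYDVR0RBBQw"
    "EoIQaWRwLnRlc3RzaGliLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEASKKgqTxhqBzR"
    "OZ1eVy++si+eTTUQZU4+8UywSKLia2RattaAPMAcXUjO+3cYOQXLVASdlJtt+8QP"
    "dRkfp8SiJemHPXC8BES83pogJPYEGJsKo19l4XFJHPnPy+Dsn3mlJyOfAa8RyWBS"
    "80u5lrvAcr2TJXt9fXgkYs7BOCigxtZoR8flceGRlAZ4p5FPPxQR6NDYb645jtOT"
    "MVr3zgfjP6Wh2dt+2p04LG7ENJn8/gEwtXVuXCsPoSCDx9Y0QmyXTJNdV1aB0AhO"
    "RkWPlFYwp+zOyOIR+3m1+pqWFpn0eT/HrxpdKa74FA3R2kq4R7dXe4G0kUgXTdqX"
    "MLRKhDgdmA=="
)
# Constructed input: the section 1.1 metadata trimmed to its SAML 2.0 parts.
IDP_METADATA = """<EntityDescriptor entityID="https://idp.testshib.org/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:mdalg="urn:oasis:names:tc:SAML:metadata:algsupport">
  <Extensions>
    <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <mdalg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </Extensions>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.testshib.org/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".format(cert=IDP_CERT_B64)


def decode_certificate(b64_text):
    """Base64-decode an X509Certificate body (whitespace allowed) and sanity-check the DER."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    if der[:2] != b"\x30\x82":
        raise ValueError("certificate is not a DER-encoded SEQUENCE")
    return der


def parse_idp_metadata(xml_text):
    """Return what the SP needs from IdP metadata; raise on metadata the SP must not use."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity provider metadata")
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        raise ValueError("IdP does not advertise SAML 2.0")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        if not svc.get("Location", "").startswith("https://"):  # AuthnRequest and RelayState go here
            raise ValueError(f"SSO endpoint is not HTTPS: {svc.get('Location')}")
        sso[svc.get("Binding")] = svc.get("Location")
    signing_certs = []  # SHA-256 fingerprints of the keys allowed to sign assertions
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no use= means signing and encryption
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append(hashlib.sha256(decode_certificate(cert.text)).hexdigest())
    if not signing_certs:
        raise ValueError("no signing certificate: assertions could not be verified")
    advertised = {el.get("Algorithm") for el in root.iter() if el.get("Algorithm")}
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "name_id_formats": [el.text.strip() for el in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_sha256": signing_certs,
        "weak_algorithms": sorted(advertised & WEAK_ALGORITHMS),
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(IDP_METADATA).items():
        print(f"{key}: {value}")
```

Run it as-is to see the endpoints FortiADC will redirect to and the fingerprint of the key it should pin. The HTTPS check matters because the AuthnRequest and RelayState travel in the redirect; the signing-certificate check matters because without a pinned key any party could hand the browser an assertion for the ACS.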


1.2. DEFINING SERVICE PROVIDER PROFILES

We need to create SP profiles for the authentication configuration on the local FAD virtual servers and for the unique trust relation between the SAML SP (FAD) and the SAML IdP (TestShib). The Entity ID is the name the SP uses towards the IdP; it must match what the IdP has loaded in the SP metadata (section 3).

Configure the Service Provider for the website web.example.com:

- Authentication Management > SAML > SAML Service Provider
- Name: example-company1
- Entity ID: FAD-example-company1
- IDP Metadata: Testshib

Repeat the above step for the second website web.demo.com:

- Authentication Management > SAML > SAML Service Provider
- Name: demo-company1
- Entity ID: FAD-demo-company1
- IDP Metadata: Testshib


1.3. DEFINING AUTHENTICATION POLICIES

Authentication policies need to be created so they can be attached to their respective virtual servers. Each policy rule matches on host and path and names the SAML Service Provider profile that handles the login.

- Server Load Balance > Application Resources > Authentication Policy
- Add
- Name: example-SAML
- Save
- Edit example-SAML
- Add
- Host Status: Enable
- Type: SAML
- Host: web.example.com
- Path: company1
- SAML SSO ID: example-company1

Repeat the above steps for demo:

- Server Load Balance > Application Resources > Authentication Policy
- Add
- Name: demo-SAML
- Save
- Edit demo-SAML
- Add
- Host Status: Enable
- Type: SAML
- Host: web.demo.com
- Path: company1
- SAML SSO ID: demo-company1


2. CONFIGURING VIRTUAL SERVERS

2.1. CREATING POOL WITH REAL SERVER

Both virtual servers use this one pool; the single real server web1 serves both hostnames.

- Server Load Balance > Real Server Pool
- Add
- Name: pool-example_demo
- Health Check: Enable
- Health Check List: LB_HLTHCK_ICMP
- Save
- Edit pool-example_demo
- Add
- Server Name: web1
- Address: 20.0.0.10
- Port: 80
- Save (the pool member)
- Save (the pool)


2.2. CREATING VIRTUAL SERVERS WITH SAML AUTHENTICATION

To publish both web.example.com and web.demo.com we define two virtual servers (VS), served over HTTPS so that the authentication exchange stays confidential.

Site: web.example.com

- Server Load Balance > Virtual Server
- Add
- Name: vs_example
- Type: Layer 7
- Address: 30.0.0.100
- Port: 443
- Profile: LB_PROF_HTTPS
- Real Server Pool: pool-example_demo
- Auth Policy: example-SAML
- Traffic Log: Enable
- Save

Site: web.demo.com

- Server Load Balance > Virtual Server
- Add
- Name: vs_demo
- Type: Layer 7
- Address: 30.0.0.101
- Port: 443
- Profile: LB_PROF_HTTPS
- Real Server Pool: pool-example_demo
- Auth Policy: demo-SAML
- Traffic Log: Enable
- Save


2.3. CREATING VIRTUAL SERVERS FOR HTTPS REDIRECT

To handle unsecured web requests (HTTP) to the published websites, we redirect them to the secured (HTTPS) virtual servers. No authentication policy is attached to these HTTP virtual servers; the HTTP_2_HTTPS_REDIRECTION script sends the client to HTTPS, where the SAML authentication takes place.

Site: web.example.com

- Server Load Balance > Virtual Server
- Add
- Name: vs_example_http
- Type: Layer 7
- Address: 30.0.0.100
- Port: 80
- Profile: LB_PROF_HTTP
- Real Server Pool: pool-example_demo
- Scripting: HTTP_2_HTTPS_REDIRECTION
- Traffic Log: Enable
- Save

Site: web.demo.com

- Server Load Balance > Virtual Server
- Add
- Name: vs_demo_http
- Type: Layer 7
- Address: 30.0.0.101
- Port: 80
- Profile: LB_PROF_HTTP
- Real Server Pool: pool-example_demo
- Scripting: HTTP_2_HTTPS_REDIRECTION
- Traffic Log: Enable
- Save


3. BUILDING TRUST RELATION BETWEEN SP AND IDP

3.1. RETRIEVE SERVICE PROVIDER METADATA

There needs to be a trust relation between the Service Provider and the Identity Provider. It allows the Identity Provider to issue an assertion, which the user agent (web browser) hands over to the Service Provider to log in, by sending it to the Assertion Consumer Service (ACS) with the correct ACS binding type. The assertion is issued whenever the user has successfully authenticated at the Identity Provider.

The configuration details are part of the previously configured Service Provider definitions and can be retrieved by requesting:

https://<VirtualServer>/<Service URL><Metadata Export Service Location>

Parameter                         Value
Virtual Server                    web.example.com
Service URL                       /SSO
Metadata Export Service Location  /Metadata

- Browse from the Lubuntu client to https://web.example.com/SSO/Metadata and save the XML file (rename it to example.xml so the second SP metadata, for web.demo.com, can be downloaded without overwriting it).
- Repeat the step for demo with https://web.demo.com/SSO/Metadata.

The downloaded Service Provider metadata for web.example.com contains the configured SP definition as shown below. The parts the IdP will use are the entityID (FAD-example-company1), the AssertionConsumerService with the HTTP-POST binding at https://web.example.com/SSO/SAML2/Post, and the SingleLogoutService. The KeyDescriptor carries the device's built-in self-signed "Fortigate" certificate (decoding the certificate below shows a 1024-bit RSA key signed with SHA-1, valid until 24 May 2020); it is fine for this lab but should be replaced by a dedicated SP certificate with a current key size before the metadata is handed to a production IdP.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_0d120436566f2ff8df9375337d1a81f6ba720d23" entityID="FAD-example-company1">
  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://web.example.com/SSO/Login"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>Fortigate</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>[email protected],CN=Fortigate,OU=Fortigate,O=Fortinet,L=Vancouver,ST=British Columnbia,C=CA</ds:X509SubjectName>
          <ds:X509Certificate>
MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBoDELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTERMA8GA1UE
ChMIRm9ydGluZXQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEQMA4G
A1UEAxMHc3VwcG9ydDEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmb3J0aW5ldC5j
b20wHhcNMDAwNDA5MDEzNDM3WhcNMjAwNTI0MDEzNDM3WjCBmzELMAkGA1UEBhMC
Q0ExGjAYBgNVBAgTEUJyaXRpc2ggQ29sdW1uYmlhMRIwEAYDVQQHEwlWYW5jb3V2
ZXIxETAPBgNVBAoTCEZvcnRpbmV0MRIwEAYDVQQLEwlGb3J0aWdhdGUxEjAQBgNV
BAMTCUZvcnRpZ2F0ZTEhMB8GCSqGSIb3DQEJARYSZHdhbmdAZm9ydGluZXQuY29t
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUuBc/qHSh+jmqzYR7gW4ESHdV
0QMtzul8B2m42/vfLOwzO9JlS+V7Ca/AjIvLdHtyclibmQ8BREtXWDSKERNQj46R
URYi4yLC9sWvyfknJ2Fjb0loIJOWaj2NFxoZenRISFvHIJtWgWMWns/+lSkBtCXu
vXtlfQgfvxx9Q/eFvQIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA
A4IBAQBtOGBV8wk3U0G4TXUv049DhoyOpyR8i0yfsX98Sm5Q0c4BNLIqwNicy52Z
gIjMiCV2YozzKrGr9Kerf1/QQSpwUQz+18KqoYHvNyw06FX69MxDLAeIJpNqOSMK
3XyTMC9EhjGHtzhnochyIBbsDyIUVWTfzRcx6bjQznn1Htxg7khYcvs5Jla2RVb7
EVv+rC5+FQUKuWCZ6TLczOvaUjtgPgtYWMymXAc8pbzBs47S4wlVUI6QUm8IHqDj
TmbxfZ6cTxOmVTOX3ydg3vgIE2k1fFCsgsin6VL4T35wgrg/FzHgjsaDcNd25TCs
bWWXiyav1QJmHA/R9SNU3aYWuSsq
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://web.example.com/SSO/SLO/Logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://web.example.com/SSO/SAML2/Post" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

3.2. EXCHANGE SERVICE PROVIDER METADATA

Both SP metadata definitions must be loaded on the Identity Provider side. The procedure depends on the software the IdP runs; for the workshop this has already been done at the online TestShib IdP (which is why internet connectivity is required). The IdP only answers requests from, and addresses assertions to, the entityIDs and ACS locations in the metadata it has loaded, so a mismatch between the exported metadata and the virtual server configuration breaks the flow.

4. TESTING SAML AUTHENTICATION

4.1. ENABLE SAML TRACER PLUGIN

Open Firefox and start the SAML tracer extension, which lists the SAML requests and responses the browser carries between SP and IdP and decodes them.


4.2. CONNECT EXAMPLE WEBSITE

Access the http://web.example.com/ website and observe the redirect to HTTPS, which is good practice for (SAML) authentication. Accept the TLS warning and permanently add the self-signed Fortinet certificate. This is acceptable only in the lab: the assertion the IdP posts back is a bearer token carried over this TLS connection, so outside the lab the virtual server needs a certificate the clients' browsers already trust.

4.3. AUTHENTICATE SAML-SP INITIATED

Select login and watch the HTTP redirect (GET) from the example website (Service Provider) to the TestShib website (Identity Provider).


Log in with the TestShib test account alterego/alterego and watch the HTTP POST from TestShib (IdP) to the Assertion Consumer Service of example (SP).

The internal example web page is shown after successful SAML authentication.

4.4. SINGLE SIGN ON WITH SAML

Connect to the http://web.demo.com/ website and observe the redirect to HTTPS, which is good practice for (SAML) authentication.


Select login and watch the HTTP redirect (GET) from the demo website (Service Provider) to the TestShib website (Identity Provider) and the immediate redirect (POST) from TestShib (IdP) to the demo Assertion Consumer Service. No login prompt appears this time because the user already has a session at the Identity Provider; that is the single sign-on.

4.5. FEDERATED IDENTITY LOGOUT

Log out from the website to log out globally (federated identity logout), which uses the SingleLogoutService endpoint published in the SP metadata.

Close the browser to terminate the web browser session with the web servers.

Open the website(s) again and observe that you need to log in again.
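The exchange described in 4.3, 4.4 and 4.6, as an added example that is not part of the Fortinet guide and not FortiADC code: a Python script (standard library only) that builds the AuthnRequest for the example-company1 SP, encodes it with the HTTP-Redirect binding that the SAML tracer shows as the GET to the IdP, decodes it again the way the tracer's "SAML decoded" view does, and then applies the checks a Service Provider must make on the Response posted to its ACS (Destination, InResponseTo, Status, Issuer, validity window, AudienceRestriction, SubjectConfirmationData). The Response is constructed and unsigned; XML signature verification needs an XML-DSig library and is left out, so these are the checks around the signature, not a replacement for it. The entityIDs and URLs are the ones from sections 1.1, 1.2 and 3.1; the request ID, timestamps and the attacker issuer URL are assumptions.

```python
# Added example (not FortiADC code): the SP-initiated exchange traced in 4.3, 4.4 and 4.6.
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SP_ENTITY_ID = "FAD-example-company1"                      # from section 1.2
ACS_URL = "https://web.example.com/SSO/SAML2/Post"          # from the SP metadata in 3.1
IDP_ENTITY_ID = "https://idp.testshib.org/idp/shibboleth"   # from the IdP metadata in 1.1
IDP_REDIRECT_SSO = "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXAMPLE_NOW = dt.datetime(2017, 3, 1, 12, 0, 0, tzinfo=dt.timezone.utc)  # assumed clock for the demo

def instant(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_instant(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def build_authn_request(request_id, now):
    """AuthnRequest as the SP issues it; the SP must remember request_id to check InResponseTo."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{instant(now)}" Destination="{IDP_REDIRECT_SSO}" '
            f'AssertionConsumerServiceURL="{ACS_URL}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_binding_url(request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode as the SAMLRequest query parameter."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: no zlib header or checksum
    deflated = z.compress(request_xml.encode()) + z.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_REDIRECT_SSO}?{query}"

def decode_saml_request(url):
    """Reverse the binding; this is the 'SAML decoded' view the tracer shows."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()

def sample_response(request_id, now, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID):
    """Constructed, unsigned Response shaped like the one the IdP POSTs to the ACS."""
    nb, na = instant(now - dt.timedelta(minutes=1)), instant(now + dt.timedelta(minutes=5))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
            f'IssueInstant="{instant(now)}" Destination="{ACS_URL}" InResponseTo="{request_id}">'
            f'<saml:Issuer>{issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{instant(now)}"><saml:Issuer>{issuer}</saml:Issuer>'
            '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tid</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="{na}"/>'
            '</saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '</saml:Assertion></samlp:Response>')

def validate_response(response_xml, outstanding_request_id, now):
    """Checks the SP must make besides verifying the XML signature; returns the reasons to reject."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not this SP's ACS")
    if root.get("InResponseTo") != outstanding_request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest (replay or unsolicited)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    if assertion.findtext("saml:Issuer", "", NS).strip() != IDP_ENTITY_ID:
        problems.append("assertion Issuer is not the trusted IdP entityID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no Conditions"]
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < parse_instant(nb)) or (na and now >= parse_instant(na)):
        problems.append("assertion outside its validity window")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("SP entityID not in AudienceRestriction")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != outstanding_request_id:
        problems.append("SubjectConfirmationData does not bind the bearer assertion to this ACS and request")
    return problems

def demo(now=EXAMPLE_NOW):
    """Run the exchange once: a good Response, a replayed one, a forged issuer, one meant for the demo SP."""
    rid = "_" + "0" * 32  # a real SP uses a random ID, e.g. secrets.token_hex(16)
    url = redirect_binding_url(build_authn_request(rid, now), "/")
    good = sample_response(rid, now)
    return {
        "redirect_url": url,
        "request_roundtrip_ok": decode_saml_request(url) == build_authn_request(rid, now),
        "accepted": validate_response(good, rid, now),
        "replayed": validate_response(good, "_some-other-request", now),
        "wrong_issuer": validate_response(sample_response(rid, now, issuer="https://idp.attacker.example/"), rid, now),
        "wrong_audience": validate_response(sample_response(rid, now, audience="FAD-demo-company1"), rid, now),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "wrong_audience" case is the one this guide's two SPs make concrete: an assertion TestShib issued for FAD-demo-company1 must not log anyone in at web.example.com even though both sites sit on the same FortiADC and the same pool. The "replayed" case shows why the SP has to keep the ID of every AuthnRequest it sent until the matching Response arrives.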


4.6. ANALYZE SAML

4.6.1. SAML IDP AUTHENTICATION REQUEST

Service Provider redirect (GET) binding to Identity Provider (HTTP)

Service Provider redirect (GET) binding to Identity Provider (parameters)


Service Provider redirect (GET) binding to Identity Provider (SAML decoded)

4.6.2. SAML ASSERTION CONSUMER SERVICE REQUEST

Identity Provider redirect (POST) binding to Service Provider (HTTP)

Identity Provider redirect (POST) binding to Service Provider (parameters)

Identity Provider redirect (POST) binding to Service Provider (SAML decoded)

Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

GLOBAL HEADQUARTERS
Fortinet Inc.
899 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
www.fortinet.com/sales

EMEA SALES OFFICE
905 rue Albert Einstein
06560 Valbonne
France
Tel: +33.4.8987.0500

APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730

LATIN AMERICA HEADQUARTERS
Sawgrass Lakes Center
13450 W. Sunrise Blvd., Suite 430
Sunrise, FL 33323
Tel: +1.954.368.9990

March 1, 2017