CONFIGURATION GUIDE
FORTIADC SAML CONFIGURATION GUIDE
CONFIGURATION GUIDE: FORTIADC SAML
1. Configuring FortiADC
1.1. Importing Identity Provider metadata
1.2. Defining Service Provider profiles
1.3. Defining Authentication Policies
2. Configuring Virtual Servers
2.1. Creating pool with real server
2.2. Creating Virtual Servers with SAML authentication
2.3. Creating Virtual Servers for HTTPS redirect
3. Building trust relation between SP and IdP
3.1. Retrieve Service Provider Metadata
3.2. Exchange Service Provider Metadata
4. Testing SAML authentication
4.1. Enable SAML tracer plugin
4.2. Connect to web service
4.3. Authenticate SAML-SP initiated
4.4. Single Sign On with SAML
4.5. Federated Identity logout
4.6. Analyze SAML
This configuration guide is intended to familiarize you with FortiADC and SAML-based authentication. FortiADC functions as the SAML Service Provider (SP) and the online Testshib service as the Identity Provider (IdP).
Note: This configuration guide requires internet connectivity.
The guide covers the topics listed in the table of contents above.
If you need help with FortiADC, refer to http://docs.fortinet.com/fortiadc-d-series/admin-guides.
NETWORK DIAGRAM
For the SAML configuration we use the environment outlined below. All devices are pre-configured except FortiADC, which has only a basic network setup.
SECURITY ASSERTION MARKUP LANGUAGE (SAML)
Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is, an identity provider, and a SAML consumer, that is, a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.
SAML SP-INITIATED AUTHENTICATION FLOW
In the workshop the Lubuntu client (User Agent) accesses the web sites web.example.com and web.demo.com, which are protected by SAML-based authentication (Service Provider). The Lubuntu client authenticates at Testshib (Identity Provider) to obtain the SAML assertion (token), which it then presents to the web sites to gain access.
1. CONFIGURING FORTIADC
1.1. IMPORTING IDP METADATA
Identity Providers specify which functions they support, and how to connect to them, in an IdP metadata definition. This IdP metadata can often be downloaded from the identity provider, or is shared by its administrator.
The Testshib IdP metadata needs to be imported into FAD, so that FAD knows how and where to redirect clients for authentication. (Download the file, or cut and paste the XML shown below.)
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://idp.testshib.org/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:mdalg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Extensions>
    <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
    <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" />
    <mdalg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
    <mdalg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" />
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
  </Extensions>
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">testshib.org</shibmd:Scope>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">TestShib Test IdP</mdui:DisplayName>
        <mdui:Description xml:lang="en">TestShib IdP. Use this as a source of attributes for your test SP.</mdui:Description>
        <mdui:Logo height="88" width="253">https://www.testshib.org/testshibtwo.jpg</mdui:Logo>
      </mdui:UIInfo>
    </Extensions>
    <!-- new signing key -->
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
        index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
        index="2"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.testshib.org/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.testshib.org/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- new SSL/TLS -->
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.testshib.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.testshib.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  </AttributeAuthorityDescriptor>
  <Organization>
    <OrganizationName xml:lang="en">TestShib Two Identity Provider</OrganizationName>
    <OrganizationDisplayName xml:lang="en">TestShib Two</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://www.testshib.org/testshib-two/</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Nate</GivenName>
    <SurName>Klingenstein</SurName>
    <EmailAddress>[email protected]</EmailAddress>
  </ContactPerson>
</EntityDescriptor>
- Authentication Management > SAML > IDP Metadata
- Name: Testshib
1.2. DEFINING SERVICE PROVIDER PROFILES
We need to create SP profiles for the authentication configuration on the local FAD virtual servers, and for creating the unique trust relation between the SAML SP (FAD) and the SAML IdP (Testshib).
Configure the Service Provider for website web.example.com:
- Authentication Management > SAML > SAML Service Provider
- Name: example-company1
- Entity ID: FAD-example-company1
- IDP Metadata: Testshib
Repeat the above step for the second website web.demo.com:
- Authentication Management > SAML > SAML Service Provider
- Name: demo-company1
- Entity ID: FAD-demo-company1
- IDP Metadata: Testshib
1.3. DEFINING AUTHENTICATION POLICIES
Authentication policies need to be created, so we can attach them to their respective virtual servers.
- Server Load Balance > Application Resources > Authentication Policy
- Add
- Name: example-SAML
- Save
- Edit example-SAML
- Add
- Host Status: Enable
- Type: SAML
- Host: web.example.com
- Path: company1
- SAML SSO ID: example-company1
Repeat the above steps for demo:
- Server Load Balance > Application Resources > Authentication Policy
- Add
- Name: demo-SAML
- Save
- Edit demo-SAML
- Add
- Host Status: Enable
- Type: SAML
- Host: web.demo.com
- Path: company1
- SAML SSO ID: demo-company1
2. CONFIGURING VIRTUAL SERVERS
2.1. CREATING POOL WITH REAL SERVER
- Server Load Balance > Real Server Pool
- Add
- Name: pool-example_demo
- Health Check: Enable
- Health Check List: LB_HLTHCK_ICMP
- Save
- Edit pool-example_demo
- Add
- Server Name: web1
- Address: 20.0.0.10
- Port: 80
- Save
- Save
2.2. CREATING VIRTUAL SERVERS WITH SAML AUTHENTICATION
To publish both web.example.com and web.demo.com we need to define two virtual servers (VS), which we secure with HTTPS so that the authentication exchange stays confidential.
Site: web.example.com
- Server Load Balance > Virtual Server
- Add
- Name: vs_example
- Type: Layer 7
- Address: 30.0.0.100
- Port: 443
- Profile: LB_PROF_HTTPS
- Real Server Pool: pool-example_demo
- Auth Policy: example-SAML
- Traffic Log: Enable
- Save
Site: web.demo.com
- Server Load Balance > Virtual Server
- Add
- Name: vs_demo
- Type: Layer 7
- Address: 30.0.0.101
- Port: 443
- Profile: LB_PROF_HTTPS
- Real Server Pool: pool-example_demo
- Auth Policy: demo-SAML
- Traffic Log: Enable
- Save
2.3. CREATING VIRTUAL SERVERS FOR HTTPS REDIRECT
To accommodate unsecured web requests (HTTP) to the published websites, we redirect them to the secured web sites (HTTPS).
Site: web.example.com
- Server Load Balance > Virtual Server
- Add
- Name: vs_example_http
- Type: Layer 7
- Address: 30.0.0.100
- Port: 80
- Profile: LB_PROF_HTTP
- Real Server Pool: pool-example_demo
- Scripting: HTTP_2_HTTPS_REDIRECTION
- Traffic Log: Enable
- Save
Site: web.demo.com
- Server Load Balance > Virtual Server
- Add
- Name: vs_demo_http
- Type: Layer 7
- Address: 30.0.0.101
- Port: 80
- Profile: LB_PROF_HTTP
- Real Server Pool: pool-example_demo
- Scripting: HTTP_2_HTTPS_REDIRECTION
- Traffic Log: Enable
- Save
3. BUILDING TRUST RELATION BETWEEN SP AND IDP
3.1. RETRIEVE SERVICE PROVIDER METADATA
There needs to be a trust relation between the Service Provider and the Identity Provider. This allows the Identity Provider to issue an assertion, which the User Agent (web browser) hands over to the Service Provider to log in (sending it to the Assertion Consumer Service with the correct ACS Binding Type). This assertion is issued whenever the user has successfully authenticated at the Identity Provider.
The configuration details are part of the previously configured Service Provider definitions, and can be retrieved by requesting:
https://<VirtualServer>/<Service URL><Metadata Export Service Location>
Parameter                          Value
Virtual Server                     web.example.com
Service URL                        /SSO
Metadata Export Service Location   /Metadata
- Browse from the Lubuntu client to https://web.example.com/SSO/Metadata and save the XML file. (Rename it to example.xml so that the second SP metadata file, for web.demo.com, can be downloaded as well.)
- Repeat the step for demo with https://web.demo.com/SSO/Metadata
Downloaded Service Provider Metadata for web.example.com contains the configured SP definition as shown below.
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_0d120436566f2ff8df9375337d1a81f6ba720d23" entityID="FAD-example-company1">
  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://web.example.com/SSO/Login"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>Fortigate</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>[email protected],CN=Fortigate,OU=Fortigate,O=Fortinet,L=Vancouver,ST=British Columnbia,C=CA</ds:X509SubjectName>
          <ds:X509Certificate>MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBoDELMAkGA1UEBhMCVVMx...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://web.example.com/SSO/SLO/Logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://web.example.com/SSO/SAML2/Post" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
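Before importing a metadata file (the Testshib IdP metadata in section 1.1) or handing one to the IdP administrator (the SP metadata exported here in section 3.1), it pays to summarise what the document actually advertises. The following Python script is an added example, not FortiADC's code and not part of the Fortinet guide. The two inline documents are constructed samples modelled on the metadata shown in this guide (the IdP entity ID, endpoint hosts and certificate text are placeholders; the SP values reuse the Entity ID and ACS location configured above). The parser works unchanged on real files because ElementTree resolves both the default namespace used by the IdP file and the md: prefix used by the SP file to the same SAML metadata namespace.

```python
"""Summarise a SAML 2.0 metadata document (IdP or SP) before importing it:
role, advertised endpoints, certificate presence and legacy algorithms.
Added example, not FortiADC code; standard library only."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Algorithm identifiers that current SAML deployment guidance treats as
# legacy. Seeing them in metadata is a prompt to review, not a failure.
LEGACY_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
}

ENDPOINT_TAGS = ("SingleSignOnService", "SingleLogoutService",
                 "AssertionConsumerService", "ArtifactResolutionService")

# Constructed IdP metadata modelled on the Testshib file (section 1.1);
# entity ID, locations and the certificate text are placeholders.
IDP_METADATA = """<EntityDescriptor entityID="https://idp.example.test/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:mdalg="urn:oasis:names:tc:SAML:metadata:algsupport">
  <Extensions>
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <mdalg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </Extensions>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder-not-a-real-certificate...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SP metadata modelled on the FortiADC export (section 3.1).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="FAD-example-company1">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>MIID...placeholder-not-a-real-certificate...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://web.example.com/SSO/SLO/Logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://web.example.com/SSO/SAML2/Post" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_metadata(xml_text):
    """Return entity ID, role, endpoints, certificate count and every legacy
    algorithm identifier found anywhere in the document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    endpoints = [(tag, el.get("Binding"), el.get("Location"))
                 for tag in ENDPOINT_TAGS
                 for el in role.findall("md:" + tag, NS)]
    certs = [c for c in role.iterfind(".//ds:X509Certificate", NS)
             if c.text and c.text.strip()]
    legacy = sorted({el.get("Algorithm") for el in root.iter()
                     if el.get("Algorithm") in LEGACY_ALGORITHMS})
    return {"entity_id": root.get("entityID"),
            "role": "IdP" if idp is not None else "SP",
            "endpoints": endpoints,
            "certificate_count": len(certs),
            "legacy_algorithms": legacy}


def check_sp_matches_profile(summary, entity_id, acs_location):
    """List mismatches between exported SP metadata and the values the SP
    profile was configured with (Entity ID and ACS location)."""
    problems = []
    if summary["entity_id"] != entity_id:
        problems.append("entityID is %r, expected %r" % (summary["entity_id"], entity_id))
    acs = [loc for tag, _binding, loc in summary["endpoints"]
           if tag == "AssertionConsumerService"]
    if acs_location not in acs:
        problems.append("ACS %r not advertised (found %r)" % (acs_location, acs))
    return problems


if __name__ == "__main__":
    for doc in (IDP_METADATA, SP_METADATA):
        print(summarize_metadata(doc))
```

The check in check_sp_matches_profile is the one to run on the file downloaded from https://web.example.com/SSO/Metadata before sending it to the IdP: the entityID must equal the Entity ID entered in the SP profile (FAD-example-company1) and the ACS location must be the URL the IdP will POST the assertion to, otherwise the IdP side of the trust relation is set up against the wrong identifiers.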
3.2. EXCHANGE SERVICE PROVIDER METADATA
Both SP metadata definitions have to be loaded on the Identity Provider side. The procedure depends on the software used by the IdP; for the workshop it is already pre-configured at the online Testshib IdP (which is why internet connectivity is required).
4. TESTING SAML AUTHENTICATION
4.1. ENABLE SAML TRACER PLUGIN
Open Firefox and start the SAML tracer extension to show SAML requests.
4.2. CONNECT EXAMPLE WEBSITE
Access the http://web.example.com/ website and observe the redirect to HTTPS, which is good practice for (SAML) authentication. Accept the SSL warning and permanently add the self-signed Fortinet certificate.
4.3. AUTHENTICATE SAML-SP INITIATED
Select login and watch the HTTP redirect (GET) from the example website (Service Provider) to the Testshib website (Identity Provider).
Login with alterego/alterego and watch the HTTP redirect (POST) from Testshib (IdP) to example (SP) Assertion Consumer Service.
The internal example webpage is shown after successful SAML authentication.
4.4. SINGLE SIGN ON WITH SAML
Connect to the http://web.demo.com/ website and observe the redirect to HTTPS, which is good practice for (SAML) authentication.
Select login and watch the HTTP redirect (GET) from the demo website (Service Provider) to the Testshib website (Identity Provider), followed immediately by the redirect (POST) from Testshib (IdP) to the demo (SP) Assertion Consumer Service. The immediate redirect occurs because the user already logged in to the Identity Provider.
4.5. FEDERATED IDENTITY LOGOUT
Log out from the website to log out globally (Federated Identity Logout).
Close the browser to terminate the web browser session with webservers.
Open the website(s) again and experience that you need to login again.
4.6. ANALYSE SAML
4.6.1. SAML IdP authentication request
Service Provider redirect (GET) binding to Identity Provider (HTTP)
Service Provider redirect (GET) binding to Identity Provider (parameters)
Service Provider redirect (GET) binding to Identity Provider (SAML decoded)
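Section 4.6 reads the SAML tracer output in three views: the HTTP request, its parameters, and the decoded SAML. The Python script below, added here as an example and not part of the Fortinet guide, reproduces the encoding that sits between those views. The HTTP-Redirect binding used from SP to IdP (4.6.1) carries the AuthnRequest DEFLATE-compressed, base64-encoded and URL-encoded in the SAMLRequest query parameter; the HTTP-POST binding used from IdP to SP (4.6.2) carries the message base64-encoded in a form field without compression. The AuthnRequest is constructed from the endpoints in this guide (Issuer FAD-example-company1, the Testshib Redirect SSO location, the FortiADC ACS URL); its ID and IssueInstant are invented and the RelayState value is an assumption.

```python
"""Encode and decode SAML messages as the HTTP-Redirect and HTTP-POST
bindings carry them, i.e. what SAML tracer shows as "parameters" and
"SAML decoded".  Added example, not FortiADC code."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SP-initiated AuthnRequest: the SP (Issuer = its Entity ID)
# asks the IdP to return the assertion to its POST-binding ACS.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" '
    'ID="_c0ffee0123456789" Version="2.0" IssueInstant="2017-03-01T10:00:00Z" '
    'Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://web.example.com/SSO/SAML2/Post">'
    '<saml:Issuer>FAD-example-company1</saml:Issuer>'
    '</samlp:AuthnRequest>' % (SAMLP, SAML)
)


def encode_redirect_param(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_param(value):
    """Reverse of encode_redirect_param; value is already URL-decoded."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def encode_post_param(xml_text):
    """HTTP-POST binding: plain base64 in a form field, no compression."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_param(value):
    return base64.b64decode(value).decode("utf-8")


def build_redirect_url(sso_location, xml_text, relay_state=""):
    """The GET the SP sends the browser to (section 4.6.1)."""
    params = {"SAMLRequest": encode_redirect_param(xml_text)}
    if relay_state:
        params["RelayState"] = relay_state  # urlencode percent-encodes it
    return sso_location + "?" + urlencode(params)


def decode_redirect_url(url):
    """Pull SAMLRequest/SAMLResponse and RelayState out of a redirect URL."""
    query = parse_qs(urlsplit(url).query)
    out = {"RelayState": query.get("RelayState", [None])[0]}
    for name in ("SAMLRequest", "SAMLResponse"):
        if name in query:
            out[name] = decode_redirect_param(query[name][0])
    return out


def summarize_authn_request(xml_text):
    """The fields an analyst checks in the decoded request: who asks,
    which IdP endpoint it is addressed to and where the answer must go."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    issuer = root.find("{%s}Issuer" % SAML)
    return {"id": root.get("ID"),
            "issuer": issuer.text if issuer is not None else None,
            "destination": root.get("Destination"),
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "binding": root.get("ProtocolBinding")}


if __name__ == "__main__":
    url = build_redirect_url(
        "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO",
        AUTHN_REQUEST, "/company1")  # RelayState value is an assumption
    print(url)
    print(summarize_authn_request(decode_redirect_url(url)["SAMLRequest"]))
```

Decoding is not verification. A signed Redirect-bound request carries SigAlg and Signature as additional query parameters computed over the query string, and a POST-bound Response carries an XML signature inside the message; the SP validates either against the certificate in the IdP metadata, which is why the import in section 1.1 matters. When reading a captured AuthnRequest, the Destination should be one of the SingleSignOnService locations from that IdP metadata and the AssertionConsumerServiceURL should be the ACS advertised in the SP metadata of section 3.1.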
4.6.2. SAML ASSERTION CONSUMER SERVICE REQUEST
Identity Provider redirect (POST) binding to Service Provider (HTTP)
Identity Provider redirect (POST) binding to Service Provider (parameters)
Identity Provider redirect (POST) binding to Service Provider (SAML decoded)
Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
GLOBAL HEADQUARTERS: Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States. Tel: +1.408.235.7700, www.fortinet.com/sales
EMEA SALES OFFICE: 905 rue Albert Einstein, 06560 Valbonne, France. Tel: +33.4.8987.0500
APAC SALES OFFICE: 300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65.6513.3730
LATIN AMERICA HEADQUARTERS: Sawgrass Lakes Center, 13450 W. Sunrise Blvd., Suite 430, Sunrise, FL 33323. Tel: +1.954.368.9990
March 1, 2017