FortiAuthenticator SAML 2.0 SSO Integration

This guide explains how to integrate FortiAuthenticator as a SAML 2.0 Identity Provider (IdP) for AIR.

This method supports SP-initiated SAML SSO. Role mapping is handled via FortiAuthenticator Groups and AIR roleTags.


Prerequisites

  • Access to FortiAuthenticator with admin privileges.

  • Access to AIR as an administrator.

  • Users to be authenticated must have their email field populated.

  • Ensure network connectivity between AIR and FortiAuthenticator.


Step 1: Prepare FortiAuthenticator

  1. Log in to FortiAuthenticator with an admin account.

  2. Go to Authentication → User Management → User Groups.

     [Screenshot: User Groups]

  3. Create user groups that will act as AIR role mappings:

  • Use the prefix AIR_role. followed by the role tag used in AIR. Example: AIR_role.global_admin

  • Only roles that will be actively used for login need to be created.

  4. Assign users to their corresponding AIR role groups.


Step 2: Configure FortiAuthenticator as SAML IdP

  1. Navigate to Authentication → SAML IdP → General.

     [Screenshot: SAML General]

  2. Enable “Enable SAML Identity Provider portal.”

  3. In the Server Address field, enter the address that AIR will use to reach FortiAuthenticator.

  4. (Optional) Select a default IdP certificate for compatibility.

  5. Click Save to store the settings.


Step 3: Create a Service Provider in FortiAuthenticator

  1. Go to Authentication → SAML IdP → Service Providers.

  2. Click Create New to register AIR.

  3. Fill in the following:

    • SP Name: e.g. AIR-Instance-X.

    • IdP Prefix: Auto-generate or enter manually.

    • Server Certificate: Select or use default.

  4. Click Save to create the SP.

     [Screenshot: Create new SAML Service Provider]

Step 4: Configure SSO in AIR

  1. In a new tab, log in to AIR with an admin user.

  2. Go to Settings → Security, scroll to the SSO section.

  3. Enable FortiAuthenticator and copy the ACS URL.

     [Screenshot: ACS URL]

Step 5: Complete SP Configuration in FortiAuthenticator

  1. Return to the SP config in FortiAuthenticator.

  2. Under SP Metadata, fill in:

    • SP Entity ID → Paste ACS URL.

    • SP ACS (Login) URL → Paste ACS URL again.

  3. Under Assertion Attributes, configure:

    • Subject Name ID → email.

    • Format → urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  4. Add the following assertions:

     SAML Attribute | User Attribute  | Required
     -------------- | --------------- | --------
     groups         | FAC local group |
     firstName      | First name      |
     lastName       | Last name       |

     [Screenshot: Assertion Settings]

  5. Click Save.


Step 6: Export IdP Metadata

  1. Open the newly created SP entry.

  2. Click Download IdP Metadata.

     [Screenshot: Download Metadata]

Step 7: Upload Metadata to AIR

  1. Go back to AIR → Settings → Security → SSO.

  2. Click Upload IdP Metadata.

     [Screenshot: SSO Config]

     Alternatively, enter the values manually.

  3. Click Save.


Step 8: Test the Integration

  1. Log out of AIR.

  2. Click Login with FortiAuthenticator.

  3. After authenticating with FortiAuthenticator, you’ll be redirected to AIR.


Troubleshooting

If login fails, check:

  • Network access between AIR and FortiAuthenticator.

  • Group mapping (user must belong to an AIR_role.X group).

     [Screenshot: Role Tags]

  • User has a valid email address.

  • Review SAML logs from both ends if needed.


Example Role Mappings

AIR Role Name        | AIR Role Tag         | Forti Group Name
-------------------- | -------------------- | -----------------------------
Global Admin         | global_admin         | AIR_role.global_admin
Organization Admin   | organization_admin   | AIR_role.organization_admin
L1 & L2 Analyst      | l1_l2_analyst        | AIR_role.l1_l2_analyst
Maintenance Engineer | maintenance_engineer | AIR_role.maintenance_engineer
L3 & L4 Analyst      | l3_l4_analyst        | AIR_role.l3_l4_analyst
Responder            | responder            | AIR_role.responder
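The assertion settings in Step 5, the group-mapping and email checks in Troubleshooting, and the mapping table above all come together in what the IdP actually sends. The script below is an added example, not part of this guide or of either product: it reads a constructed SAML Response (the same schema FortiAuthenticator emits, with made-up user and group values), checks that the NameID is email-formatted, that the groups, firstName and lastName attributes are present, and that at least one group carries the AIR_role. prefix, and derives the AIR role tags from those groups the same way the mapping table does. It does not verify the XML signature, so it is a diagnostic for a captured assertion during troubleshooting, not a replacement for AIR's own validation.

```python
"""Diagnose a SAML Response against the attribute and group requirements.

Added example: the Response below is a constructed sample (fictitious user
and groups). No signature verification is performed here; that is left to
the service provider.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ROLE_PREFIX = "AIR_role."          # group-name prefix mapped to AIR role tags
EXPECTED_ATTRS = ("groups", "firstName", "lastName")

# Constructed sample assertion: two AIR role groups plus one unrelated group.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>AIR_role.responder</saml:AttributeValue>
        <saml:AttributeValue>AIR_role.l1_l2_analyst</saml:AttributeValue>
        <saml:AttributeValue>VPN-Users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_attributes(assertion):
    """Map each SAML attribute name to its list of string values."""
    attrs = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    return attrs


def role_tags_from_groups(groups):
    """AIR_role.<tag> -> <tag>; groups without the prefix are ignored."""
    return sorted(g[len(ROLE_PREFIX):] for g in groups
                  if g.startswith(ROLE_PREFIX) and len(g) > len(ROLE_PREFIX))


def check_response(xml_text):
    """Return what AIR would see plus a list of problems (empty if all is well)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain saml:Assertion found (encrypted or malformed response)")

    problems = []
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    email = (nameid.text or "").strip() if nameid is not None else ""
    if nameid is None:
        problems.append("no NameID in Subject")
    elif nameid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is %r, expected %s" % (nameid.get("Format"), EMAIL_FORMAT))
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append("NameID %r is not an email address (check the user's email field)" % email)

    attrs = extract_attributes(assertion)
    for name in EXPECTED_ATTRS:
        if not attrs.get(name):
            problems.append("assertion attribute %r missing or empty" % name)

    groups = attrs.get("groups", [])
    tags = role_tags_from_groups(groups)
    if not tags:
        problems.append("user is in no AIR_role.<tag> group, so no AIR role can be assigned")

    return {
        "email": email,
        "first_name": (attrs.get("firstName") or [""])[0],
        "last_name": (attrs.get("lastName") or [""])[0],
        "role_tags": tags,
        "ignored_groups": [g for g in groups if not g.startswith(ROLE_PREFIX)],
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in check_response(SAMPLE_RESPONSE).items():
        print("%-15s %s" % (key, value))
```

A captured Response from a browser's SAML trace can be passed to `check_response` in place of the sample; an empty `problems` list means the assertion satisfies every item in the Troubleshooting checklist that can be judged from the assertion alone.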
