1 of 1

FortiAuthenticator SAML 2.0 SSO Integration

This guide explains how to integrate FortiAuthenticator as a SAML 2.0 Identity Provider (IdP) for AIR.

✅ This method supports IdP-initiated SAML SSO. Role mapping is handled via FortiAuthenticator Groups and AIR roleTags.

Prerequisites

Access to FortiAuthenticator with admin privileges
Access to AIR as an administrator
Users to be authenticated must have their email field populated
Ensure network connectivity between AIR and FortiAuthenticator (via server address used in configuration)

Step 1: Prepare FortiAuthenticator

Log in to FortiAuthenticator with an admin account.
Go to Authentication → User Management → User Groups.

Create user groups that will act as AIR role mappings:
- Use the prefix air_role. followed by the role tag used in AIR. Example: air_role.global_admin
- Only roles that will be actively used for login need to be created.

Step 2: Configure FortiAuthenticator as SAML IdP

Navigate to Authentication → SAML IdP → General.
Enable "Enable SAML Identity Provider portal" setting.
In the Server Address field, enter the address AIR will use to reach FortiAuthenticator. Make sure AIR can access this URL over the network.

Step 3: Create Service Provider in FortiAuthenticator

Go to Authentication → SAML IdP → Service Providers.
Click Create New to register the AIR as a new SP (Service Provider).
Fill in:
- SP Name: Choose a meaningful name (e.g., AIR-Instance-X

Step 4: Configure SSO in AIR

In a new tab, log in to AIR with an admin user.
Go to Settings → Security, scroll to the SSO section.
Enable FortiAuthenticator and copy the ACS URL at the bottom.

Step 5: Complete SP Configuration in FortiAuthenticator

Go back to your created SP in FortiAuthenticator.
Under SP Metadata, fill in:
- SP Entity ID → Paste the ACS URL from AIR
- SP ACS (Login) URL → Paste the ACS URL again

Step 6: Export IdP Metadata

Open the newly created SP entry.
Click Download IdP Metadata.

Step 7: Upload Metadata to AIR

Return to AIR → Settings → Security → SSO section.
Use the Upload IdP Metadata option to upload the file.
🔄 Alternatively, you can copy values from Forti and paste them into AIR manually.
Click Save.

Step 8: Test the Integration

Log out of AIR.
Click Login with FortiAuthenticator on the login screen.
You’ll be redirected to FortiAuthenticator. After successful authentication, you’ll be redirected back to AIR.

Troubleshooting

If login fails, check the following:

🔌 Network Issues: Make sure AIR can reach FortiAuthenticator’s Server Address.
👥 Role Mapping: Ensure the user is assigned to at least one Forti group named air_role.X where X matches a role tag in AIR.
- View AIR role tags via Settings → User Management → User Roles.

Example Group Mapping for Predefined Roles

AIR Role Name

AIR Role Tag

Forti Group Name

FortiAuthenticator SAML 2.0 SSO Integration

This guide explains how to integrate FortiAuthenticator as a SAML 2.0 Identity Provider (IdP) for AIR.

✅ This method supports IdP-initiated SAML SSO. Role mapping is handled via FortiAuthenticator Groups and AIR roleTags.

Prerequisites

Access to FortiAuthenticator with admin privileges
Access to AIR as an administrator
Users to be authenticated must have their email field populated
Ensure network connectivity between AIR and FortiAuthenticator (via server address used in configuration)

Step 1: Prepare FortiAuthenticator

Log in to FortiAuthenticator with an admin account.
Go to Authentication → User Management → User Groups.

Create user groups that will act as AIR role mappings:
- Use the prefix air_role. followed by the role tag used in AIR. Example: air_role.global_admin
- Only roles that will be actively used for login need to be created.

Step 2: Configure FortiAuthenticator as SAML IdP

Navigate to Authentication → SAML IdP → General.
Enable "Enable SAML Identity Provider portal" setting.
In the Server Address field, enter the address AIR will use to reach FortiAuthenticator. Make sure AIR can access this URL over the network.

Step 3: Create Service Provider in FortiAuthenticator

Go to Authentication → SAML IdP → Service Providers.
Click Create New to register the AIR as a new SP (Service Provider).
Fill in:
- SP Name: Choose a meaningful name (e.g., AIR-Instance-X

Step 4: Configure SSO in AIR

In a new tab, log in to AIR with an admin user.
Go to Settings → Security, scroll to the SSO section.
Enable FortiAuthenticator and copy the ACS URL at the bottom.

Step 5: Complete SP Configuration in FortiAuthenticator

Go back to your created SP in FortiAuthenticator.
Under SP Metadata, fill in:
- SP Entity ID → Paste the ACS URL from AIR
- SP ACS (Login) URL → Paste the ACS URL again

Step 6: Export IdP Metadata

Open the newly created SP entry.
Click Download IdP Metadata.

Step 7: Upload Metadata to AIR

Return to AIR → Settings → Security → SSO section.
Use the Upload IdP Metadata option to upload the file.
🔄 Alternatively, you can copy values from Forti and paste them into AIR manually.
Click Save.

Step 8: Test the Integration

Log out of AIR.
Click Login with FortiAuthenticator on the login screen.
You’ll be redirected to FortiAuthenticator. After successful authentication, you’ll be redirected back to AIR.

Troubleshooting

If login fails, check the following:

🔌 Network Issues: Make sure AIR can reach FortiAuthenticator’s Server Address.
👥 Role Mapping: Ensure the user is assigned to at least one Forti group named air_role.X where X matches a role tag in AIR.
- View AIR role tags via Settings → User Management → User Roles.

Example Group Mapping for Predefined Roles

AIR Role Name

AIR Role Tag

Forti Group Name