FortiMail SSO with PortalGuard Setup


The following recipe guides you through the process of enabling FortiMail webmail single sign on and then configuring the PortalGuard Relying Party.

Before we begin you’ll need to make sure your FortiMail unit is licensed and has a working config for hostnamae/domain and DNS. Additionally, your unit must be running in Server or Gateway mode and at least one protect domain should be configured. 

Enabling FortiMail Webmail Single Sign On

First we’ll need to enable single sign on for FortiMail webmail. Make sure your on Advanced Mode.

  1. Go to System > Customization > Appearance.
  2. Expand the Webmail Portal section.
  3. Select “3rd Party/Single Sign on from the Login page drop down list. 
  4. Select Edit.
  5. Enter the Identity Provider (IDP) Metadata URL. A PortalGuard metadata URL is typically in the following format:
  6. Copy the FortiMail server provider metadata URL on this same form
  7. Open another browser and go to the URL to download the metadata file.



 Configuring PortalGuard Relying Party

Now to use the PortGuard server and configure PortalGuard relying party. 

  1. Create a new Relying Party in the Identity Provider Configuration Editor.
  2. Enter a Name & Description.
  3. Enter the Identifier used by your FortiMail. This is the metadata file you downloaded in the previous section. 
  4. Enter the Assertion Consumer URL for your FortiMail, which is typically in the format of (where is the hostname and domain of the FortiMail – this can be found in the metadata file by searching for AssertionConsumerService Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” Location=)

 Creating Identity Claims

Now we’ll need to enter the Identity Claims tab and create a couple of new claims.

  1. Create a new claim in the Identity Claims tab and enter the email address in the name section.
  2. Select “” from the Pre-define Types button.
  3. Select String Field from the Value Type dropdown menu and enter the field that holds the user email address in the Field Name. Select Save.
  4. Create a second claim in the Identity Claims tab and enter the following information:
    – Enter EmailAddresstoNameID in the name section
    – Do not check the Send as NameID option
    – Enter urn:oid:0.9.2342.19200300.100.1.3 in the Scheme Type section. It must be manually entered
    – Select String Field from the Value Type dropdown menu
    – Enter “mail” or whichever fields holds the user email address in the Field Name section and then select Save.
  5. Enter the remaining config information in the ldp-initiated and Authorization tabs
  6. Save the Relying Party configuration and Apply To Identity Provider.