SAML 2.0 FSSO with FortiAuthenticator and Centrify

In this example, you will provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution using FortiAuthenticator with Centrify Identity Service, a cloud-based or on-premises service. This solution can help mitigate one of the leading points of attack in data breaches: compromised credentials. The FortiAuthenticator will act as the Service Provider (SP) and Centrify as the Identity Provider (IdP).

Centrify Identity Service improves end-user productivity and secures access to cloud, mobile, and on-premises apps via SSO, user provisioning, and multi-factor authentication.

This configuration assumes that you have already created a Centrify tenant admin account, and added a local and an SSO user group to FortiAuthenticator both called saml_users.

1. Configure DNS and FortiAuthenticator’s FQDN

On the FortiAuthenticator, go to System > Dashboard > Status. In the System Information widget, select Change next to Device FQDN.

Enter a domain name; for this example, This will help identify where the FortiAuthenticator is located in the DNS hierarchy.

Enter the same name for the Host Name. This is so you can add the FortiAuthenticator to the FortiGate’s DNS list, so that the local DNS lookup of this FQDN can be resolved.

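On the FortiGate, open the CLI Console and enter the following commands to add the FortiAuthenticator’s host name and Internet-facing IP address to the FortiGate’s DNS database (replace the values in angle brackets with your own):

config system dns-database
   edit <zone-name>
      config dns-entry
         edit 1
            set hostname <FortiAuthenticator-host-name>
            set ip <FortiAuthenticator-Internet-facing-IP>
         next
      end
      set domain <domain>
   next
end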

2. Enable FSSO and SAML on the FortiAuthenticator

On the FortiAuthenticator, go to Fortinet SSO Methods > SSO > General and set FortiGate SSO options. Make sure to Enable authentication.

Enter a Secret key and select OK to apply your changes. This key will be used on the FortiGate to add the FortiAuthenticator as the FSSO server.

Then go to Fortinet SSO Methods > SSO > SAML Authentication and select Enable SAML portal. The FortiAuthenticator generates all of the required URLs:

  • Portal URL – Captive Portal URL for the FortiGate and user.
  • Entity ID – Used in the Centrify SAML IdP application setup.
  • ACS (login) URL – Assertion POST URL used by the SAML IdP.

Enable Text-based list under SAML assertions and enter Memberof in the field provided. This attribute will be configured later on the Centrify tenant to be included in the SAML response to the FortiAuthenticator.

Enable Implicit group membership and assign the saml_users group from the dropdown menu. This will place SAML authenticated users into this group.


Keep this window open as these URLs will be needed during the IdP application configuration and for testing.

Note that, at this point, you will not be able to save these settings, as other IdP information — IDP entity id, IDP single sign-on URL, and IDP certificate fingerprint — needs to be entered. You can fill in these fields and save the configuration after you have completed the IdP application configuration.

3. Add SAML connector to Centrify for IdP metadata

Log in to the Centrify tenant as an administrator and go to Apps > Add Web Apps.
Under the Custom tab, scroll down to SAML and select Add. Select Yes to agree to add the SAML web app and then select Close.

The SAML configuration page will open automatically onto the Settings tab.

Go to Trust to view the Identity Provider Configuration section. Select the Signing Certificate dropdown and Download both the Centrify signing certificate and the metadata file – these will be uploaded to the FortiAuthenticator.

Then go to SAML Response and select Add.

Add the FirstName, LastName, Email, and Memberof user attributes. Then select Save.

4. Import the IdP certificate and metadata on the FortiAuthenticator

On the FortiAuthenticator, go to Fortinet SSO Methods > SSO > SAML Authentication and import the IdP metadata and certificate downloaded earlier.

This will automatically fill the IdP fields (as shown in the example). Make sure to select OK to save these changes.
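
To cross-check the IdP fields that the import filled in (IdP entity ID, single sign-on URL, and certificate fingerprint) against the metadata file downloaded from Centrify, a short script can extract the same values. This is an added example, not Fortinet or Centrify code; the sample metadata is constructed, its URLs are hypothetical and its certificate body is placeholder bytes, and because the hash the FortiAuthenticator displays is an assumption, both SHA-1 and SHA-256 are computed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: hypothetical IdP URLs; the certificate body is
# placeholder bytes, not a real X.509 certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a DER cert").decode()
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
                     entityID="https://idp.example.test/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".strip().encode()


def fingerprint(der: bytes, algorithm: str) -> str:
    """Colon-separated upper-case hex digest of the DER certificate bytes."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def idp_summary(metadata: bytes) -> dict:
    """Extract the three values the FortiAuthenticator needs from IdP metadata."""
    if b"<!DOCTYPE" in metadata:  # SAML metadata never needs a DTD
        raise ValueError("unexpected DOCTYPE in metadata")
    root = ET.fromstring(metadata)
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            break
    else:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    ders = [base64.b64decode("".join((x.text or "").split()))
            for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") != "encryption"
            for x in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": entity.get("entityID"),
            "sso_urls": {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
                         for s in idp.findall("md:SingleSignOnService", NS)},
            "fingerprints": [{a: fingerprint(d, a) for a in ("sha1", "sha256")} for d in ders]}
```

Run `idp_summary()` on the bytes of the downloaded metadata file and compare each value with what the SAML Authentication page shows before selecting OK.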

Select Download SP metadata – this will be uploaded to the Centrify tenant.

Then go to Fortinet SSO Methods > SSO > FortiGate Filtering and create a new FortiGate filter.

Enter a name and the FortiGate’s wan-interface IP address, and select OK.

Once created, enable Fortinet Single Sign-On (FSSO). Select Create New to create an SSO group filtering object (shown already created in the example), and select OK to apply all changes.

Note that the name entered for the filter must be the same as the group name created for SAML users (saml_users). The two user groups must have the exact same name or SSO information will not be pushed to the FortiGate.

5. Upload the SP metadata to the Centrify tenant

On the Centrify tenant, back on the Trust tab, scroll down to the Service Provider Configuration section. Select Choose File to upload the SP metadata from the FortiAuthenticator.

Once uploaded, the XML box will automatically populate. Make sure to select Save.

Optionally, you can go to Settings and enter a Name and Description. Then upload a custom Logo as required (as shown in the example). Again, be sure to select Save.

6. Configure FSSO on the FortiGate

On the FortiGate, go to Security Fabric > Fabric Connectors and select Create New.

Under SSO/Identity select Fortinet Single Sign-On Agent, enter a Name, the FortiAuthenticator’s Internet-interface IP address, and the password, which must match the secret key entered at the beginning of the FortiAuthenticator configuration process.

Select Apply & Refresh.

The SAML user group name has been successfully pushed to the FortiGate from the FortiAuthenticator, appearing when you select View.

You may have to wait a few minutes before the user group appears.

Once created, the server will be listed. Mouse over the entry under the Users/Groups column and make sure that the FSSO group has been pushed down.

Then go to User & Device > User Groups and create a new FSSO user group. Users who authenticate successfully via SAML FSSO will be placed in this group.

Enter a Name, set Type to Fortinet Single Sign-On (FSSO), and add the FSSO group as a Member.

7. Configure captive portal and security policies

On the FortiGate, go to Network > Interfaces and edit the internal interface.

Under Admission Control, set Security Mode to Captive Portal.

Set Authentication Portal to External, and enter the SAML authentication portal URL.

Set User Access to Restricted to Groups, and set User Groups to any local group. The FSSO group is not available for selection here, and the local group you choose won’t be used for access.

Next go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.

Then create an FQDN object of your Centrify tenant portal:

  • <your-tenant-id>

As this is an FQDN, make sure to set Type to FQDN.

Then go to Policy & Objects > IPv4 Policy and create all policies shown in the examples:

  • a policy for DNS,
  • a policy for access from the FortiAuthenticator,
  • a policy for Centrify bypass,
  • and a final policy for FSSO, including the SAML user group.

When finished, right-click each policy (except the FSSO policy), select Edit in CLI, and enter the following command:

      set captive-portal-exempt enable

This setting exempts users of these policies from the captive portal interface.

Results: Testing

To test the connection, as the user, open a new browser window and attempt to browse the Internet. The browser will redirect to the FortiAuthenticator SAML portal, which pushes the browser to the SAML IdP.

Alternatively, you can directly navigate to the portal URL.

Enter valid Centrify account credentials and select Next.

You will need to verify your account on your first login. An eight-digit code is sent to your email. Use the code to verify your identity and log into the portal.

The user assertion is pushed to the FortiAuthenticator, where the user is successfully authenticated. Take note of the user IP and group name.

View user information, including IP address, source, and user group, on the FortiAuthenticator under Monitor > SSO > SSO Sessions.

Confirm that the user has been authenticated via FSSO and placed in the correct user group on the FortiGate under Monitor > Firewall User Monitor.
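
If a user authenticates at Centrify but does not appear in the expected group, check whether the SAML response actually carries the Memberof attribute configured in steps 2 and 3. The following is an added example, not Fortinet or Centrify code: it decodes the base64 SAMLResponse form field that the browser posts to the ACS (login) URL and lists its attributes. The sample response and its user values are constructed, and the script is for troubleshooting only; it does not validate the assertion's signature.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
GROUP_ATTRIBUTE = "Memberof"  # name entered under SAML assertions in step 2

# Constructed, unsigned sample response with hypothetical user values.
SAMPLE_RESPONSE_B64 = base64.b64encode(b"""
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Memberof">
        <saml:AttributeValue>saml_users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".strip()).decode()


def assertion_attributes(saml_response_b64: str) -> dict:
    """Decode a POST-binding SAMLResponse and map attribute names to values."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes:  # a SAML response never needs a DTD
        raise ValueError("unexpected DOCTYPE in SAML response")
    attrs = {}
    for attr in ET.fromstring(xml_bytes).iter(SAML_NS + "Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(SAML_NS + "AttributeValue")]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_group_attribute(attrs: dict, expected: str = GROUP_ATTRIBUTE) -> str:
    """Report whether the attribute the FortiAuthenticator reads was sent."""
    if expected in attrs:
        return f"ok: {expected}={attrs[expected]}"
    near = [name for name in attrs if name.lower() == expected.lower()]
    if near:  # same name apart from letter case, e.g. memberOf
        return f"name differs: response has {near[0]!r}, portal is set to {expected!r}"
    return f"missing: response carries only {sorted(attrs)}"


if __name__ == "__main__":
    print(check_group_attribute(assertion_attributes(SAMPLE_RESPONSE_B64)))
```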

