Skip to content
AIR Knowledge Base

FortiAuthenticator SAML 2.0 SSO Integration with AIR

This guide explains how to integrate FortiAuthenticator as a SAML 2.0 Identity Provider (IdP) for AIR.

✅ This method supports IdP-initiated SAML SSO. Role mapping is handled via FortiAuthenticator Groups and AIR roleTags.

Prerequisites

Section titled “Prerequisites”
  • Access to FortiAuthenticator with admin privileges
  • Access to AIR as an administrator
  • Users to be authenticated must have their email field populated
  • Ensure network connectivity between AIR and FortiAuthenticator (via server address used in configuration)

Step 1: Prepare FortiAuthenticator

Section titled “Step 1: Prepare FortiAuthenticator”

  1. Log in to FortiAuthenticator with an admin account.

  2. Go to Authentication → User Management → User Groups.

  1. Create user groups that will act as AIR role mappings:

    • Use the prefix air_role. followed by the role tag used in AIR.
      Example: air_role.global_admin
    • Only roles that will be actively used for login need to be created.

  2. Assign users to their corresponding AIR role groups.

Step 2: Configure FortiAuthenticator as SAML IdP

Section titled “Step 2: Configure FortiAuthenticator as SAML IdP”

  1. Navigate to Authentication → SAML IdP → General.

  2. Enable “Enable SAML Identity Provider portal” setting.

  3. In the Server Address field, enter the address AIR will use to reach FortiAuthenticator.
    Make sure AIR can access this URL over the network.

  4. (Optional) Select a default IdP certificate.
    This is recommended for metadata download compatibility.

  5. Click Save to store your settings.

Step 3: Create Service Provider in FortiAuthenticator

Section titled “Step 3: Create Service Provider in FortiAuthenticator”

  1. Go to Authentication → SAML IdP → Service Providers.

  2. Click Create New to register the AIR as a new SP (Service Provider).

  3. Fill in:

    • SP Name: Choose a meaningful name (e.g., AIR-Instance-X)
    • IdP Prefix: Auto-generate or enter manually
    • Server Certificate: Select one, or Use default setting in SAML IdP General page if using the default certificate

  4. Click Save to create the SP.

Step 4: Configure SSO in AIR

Section titled “Step 4: Configure SSO in AIR”

  1. In a new tab, log in to AIR with an admin user.

  2. Go to Settings → Security, scroll to the SSO section.

  3. Enable FortiAuthenticator and copy the ACS URL at the bottom.

Step 5: Complete SP Configuration in FortiAuthenticator

Section titled “Step 5: Complete SP Configuration in FortiAuthenticator”

  1. Go back to your created SP in FortiAuthenticator.

  2. Under SP Metadata, fill in:

    • SP Entity ID → Paste the ACS URL from AIR
    • SP ACS (Login) URL → Paste the ACS URL again

  3. Under Assertion Attributes, configure:

    • Subject Name ID → Set to email
    • Formaturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  4. Add the following SAML assertions:

    SAML AttributeUser AttributeRequired
    groupsGroup
    firstNameFirst Name
    lastNameLast Name

  5. Click Save.

Step 6: Export IdP Metadata

Section titled “Step 6: Export IdP Metadata”

  1. Open the newly created SP entry.

  2. Click Download IdP Metadata.

Step 7: Upload Metadata to AIR

Section titled “Step 7: Upload Metadata to AIR”

  1. Return to AIR → Settings → Security → SSO section.

  2. Use the Upload IdP Metadata option to upload the file.

    🔄 Alternatively, you can copy values from Forti and paste them into AIR manually.

  3. Click Save.

Step 8: Test the Integration

Section titled “Step 8: Test the Integration”

  1. Log out of AIR.

  2. Click Login with FortiAuthenticator on the login screen.

  3. You’ll be redirected to FortiAuthenticator. After successful authentication, you’ll be redirected back to AIR.

Troubleshooting

Section titled “Troubleshooting”

If login fails, check the following:

  • 🔌 Network Issues: Make sure AIR can reach FortiAuthenticator’s Server Address.

  • 👥 Role Mapping: Ensure the user is assigned to at least one Forti group named air_role.X where X matches a role tag in AIR.

    • View AIR role tags via Settings → User Management → User Roles.

  • 📧 Email Field: Users without an email field in Forti cannot log in.

  • 📄 Logs: If the issue persists, collect SAML logs from both AIR and Forti and contact support.

Example Group Mapping for Predefined Roles

Section titled “Example Group Mapping for Predefined Roles”
AIR Role NameAIR Role TagForti Group Name
Global Adminglobal_adminair_role.global_admin
Organization Adminorganization_adminair_role.organization_admin
L1 & L2 Analystl1_l2_analystair_role.l1_l2_analyst
Maintenance Engineermaintenance_engineerair_role.maintenance_engineer
L3 & L4 Analystl3_l4_analystair_role.l3_l4_analyst
Responder responderair_role.responder