… Okta Developer Edition organization.

On the Applications tab, click Add Applications > Create New App.

In the Create a New Application Integration dialog, select SAML 2.0 and click Create.

In the General Settings dialog, in the App name field, enter the application name and click Next.

In the Configure SAML dialog, in the SAML Settings section, in the Single Sign On URL field, enter or paste the SP ACS URL, and in the Audience URI field, enter or paste the SP Entity ID.

In the ATTRIBUTE STATEMENTS (OPTIONAL) section, set the mapping as shown in the following image:

… SSO Configuration page in FortiSOAR™.

In the Help Okta Support understand how you configured this application dialog, select I’m an Okta customer adding an internal app, and This is an internal app that we have created.

The Sign On tab of your newly created SAML application gets displayed. Keep this page open in a separate tab or browser window, as you will require the information present on this page to complete the Identity Provider Configuration section in FortiSOAR™.

In the Identity Provider Configuration section, enter the IdP details as shown in the following image:

… Advanced Properties

… SAML Advanced Settings pane in the Security Configuration section.

… ATTRIBUTE STATEMENTS (OPTIONAL) section in Okta, as specified in step 3. You can change the default user attribute mapping later if required.

… Assign Applications dialog as shown in the following image:

In the Admin console, click Apps.

On the SAML page, click + in the bottom-right corner to add a new SAML application.

On the Enable SSO for SAML Application page, click SETUP MY OWN CUSTOM APP.

… Certificate.

On the Service Provider Details page, enter the Entity ID and ACS URL from the Service Provider section in FortiSOAR™. To get these details, log on to FortiSOAR™, navigate to Settings > Authentication > SSO Configuration, and go to the Service Provider section. See Configuring SAML in FortiSOAR™.

In the Identity Provider Configuration section, enter the Google IdP details and certificate as shown in the following image:
Note: If you change the hostname of your FortiSOAR™ system, you must delete the old ADFS configuration and re-configure ADFS.

This procedure uses ADFS 3.0 and uses samlportal.example.com as the ADFS website. The values you use in your setup will be based on your ADFS website address. See ADFS integration with SAML 2.0 for more information.
In the Federation Service Properties dialog, on the General Settings tab, confirm that the DNS entries and certificate names are correct. Note the Federation Service Identifier, since you will use it as the Entity ID in the Identity Provider Configuration in the FortiSOAR™ UI.

In the Services panel, browse to Certificates and export the Token-Signing certificate using the following steps.

… Certificate Export wizard.

… Identity Provider Configuration in the FortiSOAR™ UI.

… Service Provider Configuration section.

… Add Relying Party Trust Wizard, click Start.

In the Select Data Source panel, select the Import data about the relying party from a file option, click Browse to navigate to the SAML metadata file that you saved in Step 2, and then click Next.

In the Specify Display Name panel, set the display name and then click Next.

In the Configure Multi-factor Authentication Now? panel, configure MFA and then click Next.

In the Choose Issuance Authorization Rules panel, select the Permit all users to access this relying party option and then click Next.

In the Ready to Add Trust panel, click Next.

In the Finish panel, ensure that the Open the Edit Claim Rules dialog statement is selected and then click Close. This opens the Edit Claim Rules Wizard.

You must edit the claim rules to enable communication with FortiSOAR™ SAML …

In the Configure Claim Rule dialog, in Claim rule name, enter a name for the claim rule. For example, name the claim rule Get LDAP Attributes.

… LDAP Attribute column and map that to E-Mail Address in the Outgoing Claim Type column.

… LDAP Attribute column and map that to Email in the Outgoing Claim Type column.

… Outgoing Claim Type column.

… LDAP Attribute column and map that to Last Name in the Outgoing Claim Type column.

… Outgoing Claim Type column.

… LDAP Attribute column and map that to First Name in the Outgoing Claim Type column.

… Outgoing Claim Type column, and the values that you specify in the Outgoing Claim Type column must match what you enter in the right-side field of the User Attribute Map in the Identity Provider Configuration in the FortiSOAR™ UI.

… LDAP Attribute column and map that to Roles in the Outgoing Claim Type column.

… Outgoing Claim Type column.

In the Add Transform Claim Rule Wizard, in Claim rule name, enter a name for the claim rule. For example, name the claim rule Email to Name ID.

From the Outgoing claim type drop-down list, select Name ID, select the Pass through all claim values option, click Finish, and then click OK.

In the Identity Provider Configuration section, enter the IdP details.

… https://samlportal.example.com/adfs/services/trust

… <server_address>/adfs/ls. For example, https://samlportal.example.com/adfs/ls

… <server_address>/adfs/ls?wa=wsignout1.0. For example, https://samlportal.example.com/adfs/ls?wa=wsignout1.0

… Outgoing Claim Type column in the ADFS management console. For more information, see Configuring ADFS Relying Party Claim Rules.

In the User Attribute Map, under Fields, click the editable field name (the right-side field name) to map it to the attribute that will be received from the IdP. The non-editable field name (the left-side field name) is the FortiSOAR™ attribute. For example, in the following image, you map the FortiSOAR™ attribute firstname to the IdP attribute First Name.
Version 5.0.0 and later lets you map the role and team of SSO users in FortiSOAR™ based on the roles defined for them in the IdP, so the role an SSO user gets in FortiSOAR™ follows the role you have defined in your IdP.

To achieve this, FortiSOAR™ has added a new configuration to the SSO Configuration page where you can map a role that you have specified in the IdP to a FortiSOAR™ role and team. The relationship between an IdP role and FortiSOAR™ roles is one-to-many, i.e., one IdP role can map to multiple FortiSOAR™ roles.

SAML supports attribute-based authorization. Therefore, configure a Roles attribute in your IdP that carries the IdP roles of your SSO users.

If you have not set up mapped roles for SSO users in FortiSOAR™, or if FortiSOAR™ receives a response from the IdP that does not contain any roles, or receives a response whose roles do not map to any FortiSOAR™ role, then the SSO user is assigned the default roles.

The following sections describe how to configure IdPs, i.e., OneLogin, Okta, or Auth0, to send the SSO user's role information to FortiSOAR™ when the user logs on to FortiSOAR™ (SSO login).

For mapping of roles in ADFS, see the Configuring ADFS Relying Party Claim Rules section.

For any other IdP, configure roles as per the IdP's requirements and contact the IdP's support personnel if you face any issues.
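The two mappings this page describes, the User Attribute Map (local field on the left, IdP attribute name on the right, which must match the IdP's outgoing claim or attribute name) and the one-to-many IdP-role-to-local-role map with fallback to default roles, can be modelled in a few lines. The following is an added example, not FortiSOAR™ code: it parses a constructed SAML response, applies both maps, and falls back to default roles when the assertion carries no Roles attribute or only unmapped roles. The attribute names, role names, team names and default roles are assumptions chosen for illustration, and the sample assertion is constructed. A real service provider verifies the response signature before trusting any attribute; that step is outside this example.

```python
"""Apply a SAML user-attribute map and an IdP-role -> local-role map.

Added example, not FortiSOAR(TM) code. Role names, team names, attribute
names and the sample assertion below are constructed for illustration.
Signature verification of the response is assumed to happen before this
code is reached and is not shown.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]

# Left side: local (non-editable) field. Right side: IdP attribute name,
# which must match the IdP's outgoing claim / attribute statement name.
USER_ATTRIBUTE_MAP = {
    "firstname": "First Name",
    "lastname": "Last Name",
    "email": "Email",
}

# One IdP role -> one or more local roles plus a team (one-to-many).
# Hypothetical values.
ROLE_MAP = {
    "soc-analyst": {"roles": ["Security Analyst"], "team": "SOC"},
    "soc-lead": {"roles": ["Security Analyst", "Administrator"], "team": "SOC"},
}
DEFAULT_ROLES = ["Read Only"]   # hypothetical default roles
ROLES_ATTRIBUTE = "Roles"       # attribute the IdP is configured to send

# Constructed sample: two IdP roles, one of which has no local mapping.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="First Name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Last Name"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Roles">
        <saml:AttributeValue>soc-lead</saml:AttributeValue>
        <saml:AttributeValue>unknown-role</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a Response or Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == ASSERTION_TAG else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    name_id = assertion.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def map_user(attrs):
    """Fill each local field from the IdP attribute named on the right side."""
    user = {}
    for local_field, idp_name in USER_ATTRIBUTE_MAP.items():
        values = attrs.get(idp_name, [])
        user[local_field] = values[0] if values else None
    return user


def map_roles(attrs):
    """Expand IdP roles one-to-many; unmapped roles are ignored.

    Returns (roles, team). If no IdP role maps to anything, or the
    attribute is absent, the default roles are used and team is None.
    """
    roles, team = [], None
    for idp_role in attrs.get(ROLES_ATTRIBUTE, []):
        mapping = ROLE_MAP.get(idp_role)
        if mapping is None:
            continue
        for role in mapping["roles"]:
            if role not in roles:
                roles.append(role)
        team = team or mapping["team"]
    if not roles:
        return list(DEFAULT_ROLES), None
    return roles, team


def provision_sso_user(xml_text):
    """Combine NameID, mapped attributes and mapped roles into one record."""
    name_id, attrs = parse_assertion(xml_text)
    user = map_user(attrs)
    user["name_id"] = name_id
    user["roles"], user["team"] = map_roles(attrs)
    return user


if __name__ == "__main__":
    print(provision_sso_user(SAMPLE_RESPONSE))
```

Changing the right-hand side of USER_ATTRIBUTE_MAP without changing the IdP's outgoing claim name (or vice versa) leaves the local field empty, which is the mismatch the ADFS claim-rule note above warns about; the same applies to ROLES_ATTRIBUTE and the Roles field or claim configured in the IdP.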
On the App Configuration screen, go to the Parameters section and click Add Field, which displays the New Field dialog.

In the New Field dialog, in the Field name, type Roles, ensure that you select the Include in SAML assertion checkbox in the Flags section, and then click Save.

In the Edit Field Roles dialog, from the Value drop-down list, select User Roles and click Save.

… *.*

On the Authorization Extension page, create a new group and associate the required members (users) and roles with this group.

… Dashboards page) and click Applications.

… Setting page for the application: