(v2.x) Single sign-on (SSO) SAML2 configuration

Modified on Tue, 17 Sep at 11:52 AM


Note

You should complete the Verifying Domain Ownership steps before completing this configuration. This will allow you to manually add one of your users to test the SSO (SAML2) configuration after completing the configuration steps.

These features are only available for premium service level licenses (Free 25 user Premium (for Partners only) and Premium (purchased by customer)); they are not available for free and standard service level licenses.


The Security Awareness and Training Service allows customers and partners to share metadata to establish a baseline of trust and interoperability using the XML based Security Assertion Markup Language (SAML) standard.


Using one of your existing SAML2 single sign-on solutions to authenticate users when they log in to the system allows users to use an existing credential set (email / password / MFA (optional)) when logging in to the system. Users will not have to use a Fortinet assigned credential set (email / password / emailed MFA token) when logging in to the service.




Note

Configuring a single sign-on solution allows users to authenticate to the Fortinet Security Awareness and Training Service. Before users can log in, they must first be imported into the service. This is covered in a later chapter. Currently, the service does not support account creation during the single sign-on log in process.


Different solution providers have different configuration steps for configuring a SAML2 app for authentication with third-party services. Customers will need to work with their internal IT department or service provider to configure the SAML2 application for the Fortinet Security Awareness and Training Service.


If you require assistance configuring the Authentication component, send an email to infosec_awareness@fortinet.com. A Deployment Specialist will reach out to request times that work and will schedule a meeting with our team, and, if necessary, the support team from your SSO vendor.


There are three main steps to configuring single sign-on for the Fortinet Security Awareness and Training Service:

  • Copying the ACS URL and Entity ID to your Identity Provider's configuration.
  • Mapping the Identity Provider attributes to your IdP settings.
  • Providing the Metadata URL or XML metadata from your Identity Provider.


How to configure SAML2 single sign-on (SSO)


1)  Select Authentication from the navigation menu on the left-hand side of the screen:



2)  In your SSO/SAML2 application configuration, enter the Assertion Consumer service (ACS) URL and the Service Provider metadata (SP Entity ID) in the appropriate fields.


Assertion Consumer service (ACS) URL: https://app.training.fortinet.com/auth/saml2/sp/saml2-acs.php/app.training.fortinet.com


Service Provider metadata(SP Entity ID): https://app.training.fortinet.com/auth/saml2/sp/metadata.php



3)  Map the Identity Provider attributes to your IdP settings. Note that the Names are case sensitive and must be entered exactly as in the service / table below:

| Name of User Profile Field | Mapped SAML Attributes | Examples |
| --- | --- | --- |
| Username | The name of the attribute varies depending on SSO/SAML2 solution (should be mapped to the primary email attribute). | Google: Email or Primary Email; Microsoft: Unique User Identifier |
| Email | The name of the attribute varies depending on SSO/SAML2 solution (should be mapped to the primary email attribute). | Google: Email or Primary Email; Microsoft: user.mail |
| First_name | The name of the attribute varies depending on SSO/SAML2 solution (should be mapped to the primary First Name attribute). | Google: First Name; Microsoft: user.givenName |
| Last_name | The name of the attribute varies depending on SSO/SAML2 solution (should be mapped to the Last Name attribute). | Google: Last Name; Microsoft: user.surname (or sn) |
| Unique User Identifier (Microsoft only) | The name of the attribute varies depending on SSO/SAML2 solution (should be mapped to the primary email attribute). | Microsoft: user.mail |


Note

For Google configurations, you can refer to this article: https://helpdesk.ftnt.info/en/support/solutions/articles/73000594013-how-do-i-configure-saml2-single-sign-on-authentication-to-use-google-workspace-sso-

For Microsoft configurations, you will need to first delete the existing entries and create new entries using the table above. You can also refer to your Microsoft documentation (Federated Services / Azure (Entra)).


If you wish to configure access to the service through the user apps (Microsoft and Google), sometimes called the Start URL, refer to this article: https://helpdesk.ftnt.info/en/support/solutions/articles/73000613866-how-do-i-configure-google-workspace-so-that-learners-can-access-the-security-awareness-and-training-s


You will need to open a ticket in order to get your tenant name. Email infosec_awareness@fortinet.com asking for your tenant name. The URL will be: https://app.training.fortinet.com/local/bridge/launch.php?name=<tenant_name>


Ensure that you add the users you wish to access the app via your SSO/SAML2 configuration interface.


4)  For Microsoft and other vendors, paste the Metadata URL from your Identity Provider into the field at the bottom of the Authentication screen (Step 3). For Google, you must download the XML file, select the option for XML File and either drag and drop or choose the XML file from Step 3 at the bottom of the Authentication screen, then select Save Changes:




After configuring the Authentication method, you should create a single test user and verify that the login sequence works.
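When the test login fails, the usual causes are an attribute name that does not match the case-sensitive names in the table above, or an IdP that is sending the assertion to the wrong ACS URL or audience. The following script is an added example, not Fortinet's code or part of this service: it parses a SAML Response captured from the test user's browser (the sample below is constructed and unsigned) and reports each mismatch against the ACS URL, SP Entity ID and attribute names given in this article.

```python
"""Added example (not Fortinet's code): check a captured SAML Response against
the ACS URL, SP Entity ID and case-sensitive attribute names this article
requires. Signature validation is out of scope here."""
import xml.etree.ElementTree as ET

ACS_URL = "https://app.training.fortinet.com/auth/saml2/sp/saml2-acs.php/app.training.fortinet.com"
SP_ENTITY_ID = "https://app.training.fortinet.com/auth/saml2/sp/metadata.php"
REQUIRED_ATTRS = ("Username", "Email", "First_name", "Last_name")
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: "first_name" has the wrong case and Last_name is absent.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://app.training.fortinet.com/auth/saml2/sp/saml2-acs.php/app.training.fortinet.com">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://app.training.fortinet.com/auth/saml2/sp/metadata.php</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Username"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text):
    """Return a list of problems; an empty list means the mapping looks right."""
    problems = []
    root = ET.fromstring(xml_text)
    # The IdP must post the response to the service's ACS URL ...
    if root.get("Destination") != ACS_URL:
        problems.append("Destination does not match the ACS URL")
    # ... and restrict the assertion to the service's SP Entity ID.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience does not contain the SP Entity ID")
    names = [a.get("Name") for a in root.findall(".//saml:Attribute", NS)]
    for required in REQUIRED_ATTRS:
        if required in names:
            continue
        # Report case-only mismatches separately: the service will not accept them.
        near = [n for n in names if n.lower() == required.lower()]
        if near:
            problems.append(f"attribute {near[0]!r} must be named exactly {required!r}")
        else:
            problems.append(f"missing attribute {required!r}")
    return problems


if __name__ == "__main__":
    for p in check_response(SAMPLE_RESPONSE):
        print("PROBLEM:", p)
```

Replace SAMPLE_RESPONSE with the base64-decoded SAMLResponse form field from your own test login to check a real IdP configuration.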
