
Setting up SAML with FortiAuthenticator

Introduction

FortiAuthenticator works as a SAML identity provider with Nanitor. This article covers the FortiAuthenticator-specific configuration. For the general SAML setup steps (downloading metadata, configuring Nanitor, and mapping user groups), see the generic SAML guide.

FortiAuthenticator configuration

After importing the Nanitor service provider metadata into FortiAuthenticator, you'll need to set up assertion attributes so that Nanitor can identify users by name.

Adding assertion attributes

By default, FortiAuthenticator doesn't send user name attributes in the SAML response. Without these, users will show up with blank names in Nanitor.

To fix this, go to SAML IdP > Service Providers, select the Nanitor service provider, and find the Assertion Attributes section. Add these two attributes:

Assertion Attribute Name | Mapped To
-------------------------|-----------------------------
givenname                | The user's first name field
surname                  | The user's last name field

Exact Attribute Names Required

The attribute names must be exactly givenname and surname — these are the names Nanitor recognizes. Don't use firstName or lastName as Nanitor doesn't currently match those names.

Email configuration

Make sure the NameID is set to send the user's email address. Nanitor uses this as the primary user identifier.

Nanitor configuration

Follow the standard steps in the generic SAML guide:

  1. Download the service provider metadata from Nanitor.
  2. Import it into FortiAuthenticator.
  3. Copy the FortiAuthenticator SAML IdP metadata URL and add it as an identity provider in Nanitor under System Management > SAML Identity Providers.
  4. Map user groups to Nanitor roles under Organization Management > Users > SAML Permissions.

Troubleshooting

Users show up with blank names?

Check that the assertion attributes givenname and surname are configured in FortiAuthenticator. You can use a browser extension like SAML-tracer to inspect the SAML response and confirm the attributes are being sent.
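As an added example (not Nanitor's or FortiAuthenticator's code), the script below applies the same checks to a decoded SAML response copied from SAML-tracer: the NameID must be an email address, and givenname and surname must be present under exactly those names. The sample response is constructed for illustration and deliberately sends lastName instead of surname.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Exact attribute names Nanitor matches, and common near-misses it ignores.
REQUIRED = {"givenname": ("firstname", "first_name"), "surname": ("lastname", "last_name")}

# Constructed sample: NameID is an email and givenname is present, but the
# last name was sent as "lastName" instead of "surname".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        >jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text):
    """Return (name_id, attributes, problems) for one decoded SAML response."""
    root = ET.fromstring(xml_text)
    problems = []
    # NameID is Nanitor's primary user identifier, so it has to be the email address.
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = (nid.text or "").strip() if nid is not None else ""
    if "@" not in name_id:
        problems.append("NameID is not an email address: %r" % name_id)
    # Map each attribute Name to its values (attribute names are case-sensitive).
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name", "")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    for wanted, aliases in REQUIRED.items():
        if wanted in attributes and any(attributes[wanted]):
            continue
        # Report a wrongly named or wrongly cased attribute separately from a missing one.
        sent = [n for n in attributes if n.lower() in aliases or (n.lower() == wanted and n != wanted)]
        if sent:
            problems.append("%s missing: sent as %r, which Nanitor does not match" % (wanted, sent[0]))
        else:
            problems.append("%s missing from AttributeStatement" % wanted)
    return name_id, attributes, problems
```

Paste the decoded response from SAML-tracer into SAMPLE_RESPONSE (or read it from a file) and call check_response; an empty problems list means the assertion carries everything Nanitor needs.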

Users can't be found in dropdowns?

This is a symptom of blank names. Once the assertion attributes are configured correctly and users log in again, their names will be populated.

As always, if you have any issues or questions reach out to our support team. The link to the ticketing system is in the footer of this site.