
FortiGate SSLVPN SAML Integration

To use SAML as an authentication method you need FortiOS 6.4 or later with Authentication Realms enabled.

This document explains how to integrate MonoSign with FortiGate SSL VPN. It covers Single Sign-On only. Before you continue, it is worth reading FortiGate's own Single Sign-On implementation page first.

View FortiGate SSO Metadata

To configure the SAML key on MonoSign for FortiGate SSO, you need a few values that FortiGate provides. First, navigate to User & Authentication > Single Sign-On and click Create New.

The Service Provider Configuration section is displayed; it lists the FortiGate SP values (ACS URL and Issuer URL) that the next section uses.

For now, stop here on the FortiGate side and create a MonoSign application and its SAML key using the values FortiGate provided.

Creating an Application and Access Key on MonoSign

Create your application on MonoSign and configure its access policy. Once it is created, click Keys and then Add New Key to create a SAML access key.

In the modal that opens, choose SAML as the Key Type and switch to SAML2 Settings. Fill in the fields with the values FortiGate provided; the mapping is as follows.

Field                      Value
Assertion Consumer Url     FortiGate SSO ACS URL from the Service Provider Configuration
Entity Id                  FortiGate SSO Issuer URL from the Service Provider Configuration

Click Save; the configuration of your access key is then displayed. It contains the Entity Id, Sign On Service URL, Logout Service URL and certificate that FortiGate needs in the next section.

Configuring Single Sign-On for FortiGate

Return to the FortiGate Single Sign-On configuration page (User & Authentication > Single Sign-On) where we left off in the first section. Fill in the Name field and click Next. Set the Type field to Custom and fill in the remaining fields from the access key created on MonoSign. The mapping is as follows.

Field                              Value
Entity ID                          Entity Id from the application's SAML key
Assertion consumer service URL     Sign On Service URL from the application's SAML key
Single logout service URL          Logout Service URL from the application's SAML key
Certificate                        The certificate issued to the access key; it can be downloaded from the key detail page
Attribute used to identify users   UserName
Attribute used to identify groups  Groups

Click Submit to create the SAML configuration. The two attribute names must match exactly (including case) the attribute names MonoSign puts in the assertion: FortiGate takes the value of UserName as the login name and each value of Groups as a group name for the user-group match in the next step. The certificate is the MonoSign signing certificate that FortiGate uses to verify the assertion signature, so if the key's certificate is ever rotated on MonoSign it must be updated here as well.

Next, create a new User Group and assign the SAML configuration you just created to it. First, make sure a matching group exists on MonoSign; if it does not, create one and assign the desired users to it. Second, navigate to User & Authentication > User Groups and click Create New, add the SAML configuration under Remote Groups and, if you want to restrict membership, enter the group name exactly as MonoSign sends it in the Groups attribute. Save the group.

Next, create a new SSL-VPN Realm. Navigate to VPN > SSL-VPN Realms and click Create New. Type the Name and click OK. Then open the CLI Console located at the top right and run the following commands to set the Virtual Host (replace {realm-name} with the realm you just created and {virtual-host-name} with the host name clients will connect to).

config vpn ssl web realm
edit {realm-name}
set virtual-host {virtual-host-name}
end

If you open the realm again, you will see that Virtual Host is now exposed in the UI and can be changed on the edit page at any time.

Next, add a new Authentication/Portal Mapping to the SSL-VPN Settings. Navigate to VPN > SSL-VPN Settings and scroll down; the Authentication/Portal Mapping table is at the bottom of the page. Add a new mapping by selecting the User Group and Realm created above and click OK.

Next, create a new Firewall Policy or edit an existing one. Navigate to Policy & Objects > Firewall Policy and either choose a policy or click Create New. Add the User Group created above to the Source of the policy so that only SAML-authenticated members of that group can reach the internal destinations.
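The same FortiGate-side configuration expressed as FortiOS CLI, covering the SAML server, user group, realm, authentication/portal mapping and firewall policy from the steps in this section. This is an added example, not taken from the MonoSign documentation or from Fortinet. The object names (monosign-saml, monosign-vpn-users, the realm monosign), the host vpn.example.com, the interface port1, the MonoSign URLs and the group name VPN-Users are placeholders you must replace with your own values; the SP URLs are the ones your FortiGate showed under Service Provider Configuration, the IdP values come from the MonoSign SAML access key, and the MonoSign certificate is assumed to have already been imported under System > Certificates as a remote certificate named MonoSign-IdP.

```fortios
# FortiGate side of the MonoSign SAML SSL VPN integration (added example, placeholders only).
# Strip the comment lines if your FortiOS build rejects them when pasting.

# 1. SAML server (User & Authentication > Single Sign-On).
#    SP values: what FortiGate showed under Service Provider Configuration.
#    IdP values: Entity Id, Sign On Service, Logout Service and certificate of the MonoSign key.
#    user-name / group-name are the assertion attribute names and must match exactly.
config user saml
    edit "monosign-saml"
        set entity-id "https://vpn.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com/remote/saml/login/"
        set single-logout-url "https://vpn.example.com/remote/saml/logout/"
        set idp-entity-id "https://monosign.example.com/saml/ENTITY-ID-FROM-KEY"
        set idp-single-sign-on-url "https://monosign.example.com/saml/SIGN-ON-SERVICE-FROM-KEY"
        set idp-single-logout-url "https://monosign.example.com/saml/LOGOUT-SERVICE-FROM-KEY"
        set idp-cert "MonoSign-IdP"
        set user-name "UserName"
        set group-name "Groups"
    next
end

# 2. User group backed by the SAML server. The match entry admits only users whose
#    Groups attribute contains "VPN-Users"; drop the match block to admit every
#    authenticated MonoSign user.
config user group
    edit "monosign-vpn-users"
        set member "monosign-saml"
        config match
            edit 1
                set server-name "monosign-saml"
                set group-name "VPN-Users"
            next
        end
    next
end

# 3. SSL-VPN realm; the virtual host is what FortiClient uses as Remote Gateway.
config vpn ssl web realm
    edit "monosign"
        set virtual-host "vpn.example.com"
    next
end

# 4. Authentication/portal mapping (VPN > SSL-VPN Settings): group + realm -> portal.
config vpn ssl settings
    set port 443
    config authentication-rule
        edit 1
            set groups "monosign-vpn-users"
            set portal "full-access"
            set realm "monosign"
        next
    end
end

# 5. Firewall policy from the SSL-VPN tunnel interface, restricted to the group.
#    "edit 0" creates a new policy with the next free ID.
config firewall policy
    edit 0
        set name "SSLVPN-MonoSign"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "monosign-vpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Check the result with show user saml monosign-saml and show user group monosign-vpn-users. If a login is rejected after MonoSign reports success, run diagnose debug application samld -1 followed by diagnose debug enable, retry the login, and read the parsed assertion in the output: it shows which attribute names and group values actually arrived, which is where a mismatch between UserName/Groups as configured here and what MonoSign sends becomes visible. Turn the debug off again with diagnose debug disable.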

SSL VPN SAML Connection

To connect to the VPN via SAML you need FortiClient 6.4 or later on Windows and FortiClient 6.4.4 or later on macOS.

To establish a VPN connection using SAML, the SSO option must be enabled on the VPN connection. Create a new connection or edit an existing one and fill in the fields from the configuration made in the previous section. The mapping is as follows.

Field                   Value
Remote Gateway          Virtual host of the SSL-VPN Realm created above
Port                    Port number specified in SSL-VPN Settings
Enable Single Sign On   Enabled
Use External Browser    Enabled

The virtual host entered as Remote Gateway must resolve to the FortiGate's SSL-VPN interface; FortiGate uses the host name sent by the client to select the realm. Once SSO is enabled on the connection, the Connect button is replaced with a SAML Login button.

Clicking SAML Login opens the MonoSign login page and asks you to log in. After a successful login, a message stating that the VPN connection is established is displayed; you can then close the browser window and check the connection status in FortiClient.
