FortiAuthenticator - SSO configuration

This documentation has been tested and approved by Kelvin Zero's team
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for FortiAuthenticator using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
To set up Multi-Pass with FortiAuthenticator, ensure you meet the following requirements:
- FortiAuthenticator (FAC) Licensing
- MPAS Subscription
- Administrator rights on MPAS realm and FAC instance
Important: Custom elements in URLs (like realm names) are case-sensitive. Make sure to match the exact casing from your environment.


Configuration of FortiAuthenticator



  1. Log in to your FortiAuthenticator admin console.
  2. Navigate to Authentication.
  3. Select SAML IdP.
  4. Click on Service Providers, click on Create New.
  5. Provide an SP Name:
    1. Enter mpas as the Service Provider name.
  6. Create an IdP Prefix:
    1. Click on the + icon next to the IdP prefix field.
    2. You can either generate a random prefix or create your own custom prefix.
    3. Once the prefix is set, click OK to confirm.
  7. Click on Save.
  8. Return to your Service Provider menu:
    1. Navigate back to the Service Provider menu in your FortiAuthenticator admin console.
  9. Confirm the IdP Prefix:
    1. Ensure that the correct IdP prefix is selected.
  10. Download Metadata:
    1. Scroll down and click on the IdP Metadata button to download the metadata XML file.
This XML file contains essential configuration details for integrating your Service Provider with the IdP.



  1. Navigate to your MPAS realm administrator console.
  2. Click on Identity Providers.
  3. Click on Add Provider.
  4. Select SAML v2.0.
This will begin the configuration process for integrating your SAML v2.0 identity provider.

  1. Optionally, provide an alternative alias.
  2. Set the display name to FortiAuthenticator.
  3. Turn off the User entity descriptor option.
  4. Click on Browse… to locate and upload the IdP metadata file you just downloaded from FortiAuthenticator.
  5. Scroll down and click on Add to complete the process.
This finalizes the configuration of your SAML v2.0 Identity Provider in MPAS.



  1. Once the IdP is added, open your IdP settings in MPAS.
  2. Click on the SAML 2.0 Service Provider Metadata link.
  3. This will display or download the metadata file for your Service Provider.

This metadata is essential for configuring and validating your SAML integration.

  1. Right-click on the page displaying the metadata.
  2. Select Save as.
  3. Save the file with an .xml file extension.
This ensures you have the metadata file stored locally for further configuration.


  1. Return to the FAC SAML IdP page.
  2. Click on Import SP Metadata.
  3. Upload the XML file you just saved.
  4. Click on OK to complete the process.
This finalizes the metadata import for your Service Provider configuration.
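
An added example, not part of the Kelvin Zero documentation or of either product: a Python check to run on each metadata XML file before uploading it. It flags non-HTTPS endpoints, a missing signing certificate, and a realm name whose casing differs from the one you expect; the sample metadata, host, realm name, broker path and certificate value are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def check_metadata(xml_text, expected_realm=None):
    """Return findings for one SAML metadata document; an empty list means OK."""
    root = ET.fromstring(xml_text)
    entity = root if root.tag == MD + "EntityDescriptor" else root.find(f".//{MD}EntityDescriptor")
    if entity is None:
        return ["no EntityDescriptor element"]
    findings = []
    entity_id = entity.get("entityID", "")
    if not entity_id:
        findings.append("missing entityID")
    # Every endpoint element (SSO, SLO, ACS) carries a Location attribute.
    urls = [entity_id] + [e.get("Location") for e in entity.iter() if e.get("Location")]
    for url in urls[1:]:
        if not url.lower().startswith("https://"):
            findings.append(f"endpoint not HTTPS: {url}")
    # A KeyDescriptor not restricted to encryption can verify signatures.
    certs = [c.text for k in entity.iter(MD + "KeyDescriptor") if k.get("use") != "encryption"
             for c in k.iter(DS + "X509Certificate") if c.text and c.text.strip()]
    if not certs:
        findings.append("no signing certificate")
    if expected_realm:
        for url in urls:
            m = re.search(r"/realms/([^/?#]+)", url)
            if m and m.group(1) != expected_realm:
                kind = "case mismatch" if m.group(1).lower() == expected_realm.lower() else "mismatch"
                findings.append(f"realm {kind}: {m.group(1)!r} != {expected_realm!r}")
    return findings

# Constructed, deliberately faulty SP metadata (placeholder host, realm, certificate).
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.example.test/realms/Acme-Prod">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://sso.example.test/realms/acme-prod/broker/saml/endpoint"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for finding in check_metadata(SAMPLE_SP, expected_realm="Acme-Prod"):
        print(finding)
```

To check your own files, pass the contents of the saved .xml file and the realm name exactly as it appears in your environment.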




  1. Navigate to your MPAS account console:
    1. https://ca.auth.kzero.com/realms/<realm-name>/account
  2. Click on Try Another Way.
  3. Select FortiAuthenticator.
This will initiate the SAML-based login process using FortiAuthenticator.



  1. Enter your local realm user credentials in the designated fields.
  2. Click on Login to complete the authentication process.
This will allow you to verify the SSO integration using your local account credentials.

  1. Upon successful authentication, you will be redirected to MPAS.
  2. Click on Accept to agree to the terms and conditions.
  3. Fill out any missing requirements.
  4. Click on Save to complete the setup.

Notes

You have successfully used the FortiAuthenticator as an identity provider for Kelvin Zero’s Multi-Pass system (MPAS).

This confirms that your SAML integration is correctly configured and operational. Congratulations!

