Integrate with FortiMail
Support level: Community
What is FortiMail?
FortiMail is a secure email gateway from Fortinet that provides protection against phishing, spam, malware, and data loss for on-premises or cloud-hosted email environments.
Preparation
The following placeholders are used in this guide:
- authentik.company is the FQDN of the authentik installation.
- fortimailadmin.company is the FQDN or IP address of your FortiMail admin interface.
- fortimailuser.company is the FQDN or IP address of your FortiMail user/webmail portal.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
FortiMail Cloud supports SSO for webmail users. The Admin Portal SSO steps apply to FortiMail Appliance and VM.
When SSO is enabled for FortiMail webmail users, CalDAV and WebDAV authentication do not use SSO and continue to require local password authentication. If your FortiMail system is deployed in server mode, configure an LDAP profile for the domain users before enabling webmail SSO.
authentik configuration
To support the integration of FortiMail with authentik, you need to create an application/provider pair in authentik.
You can configure either Admin Portal SSO or User Portal SSO, or both, depending on the intended users and the desired scope of authentication.
- Admin Portal SSO
- User Portal SSO
Create an application and provider in authentik
authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/
Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name (for example, FortiMail Admin), an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the slug value because it will be required later.
- Choose a Provider type: select SAML Provider as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
  - Temporarily set the ACS URL to https://temp.temp.
  - Temporarily set the Audience to https://temp.temp.
  - Under Advanced protocol settings, select any available certificate as the Signing Certificate.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Create Application to save the new application and provider.
Download metadata file
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Providers and click the name of the provider that you created in the previous section (for example, Provider for FortiMail Admin).
- Under Related objects > Metadata, click Download. This file is required in the next section.
FortiMail configuration
- Sign in to the FortiMail admin interface.
- Navigate to System > Single Sign On and open the Profile tab.
- Create a new SSO profile and configure the following settings:
  - Profile name: enter a descriptive name (for example, authentik-admin).
  - Metadata: upload the authentik metadata file that you downloaded in the previous section.
  - Attribute used to identify email address: http://schemas.goauthentik.io/2021/02/saml/username
- Click Create or OK to save the SSO profile.
- Open the Setting tab and enable Single sign-on.
- If FortiMail displays Use different service provider for admin and webmail access, select Admin as the service provider metadata target.
- In the Service Provider Metadata section, configure the following values:
  - Entity ID: https://fortimailadmin.company/sp
  - Host name: fortimailadmin.company
- Click Apply.
- Copy the following FortiMail service provider values:
- Entity ID
- ACS URL
Reconfigure the authentik provider
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Providers and click the provider that you created for FortiMail Admin.
- Click Edit.
- Under Protocol settings, set the following values:
- ACS URL: paste the ACS URL value from FortiMail.
- Audience: paste the Entity ID value from FortiMail.
- Click Update.
Configure administrator accounts
FortiMail does not automatically provision administrator accounts through SSO. Create or edit each administrator that should use SSO:
- In the FortiMail admin interface, navigate to System > Administrator > Administrator.
- For each SSO-enabled administrator, set Authentication type to Single Sign On and set Single sign on profile to the SSO profile that you created for authentik.
Enforce SSO-only access (optional)
To show only SSO on the administrator login page, run the following commands in the FortiMail CLI:
config system appearance
set admin-sso-login-option sso-only
end
When administrator SSO-only login is enabled, the built-in admin account cannot sign in to the GUI. Keep SSH or local console access available before enabling this option.
Create an application and provider in authentik
authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/
Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name (for example, FortiMail User Portal), an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the slug value because it will be required later.
- Choose a Provider type: select SAML Provider as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
  - Temporarily set the ACS URL to https://temp.temp.
  - Temporarily set the Audience to https://temp.temp.
  - Under Advanced protocol settings, select any available certificate as the Signing Certificate.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Create Application to save the new application and provider.
Download metadata file
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Providers and click the name of the provider that you created in the previous section (for example, Provider for FortiMail User Portal).
- Under Related objects > Metadata, click Download. This file is required in the next section.
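Before uploading either downloaded metadata file (the admin profile or the webmail profile), it is worth confirming that it carries the Issuer format described above, a signing certificate, and an SSO endpoint, since a metadata file with the older default Issuer of authentik will not match what FortiMail expects once the Audience is set. The following Python script is an added example, not part of the authentik or FortiMail documentation; the embedded metadata is a constructed sample, and authentik.company and the slug fortimail-admin are this guide's placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of an authentik IdP metadata download whose Issuer was left at the
# older default "authentik". The certificate body is a placeholder, not a real key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="authentik">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://authentik.company/application/saml/fortimail-admin/sso/binding/redirect/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def expected_issuer(authentik_fqdn: str, slug: str) -> str:
    """Issuer that authentik 2026.5+ sets automatically; older versions need it set by hand."""
    return f"https://{authentik_fqdn}/application/saml/{slug}/metadata/"

def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract the fields FortiMail relies on: entityID, signing certificate, SSO endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "signing_cert_present": bool(any(c.text and c.text.strip() for c in certs)),
        "sso_endpoints": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
    }

def check_metadata(xml_text: str, authentik_fqdn: str, slug: str) -> list:
    """Return a list of problems; an empty list means the file is ready to upload to FortiMail."""
    info = inspect_idp_metadata(xml_text)
    problems = []
    want = expected_issuer(authentik_fqdn, slug)
    if info["entity_id"] != want:
        problems.append(f"entityID is {info['entity_id']!r}, expected {want!r}: set Issuer on the provider")
    if not info["signing_cert_present"]:
        problems.append("no signing certificate: select one under Advanced protocol settings")
    if not info["sso_endpoints"]:
        problems.append("no SingleSignOnService endpoint in the IDPSSODescriptor")
    return problems
```

Run check_metadata on the real downloaded file with your authentik FQDN and application slug; the sample above reports exactly one problem, the stale Issuer.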
FortiMail configuration
- Sign in to the FortiMail admin interface.
- Navigate to System > Single Sign On and open the Profile tab.
- Create a new SSO profile and configure the following settings:
  - Profile name: enter a descriptive name (for example, authentik-webmail).
  - Metadata: upload the authentik metadata file that you downloaded in the previous section.
  - Attribute used to identify email address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Click Create or OK to save the SSO profile.
- Open the Setting tab and enable Single sign-on.
- Enable Use different service provider for admin and webmail access, and then select Webmail as the service provider metadata target.
- In the Service Provider Metadata section, configure the following values:
  - Entity ID: https://fortimailuser.company/sp2
  - Host name: fortimailuser.company
- Click Apply.
- Copy the following FortiMail service provider values:
- Entity ID
- ACS URL
Reconfigure the authentik provider
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Providers and click the provider that you created for the FortiMail User Portal.
- Click Edit.
- Under Protocol settings, set the following values:
- ACS URL: paste the ACS URL value from FortiMail.
- Audience: paste the Entity ID value from FortiMail.
- Click Update.
Configure webmail access
- In the FortiMail admin interface, navigate to Domain & Users > Domain and edit the domain that should use SSO.
- Open Advanced Setting > Other and set Webmail single sign on to the SSO profile that you created for authentik.
Enforce SSO-only access (optional)
To show only SSO on the webmail login page, run the following commands in the FortiMail CLI:
config system appearance
set webmail-sso-login-option sso-only
end
Configuration verification
To confirm that authentik is properly configured with FortiMail, open the FortiMail portal that you configured and start the SSO login flow. After authenticating with authentik, verify that you return to FortiMail without being prompted for additional credentials.