# Facial Biometrics Integration Guide via SAML-SSL Protocol

***

#### Prerequisites

<mark style="color:$info;">Before starting this tutorial, it is essential that you already have a customer portal configured in FaceSign. If you have not done so yet, please follow the Creation and</mark> [<mark style="color:$info;">**Portal Setup on FaceSign.**</mark>](https://facesign.gitbook.io/biometria/guia-rapido-de-integracao)

***

### Part 1: Enabling the SAML Protocol on the FaceSign Portal

The first step is to obtain the SAML configuration data from your FaceSign portal. To do this, follow the steps below:

1. **Access the FaceSign biometric portal** with your administrator credentials.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FwwoKN9Y55rLlwQEBMZNi%2FWhatsApp%20Image%202026-01-21%20at%2012.21.49.jpeg?alt=media&#x26;token=368e59a2-4ea7-47bc-a712-6f205da92f7b" alt=""><figcaption></figcaption></figure>

2. In the side menu, navigate to **Clients** and, in the list, open the edit page for the portal that will be used in the integration.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2F5kYI6SLQz8zAqtXNToJh%2Fimage.png?alt=media&#x26;token=3f6cbbcf-d01f-4850-8ab4-50f6eda52f4b" alt=""><figcaption></figcaption></figure>

3. Within the client settings, go to the **"Features"** tab.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2Ffk670weXafKJcFlGuVVJ%2Fimage.png?alt=media&#x26;token=8c85a1ff-bfb7-433b-9d76-3253b1e253bf" alt=""><figcaption></figcaption></figure>

4. Enable the option **"Enable SAML protocol?"**.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FWqBz3gOpyNspSVzuUJ7M%2Fimage.png?alt=media&#x26;token=161ac91c-6782-4790-8412-1db259b19549" alt=""><figcaption></figcaption></figure>

5. After enabling the option, a new tab called **"SAML"** will appear. Open it and **note down the information** (SAML XML, IdP Metadata, etc.) that will be used later in the Fortigate configuration.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FtGdBCbcjZ3FhySsPJFbD%2Fimage.png?alt=media&#x26;token=a97fcb53-e584-4b10-8914-5c0dfc574dbe" alt=""><figcaption></figcaption></figure>

***

### Part 2: Configuring SAML on the Fortigate

With the **FaceSign** data in hand, the next step is to configure the Fortigate to accept SAML authentication.

#### 1. Create a New SAML Service

1. Navigate to **User & Authentication > SAML**.
2. Click **Create New**.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FJdK5E7LNy96zCUv12Aw9%2Fimage.png?alt=media&#x26;token=baed0a7f-eb5d-4a21-b8b8-160349564a2f" alt=""><figcaption></figcaption></figure>

3. Fill in the fields according to the table below. The exact values for `Entity ID`, `Single Sign-On URL` and `Single Logout URL` must be obtained from the SAML metadata provided by FaceSign in the previous step.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FiUQzSos6Zo6DtY5wor3o%2Fimage.png?alt=media&#x26;token=e3ad30f4-1119-44aa-b9fd-573cb53f1066" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FnsH2LMZ9SgZA8DKOoMmh%2Fimage.png?alt=media&#x26;token=fab1113e-9988-4fc2-a381-8bb59cc70158" alt=""><figcaption></figcaption></figure>

| Field                      | Description                                             |
| -------------------------- | ------------------------------------------------------- |
| **Service Provider Name**  | A name to identify the service (e.g., `FaceSign-SAML`). |
| **SP Entity ID**           | Identifier of your VPN (hostname, IP, etc.).            |
| **SP ACS (Consumer) URL**  | Fortigate callback URL.                                 |
| **SP SLS (Logout) URL**    | Fortigate logout URL.                                   |
| **IdP Entity ID**          | Obtained from FaceSign metadata.                        |
| **IdP Single Sign-On URL** | Obtained from FaceSign metadata.                        |
| **IdP Single Logout URL**  | Obtained from FaceSign metadata.                        |
| **IdP Certificate**        | Enter the certificate sent by the FaceSign technician.  |
| **User Name**              | `user` (name of the assertion attribute that carries the username) |
| **Group Name**             | `group` (name of the assertion attribute that carries the group name) |
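The IdP rows of the table come straight from the FaceSign metadata, and the certificate row is the trust anchor for the whole login flow, so it is worth filling those fields from the metadata file rather than by hand and checking that the certificate in the metadata is the same one the technician sent. The script below is an added example, not FaceSign's or Fortinet's code: it assumes the metadata FaceSign exports is standard SAML 2.0 IdP metadata (an `EntityDescriptor` with an `IDPSSODescriptor`), parses out the entity ID, SSO and SLO URLs and signing certificate, compares the certificate's SHA-256 fingerprint with one obtained out of band, and renders the form above as the equivalent FortiOS `config user saml` CLI block. The sample metadata and the `vpn.example.invalid:10443` host are constructed, the `X509Certificate` element holds a placeholder blob rather than a real certificate, and the SP URLs follow the FortiGate SSL-VPN SAML endpoint pattern (`/remote/saml/metadata/`, `/remote/saml/login`, `/remote/saml/logout`).

```python
import base64
import hashlib
from dataclasses import dataclass
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata. Hostnames use the reserved .invalid TLD and
# the X509Certificate content is a placeholder blob, not a real certificate.
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Tk9ULUEtUkVBTC1DRVJU</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class IdpInfo:
    entity_id: str
    sso_url: str
    slo_url: str
    cert_der: bytes      # raw (DER) bytes of the IdP signing certificate
    cert_sha256: str     # hex SHA-256 fingerprint of those bytes


def _location(idp, tag):
    # Prefer the HTTP-Redirect binding (what the FortiGate uses for its
    # AuthnRequest); fall back to the first endpoint listed.
    eps = idp.findall(f"md:{tag}", NS)
    if not eps:
        raise ValueError(f"{tag} missing from IdP metadata")
    for ep in eps:
        if ep.get("Binding", "").endswith("HTTP-Redirect"):
            return ep.get("Location")
    return eps[0].get("Location")


def parse_idp_metadata(xml_text: str) -> IdpInfo:
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Use the signing key (a KeyDescriptor without 'use' covers both purposes).
    keys = [kd for kd in idp.findall("md:KeyDescriptor", NS)
            if kd.get("use") in (None, "signing")]
    if not keys:
        raise ValueError("no signing KeyDescriptor in IdP metadata")
    b64 = keys[0].find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    der = base64.b64decode("".join(b64.split()))   # strip PEM-style line breaks
    return IdpInfo(entity_id=root.get("entityID"),
                   sso_url=_location(idp, "SingleSignOnService"),
                   slo_url=_location(idp, "SingleLogoutService"),
                   cert_der=der,
                   cert_sha256=hashlib.sha256(der).hexdigest())


def certificate_matches(info: IdpInfo, expected_sha256: str) -> bool:
    """True if the metadata certificate has the fingerprint of the certificate
    received out of band (the one the FaceSign technician sends)."""
    return info.cert_sha256 == expected_sha256.replace(":", "").lower()


def fortios_saml_cli(info: IdpInfo, sp_name: str, sp_host: str) -> str:
    """Render the 'Create New SAML Service' form as FortiOS CLI.
    sp_host is the host:port users enter to reach the SSL-VPN (assumed)."""
    sp = f"https://{sp_host}/remote/saml"
    return "\n".join([
        "config user saml",
        f'    edit "{sp_name}"',
        f'        set entity-id "{sp}/metadata/"',
        f'        set single-sign-on-url "{sp}/login"',
        f'        set single-logout-url "{sp}/logout"',
        f'        set idp-entity-id "{info.entity_id}"',
        f'        set idp-single-sign-on-url "{info.sso_url}"',
        f'        set idp-single-logout-url "{info.slo_url}"',
        '        set idp-cert "<name of the IdP certificate imported on the Fortigate>"',
        '        set user-name "user"',
        '        set group-name "group"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP signing certificate SHA-256:", info.cert_sha256)
    print(fortios_saml_cli(info, "FaceSign-SAML", "vpn.example.invalid:10443"))
```

Run it against the real metadata file by replacing `SAMPLE_IDP_METADATA` with the file's contents; if `certificate_matches` returns `False` for the fingerprint of the certificate the technician delivered, stop and clarify which certificate is current before importing anything into the Fortigate, since a mismatched IdP certificate either breaks the login or, worse, trusts the wrong signer.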

***

#### 2. Create a New SAML User Group

1. Go to **User & Authentication > User groups**.
2. Click **Create New**.
3. **Name the group:** `VPN-Access-Facesign`.
4. In **Type**, select `Firewall`.
5. In **Members**, click **Add** and select the SAML service created in the previous step (`FaceSign-SAML`).
6. Save the group.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FVWWQieQmnlyp4RAWBa5W%2Fimage.png?alt=media&#x26;token=c00f8104-cfa9-48b3-83dd-35b937d5d3dc" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FWMkk1dvDGBsGWcb1m8wi%2Fimage.png?alt=media&#x26;token=ac1b19e7-9e7b-48cc-9d62-500c207d3bc0" alt=""><figcaption></figcaption></figure>

***

#### 3. Configure the VPN Access Profile

**A. Enable and Configure the SSL VPN**

1. Go to **VPN > SSL-VPN Settings**.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2Ftln2z9zG3FtpHwJbISNa%2Fimage.png?alt=media&#x26;token=3bca2055-05d2-4db6-8e82-d085bd74c698" alt=""><figcaption></figcaption></figure>

2. Set **Listen on Interface(s)** to the interface on which the VPN should listen.
3. Enable **Tunnel Mode**.
4. In **Authentication/Portal Mapping**, click **Create New** and configure:

   * **Portal:** `tunnel-access`
   * **User Group:** Select the group `VPN-Access-Facesign` created earlier.

   <figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FFihTVNicQejimvBZhsh2%2Fimage.png?alt=media&#x26;token=173f43dc-5365-49a5-8da2-68d91ea5b619" alt=""><figcaption></figcaption></figure>

**B. Adjust the Firewall Policy**

1. Go to **Policy & Objects > IPv4 Policy**.
2. Create a new policy with the following settings:

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FWYVuWv3ilDZZXU45pTgg%2Fimage.png?alt=media&#x26;token=02334db7-0db8-4126-b397-7835e38ccc2b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2F1oiyFEZcow2eYO8AyDrl%2Fimage.png?alt=media&#x26;token=9a00616c-e487-472e-ae03-e990ef2f483e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FPLmaUwkqMqNpWr1gKlpc%2Fimage.png?alt=media&#x26;token=be857f20-2833-42a6-836a-b4b02be4ad20" alt=""><figcaption></figcaption></figure>

| Field                  | Value                                                       |
| ---------------------- | ----------------------------------------------------------- |
| **Incoming Interface** | SSL-VPN tunnel interface                                    |
| **Outgoing Interface** | Your local network interface (e.g., `lan`).                 |
| **Source**             | The VPN address and the user group `VPN-Access-Facesign`.   |
| **Destination**        | `all` (or the specific addresses of your internal network). |
| **Service**            | `ALL` (or specific services such as `PING`, `SMB`).         |
| **NAT**                | Enabled, if necessary.                                      |

3. Save the policy.

***

### Part 3: Testing the Connection

1. Access the URL of your SSL VPN (e.g., `https://<your-public-ip>`).
2. You will be automatically redirected to the FaceSign authentication page.
3. Log in with your registered email.
4. Perform biometric authentication by facial recognition.
5. After approval, you will be redirected back to the Fortigate SSL-VPN portal.
6. Click **"Connect"** to establish the VPN tunnel connection.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FjlGjsUpXuFToVeCRQnkC%2Fimage.png?alt=media&#x26;token=a0c33fab-5461-4e4c-958e-c853a0635a96" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FJRTui0gXWRG1WAUmScQU%2Fimage.png?alt=media&#x26;token=4d9b7968-b0a4-4b3c-9b79-65c57673c667" alt=""><figcaption></figcaption></figure>

#### Success! You are connected to the internal network with the security of facial biometrics

***

### Support and Contact

For technical support or questions, use the FaceSign Admin Portal or contact our team through the official channels.
