Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAnalyzer 7.4.6 Administration Guide
    7.4.6
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    Enabling SAML authentication in a Security Fabric

    Enabling SAML authentication in a Security Fabric

    When FortiGate is configured as a SAML SSO IdP in a Security Fabric, FortiAnalyzer can register itself to FortiGate as an SAML service provider, allowing for simplified configuration of SAML authentication.

    When FortiAnalyzer is configured as a Fabric SP, a default SSO administrator is automatically created for each Security Fabric. When a user logs in through Fabric SSO, the Fabric IdP provides the user's profile name. If FortiAnalyzer has a profile with a matching name, the profile is assigned to the user. Otherwise, the profile of the SSO administrator is assigned to the user by default.

    Before configuring FortiAnalyzer as a Fabric SP, FortiAnalyzer Logging and Security Fabric Connection must be configured on the root FortiGate.

    Note

    When ADOMs are enabled, SSO users can only access the ADOM that includes the root FortiGate.
    To configure FortiAnalyzer as a Fabric SP:

    1. Before configuring FortiAnalyzer as a Fabric SP, configure the following on the root FortiGate:

      1. To enable FortiAnalyzer Logging on the root FortiGate, see Logging to FortiAnalyzer in the FortiGate / FortiOS Administration Guide.

      2. To configure a Security Fabric Connection on the root FortiGate, see Configuring the root FortiGate and downstream FortiGates in the FortiGate / FortiOS Administration Guide.

      3. To enable SAML Single Sign-on on the root FortiGate, see Configuring the root FortiGate as the IdP in the FortiGate / FortiOS Administration Guide.

    2. In the FortiAnalyzer GUI, enable the Fabric SP Single Sign-On Mode.

      1. Go to System Settings > SAML SSO.

      2. Select Fabric SP as the Single Sign-On Mode.

      3. Enter the address of the FortiAnalyzer SP.

      4. Select a Default Admin Profile.

      5. Click Apply.

        The FortiAnalyzer will automatically detect the IdP FortiGate and register itself as a SAML SP. This process may take up to ten minutes. Once completed, IdP information is displayed in the Fabric IdPs table on FortiAnalyzer, and SP information can be viewed in FortiOS.

    3. In the FortiAnalyzer CLI, enable user-auto-create for the Fabric SP using the following command:

      config system saml

      set user-auto-create enable

      end

      Note

      The user-auto-create setting must be enabled to automatically create an SSO admin which will be used for the security fabric.

      This admin can be found in the FortiAnalyzer GUI under System Settings > Administrators with the name "CSF_SSO_FG<serial number>".

    4. When logging into FortiAnalyzer, the Fabric SSO user can click Login via Fabric Single Sign-On.

      The user can then select which Fabric IdP to use. In this example, the user selects csf-v64b.

      The user is then logged into FortiAnalyzer with access according to the selected Default Admin Profile.

    Previous
    Next

    Enabling SAML authentication in a Security Fabric

    Enabling SAML authentication in a Security Fabric

    When FortiGate is configured as a SAML SSO IdP in a Security Fabric, FortiAnalyzer can register itself to FortiGate as an SAML service provider, allowing for simplified configuration of SAML authentication.

    When FortiAnalyzer is configured as a Fabric SP, a default SSO administrator is automatically created for each Security Fabric. When a user logs in through Fabric SSO, the Fabric IdP provides the user's profile name. If FortiAnalyzer has a profile with a matching name, the profile is assigned to the user. Otherwise, the profile of the SSO administrator is assigned to the user by default.

    Before configuring FortiAnalyzer as a Fabric SP, FortiAnalyzer Logging and Security Fabric Connection must be configured on the root FortiGate.

    Note

    When ADOMs are enabled, SSO users can only access the ADOM that includes the root FortiGate.
    To configure FortiAnalyzer as a Fabric SP:

    1. Before configuring FortiAnalyzer as a Fabric SP, configure the following on the root FortiGate:

      1. To enable FortiAnalyzer Logging on the root FortiGate, see Logging to FortiAnalyzer in the FortiGate / FortiOS Administration Guide.

      2. To configure a Security Fabric Connection on the root FortiGate, see Configuring the root FortiGate and downstream FortiGates in the FortiGate / FortiOS Administration Guide.

      3. To enable SAML Single Sign-on on the root FortiGate, see Configuring the root FortiGate as the IdP in the FortiGate / FortiOS Administration Guide.

    2. In the FortiAnalyzer GUI, enable the Fabric SP Single Sign-On Mode.

      1. Go to System Settings > SAML SSO.

      2. Select Fabric SP as the Single Sign-On Mode.

      3. Enter the address of the FortiAnalyzer SP.

      4. Select a Default Admin Profile.

      5. Click Apply.

        The FortiAnalyzer will automatically detect the IdP FortiGate and register itself as a SAML SP. This process may take up to ten minutes. Once completed, IdP information is displayed in the Fabric IdPs table on FortiAnalyzer, and SP information can be viewed in FortiOS.

    3. In the FortiAnalyzer CLI, enable user-auto-create for the Fabric SP using the following command:

      config system saml

      set user-auto-create enable

      end

      Note

      The user-auto-create setting must be enabled to automatically create an SSO admin which will be used for the security fabric.

      This admin can be found in the FortiAnalyzer GUI under System Settings > Administrators with the name "CSF_SSO_FG<serial number>".

    4. When logging into FortiAnalyzer, the Fabric SSO user can click Login via Fabric Single Sign-On.

      The user can then select which Fabric IdP to use. In this example, the user selects csf-v64b.

      The user is then logged into FortiAnalyzer with access according to the selected Default Admin Profile.

    Previous
    Next