SAML admin authentication
SAML can be enabled across devices, enabling smooth movement between devices for the administrator. FortiManager can play the role of the identity provider (IdP) or the service provider (SP) when an external identity provider is available.
Devices configured to the IdP can be accessed through the Quick Access menu which appears in the top-right corner of the main menu. The current device is indicated with an asterisk (currently only supported between FAZ/FMG).
Logging into an SP device will redirect you to the IdP login page. By default, it is a Fortinet login page. After successful authentication, you can access other SP devices from within the same browser without additional authentication.
When FortiManager is registered to FortiCloud, you can enable Allow admins to login with FortiCloud. This feature allows administrators to log in to FortiManager using their FortiCloud SSO account credentials. See FortiCloud SSO admin authentication.
Admin user creation
The admin user must be created on both the IdP and SP, otherwise you will see an error message stating that the admin doesn't exist.
Alternatively, you can configure the ADOM and profile names in the SP to match the IdP. When this is done, you can create one SAML SSO wildcard admin user on the SP to match all users on the IdP server.
FortiGate Quick Access
When accessing FortiGate from the Quick Access menu, if FortiGate is set up to use the default login page with SSO options, you must select the via Single Sign-On button to be automatically authenticated.
Asymmetric cryptographic algorithms
The IdP and SP can use different cryptographic algorithms for the Signature Algorithm and Digest Method settings. For example, if the IdP uses SHA-256 as the Signature Algorithm and Digest Method, the SP can use SHA-256 or SHA-512.
To configure FortiManager as the identity provider:
- Go to System Settings > SAML SSO.
- Configure the following information:

| Setting | Description |
|---|---|
| Server Address | Use the browser-accessible address of this device for single sign-on redirection. |
| Allow admins to login with FortiCloud | Enable to allow admins to log in using their FortiCloud account. The FortiCloud account must be registered to this device. This feature is unavailable if this device is not registered to FortiCare. See FortiCloud SSO admin authentication. |
| Single Sign-On Mode | Select Identity Provider (IdP). |
| IdP Certificate | Choose a certificate in the dropdown menu, and click the Download button to get the IdP certificate, used later to configure SPs. |
| Signature Algorithm | Select a signature algorithm from RSA-SHA256 to RSA-SHA512. |
| Digest Method | Select a digest method of SHA256 or SHA512. |
| Login Page Template | (Optional) A custom login page can be created by moving the Login Page Template toggle to the On position and selecting Customize. |
- In the SP Settings table, select Create New to add a service provider.
- In the Create Service Provider window, configure the following information:
| Setting | Description |
|---|---|
| Name | Enter a name for the service provider. |
| IdP Prefix | Copy the IdP prefix. This will be required when configuring your service providers. |
| SP Type | Select Fortinet as the SP Type. If the SP is not a Fortinet product, select Custom as the SP Type and copy the SP Entity ID, SP ACS (Login) URL, and SP SLS (Logout) URL from your SP's configuration page. |
| SP Address | Enter the IP address of the service provider. |
| SAML Attributes | SAML attributes can be added to a service provider to specify ADOM and/or profile names. |
FortiManager acting as IdP supports the following SAML attributes:
- Type: Username, Attribute: username
- Type: Profile Name, Attribute: profilename
- Type: ADOM, Attribute: adoms
- Type: Group Match, Attribute: groupmatch
SAML SSO Wildcard users
As long as the SP has the same user profile and ADOM names as the IdP, you do not need to re-create each user from the IdP on the SP. Instead, you can create one SAML SSO wildcard admin user on the SP with the Match all users on remote server setting enabled to match all users on the IdP server. When logging in as an SSO user on the SP, the user is assigned the same profile and ADOMs as are configured on the IdP. See Creating administrators.
Using the groupmatch attribute for SSO users
You can specify that an SSO user must match a specific user group on the IdP by configuring the ext-auth-group-match setting for the SSO user. See Creating administrators. When an SSO user has a group configured using the ext-auth-group-match setting, the login will be granted when the IdP user and SSO user have the same group value, and the group exists on the IdP. If the IdP user and SP SSO user have different group values, the login will fail.
- Select OK to save changes to the service provider.
- Click Apply to save the IdP configuration.
To configure FortiManager as a service provider:
- Go to System Settings > SAML SSO.
- Configure the following information:
| Setting | Description |
|---|---|
| Server Address | Enter the browser-accessible address of this device. |
| Single Sign-On Mode | Select Service Provider (SP). |
| Custom SP Entity ID | Optionally, enable this setting to manually customize the SP Entity ID. |
| SP Certificate | Select an SP certificate. |
| Signature Algorithm | Select a signature algorithm from RSA-SHA256 to RSA-SHA512. |
| Digest Method | Select a digest method of SHA256 or SHA512. |
| Default Login Page | Select one of the following options. Normal: the user sees a normal login page with an SSO option. Single Sign-On: automatically redirects the user to the IdP's SSO login page. |
| Auto Create Admin | Select one of the following options. Enable: automatically create SSO admins if they do not exist. Disable: SSO admins must be predefined. |
- Optionally, configure the Signing Options:
| Setting | Description |
|---|---|
| Authentication Request Signed | Enable this setting to require that all authentication requests sent by the FortiManager service provider are signed. A valid SP certificate is required to enable this option. |
| Logout Request Signed | FortiManager as SP will sign the SAML Request during logout. A valid SP certificate is required to enable this option. |
| Require Assertions Signed from IdP | Enable this setting to require that all assertions received from the IdP are signed. |
| Require Logout Response Signed | FortiManager as SP will require the SAML Response to be signed by the IdP during logout. |
- Configure the IdP Settings:
| Setting | Description |
|---|---|
| IdP Type | Select the IdP type as Fortinet or Custom. |
| IdP Address | Enter the IdP Address that you obtained while configuring the Fortinet IdP device. This option is only for the Fortinet IdP type. |
| Prefix | Enter the Prefix that you obtained while configuring the Fortinet IdP device. This option is only for the Fortinet IdP type. |
| IdP Entity ID | Enter the IdP entity ID obtained from your custom IdP. This option is only for the Custom IdP type. |
| IdP Login URL | Enter the IdP login URL obtained from your custom IdP. This option is only for the Custom IdP type. |
| IdP Logout URL | Enter the IdP logout URL obtained from your custom IdP. This option is only for the Custom IdP type. |
| IdP Certificate | Select the IdP certificate. If this is a first-time setup, you can import the IdP certificate that you downloaded while configuring the IdP device. |
- Confirm that the information is correct and select Apply.
- Repeat the steps for each FortiManager that is to be set as a service provider.
Supported SAML attribute overrides
The following SAML attributes are accepted by the FortiManager SAML service provider.
| SAML Attribute | Description |
|---|---|
| username | The username of the local/SSO user. This attribute is mandatory. Example: <Attribute Name="username"> <AttributeValue>user1</AttributeValue> </Attribute> |
| profilename | The Profile assigned to the user. If a matching profile exists on the FortiManager, it will be assigned to the user. This attribute is optional. Example: <Attribute Name="profilename"> <AttributeValue>SSOPROFILE</AttributeValue> </Attribute> |
| adoms | The ADOM(s) to which the user will have access. Multiple ADOMs can be specified in the SAML assertion if supported by the IdP. This attribute is optional. Example: <Attribute Name="adoms"> <AttributeValue>ADOM1</AttributeValue> <AttributeValue>ADOM2</AttributeValue> </Attribute> |
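The following added example (not Fortinet code) models how an SP consumes the attributes in the table above and the groupmatch rule from the IdP section: username is mandatory, profilename is applied only when that profile exists locally, adoms may carry several values, and a configured ext-auth-group-match value must equal the IdP's groupmatch value or the login fails. The assertion fragment, the function names, the group name fmg-admins, and the filtering of adoms to locally existing ADOM names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    # Strip a namespace prefix such as {urn:oasis:names:tc:SAML:2.0:assertion}
    return tag.rsplit("}", 1)[-1]


def parse_saml_attributes(assertion_xml):
    """Return {attribute name: [values]} for every <Attribute> in the assertion."""
    attrs = {}
    for elem in ET.fromstring(assertion_xml).iter():
        if _local(elem.tag) != "Attribute":
            continue
        values = [v.text.strip() for v in elem if _local(v.tag) == "AttributeValue" and v.text]
        attrs.setdefault(elem.get("Name"), []).extend(values)
    return attrs


def map_sso_admin(attrs, local_profiles, local_adoms, ext_auth_group_match=None):
    """Apply the attribute rules described on this page (assumed model, not Fortinet's code)."""
    username = (attrs.get("username") or [None])[0]
    if not username:
        raise ValueError("SAML assertion lacks the mandatory username attribute")
    # groupmatch check: only enforced when the SP SSO user has ext-auth-group-match set
    if ext_auth_group_match is not None:
        idp_groups = attrs.get("groupmatch", [])
        if ext_auth_group_match not in idp_groups:
            raise PermissionError(f"group mismatch for {username}: {idp_groups} vs {ext_auth_group_match!r}")
    # profilename is assigned only if a profile of that name exists on this device
    profile = next((p for p in attrs.get("profilename", []) if p in local_profiles), None)
    # assumption: only ADOM names that exist locally are granted (wildcard users need matching names)
    adoms = [a for a in attrs.get("adoms", []) if a in local_adoms]
    return {"username": username, "profile": profile, "adoms": adoms}


# Constructed sample assertion fragment, not captured from a real IdP
SAMPLE_ASSERTION = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="username"><saml:AttributeValue>user1</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="profilename"><saml:AttributeValue>SSOPROFILE</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="adoms">
    <saml:AttributeValue>ADOM1</saml:AttributeValue>
    <saml:AttributeValue>ADOM2</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groupmatch"><saml:AttributeValue>fmg-admins</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    attrs = parse_saml_attributes(SAMPLE_ASSERTION)
    print(map_sso_admin(attrs, {"SSOPROFILE"}, {"ADOM1", "ADOM2"}, ext_auth_group_match="fmg-admins"))
```

The same parser accepts the unnamespaced `<Attribute>` form shown in the table, so it can be pointed at an assertion captured with browser developer tools when checking why an SSO login landed in the wrong profile or ADOM.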
You can use the following command in the CLI to verify the correct adoption of the SAML attributes by FortiManager.
diagnose system admin-session list
For example:
diagnose system admin-session list
*** entry 0 ***
session_id: 57410 (seq: 0)
username: user1
admin template: SSO
from: SSO(192.168.50.188) (type 7)
profile: SSOPROFILE
adom: adom1
session length: 3 (seconds)