SAML Admin Authentication

In 6.2, SAML can be enabled across all Security Fabric devices, enabling smooth movement between devices for the administrator. FortiAnalyzer can act as the identity provider (IdP), or as a service provider (SP) when an external identity provider is available.

To configure FortiAnalyzer as the identity provider:
  1. Go to System Settings > SAML SSO.
  2. Select Identity Provider (IdP).

  3. In the IdP Certificate dropdown, choose the certificate that the IdP will use.
  4. Select Download to get the IdP certificate, used later to configure SPs.
  5. Select Apply.
  6. In the SP Settings table, select Create to add a service provider.

  7. In the Edit Service Provider window:
    • Enter a name for the SP.
    • Select Fortinet as the SP type.
    • Enter the SP IP address.
    • Copy down the IdP Prefix. It is required when configuring SPs.
    • If the SP is not a Fortinet product, you can instead select Custom as the SP type and copy the SP Entity ID, SP ACS (Login) URL, and SP SLS (Logout) URL from your SP's configuration page.
  8. Select OK.
  9. A custom login page can be created by moving the Login Page Template toggle to the On position, then selecting Customize.

To configure FortiAnalyzer as the IdP in the CLI:
config system saml
    set status enable
    set role IDP
    set cert "Fortinet"
    set server-address "10.2.90.208"
    config service-providers
        edit "faz"
            set prefix "qh62tzggiol"
            set sp-entity-id "http://10.2.90.209/metadata/"
            set sp-single-sign-on-url "https://10.2.90.209/saml/?acs"
            set sp-single-logout-url "https://10.2.90.209/saml/?sls"
        next
    end
end

To configure FortiAnalyzer as a service provider:
  1. Go to System Settings > SAML SSO.
  2. Select Service Provider (SP).

  3. Select Fortinet as the IdP Type.
  4. Enter the IdP IP address and the IdP Prefix that you obtained while configuring the IdP device.
  5. Select the IdP certificate.
    If this is a first-time setup, you can Import the IdP certificate you downloaded while configuring the IdP device.
  6. Confirm the information is correct and select Apply.
  7. Repeat the steps above for each FAZ/FMG that is to be set as a service provider. The FortiGate SP configuration steps mirror those of FAZ/FMG.

To configure FortiAnalyzer as the SP in the CLI:
config system saml
    set status enable
    set server-address "10.2.90.209"
    set idp-entity-id "http://10.2.90.208/saml-idp/qh62tzggiol/metadata/"
    set idp-single-sign-on-url "https://10.2.90.208/saml-idp/qh62tzggiol/login/"
    set idp-single-logout-url "https://10.2.90.208/saml-idp/qh62tzggiol/logout/"
    set idp-cert "Remote_cert_1"
end
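The IdP-side and SP-side CLI blocks above must refer to each other: the SP's idp-* URLs embed the IdP's address and prefix, and the IdP's service-provider entry embeds the SP's address. The following script is an added example, not Fortinet code; it parses both blocks (constructed here from the examples above) and reports any mismatch. The URL layout it checks against is assumed from those two examples.

```python
import re
# Constructed sample: the IdP-side and SP-side CLI blocks shown above, one string each.
IDP_CLI = """config system saml
    set role IDP
    set server-address "10.2.90.208"
    config service-providers
        edit "faz"
            set prefix "qh62tzggiol"
            set sp-entity-id "http://10.2.90.209/metadata/"
            set sp-single-sign-on-url "https://10.2.90.209/saml/?acs"
            set sp-single-logout-url "https://10.2.90.209/saml/?sls"
        next
    end
end"""
SP_CLI = """config system saml
    set server-address "10.2.90.209"
    set idp-entity-id "http://10.2.90.208/saml-idp/qh62tzggiol/metadata/"
    set idp-single-sign-on-url "https://10.2.90.208/saml-idp/qh62tzggiol/login/"
    set idp-single-logout-url "https://10.2.90.208/saml-idp/qh62tzggiol/logout/"
end"""
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*)"?\s*$')

def parse_sets(cli):
    # Flatten every 'set key value' line into one dict; nesting is ignored,
    # which is enough for a config with a single service-provider entry.
    return {m.group(1): m.group(2) for m in map(SET_RE.match, cli.splitlines()) if m}

def expected_urls(idp_addr, prefix, sp_addr):
    # URL layout assumed from the two CLI examples on this page.
    idp = f"{idp_addr}/saml-idp/{prefix}"
    return ({"idp-entity-id": f"http://{idp}/metadata/",
             "idp-single-sign-on-url": f"https://{idp}/login/",
             "idp-single-logout-url": f"https://{idp}/logout/"},
            {"sp-entity-id": f"http://{sp_addr}/metadata/",
             "sp-single-sign-on-url": f"https://{sp_addr}/saml/?acs",
             "sp-single-logout-url": f"https://{sp_addr}/saml/?sls"})

def check_pair(idp_cli, sp_cli):
    """Return mismatches between an IdP config and the SP config it should pair with."""
    idp, sp = parse_sets(idp_cli), parse_sets(sp_cli)
    problems = []
    if idp.get("role") != "IDP":
        problems.append("IdP device lacks 'set role IDP'")
    want_on_sp, want_on_idp = expected_urls(idp["server-address"], idp["prefix"], sp["server-address"])
    for key, want in want_on_sp.items():   # SP must point at the IdP's address and prefix
        if sp.get(key) != want:
            problems.append(f"SP {key}: got {sp.get(key)!r}, expected {want!r}")
    for key, want in want_on_idp.items():  # IdP's SP entry must point at the SP's address
        if idp.get(key) != want:
            problems.append(f"IdP {key}: got {idp.get(key)!r}, expected {want!r}")
    return problems
```

An empty list from `check_pair` means the two blocks are mutually consistent; a prefix typo on the SP side, for instance, is reported as three mismatched idp-* URLs.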

Switching devices with SAML authentication

  • Logging into an SP device will redirect you to the IdP login page. By default, it is a Fortinet login page. After successful authentication, you can access other SP devices (such as FGT/FMG) from within the same browser without additional authentication.

  • Devices configured to the IdP can be accessed through the Quick Access menu which appears in the top-right corner of the main menu. The current device is indicated with an asterisk (this feature is currently only supported on FAZ/FMG).

  • When accessing FortiGate from the Quick Access menu, if FGT is set to use the default login page with SSO options, you will need to select the "via Single Sign-On" button to be automatically logged in.

  • The admin user must be created for both the IdP and SP, otherwise you will see an error message stating Admin xx doesn’t exist.