Fortinet white logo
Fortinet white logo

Administration Guide

Enabling SAML authentication in a Security Fabric

Enabling SAML authentication in a Security Fabric

When FortiGate is configured as a SAML SSO IdP in a Security Fabric, FortiAnalyzer can register itself to FortiGate as an SAML service provider, allowing for simplified configuration of SAML authentication.

When FortiAnalyzer is configured as a Fabric SP, a default SSO administrator is automatically created for each Security Fabric. When a user logs in through Fabric SSO, the Fabric IdP provides the user's profile name. If FortiAnalyzer has a profile with a matching name, the profile is assigned to the user. Otherwise, the profile of the SSO administrator is assigned to the user by default.

Before configuring FortiAnalyzer as a Fabric SP, Security Fabric Connection and FortiAnalyzer Logging must be configured on the root FortiGate.

Note

When ADOMs are enabled, SSO users can only access the ADOM that includes the root FortiGate.

To configure FortiAnalyzer as a Fabric SP:
  1. Enable SAML SSO on the root FortiGate in the Security Fabric. For more information, see the FortiGate documentation in the Fortinet Document Library.
  2. On FortiAnalyzer, enable the Fabric SP Single Sign-On Mode.
    1. Go to System Settings > SAML SSO.
    2. Select Fabric SP as the Single Sign-On Mode.
    3. Enter the address of the FortiAnalyzer SP.
    4. Select a Default Admin Profile.
    5. Click Apply.

    The FortiAnalyzer will automatically detect the IdP FortiGate and register itself as a SAML SP. This process may take up to ten minutes. Once completed, IdP information is displayed in the Fabric SP table on FortiAnalyzer, and SP information can be viewed in FortiOS.

  3. Sign in using Fabric SSO.
    Users are presented with the Login via Fabric Single Sign-On option on the FortiAnalyzer login page. When more than one Security Fabric with SAML SSO enabled is configured, you are presented with the option to select which Fabric login to use.

    Fabric devices configured to the IdP can be accessed through the Security Fabric members dropdown which appears in the top-right corner of the toolbar.

Enabling SAML authentication in a Security Fabric

Enabling SAML authentication in a Security Fabric

When FortiGate is configured as a SAML SSO IdP in a Security Fabric, FortiAnalyzer can register itself to FortiGate as an SAML service provider, allowing for simplified configuration of SAML authentication.

When FortiAnalyzer is configured as a Fabric SP, a default SSO administrator is automatically created for each Security Fabric. When a user logs in through Fabric SSO, the Fabric IdP provides the user's profile name. If FortiAnalyzer has a profile with a matching name, the profile is assigned to the user. Otherwise, the profile of the SSO administrator is assigned to the user by default.

Before configuring FortiAnalyzer as a Fabric SP, Security Fabric Connection and FortiAnalyzer Logging must be configured on the root FortiGate.

Note

When ADOMs are enabled, SSO users can only access the ADOM that includes the root FortiGate.

To configure FortiAnalyzer as a Fabric SP:
  1. Enable SAML SSO on the root FortiGate in the Security Fabric. For more information, see the FortiGate documentation in the Fortinet Document Library.
  2. On FortiAnalyzer, enable the Fabric SP Single Sign-On Mode.
    1. Go to System Settings > SAML SSO.
    2. Select Fabric SP as the Single Sign-On Mode.
    3. Enter the address of the FortiAnalyzer SP.
    4. Select a Default Admin Profile.
    5. Click Apply.

    The FortiAnalyzer will automatically detect the IdP FortiGate and register itself as a SAML SP. This process may take up to ten minutes. Once completed, IdP information is displayed in the Fabric SP table on FortiAnalyzer, and SP information can be viewed in FortiOS.

  3. Sign in using Fabric SSO.
    Users are presented with the Login via Fabric Single Sign-On option on the FortiAnalyzer login page. When more than one Security Fabric with SAML SSO enabled is configured, you are presented with the option to select which Fabric login to use.

    Fabric devices configured to the IdP can be accessed through the Security Fabric members dropdown which appears in the top-right corner of the toolbar.