EMS supports SAML SSO for login using FortiOS as an IdP

EMS 6.2.2 adds the ability to use SAML single sign-on (SSO) with FortiOS acting as the Identity Provider (IdP).

Currently, EMS supports manually configuring settings for SAML SSO. SAML SSO requires that EMS has HTTPS remote access enabled and a hostname or IP address that FortiOS can access.

Caution

You can only use the SAML SSO feature in EMS with a FortiGate as the IdP. EMS does not support using FortiAuthenticator as an IdP or custom IdPs.

To configure SAML SSO in FortiOS:
  1. Configure the FortiGate as an IdP:
    1. Go to User & Device > SAML SSO.
    2. Set the Mode to Identity Provider (IdP).
    3. In the IdP address field, enter the FortiOS IP address or FQDN.
    4. From the IdP certificate dropdown list, select the SSL IdP certificate.
    5. Click Download to download the certificate for use during EMS configuration.
  2. Add a Service Provider (SP):
    1. In the Service Providers table, click Create New.
    2. Enter the SP name, prefix, type, and address. You can use the default autogenerated prefix or click Generate unique prefix. Copy the prefix, as you need it when configuring the SP.
    3. In the SP type field, select Fortinet Product.
    4. (Optional) Configure an SP certificate from EMS.
    5. Click OK.

To configure SAML SSO in EMS:
  1. In EMS, go to System Settings > SAML SSO.
  2. Select Enable SAML SSO.
  3. Under Service Provider Settings, in the SP Address field, enter the EMS IP address or FQDN.
  4. (Optional) For SP Certificate, import the SP certificate.
  5. Under Identity Provider Settings, in the IdP Address field, enter the IP address or FQDN of the FortiGate configured as the IdP.
  6. In the Prefix field, enter the prefix generated in FortiOS for the SP.
  7. In the IdP Certificate field, click Upload new certificate to upload the IdP certificate. Upload the same certificate that you configured for the IdP (the FortiGate) in FortiOS.
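
The pairing above relies on two things being exactly right: the IdP certificate uploaded to EMS in step 7 must be the same certificate downloaded from FortiOS, and the SP and IdP address fields take a bare IP address or FQDN. The following pre-flight script is an added example (not Fortinet code) that normalises two PEM files to DER so a re-wrapped copy still compares equal, prints the SHA-256 fingerprint for a side-by-side check, and validates the address fields; the certificate bodies are constructed test bytes so it runs offline.

```python
"""Pre-flight checks for the EMS <-> FortiOS SAML SSO pairing (added example)."""
import base64
import hashlib
import ipaddress
import re
import ssl

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def pem_to_der(pem: str) -> bytes:
    """Normalise a PEM certificate to DER so line wrapping and whitespace do not matter."""
    return ssl.PEM_cert_to_DER_cert(pem.strip())


def fingerprint_sha256(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint, the form most certificate viewers display."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(idp_download_pem: str, ems_upload_pem: str) -> bool:
    """True only when both files encode the identical DER certificate."""
    return pem_to_der(idp_download_pem) == pem_to_der(ems_upload_pem)


def is_ip_or_fqdn(address: str) -> bool:
    """The SP/IdP address fields take a bare IP or FQDN, not a URL with scheme or path."""
    if not address or "://" in address or "/" in address:
        return False
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        pass
    labels = address.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


# Constructed samples: the base64 bodies are arbitrary bytes, not real certificates.
_BODY = base64.b64encode(b"constructed-idp-certificate-bytes").decode()
SAMPLE_IDP_PEM = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
# The same certificate re-wrapped at a narrower width, as a copy/paste might produce.
SAMPLE_REWRAPPED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                        + "\n".join(_BODY[i:i + 16] for i in range(0, len(_BODY), 16))
                        + "\n-----END CERTIFICATE-----")
_OTHER = base64.b64encode(b"constructed-unrelated-certificate").decode()
OTHER_PEM = f"-----BEGIN CERTIFICATE-----\n{_OTHER}\n-----END CERTIFICATE-----"

if __name__ == "__main__":
    print("IdP fingerprint:", fingerprint_sha256(SAMPLE_IDP_PEM))
    print("upload matches download:", same_certificate(SAMPLE_IDP_PEM, SAMPLE_REWRAPPED_PEM))
```

Point the two PEM arguments at the real download from FortiOS and the file you are about to upload to EMS; a `False` from `same_certificate` means SSO logins will fail signature validation on the EMS side.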

To log in to EMS using SSO:
  1. Double-click the FortiClient Endpoint Management Server icon.
  2. Click Sign in with SSO.
  3. EMS displays the SSO login page. Enter a username and password configured in FortiOS, then click Login. Accepted accounts include local administrators as well as LDAP and RADIUS users that FortiOS is configured to authenticate.

Note

When an administrator logs in to EMS with SSO for the first time, they will have restricted permissions. An EMS super administrator can adjust permissions for the new administrator.
