EMS Administration Guide

Logging into EMS using SAML and 2FA with FortiToken

Security Assertion Markup Language (SAML) allows identity providers (IdPs) to pass authorization credentials to service providers (SPs). This example configures a FortiGate as the IdP and EMS as the SP. It creates a user account on the FortiGate and enforces two-factor authentication with FortiToken.

Note

Using FortiGate as an IdP for EMS requires that the FortiGate is part of a Security Fabric.

To configure the FortiGate as the IdP:
  1. In FortiOS, go to Security Fabric > Settings.
  2. From the IdP certificate dropdown list, select the desired certificate.
  3. Download the IdP certificate so that you can use it on EMS.

  4. Click Advanced Options.

  5. In the IP address field, specify the IP address that the EMS will contact to verify identity.

  6. Under Service Providers, click Create New.

  7. In the SP address field, enter the IP address that EMS will request the identity from.

To configure the user account in FortiOS with two-factor authentication (2FA):

This example provisions a FortiToken via email. Therefore, you must first configure SMTP settings in FortiOS.

  1. In FortiOS, go to System > Settings.

  2. Under Email Service, configure an email service. Provide authentication credentials if you are using a custom server which requires such credentials. See Email alerts.

  3. Go to System > Administrators. Click Create New > Administrator.

  4. Configure the desired username, password, administrator profile, and email address to send the token activation code to.

  5. Enable Two-factor Authentication.

  6. For Authentication Type, select FortiToken.

  7. From the Token dropdown list, select the desired available token.

  8. Click OK.

  9. FortiOS sends the activation code to the email address that you configured. Configure FortiToken on your smartphone or physical token.

To configure EMS as an SP using the FortiGate as the IdP:
  1. Log in to EMS with a local administrator account.

  2. Go to System Settings > SAML SSO.

  3. Click Enable SAML SSO.

  4. In the SP Address field, enter the EMS IP address.

  5. In the IdP Address field, enter the FortiGate IP address.

  6. For IdP Certificate, upload the certificate that you downloaded in To configure the FortiGate as the IdP.
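Before uploading the IdP certificate downloaded in step 3 of the FortiGate procedure, it is worth confirming that the file is the certificate you selected under Security Fabric > Settings and that it is not about to expire, since an expired or mismatched signing certificate makes every SSO login fail. The following is an added shell example, not part of the Fortinet guide; it assumes the openssl CLI is installed and that the downloaded file is PEM encoded. The certificate it generates to exercise the check is a constructed stand-in, not a real FortiGate certificate.

```shell
#!/bin/sh
# Added example, not part of the Fortinet guide: sanity-check the IdP
# certificate downloaded from the FortiGate before uploading it to EMS.
# Assumes the openssl CLI is installed and that the file is PEM encoded
# (convert a DER file first with: openssl x509 -inform DER -in f.der -out f.pem).

# check_idp_cert <pem-file> [min-days]
# Prints subject, issuer, validity window and SHA-256 fingerprint so the
# operator can compare them with the certificate selected under
# Security Fabric > Settings. Returns 0 if the file parses as X.509 and stays
# valid for at least min-days (default 30), 1 otherwise.
check_idp_cert() {
    pem=$1
    min_days=${2:-30}
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "check_idp_cert: $pem is not a parseable X.509 certificate" >&2
        return 1
    fi
    openssl x509 -in "$pem" -noout -subject -issuer -dates -fingerprint -sha256
    # -checkend takes seconds; a non-zero exit means the certificate expires
    # inside that window (or already has).
    if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "check_idp_cert: $pem expires within $min_days days; renew it on the FortiGate first" >&2
        return 1
    fi
    return 0
}

# make_sample_cert <out-pem> <days>
# Constructed stand-in for a downloaded IdP certificate (self-signed, EC key)
# so the check can be exercised offline; the private key is discarded.
make_sample_cert() {
    out=$1
    days=$2
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$out.key" -out "$out" -days "$days" \
        -subj "/CN=fortigate-idp.example.invalid" >/dev/null 2>&1
    rm -f "$out.key"
}
```

Run it as `check_idp_cert /path/to/downloaded-idp.crt 30` and compare the printed SHA-256 fingerprint with the one the FortiGate shows for the selected IdP certificate; a non-zero exit means the file should not be uploaded to EMS as it stands.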

To test the configuration:
  1. Log out of EMS.

  2. To avoid caching, close all browser windows or open a private browsing session.

  3. Go to the EMS HTTPS login page. Click Sign in with SSO.

  4. Enter the username and password that you configured in To configure the user account in FortiOS with two-factor authentication (2FA).

  5. If the username and password are correct, the system prompts you to enter your token code. Enter the code to log in to EMS.

Note

By default, administrators that you created in EMS via SAML SSO are given restricted administrator rights, regardless of the configuration in FortiOS. You can log in to EMS as a superadministrator to give the newly created administrator the desired rights.
