You can enable SAML SSO to allow users to log in to EMS using a FortiGate as an identity provider (IdP).
You can only use the SAML SSO feature in EMS with a FortiGate as the IdP. EMS does not support using FortiAuthenticator as an IdP or custom IdPs.
- Configure SAML SSO in FortiOS. See Configuring single-sign-on in the Security Fabric. Ensure that you download the IdP certificate and copy the service provider (SP) prefix to use when configuring SAML SSO on EMS.
- In EMS, go to System Settings > SAML SSO.
- Click Enable SAML SSO.
- Configure Service Provider Settings. In this configuration, EMS is the SP:
Click Upload new certificate to upload the SP certificate.
Only upload an SP certificate if you uploaded the same certificate for this SP (in this case, EMS) in FortiOS in step 1.
- Configure Identity Provider Settings. In this configuration, the FortiGate is the IdP:
Enter the FortiGate IP address. Your browser must be able to access this IP address.
Enter the prefix generated in FortiOS for the SP.
Click Upload new certificate to upload the IdP certificate.
Upload the same certificate that you configured for the IdP (the FortiGate) in FortiOS in step 1.
- Click Save.
- In FortiOS, create a new system administrator. These users can log in to EMS using SAML SSO.
For a user to log in using SAML SSO, you must enable remote HTTPS access on EMS. See Configuring EMS settings.
- Double-click the FortiClient Endpoint Management Server icon.
- Click Sign in with SSO.
- EMS displays the SSO login page. Enter a username and password configured in FortiOS, then click Login.
When an administrator logs in to EMS with SSO for the first time, they have restricted permissions. An EMS super administrator can adjust permissions for the new administrator.