Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 7.2.2 EMS Administration Guide
    7.2.2
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    SAML SSO with FortiGate as IdP

    SAML SSO with FortiGate as IdP

    You can enable SAML SSO to allow users to log in to EMS using a FortiGate as an identity provider (IdP).

    To configure SAML SSO:
    1. Configure SAML SSO in FortiOS with EMS as the service provider (SP). See Configuring single-sign-on in the Security Fabric. Ensure that you download the IdP certificate and copy the IdP entity ID and IDP single sign-on URL values to use when configuring SAML SSO on EMS.

    2. In EMS, go to Administration > SAML SSO.
    3. Click Enable SAML SSO.
    4. (Optional) EMS prepopulates the Assertion Attributes > Username Claim field with username as the value. This is the same default value as in FortiOS. If you change this value, ensure that you also change the value in FortiOS by going to Security Fabric > Fabric Connectors > Security Fabric Setup > SAML Single Sign-On Advanced Options. Edit the EMS SP and confirm that the value in SAML Attribute > Name is the same as the value in EMS in Assertion Attributes > Username Claim.
    5. Configure Service Provider Settings:

      Setting

      Description

      SP Address

      Enter the EMS IP address. You can also click the Use Current Browser Address button to autopopulate the field. Your browser must be able to access this IP address.

      SP Entity ID

      This field is prepopulated. You do not need to provide this value to FortiOS when configuring SAML SSO for EMS using FortiGate as an IdP.

      SP ACS (login URL)

      SP Certificate

      Click Upload new certificate to upload the SP certificate.

      Only upload an SP certificate if you uploaded the same certificate for this SP (in this case, EMS) in FortiOS in step 1.

    6. Configure Identity Provider Settings. In this configuration, the FortiGate is the IdP:

      Setting

      Description

      IdP Entity ID

      Enter the IdP entity ID value that you copied from FortiOS.

      IdP single sign-on URL

      Enter the IdP single sign-on URL value that you copied from FortiOS.

      IdP Certificate

      Click Upload new certificate to upload the IdP certificate.

      Upload the same certificate that you configured for the IdP (the FortiGate) in FortiOS in step 1.

    7. (Optional) If desired, toggle on Enable Authorization Rules. When this feature is disabled, all SSO users from the IdP can become EMS admin users. When this feature is enabled, only SSO users from the IdP that satisfy a configured rule can become an EMS admin user. To add a rule, click Add. In the Authorization Rule field, enter a username. This field is case-insensitive. Add multiple rules as desired. Only SSO users from the IdP with usernames that match the configured authorization rules can access EMS as an admin user.
      Note

      Deleting an authorization rule does not remove its associated users as admin users from EMS. You must delete them from Administration > Admin Users.

    8. Click Save.
    9. In FortiOS, create a new system administrator. These users can log in to EMS using SAML SSO.
    Note

    For a user to log in using SAML SSO, you must enable remote HTTPS access on EMS. See Configuring EMS settings.
    To log in to EMS using SSO:
    1. Double-click the FortiClient Endpoint Management Server icon.
    2. Click Sign in with SSO.
    3. EMS displays the SSO login page. Enter a username and password configured in FortiOS, then click Login.
    Note

    When an administrator logs in to EMS with SSO for the first time, they have restricted permissions. An EMS super administrator can adjust permissions for the new administrator.
    Previous
    Next

    SAML SSO with FortiGate as IdP

    SAML SSO with FortiGate as IdP

    You can enable SAML SSO to allow users to log in to EMS using a FortiGate as an identity provider (IdP).

    To configure SAML SSO:
    1. Configure SAML SSO in FortiOS with EMS as the service provider (SP). See Configuring single-sign-on in the Security Fabric. Ensure that you download the IdP certificate and copy the IdP entity ID and IDP single sign-on URL values to use when configuring SAML SSO on EMS.

    2. In EMS, go to Administration > SAML SSO.
    3. Click Enable SAML SSO.
    4. (Optional) EMS prepopulates the Assertion Attributes > Username Claim field with username as the value. This is the same default value as in FortiOS. If you change this value, ensure that you also change the value in FortiOS by going to Security Fabric > Fabric Connectors > Security Fabric Setup > SAML Single Sign-On Advanced Options. Edit the EMS SP and confirm that the value in SAML Attribute > Name is the same as the value in EMS in Assertion Attributes > Username Claim.
    5. Configure Service Provider Settings:

      Setting

      Description

      SP Address

      Enter the EMS IP address. You can also click the Use Current Browser Address button to autopopulate the field. Your browser must be able to access this IP address.

      SP Entity ID

      This field is prepopulated. You do not need to provide this value to FortiOS when configuring SAML SSO for EMS using FortiGate as an IdP.

      SP ACS (login URL)

      SP Certificate

      Click Upload new certificate to upload the SP certificate.

      Only upload an SP certificate if you uploaded the same certificate for this SP (in this case, EMS) in FortiOS in step 1.

    6. Configure Identity Provider Settings. In this configuration, the FortiGate is the IdP:

      Setting

      Description

      IdP Entity ID

      Enter the IdP entity ID value that you copied from FortiOS.

      IdP single sign-on URL

      Enter the IdP single sign-on URL value that you copied from FortiOS.

      IdP Certificate

      Click Upload new certificate to upload the IdP certificate.

      Upload the same certificate that you configured for the IdP (the FortiGate) in FortiOS in step 1.

    7. (Optional) If desired, toggle on Enable Authorization Rules. When this feature is disabled, all SSO users from the IdP can become EMS admin users. When this feature is enabled, only SSO users from the IdP that satisfy a configured rule can become an EMS admin user. To add a rule, click Add. In the Authorization Rule field, enter a username. This field is case-insensitive. Add multiple rules as desired. Only SSO users from the IdP with usernames that match the configured authorization rules can access EMS as an admin user.
      Note

      Deleting an authorization rule does not remove its associated users as admin users from EMS. You must delete them from Administration > Admin Users.

    8. Click Save.
    9. In FortiOS, create a new system administrator. These users can log in to EMS using SAML SSO.
    Note

    For a user to log in using SAML SSO, you must enable remote HTTPS access on EMS. See Configuring EMS settings.
    To log in to EMS using SSO:
    1. Double-click the FortiClient Endpoint Management Server icon.
    2. Click Sign in with SSO.
    3. EMS displays the SSO login page. Enter a username and password configured in FortiOS, then click Login.
    Note

    When an administrator logs in to EMS with SSO for the first time, they have restricted permissions. An EMS super administrator can adjust permissions for the new administrator.
    Previous
    Next