EMS Administration Guide

SAML SSO with FortiGate as IdP

You can enable SAML SSO to allow users to log in to EMS using a FortiGate as an identity provider (IdP).

To configure SAML SSO:
  1. Configure SAML SSO in FortiOS with EMS as the service provider (SP). See Configuring single-sign-on in the Security Fabric. Ensure that you download the IdP certificate and copy the IdP entity ID and IdP single sign-on URL values to use when configuring SAML SSO on EMS.

  2. In EMS, go to Administration > SAML SSO.
  3. Click Enable SAML SSO.
  4. (Optional) EMS prepopulates the Assertion Attributes > Username Claim field with username as the value. This is the same default value as in FortiOS. If you change this value, ensure that you also change the value in FortiOS by going to Security Fabric > Fabric Connectors > Security Fabric Setup > SAML Single Sign-On Advanced Options. Edit the EMS SP and confirm that the value in SAML Attribute > Name is the same as the value in EMS in Assertion Attributes > Username Claim.
  5. Configure Service Provider Settings:

    SP Address
      Enter the EMS IP address. You can also click the Use Current Browser Address button to autopopulate the field. Your browser must be able to access this IP address.

    SP Entity ID
      This field is prepopulated. You do not need to provide this value to FortiOS when configuring SAML SSO for EMS using FortiGate as an IdP.

    SP ACS (login URL)

    SP Certificate
      Click Upload new certificate to upload the SP certificate.
      Only upload an SP certificate if you uploaded the same certificate for this SP (in this case, EMS) in FortiOS in step 1.

  6. Configure Identity Provider Settings. In this configuration, the FortiGate is the IdP:

    IdP Entity ID
      Enter the IdP entity ID value that you copied from FortiOS.

    IdP single sign-on URL
      Enter the IdP single sign-on URL value that you copied from FortiOS.

    IdP Certificate
      Click Upload new certificate to upload the IdP certificate.
      Upload the same certificate that you configured for the IdP (the FortiGate) in FortiOS in step 1.

  7. In Access Control, click Add to assign the roles for the group members:

    1. Create a member with the Super Administrator role and the highest Priority.

    2. Assign the access of other group members.

    3. For each Rule that is not assigned to a Super Administrator role, click Advanced Settings:

      1. Configure domain access. This enables finer control over the specific authorization levels assigned to administrators.

      2. Click Finish.

    4. Configure other settings as needed.

    5. Click Save.

      Note

      Deleting an authorization rule does not remove its associated users as admin users from EMS. You must delete them from Administration > Admin Users.

  8. Click Save.
  9. In FortiOS, create a new system administrator. These users can log in to EMS using SAML SSO.
Note

For a user to log in using SAML SSO, you must enable remote HTTPS access on EMS. See Configuring EMS settings.
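The values entered in steps 4 to 6 each correspond to a field inside the SAML Response the FortiGate IdP posts to EMS. The following Python script is an added example, not Fortinet code and not part of EMS: it parses a constructed, unsigned SAML Response and reports which EMS setting would be mismatched (IdP Entity ID against the assertion Issuer, SP ACS against Destination, SP Entity ID against Audience, and Username Claim against the SAML Attribute Name). The entity IDs, URLs and the sample response are placeholders for illustration; signature checking with the uploaded IdP certificate is left out because EMS performs it.

```python
"""Check a SAML Response against EMS-side SAML SSO settings.

Added example (not Fortinet code). The response XML and the settings below
are constructed placeholders, not values from any real deployment. Signature
verification is out of scope: EMS does that with the uploaded IdP certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Settings as entered in EMS > Administration > SAML SSO (placeholder values).
EMS_SETTINGS = {
    "idp_entity_id": "http://fortigate.example.test/saml-idp/metadata/",
    "sp_entity_id": "https://ems.example.test/saml/metadata",
    "sp_acs_url": "https://ems.example.test/saml/acs",
    "username_claim": "username",  # default in both EMS and FortiOS
}

# Constructed, unsigned SAML Response used only to exercise the checks.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://ems.example.test/saml/acs" Version="2.0">
  <saml:Issuer>http://fortigate.example.test/saml-idp/metadata/</saml:Issuer>
  <saml:Assertion Version="2.0">
    <saml:Issuer>http://fortigate.example.test/saml-idp/metadata/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://ems.example.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, settings):
    """Return (ok, problems, username) for one SAML Response string."""
    root = ET.fromstring(xml_text)
    problems = []

    # Step 6: the IdP Entity ID must equal the Issuer of the assertion.
    issuer = root.findtext("saml:Assertion/saml:Issuer", namespaces=NS)
    if issuer != settings["idp_entity_id"]:
        problems.append(f"issuer mismatch: {issuer!r}")

    # Step 5: the SP ACS (login URL) is the Destination the IdP posts to.
    destination = root.get("Destination")
    if destination != settings["sp_acs_url"]:
        problems.append(f"destination mismatch: {destination!r}")

    # The SP Entity ID is the Audience the assertion is restricted to.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if settings["sp_entity_id"] not in audiences:
        problems.append(f"audience mismatch: {audiences!r}")

    # Step 4: the Username Claim name must equal the SAML Attribute Name,
    # otherwise EMS cannot find the user name in the assertion.
    username = None
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == settings["username_claim"]:
            username = attr.findtext("saml:AttributeValue", namespaces=NS)
    if username is None:
        names = [a.get("Name") for a in root.findall(".//saml:Attribute", NS)]
        problems.append(
            f"no attribute named {settings['username_claim']!r}; got {names!r}")

    return (not problems, problems, username)


if __name__ == "__main__":
    ok, problems, user = check_response(SAMPLE_RESPONSE, EMS_SETTINGS)
    print("OK" if ok else "MISMATCH", problems, user)
    # Changing only the Username Claim on the EMS side reproduces the
    # step 4 failure mode: the assertion still carries the attribute, but
    # under a name EMS is no longer looking for.
    print(check_response(SAMPLE_RESPONSE, dict(EMS_SETTINGS, username_claim="uid")))
```

Running the script with the placeholder settings reports no problems and the user name alice; changing only username_claim to a different name reproduces the step 4 mismatch, which is the case where the FortiOS SAML Attribute Name and the EMS Username Claim have drifted apart.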

To log in to EMS using SSO:
  1. Double-click the FortiClient Endpoint Management Server icon.
  2. Click Sign in with SSO.
  3. EMS displays the SSO login page. Enter a username and password configured in FortiOS, then click Login.
Note

When an administrator logs in to EMS with SSO for the first time, they have restricted permissions. An EMS super administrator can adjust permissions for the new administrator.
