
Administration Guide

SAML Authentication

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP).

FortiEDR can act as an SP to authenticate users with a third-party IdP, enabling transparent user sign-in to the FortiEDR Central Manager Console.

To set up SAML authentication in FortiEDR:
  1. Click the SAML Authentication button.

    The following window displays:

  2. Click the Download button to download and save SP data from FortiEDR, which is used by your IdP server during SAML authentication. Then, upload this FortiEDR data as is to your IdP server using a standard method.

    If your IdP requires manual configuration, you can extract the following fields from the XML file that you downloaded and use them for manual configuration:

    Field                        Description
    Entity ID                    Located under the md:EntityDescriptor tag, in the entityID attribute.
    Logout Address Value         Located under the md:SingleLogoutService tag, in the Location attribute.
    Login Address Value          Located under the md:AssertionConsumerService tag, in the Location attribute.
    Certificate Value (Public)   Located under the ds:X509Certificate tag.
  3. Fill in the following fields:

    Field              Definition

    SAML Enabled
        Check this checkbox to enable SAML authentication in FortiEDR.

    SSO URL
        Specify the URL that users will use to log in to FortiEDR. If necessary, you can edit the suffix of this URL (shown in green) by clicking the Edit button and then modifying it as needed. You can also copy the URL to the clipboard using the Copy button (for example, in order to email the FortiEDR SAML login page to your users).

        Make sure that the suffix does not include any spaces and consists only of letters, numbers and underscores.

    IDP Description
        Specify a free-text description. For example, you may want to note here which IdP server you are using.

    IDP Metadata
        Upload the IdP metadata to FortiEDR. You can either upload an *.XML file or specify a URL. To upload a file, click the File radio button and then click the Select File button to navigate to and select the applicable *.XML file. To use a URL, click the URL radio button and then specify the requisite URL.

    Attribute Name
        Specify the name of the attribute that FortiEDR reads in order to determine the permissions and role to assign to the user in FortiEDR. This attribute must be included in the response sent by the identity provider server to FortiEDR when a user attempts to log in to FortiEDR.

    Role/Group Mapping
        Specify an attribute value for the User, Local Admin, Admin and API groups. You must specify a value for at least one of these user roles. Each of these groups corresponds to a different role in FortiEDR.

        Note that if more than a single role is mapped to the user, FortiEDR expects to receive the roles as a list of separate attribute values in the SAML assertion sent by the IdP, not as a single combined value.

  4. Click Save.
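The following Python script is an added example, not part of the FortiEDR product or this guide. It shows the two data-handling points behind steps 2 and 3: pulling the Entity ID, logout and login addresses and public certificate out of downloaded SP metadata (so you can verify what you are about to paste into the IdP), and checking that a role attribute in an IdP assertion arrives as separate AttributeValue elements rather than one combined value, which is what the Role/Group Mapping step requires. The hostname, URLs, certificate bytes, attribute name and group values are constructed placeholders, and the SAML namespaces are the standard OASIS ones.

```python
"""Added example (not Fortinet's code): inspect SP metadata and an IdP
assertion the way FortiEDR's SAML setup expects them to be shaped."""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata / assertion / XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of a downloaded SP metadata file. The hostname,
# Location URLs and certificate body are placeholders, not real values.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://fortiedr.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIC...PLACEHOLDER...==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fortiedr.example.com/saml/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fortiedr.example.com/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_fields(metadata_xml: str) -> dict:
    """Return the four values the guide says an IdP needs for manual setup."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    slo = root.find(".//md:SingleLogoutService", NS)
    acs = root.find(".//md:AssertionConsumerService", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    if slo is None or acs is None or cert is None or not cert.text:
        raise ValueError("metadata is missing SLO, ACS or certificate")
    return {
        "entity_id": root.get("entityID"),
        "logout_url": slo.get("Location"),
        "login_url": acs.get("Location"),
        # Collapse the line breaks metadata generators put inside the cert.
        "certificate": "".join(cert.text.split()),
    }


# Hypothetical Attribute Name and Role/Group Mapping as entered in FortiEDR.
ATTRIBUTE_NAME = "fortiedr-role"
ROLE_MAPPING = {
    "edr-users": "User",
    "edr-local-admins": "Local Admin",
    "edr-admins": "Admin",
    "edr-api": "API",
}


def assertion_with(values_xml: str) -> str:
    """Wrap constructed AttributeValue markup in a minimal assertion."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:AttributeStatement><saml:Attribute Name="{ATTRIBUTE_NAME}">'
        f"{values_xml}</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


# The shape FortiEDR expects: one AttributeValue element per role.
ASSERTION_LIST = assertion_with(
    "<saml:AttributeValue>edr-users</saml:AttributeValue>"
    "<saml:AttributeValue>edr-admins</saml:AttributeValue>"
)
# The shape to avoid: both roles packed into a single value.
ASSERTION_BULK = assertion_with(
    "<saml:AttributeValue>edr-users,edr-admins</saml:AttributeValue>"
)


def roles_from_assertion(assertion_xml: str,
                         attribute_name: str = ATTRIBUTE_NAME,
                         mapping: dict = ROLE_MAPPING) -> list:
    """Map each AttributeValue of the configured attribute to a FortiEDR role.

    Values that match no mapped group are ignored, so a combined value
    such as 'edr-users,edr-admins' yields no role at all.
    """
    root = ET.fromstring(assertion_xml)
    values = [
        v.text.strip()
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == attribute_name
        for v in attr.iterfind("saml:AttributeValue", NS)
        if v.text
    ]
    return [mapping[v] for v in values if v in mapping]


if __name__ == "__main__":
    for key, value in extract_sp_fields(SP_METADATA).items():
        print(f"{key}: {value}")
    print("list-shaped assertion ->", roles_from_assertion(ASSERTION_LIST))
    print("bulk-shaped assertion ->", roles_from_assertion(ASSERTION_BULK))
```

Run it against the metadata file you actually downloaded by replacing SP_METADATA with the file's contents; the printed values should match what you enter into the IdP. The two assertion samples make the note under Role/Group Mapping concrete: the list-shaped assertion resolves to both roles, while the bulk-shaped one resolves to none, which is the symptom to look for if a user with several mapped groups ends up with no role after login.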

The examples below describe how the Azure, Okta or FortiAuthenticator SSO services can be used as an IdP that provides authentication and authorization for users attempting to access the FortiEDR Central Manager console. They demonstrate how to exchange metadata between the two entities, how to define group attributes and how to associate them with SAML users so that user permissions are dictated by the Role/Group Mapping in the FortiEDR SAML configuration.
