SAML authentication
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP).
FortiEDR can act as an SP to authenticate users with a third-party IdP, enabling transparent user sign-in to the FortiEDR Central Manager Console.
To set up SAML authentication in FortiEDR:
- Click the SAML Authentication button.
The following window displays:
- Click the Download button to download and save the SP metadata from FortiEDR. Your IdP uses this metadata during SAML authentication. Upload the downloaded file to your IdP server as is, using the IdP's standard import method.
If your IdP requires manual configuration, extract the following fields from the downloaded XML file and enter them in the IdP manually:
Field / Description
  - Entity ID: located under the md:EntityDescriptor tag, in the entityID attribute.
  - Logout Address Value: located under the md:SingleLogoutService tag, in the Location attribute.
  - Login Address Value: located under the md:AssertionConsumerService tag, in the Location attribute.
  - Certificate Value (Public): located under the ds:X509Certificate tag.
- Fill in the following fields:
Field / Definition
  - SAML Enabled: select this checkbox to enable SAML authentication in FortiEDR.
  - SSO URL: the URL that users use to log in to FortiEDR. If necessary, edit the suffix of this URL (shown in green) by clicking the Edit button and modifying it as needed. You can also copy the URL to the clipboard with the Copy button (for example, to email the FortiEDR SAML login page to your users). The suffix must not contain spaces and may consist only of letters, numbers and underscores.
  - IDP Description: a free-text description. For example, you may want to name the IdP server that you are using.
  - IDP Metadata: the IdP metadata to upload to FortiEDR, either as an XML file or as a URL. To upload a file, click the File radio button, then click Select File to navigate to and select the applicable *.XML file. To use a URL, click the URL radio button and specify the URL.
  - Attribute Name: the name of the SAML attribute that FortiEDR reads to determine the permissions and role assigned to the user. The identity provider must include this attribute in the response it sends to FortiEDR when a user attempts to log in.
  - Role/Group Mapping: the attribute value that maps to each of the User, Local Admin, Admin and API groups. You must specify a value for at least one of these roles. Each group corresponds to a different role in FortiEDR. If a user is mapped to more than one role, FortiEDR expects the IdP to send the roles as a list of separate attribute values in the SAML assertion, not combined into a single value.
- Click Save.
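The manual-configuration table above names four values that have to be copied out of the SP metadata when the IdP cannot import the file directly. The following Python script, added here as an example and not part of the FortiEDR product or its documentation, pulls those values from a SAML 2.0 EntityDescriptor. The embedded metadata is a constructed sample: the edr.example.com hostname, the paths and the certificate bytes are placeholders, not real FortiEDR output. The script only parses SP metadata you generated yourself; it does not validate signatures and is not meant for untrusted IdP input.

```python
# Added example (not FortiEDR code): extract the manual-configuration fields
# (Entity ID, logout and login addresses, signing certificate) from SAML 2.0
# SP metadata such as the file downloaded from the FortiEDR console.
import xml.etree.ElementTree as ET

# Namespaces behind the md: and ds: prefixes used in SAML metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata. Hostname, paths and the certificate body
# are placeholders and do not come from a real FortiEDR installation.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://edr.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIIBkTCB+wIJAKHBfpegEXAMPLEcert
            ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://edr.example.com/saml/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://edr.example.com/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_fields(metadata_xml: str) -> dict:
    """Return the four values an IdP admin types in when the metadata file cannot be uploaded as is."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")

    def location(tag: str) -> str:
        # find() returns the first matching endpoint; SP metadata may list
        # several bindings, so check the Binding attribute if yours does.
        el = root.find(f"./md:SPSSODescriptor/md:{tag}", NS)
        if el is None or "Location" not in el.attrib:
            raise ValueError(f"{tag} Location missing")
        return el.attrib["Location"]

    cert = root.find(
        "./md:SPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    if cert is None or not cert.text:
        raise ValueError("X509Certificate missing")
    # The certificate is base64 and usually line-wrapped; remove all whitespace
    # so it can be pasted into a single-line IdP certificate field.
    cert_b64 = "".join(cert.text.split())

    return {
        "Entity ID": root.attrib["entityID"],
        "Logout Address Value": location("SingleLogoutService"),
        "Login Address Value": location("AssertionConsumerService"),
        "Certificate Value (Public)": cert_b64,
    }


if __name__ == "__main__":
    for field, value in extract_sp_fields(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```

Run the script against the real downloaded file by replacing SAMPLE_SP_METADATA with its contents; the raising checks make a missing endpoint or certificate fail loudly rather than silently configuring the IdP with an empty value.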
The examples below describe how Azure, Okta or FortiAuthenticator SSO services can be used as an IdP that provides authentication and authorization for users attempting to access the FortiEDR Central Manager console. They demonstrate how to exchange metadata between the two entities, how to define group attributes, and how to associate them with SAML users so that user permissions are dictated by the Role/Group Mapping in the FortiEDR SAML configuration.
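The Role/Group Mapping described above depends on how the IdP encodes group membership in the assertion: one AttributeValue element per group is read correctly, while several groups concatenated into a single value are not. The following Python example, added here and not taken from FortiEDR or any of the IdP vendors, shows the two shapes side by side and resolves roles the way the mapping table implies. The attribute name FortiEDRRole, the edr-* group values and the two assertion fragments are constructed assumptions; the fragments omit the signature, Subject and Conditions, and a real SP must verify the response signature before trusting any attribute.

```python
# Added example (not FortiEDR code): resolve FortiEDR roles from the role
# attribute in an IdP assertion and show why multiple groups must arrive as
# separate AttributeValue elements rather than one joined string.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed "Attribute Name" field and Role/Group Mapping as configured in
# FortiEDR: FortiEDR role -> group value the IdP is expected to send.
ATTRIBUTE_NAME = "FortiEDRRole"
ROLE_MAPPING = {
    "User": "edr-users",
    "Local Admin": "edr-local-admins",
    "Admin": "edr-admins",
    "API": "edr-api",
}

# Constructed assertion fragment, correct shape: one AttributeValue per group.
ASSERTION_LIST = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="FortiEDRRole">
      <saml:AttributeValue>edr-users</saml:AttributeValue>
      <saml:AttributeValue>edr-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion fragment, wrong shape: groups joined into one value.
ASSERTION_BULK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="FortiEDRRole">
      <saml:AttributeValue>edr-users,edr-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str, name: str) -> list:
    """Return the text of every AttributeValue of the attribute called `name`, one entry per element."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        if attr.attrib.get("Name") == name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def resolve_roles(assertion_xml: str, mapping=ROLE_MAPPING, name=ATTRIBUTE_NAME) -> list:
    """Map each attribute value to a FortiEDR role by exact match; values that match nothing grant nothing."""
    role_by_value = {value: role for role, value in mapping.items()}
    matched = {role_by_value[v] for v in attribute_values(assertion_xml, name) if v in role_by_value}
    return sorted(matched)


if __name__ == "__main__":
    print("list form  ->", resolve_roles(ASSERTION_LIST))   # both roles resolved
    print("bulk form  ->", resolve_roles(ASSERTION_BULK))   # nothing matches "edr-users,edr-admins"
```

The bulk form yields no role at all, because the single string "edr-users,edr-admins" equals none of the configured mapping values; when an IdP is set to emit groups as a comma-separated list, switch it to emitting one value per group before troubleshooting the FortiEDR side.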