SAML SSO enables a single FortiGate device to act as the Identity Provider (IdP), while other FortiGate devices act as Service Providers (SP) and redirect administrator logins to the IdP.
SSO does not replicate administrator accounts: each administrator must still be granted access on every SP. When an administrator first logs in to an SP through SSO, the SP creates a temporary SSO administrator account with the no_access profile assigned, so the account can sign in but cannot view or change anything until a device administrator enables access for that account on that device. This has to be done for each account on each SP.
Following is an overview of the process:
- Configuring FGT_A as the IdP.
- Configuring FGT_B as an SP.
- Creating a new system administrator on the IdP (FGT_A).
- Logging in to FGT_B using SSO, which creates the temporary no_access account on FGT_B.
- Granting permissions to the new SSO administrator account on FGT_B.
- Logging in to FGT_B again using SSO.
You can also use the CLI. See CLI commands for SAML SSO.
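The steps above as one end-to-end CLI walk-through, so the order of operations and where each setting lives is visible in one place. This is an added example, not text from the original page or from Fortinet's CLI reference; the addresses (172.16.200.5 for FGT_A, 172.16.200.6 for FGT_B), the certificate names, the SP prefix fgtb, the administrator name sso_admin1 and the prof_admin profile are assumptions, and the option names are those of the `config system saml` and `config system sso-admin` trees in FortiOS 6.2 and later, so confirm them against the CLI reference for your release.

```fortios
# Step 1: FGT_A (172.16.200.5, assumed address) becomes the IdP.
# FGT_B's certificate must already be imported on FGT_A as a remote
# certificate (here assumed to be REMOTE_Cert_1). The prefix "fgtb" names
# the per-SP endpoints the IdP exposes under /saml-idp/<prefix>/.
config system saml
    set status enable
    set role identity-provider
    set cert "Fortinet_Factory"
    set server-address "172.16.200.5"
    config service-providers
        edit "FGT_B"
            set prefix "fgtb"
            set sp-cert "REMOTE_Cert_1"
            set sp-entity-id "http://172.16.200.6/metadata/"
            set sp-single-sign-on-url "https://172.16.200.6/saml/login/"
            set sp-single-logout-url "https://172.16.200.6/saml/logout/"
            set sp-portal-url "https://172.16.200.6/saml/login/"
        next
    end
end

# Step 2: FGT_B (172.16.200.6, assumed address) becomes an SP.
# FGT_A's certificate must be imported on FGT_B as a remote certificate
# (again assumed to be REMOTE_Cert_1). default-profile is what the
# temporary account created on first login receives; keep it at no_access.
config system saml
    set status enable
    set role service-provider
    set default-login-page sso
    set default-profile "no_access"
    set cert "Fortinet_Factory"
    set entity-id "http://172.16.200.6/metadata/"
    set single-sign-on-url "https://172.16.200.6/saml/login/"
    set single-logout-url "https://172.16.200.6/saml/logout/"
    set idp-entity-id "http://172.16.200.5/saml-idp/fgtb/metadata/"
    set idp-single-sign-on-url "https://172.16.200.5/saml-idp/fgtb/login/"
    set idp-single-logout-url "https://172.16.200.5/saml-idp/fgtb/logout/"
    set idp-cert "REMOTE_Cert_1"
    set server-address "172.16.200.6"
end

# Step 3: on FGT_A (the IdP), create the administrator who will use SSO.
# This is an ordinary local administrator; the IdP authenticates it.
config system admin
    edit "sso_admin1"
        set accprofile "prof_admin"
        set vdom "root"
        set password "<strong password>"
    next
end

# Step 4: sso_admin1 opens FGT_B's login page, is redirected to FGT_A,
# authenticates there, and is sent back. FGT_B now holds a temporary SSO
# administrator with the no_access profile. Confirm on FGT_B with:
#   show system sso-admin

# Step 5: on FGT_B, grant the SSO administrator real permissions.
# This is per account and per SP; nothing is propagated from the IdP.
config system sso-admin
    edit "sso_admin1"
        set accprofile "prof_admin"
        set vdom "root"
    next
end

# Step 6: sso_admin1 logs in to FGT_B again via SSO and now has prof_admin
# access. If the redirect or assertion fails, watch the SAML daemon on the
# device that rejects it:
#   diagnose debug application samld -1
#   diagnose debug enable
```

Two points worth checking after pasting this: the certificate each side names in `sp-cert` / `idp-cert` must be the other device's certificate as imported under System > Certificates (the assertion signature check fails silently otherwise), and `default-profile` on the SP should stay no_access so that a newly federated account cannot do anything until a local administrator explicitly grants it a profile in step 5.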