SAML SSO with pre-authorized FortiGates
You can set up SAML SSO authentication in a Security Fabric environment by starting with a root FortiGate that has one or more pre-authorized FortiGates.
After the initial configuration, you can add more downstream FortiGates to the Security Fabric, and they are automatically configured with default values for a Service Provider.
To set up basic SAML for Security Fabric:
- Log in to the root FortiGate of the Security Fabric.
- Go to Security Fabric > Settings, and join two pre-authorized FortiGates to the root FortiGate.
- Go to User & Device > SAML SSO.
- Beside Mode, select Identity Provider (IdP).
- In the IdP certificate list, select a valid local server certificate, and click Apply.
You can use one of the default Fortinet certificates, such as Fortinet_Factory, which is also the default server certificate for FortiGate admin login over HTTPS. Alternatively you can use a customized server certificate issued by a Company Root Certificate Authority (CA).
The following example shows a customized server certificate. Regardless of whether you use a default or custom certificate, ensure that the downstream FortiGate SPs trust the issuing CA .
- Go to Security Fabric > Settings.
- In the Topology area click a pre-authorized FortiGate, and select Customize.
The Customize pane appears on the right.
- In the Customize pane, click Specify, and type an IP address in the Management IP/FQDN box and a management port in the Management Port box, and then click OK.
This information is used to automatically configure SAML SSO on downstream FortiGates.
SAML requires that administrators can access the IP of each FortiGate by using a browser. The management IP specifies the publicly (or internally) accessible IP that the administrator can access by using a browser.
- Go to User & Device > SAML SSO, and select Identify Provider (IdP) to verify the new SAML SSO configuration on the root FortiGate IdP for downstream FortiGate SPs.
- Select Service Provider (SP) to verify the configuration for downstream FortiGates.
The Default login page option is set to Normal by default, which means that admin login screen on this FortiGate offers options for local system admin login and SAML SSO login.
In the Default admin profile option, you can select one of the preconfigured profiles that gives access to FortiGate. Alternately you can create a custom profile and select it. The default profile admin_no_access must be changed later for every SSO admin.
In the IdP Settings area, the IdP certificate option uses the REMOTE_CERT_1 as the server certificate for the root FortiGate.
In the SP certificate option, you can optionally select a server certificate to be used by downstream FortiGates as client certificates when connecting to the root FortiGate. For the root FortiGate, you can select a default Fortinet server certificate or a custom certificate.