Fortinet black logo

Cookbook

Manual SAML SSO configuration

Copy Link
Copy Doc ID fed12558-14f5-11e9-b86b-00505692583a:952688
Download PDF

Manual SAML SSO configuration

You can manually configure SAML SSO on FortiGate IdP and FortiGate SPs. It requires the following tasks:

  1. Manually configure SAML SSO on the root FortiGate IdP.
  2. Manually configure SAML SSO on FortiGate SPs.

In this case the FortiGate SP is not a member of the Security Fabric. Although the FortiGate SP is not part of the Security Fabric, it will use the root FortiGate IdP for SAML SSO authentication.

On the root FortiGate IdP, you can see the difference between a FortiGate SP that joined the Security Fabric and another FortiGate SP (FGT-184) that is not part of the Security Fabric:

To manually configure SAML SSO on the root FortiGate IdP:
  1. Go to User & Device > SAML SSO, and click Identity Provider (IdP).
  2. click Create New.

  3. In the Name box, type a descriptive name.
  4. Copy the Prefix to the clipboard to use later when you configure FortiGate SPs.

    The Prefix box is automatically populated with a unique value. A prefix is required when manually configuring SAML SSO on FortiGate SP. The root FortiGate IdP uses the Prefix value to track the status of multiple, downstream FortiGates.

  5. In the SP address box, type an IP address.

    The browser used by the SSO administrator must be able to reach the IP. You can add a specific port to the IP. Separate the IP address and port number with a colon, for example, 172.18.60.185:8443.

    The SP certificate toggle is optional. When enabled, the FortiGate SP requires a server certificate that is trusted by the root FortiGate IdP.

  6. Toggle on SAML Attribute.
  7. Beside Type, select Username.
  8. Click OK.
To manually configure SAML SSO on FortiGate SPs:
  1. Go to User & Device > SAML SSO, and click Service Provider (SP).

    The SP options are displayed.

  2. In the SP address box, type an IP address.

    This must be the same IP address that you specified on the FortiGate IdP.

    The SP certificate toggle is optional. When enabled, you must provide a local server certificate that is trusted by the root FortiGate IdP.

    The Default login page option is set to Normal by default. With the normal setting, administrators can choose between local system administrator login or SAML SSO login on FortiGate SPs. When you select Single Sign On, administrators can no longer log in to the GUI in a browser by using a local system administrator account.

    The Default admin profile option is set to admin_no_access by default. You can change the setting to any of the other default profiles available on the FortiGate or a custom profile created by a local administrator on the FortiGate SP.

  3. Beside IdP type, select Fortinet Product.

    You can select Custom when you want to change the default settings for IdP single-sign-on URL and IdP single logout URL, for example:

  4. In the Prefix option paste the value from the Prefix option on the root FortiGate IdP.
  5. In IdP certificate option, select the server certificate from the FortiGate IdP.

    If the certificate is not available locally on the FortiGate SP, you must click + Import the FortiGate IdP server certificate as REMOTE_CERT from local file system.

  6. Click OK.

Manual SAML SSO configuration

You can manually configure SAML SSO on FortiGate IdP and FortiGate SPs. It requires the following tasks:

  1. Manually configure SAML SSO on the root FortiGate IdP.
  2. Manually configure SAML SSO on FortiGate SPs.

In this case the FortiGate SP is not a member of the Security Fabric. Although the FortiGate SP is not part of the Security Fabric, it will use the root FortiGate IdP for SAML SSO authentication.

On the root FortiGate IdP, you can see the difference between a FortiGate SP that joined the Security Fabric and another FortiGate SP (FGT-184) that is not part of the Security Fabric:

To manually configure SAML SSO on the root FortiGate IdP:
  1. Go to User & Device > SAML SSO, and click Identity Provider (IdP).
  2. click Create New.

  3. In the Name box, type a descriptive name.
  4. Copy the Prefix to the clipboard to use later when you configure FortiGate SPs.

    The Prefix box is automatically populated with a unique value. A prefix is required when manually configuring SAML SSO on FortiGate SP. The root FortiGate IdP uses the Prefix value to track the status of multiple, downstream FortiGates.

  5. In the SP address box, type an IP address.

    The browser used by the SSO administrator must be able to reach the IP. You can add a specific port to the IP. Separate the IP address and port number with a colon, for example, 172.18.60.185:8443.

    The SP certificate toggle is optional. When enabled, the FortiGate SP requires a server certificate that is trusted by the root FortiGate IdP.

  6. Toggle on SAML Attribute.
  7. Beside Type, select Username.
  8. Click OK.
To manually configure SAML SSO on FortiGate SPs:
  1. Go to User & Device > SAML SSO, and click Service Provider (SP).

    The SP options are displayed.

  2. In the SP address box, type an IP address.

    This must be the same IP address that you specified on the FortiGate IdP.

    The SP certificate toggle is optional. When enabled, you must provide a local server certificate that is trusted by the root FortiGate IdP.

    The Default login page option is set to Normal by default. With the normal setting, administrators can choose between local system administrator login or SAML SSO login on FortiGate SPs. When you select Single Sign On, administrators can no longer log in to the GUI in a browser by using a local system administrator account.

    The Default admin profile option is set to admin_no_access by default. You can change the setting to any of the other default profiles available on the FortiGate or a custom profile created by a local administrator on the FortiGate SP.

  3. Beside IdP type, select Fortinet Product.

    You can select Custom when you want to change the default settings for IdP single-sign-on URL and IdP single logout URL, for example:

  4. In the Prefix option paste the value from the Prefix option on the root FortiGate IdP.
  5. In IdP certificate option, select the server certificate from the FortiGate IdP.

    If the certificate is not available locally on the FortiGate SP, you must click + Import the FortiGate IdP server certificate as REMOTE_CERT from local file system.

  6. Click OK.