New Features

Configuring single-sign-on in the Security Fabric 6.2.2

In FortiOS 6.2, you can configure single-sign-on settings in the Security Fabric GUI menu. Prior to FortiOS 6.2, these settings were configured in the User & Device GUI menu.

Note

Only the root FortiGate can be the identity provider (IdP). The downstream FortiGates can be configured as service providers (SP).

Configuring the root FortiGate

To configure the root FortiGate as the IdP:
  1. Log in to the root FortiGate.
  2. Go to Security Fabric > Settings.
  3. In the FortiGate Telemetry section, enable SAML Single Sign-On. The Mode field is automatically populated as Identity Provider (IdP).
  4. Enter an IP address in the Management IP/FQDN box.
  5. Enter a management port in the Management Port box.

    The Management IP/FQDN will be used by the SPs to redirect the login request. The Management IP/FQDN and Management Port must be reachable from the user's device.

  6. Select the IdP certificate.
  7. Click Apply.

Configuring a downstream FortiGate as an SP

Note

An SP must be a member of the Security Fabric before you configure it.

To configure the downstream FortiGate from the root FortiGate:
  1. Log in to the root FortiGate.
  2. Go to Security Fabric > Settings and locate the Topology section.
  3. Hover over a FortiGate and click Configure.

    The Configure pane opens.

  4. Enable SAML Single Sign-On. The Mode field is automatically populated as Service Provider (SP).
  5. Enter an IP address in the Management IP/FQDN box.
  6. Enter a management port in the Management Port box.

    The Management IP/FQDN is used by the IdP, and by the other SPs, to redirect logins to this SP. The Management IP/FQDN and Management Port must be reachable from the user's device.

  7. Select a Default login page option.
  8. Select one of the following Default admin profile types: prof_admin, super_admin, or super_admin_readonly. The no_access_admin profile is set as the default.
  9. Click OK.

To configure the downstream FortiGate within the device:
  1. Log in to the downstream FortiGate.
  2. Go to Security Fabric > Settings.
  3. In the FortiGate Telemetry section, enable SAML Single Sign-On. The Mode field is automatically populated as Service Provider (SP).
  4. Enter an IP address in the Management IP/FQDN box.
  5. Enter a management port in the Management Port box.

    The Management IP/FQDN is used by the IdP, and by the other SPs, to redirect logins to this SP. The Management IP/FQDN and Management Port must be reachable from the user's device.

  6. Select a Default login page option.
  7. Select one of the following Default admin profile types: prof_admin, super_admin, or super_admin_readonly. The no_access_admin profile is set as the default.
  8. Click OK.

Verifying the single-sign-on configuration

After you have logged in to a Security Fabric member using SSO, you can navigate to any other Security Fabric member that has SSO configured.

To navigate between Security Fabric members:
  1. Log in to a Security Fabric member that is using SSO.
  2. In the top banner, click the name of the device you are logged in to. A list of Security Fabric members displays.
  3. Click a Security Fabric member. The login page appears.
  4. Select the option to log in via Single-Sign-On.

    You are now logged in to the Security Fabric member with SSO. The letters "SSO" also display beside the user name in the top banner.

  5. Go to System > Administrators > Single-Sign-On Administrator to view the list of SSO admins created.
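The procedures above state three requirements that are easy to get wrong when a fabric has several SPs: only the root FortiGate is the IdP, every member's Management IP/FQDN and Management Port must be reachable from the admin's device (the browser follows the SAML redirects), and each SP's Default admin profile is what every SSO-created admin receives. The following added example, not Fortinet code, models the planned fabric as a small inventory and runs those checks before you click Apply; the member names, addresses, port numbers and certificate name are constructed, and the reachability probe is injectable so the check can also run offline.

```python
import socket
from typing import Callable, Dict, List

Member = Dict[str, object]
Probe = Callable[[str, int], bool]

# Profiles the SP "Default admin profile" setting can take (no_access_admin is the default).
VALID_PROFILES = {"no_access_admin", "prof_admin", "super_admin", "super_admin_readonly"}


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if host:port accepts a TCP connection from the device running this script."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_fabric(members: List[Member], probe: Probe = tcp_probe) -> List[str]:
    """Return a list of findings; an empty list means the SSO plan is consistent."""
    findings: List[str] = []
    idps = [m for m in members if m["mode"] == "idp"]
    if len(idps) != 1 or not idps[0].get("root"):
        findings.append("exactly one IdP is allowed, and it must be the root FortiGate")
    for m in members:
        name, host, port = m["name"], m["mgmt"], m["port"]
        # Management IP/FQDN and Management Port must be reachable from the admin's device.
        if not probe(host, port):
            findings.append(f"{name}: {host}:{port} is not reachable from this device")
        if m["mode"] == "idp" and not m.get("idp_cert"):
            findings.append(f"{name}: no IdP certificate selected")
        if m["mode"] == "sp":
            if not m.get("in_fabric"):
                findings.append(f"{name}: must join the Security Fabric before SSO is configured")
            profile = m.get("default_profile", "no_access_admin")
            if profile not in VALID_PROFILES:
                findings.append(f"{name}: unknown default admin profile {profile!r}")
            elif profile == "super_admin":
                # Every admin created through SSO on this SP inherits the default profile.
                findings.append(f"{name}: default profile super_admin gives every SSO login "
                                "full admin rights; prefer prof_admin or super_admin_readonly")
    return findings


# Constructed inventory: names, addresses, ports and the certificate name are made up.
FABRIC: List[Member] = [
    {"name": "fgt-root", "mode": "idp", "root": True, "mgmt": "fgt-root.example.net", "port": 443, "idp_cert": "fabric-idp-cert"},
    {"name": "fgt-branch1", "mode": "sp", "in_fabric": True, "mgmt": "10.0.1.1", "port": 443, "default_profile": "super_admin_readonly"},
    {"name": "fgt-branch2", "mode": "sp", "in_fabric": True, "mgmt": "10.0.2.1", "port": 8443, "default_profile": "super_admin"},
]

if __name__ == "__main__":
    for line in check_fabric(FABRIC) or ["no findings"]:
        print(line)
```

Run it from the workstation the administrators actually use, since that is the device the redirects must reach.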
