When Security Fabric is enabled, the root FortiGate will be configured as the Identify Provider (IdP) by default. When added to the Security Fabric, downstream FortiGates will automatically be configured as Service Providers (SP) and provided all the links required for SAML communication. Administrators must still be authorized on each device, but log in credentials are shared between devices. Once authorized, an administrator can move between fabric devices without logging in again.
Optionally, the downstream FortiGate can also be manually configured as an SP and then linked to the root FortiGate. See SAML SSO for instructions.
The authentication service is provided by the root FortiGate using local system admin accounts for authentication. Any of the administrator account types can be used for SAML log in. After successful authentication, the administrator logs in to the first downstream FortiGate SP (see SAML SSO), and can then connect to other downstream FortiGates that have the SSO account properly configured, without needing to provide credentials again.