Configuring single-sign-on in the Security Fabric 6.2.2
In FortiOS 6.2, you can configure single-sign-on settings in the Security Fabric GUI menu. Prior to FortiOS 6.2, these settings were configured in the User & Device GUI menu.
Only the root FortiGate can be the identity provider (IdP). The downstream FortiGates can be configured as service providers (SP).
Configuring the root FortiGate
To configure the root FortiGate as the IdP:
- Log in to the root FortiGate.
- Go to Security Fabric > Settings.
- In the FortiGate Telemetry section, enable SAML Single Sign-On. The Mode field is automatically populated as Identity Provider (IdP).
- Enter an IP address in the Management IP/FQDN box.
- Enter a management port in the Management Port box.
The Management IP/FQDN will be used by the SPs to redirect the login request. The Management IP/FQDN and Management Port must be reachable from the user's device.
- Select the IdP certificate.
- Click Apply.
Configuring a downstream FortiGate as an SP
An SP must be a member of the Security Fabric before you configure it.
To configure the downstream FortiGate from the root FortiGate:
- Log in to the root FortiGate.
- Go to Security Fabric > Settings and locate the Topology section.
- Hover over a FortiGate and click Configure.
The Configure pane opens.
- Enable SAML Single Sign-On. The Mode field is automatically populated as Service Provider (SP).
- Enter an IP address in the Management IP/FQDN box.
- Enter a management port in the Management Port box.
The Management IP/FQDN will be used by the IdP, and by the other SPs so that they can redirect to each other. The Management IP/FQDN and Management Port must be reachable from the user's device.
- Select a Default login page option.
- Select one of the following Default admin profile types: prof_admin, super_admin, or super_admin_readonly. The no_access_admin profile is set as the default.
- Click OK.
To configure the downstream FortiGate within the device:
- Log in to the downstream FortiGate.
- Go to Security Fabric > Settings.
- In the FortiGate Telemetry section, enable SAML Single Sign-On. The Mode field is automatically populated as Service Provider (SP).
- Enter an IP address in the Management IP/FQDN box.
- Enter a management port in the Management Port box.
The Management IP/FQDN will be used by the IdP, and by the other SPs so that they can redirect to each other. The Management IP/FQDN and Management Port must be reachable from the user's device.
- Select a Default login page option.
- Select one of the following Default admin profile types: prof_admin, super_admin, or super_admin_readonly. The no_access_admin profile is set as the default.
- Click OK.
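The constraints in the IdP and SP procedures above (one IdP and it must be the root, SPs must already be Fabric members, a Management IP/FQDN and port that the user's device can reach, a default admin profile from the listed set) can be checked before you start clicking. The following script is an added example, not part of the FortiOS documentation or product; the FabricMember fields, the placeholder addresses and the probe hook are assumptions made for the illustration.

```python
# Added example (not from the FortiOS documentation): audit a planned
# Security Fabric SAML SSO layout against the rules described on this page.
import socket
from dataclasses import dataclass
from typing import Callable, List

# Profiles the GUI offers for "Default admin profile"; no_access_admin is the default.
ALLOWED_PROFILES = {"prof_admin", "super_admin", "super_admin_readonly", "no_access_admin"}

@dataclass
class FabricMember:           # hypothetical planning record, not a FortiOS object
    name: str
    is_root: bool
    in_fabric: bool           # SPs must already be Security Fabric members
    sso_mode: str             # "idp" or "sp"
    mgmt_host: str            # Management IP/FQDN entered in the GUI
    mgmt_port: int            # Management Port entered in the GUI
    default_profile: str = "no_access_admin"

def audit_fabric_sso(members: List[FabricMember]) -> List[str]:
    """Return findings; an empty list means the plan follows the page's rules."""
    findings = []
    idps = [m for m in members if m.sso_mode == "idp"]
    if len(idps) != 1 or not idps[0].is_root:
        findings.append("exactly one IdP is allowed and it must be the root FortiGate")
    for m in members:
        if m.sso_mode == "sp" and not m.in_fabric:
            findings.append(f"{m.name}: join the Security Fabric before configuring it as an SP")
        if not m.mgmt_host or not (1 <= m.mgmt_port <= 65535):
            findings.append(f"{m.name}: Management IP/FQDN and a valid Management Port are required")
        if m.default_profile not in ALLOWED_PROFILES:
            findings.append(f"{m.name}: unknown default admin profile {m.default_profile!r}")
        elif m.sso_mode == "sp" and m.default_profile == "super_admin":
            # Least-privilege review point, not a rule from the page: every SSO admin
            # created on this SP would receive full administrative rights by default.
            findings.append(f"{m.name}: super_admin as the default SSO profile; review")
    return findings

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Run from the user's device: can it open a TCP connection to the management endpoint?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def unreachable_endpoints(members: List[FabricMember],
                          probe: Callable[[str, int], bool] = tcp_reachable) -> List[str]:
    """Names of members whose Management IP/FQDN:port the probe cannot reach."""
    return [m.name for m in members if not probe(m.mgmt_host, m.mgmt_port)]

if __name__ == "__main__":
    # Constructed sample plan: the addresses are documentation placeholders, not real devices.
    plan = [FabricMember("root-fgt", True, True, "idp", "192.0.2.1", 443),
            FabricMember("branch-fgt", False, True, "sp", "192.0.2.2", 443, "prof_admin")]
    for finding in audit_fabric_sso(plan):
        print("finding:", finding)
```

Run it on the user's device (not on the FortiGate) so the reachability probe reflects the path the SAML redirects will actually take.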
Verifying the single-sign-on configuration
After you have logged in to a Security Fabric member using SSO, you can navigate between all Security Fabric members that have SSO configured.
To navigate between Security Fabric members:
- Log in to a Security Fabric member that is using SSO.
- In the top banner, click the name of the device you are logged in to. A list of Security Fabric members is displayed.
- Click a Security Fabric member. The login page appears.
- Select the option to log in via Single-Sign-On.
You are now logged in to the Security Fabric member with SSO. The letters "SSO" are also displayed beside the user name in the top banner.
- Go to System > Administrators > Single-Sign-On Administrator to view the list of SSO admins created.