SAML SSO enables a single FortiGate device to act as the identity provider (IdP), while other FortiGate devices act as service providers (SP) and redirect logins to the IdP.
Only the root FortiGate can be the identity provider (IdP). The downstream FortiGates can be configured as service providers (SP).
The process is as follows:
- Configuring the root FortiGate as the IdP
- Configuring a downstream FortiGate as an SP
- Configuring certificates for SAML SSO
- Verifying the single-sign-on configuration
You can also use the CLI. See CLI commands for SAML SSO.