When a FortiGate is configured as the SAML SSO IdP, FortiAnalyzer can register itself as the SP (FortiAnalyzer must be running version 6.4.0). Once registered, FortiAnalyzer will be added automatically to the Security Fabric navigation in FortiOS. A similar dropdown navigation is displayed in FortiAnalyzer where users can navigate to the FortiGate using SAML SSO.
The following example assumes the root FortiGate (FGTA-1, server address 172.17.48.225:4431) has been configured as the SAML SSO IdP, and FortiAnalyzer logging has been enabled in the Security Fabric settings.
To register FortiAnalyzer as a Fabric SP in the GUI:
- In FortiAnalyzer, go to System Settings > Admin > SAML SSO.
- For Single Sign-On Mode, select Fabric SP and enter the SP Address.
- Click Apply.
FortiAnalyzer automatically registers itself on the FortiGate as an appliance and appears in the IdP's list of SPs. To view the list in FortiOS, go to Security Fabric > Fabric Connectors, edit the Security Fabric Setup connector, then click Advanced Options.
To register FortiAnalyzer as a Fabric SP in the CLI:
- In FortiAnalyzer, enable the device as a Fabric SP:
    config system saml
        set status enable
        set role FAB-SP
        set server-address "172.17.48.225:4253"
    end
FortiAnalyzer registers itself on the FortiGate as an appliance. To view the resulting SP entry in FortiOS:
    show system saml
    config service-providers
        edit "appliance_172.17.48.225:4253"
            set prefix "csf_p0m9dvltwt28r3gt87runs2nb929mwz"
            set sp-entity-id "http://172.17.48.225:4253/metadata/"
            set sp-single-sign-on-url "https://172.17.48.225:4253/saml/?acs"
            set sp-single-logout-url "https://172.17.48.225:4253/saml/?sls"
            set sp-portal-url "https://172.17.48.225:4253/saml/login/"
            config assertion-attributes
                edit "username"
                next
                edit "profilename"
                    set type profile-name
                next
            end
        next
    end
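Because the SP entry above is created automatically, an operator has no GUI step at which to confirm that the auto-registered endpoints really point at the FortiAnalyzer they intended, and over HTTPS. The following script is an added example, not part of this page or of Fortinet's products: it parses `show system saml` output from the FortiGate IdP and checks each `service-providers` entry against the expected SP address. The sample dump is constructed to mirror the page's output (the `config system saml` wrapper is assumed, as a full dump would include it); the function names `parse_fortios_config` and `audit_service_providers` are hypothetical.

```python
import shlex
from urllib.parse import urlparse


def parse_fortios_config(text):
    """Parse FortiOS 'show' output into nested dicts.

    'config <table>' and 'edit "<name>"' open a nested dict, 'set <key> <value>'
    stores a string setting, and 'next' / 'end' close the current level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        cmd = parts[0]
        if cmd in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(parts[1:]), {})
            stack.append(child)
        elif cmd == "set":
            stack[-1][parts[1]] = " ".join(parts[2:])
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def find_table(node, name):
    """Return the first nested table called `name`, searching depth-first."""
    if not isinstance(node, dict):
        return None
    if isinstance(node.get(name), dict):
        return node[name]
    for value in node.values():
        found = find_table(value, name)
        if found is not None:
            return found
    return None


def check_service_provider(name, sp, expected_server):
    """Return findings for one SP entry (an empty list means it looks right).

    expected_server is the FortiAnalyzer host:port configured as the SP address.
    Every endpoint the IdP hands the browser should use HTTPS and point at that
    host, so a SAML assertion is never posted anywhere else.
    """
    findings = []
    for key in ("sp-single-sign-on-url", "sp-single-logout-url", "sp-portal-url"):
        url = sp.get(key)
        if url is None:
            findings.append(f"{name}: {key} is missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{name}: {key} is not HTTPS ({url})")
        if parsed.netloc != expected_server:
            findings.append(f"{name}: {key} points at {parsed.netloc}, expected {expected_server}")
    # The entity ID is an identifier rather than an endpoint, so only host:port is compared.
    if urlparse(sp.get("sp-entity-id", "")).netloc != expected_server:
        findings.append(f"{name}: sp-entity-id does not name {expected_server}")
    attrs = sp.get("assertion-attributes", {})
    if "username" not in attrs:
        findings.append(f"{name}: assertion attribute 'username' is missing")
    if attrs.get("profilename", {}).get("type") != "profile-name":
        findings.append(f"{name}: 'profilename' attribute is missing or not of type profile-name")
    return findings


def audit_service_providers(show_output, expected_server):
    """Map each SP entry name in a 'show system saml' dump to its findings."""
    table = find_table(parse_fortios_config(show_output), "service-providers") or {}
    return {name: check_service_provider(name, sp, expected_server)
            for name, sp in table.items()}


# Constructed sample modelled on the page's 'show system saml' output.
SAMPLE_SHOW_OUTPUT = """\
config system saml
    config service-providers
        edit "appliance_172.17.48.225:4253"
            set prefix "csf_p0m9dvltwt28r3gt87runs2nb929mwz"
            set sp-entity-id "http://172.17.48.225:4253/metadata/"
            set sp-single-sign-on-url "https://172.17.48.225:4253/saml/?acs"
            set sp-single-logout-url "https://172.17.48.225:4253/saml/?sls"
            set sp-portal-url "https://172.17.48.225:4253/saml/login/"
            config assertion-attributes
                edit "username"
                next
                edit "profilename"
                    set type profile-name
                next
            end
        next
    end
end
"""

if __name__ == "__main__":
    for name, findings in audit_service_providers(SAMPLE_SHOW_OUTPUT, "172.17.48.225:4253").items():
        print(name, "OK" if not findings else findings)
```

Run it against a dump captured from the IdP and the expected FortiAnalyzer address; any entry whose ACS, SLO or portal URL is not HTTPS or names a different host:port is reported, as is a missing `username` or `profilename` assertion attribute.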
To navigate from FortiOS to FortiAnalyzer using SAML SSO:
- Log in to the root FortiGate.
- In the toolbar, click the device name to display the Security Fabric members dropdown.
- Hover over the FortiAnalyzer and click Login.
- Log in to the FortiAnalyzer using SAML SSO.
- In the toolbar, click the Security Fabric members dropdown to navigate between other FortiGates.