
Administration Guide

Integrating FortiAnalyzer management using SAML SSO

When a FortiGate is configured as the SAML SSO IdP, FortiAnalyzer can register itself as the SP (FortiAnalyzer must be running version 6.4.0). Once registered, FortiAnalyzer will be added automatically to the Security Fabric navigation in FortiOS. A similar dropdown navigation is displayed in FortiAnalyzer where users can navigate to the FortiGate using SAML SSO.

The following example assumes the root FortiGate (FGTA-1, server address 172.17.48.225:4431) has been configured as the SAML SSO IdP, and FortiAnalyzer logging has been enabled in the Security Fabric settings.

To enable FortiAnalyzer as a Fabric SP in the GUI:
  1. In FortiAnalyzer, go to System Settings > Admin > SAML SSO.
  2. For Single Sign-On Mode, click Fabric SP and enter the SP Address.

  3. Click Apply.

    FortiAnalyzer will automatically register itself on the FortiGate as an appliance visible in the list of SPs. Go to Security Fabric > Fabric Connectors, edit the Security Fabric Setup connector, then click Advanced Options to view the list of SPs.

To enable FortiAnalyzer as a Fabric SP in the CLI:
  1. In FortiAnalyzer, enable the device as a Fabric SP:
    config system saml
        set status enable
        set role FAB-SP
        set server-address "172.17.48.225:4253"
    end

    FortiAnalyzer will register itself on the FortiGate as an appliance. To view the configuration in FortiOS:

    show system saml
        config service-providers
            edit "appliance_172.17.48.225:4253"
                set prefix "csf_p0m9dvltwt28r3gt87runs2nb929mwz"
                set sp-entity-id "http://172.17.48.225:4253/metadata/"
                set sp-single-sign-on-url "https://172.17.48.225:4253/saml/?acs"
                set sp-single-logout-url "https://172.17.48.225:4253/saml/?sls"
                set sp-portal-url "https://172.17.48.225:4253/saml/login/"
                config assertion-attributes
                    edit "username"
                    next
                    edit "profilename"
                        set type profile-name
                    next
                end
            next
        end
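
Because the SP registration happens automatically, a periodic audit of the FortiGate's registered SP list against the appliances you expect is a sensible control. The following is an added example, not part of the Fortinet guide: it parses the FortiOS service-provider block shown above and flags entries outside an allowlist of expected FortiAnalyzer host:port values, or whose SP URLs point at a different host or are not HTTPS. The sample text is constructed from the page's output; the allowlist and the consistency rules are assumptions of the example.

```python
from urllib.parse import urlparse

# Constructed sample: the "show system saml" service-provider entry from the page above.
SAMPLE = """config service-providers
    edit "appliance_172.17.48.225:4253"
        set prefix "csf_p0m9dvltwt28r3gt87runs2nb929mwz"
        set sp-entity-id "http://172.17.48.225:4253/metadata/"
        set sp-single-sign-on-url "https://172.17.48.225:4253/saml/?acs"
        set sp-single-logout-url "https://172.17.48.225:4253/saml/?sls"
        set sp-portal-url "https://172.17.48.225:4253/saml/login/"
        config assertion-attributes
            edit "profilename"
                set type profile-name
            next
        end
    next
end
"""
URL_KEYS = ("sp-entity-id", "sp-single-sign-on-url", "sp-single-logout-url", "sp-portal-url")

def parse_service_providers(text):
    # Map SP name -> {key: value} for the flat 'set' lines of each 'edit' entry;
    # nested sub-blocks such as 'config assertion-attributes' are skipped.
    sps, current, depth = {}, None, 0
    for line in text.splitlines():
        s = line.strip()
        if s.startswith('edit "') and depth == 0:
            current = s[6:-1]; sps[current] = {}
        elif s.startswith("config ") and current:
            depth += 1                        # entering a nested sub-block
        elif s == "end" and depth:
            depth -= 1
        elif s == "next" and depth == 0:
            current = None
        elif s.startswith("set ") and current and depth == 0:
            key, _, val = s[4:].partition(" ")
            sps[current][key] = val.strip('"')
    return sps

def audit_service_providers(sps, expected_hosts):
    # expected_hosts: assumed allowlist of FortiAnalyzer host:port values you registered yourself.
    findings = []
    for name, cfg in sps.items():
        host = name.removeprefix("appliance_")
        if host not in expected_hosts:
            findings.append(f"{name}: not an expected FortiAnalyzer SP")
        for key in URL_KEYS:
            url = urlparse(cfg.get(key, ""))
            if url.netloc != host:               # URL must point at the SP's own host:port
                findings.append(f"{name}: {key} host {url.netloc!r} != {host!r}")
            elif key != "sp-entity-id" and url.scheme != "https":
                findings.append(f"{name}: {key} is not https")
    return findings
```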

To navigate between devices using SAML SSO:
  1. Log in to the root FortiGate.
  2. In the toolbar, click the device name to display the Security Fabric members dropdown.
  3. Hover over the FortiAnalyzer and click Login.

  4. Log in to the FortiAnalyzer using SAML SSO.
  5. In the toolbar, click the Security Fabric members dropdown to navigate between other FortiGates.
