
Administration Guide

Navigating between Security Fabric members with SSO

After you have logged in to a Security Fabric member by using SSO, you can navigate to any other Security Fabric member that has SSO configured. This can be done using the Security Fabric members dropdown menu, or by logging in to a FortiGate SP from the root FortiGate IdP.

Security Fabric members dropdown

The Security Fabric members dropdown menu allows you to easily switch between all FortiGate devices that are connected to the Security Fabric. You can also use this menu to customize a FortiGate in the Security Fabric.

To navigate between Security Fabric members:
  1. Log in to a Security Fabric member by using SSO.
  2. In the top banner, click the name of the device you are logged into with SSO.

    A list of Security Fabric members is displayed.

  3. Click the Security Fabric member.

    You are logged in to the Security Fabric member without further authentication.

To customize a FortiGate in the Security Fabric:
  1. In the Security Fabric members dropdown menu, hover the cursor over a FortiGate so the tooltip is shown.
  2. Click Configure. The Configure pane opens.

  3. Edit the settings as required.
  4. Click OK.

Logging in to an SP from the root IdP

The following example describes how to log in to the root FortiGate IdP and then navigate to other FortiGate SPs in the Security Fabric without further authentication. In this example, the local administrator account on the root FortiGate is named test3; an SSO administrator account with the same name must also exist on every downstream FortiGate SP. Different tabs of the same browser are used to log in to the various FortiGates.

To log in to a FortiGate SP from a root FortiGate IdP:
  1. Log in to the root FortiGate IdP by using the local administrator account.

    In this example, the local administrator account is named test3.

  2. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  3. In the Topology tree, click one of the downstream FortiGate SPs, and select Login to <name of FortiGate>.

    The login screen is displayed.

  4. In the login screen, select Single Sign-On.

FortiGate uses the cookie that your browser already holds for the authenticated SSO administrator to log you in to the downstream FortiGate SP as that SSO administrator. In this example, the SSO administrator name is test3.

  5. While still logged into the root FortiGate IdP in your browser, go to the browser tab for the root FortiGate IdP, and log in to another FortiGate SP that is displayed on the Security Fabric pane in the GUI.

SAML SSO login relies on the SAML_IDP session cookie that your browser holds for an already authenticated administrator; the browser presents this cookie to the root FortiGate IdP, which authenticates you to the SP. If the browser cache is cleared manually, or you close the browser, the cookie is gone and you must authenticate again.

Tip

It is possible to log in to one downstream FortiGate SP in a Security Fabric, and then open another tab in your browser to connect to another FortiGate SP that is not a member of the Security Fabric.

This is useful when the SSO administrator and the local system administrator on the FortiGate SP share the same login name but are two different accounts.
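The requirement above (an SSO administrator with the same name on every downstream SP) and the tip about an SSO administrator and a local administrator sharing a name are both visible in the SP's CLI configuration. The following fragment is an added illustration and is not taken from this guide; the account name test3 matches the example, while the profile names super_admin and admin_no_access are the built-in profiles and the vdom name root is an assumption. The IdP-side SAML values (entity ID, sign-on URLs, certificate) are omitted here because they are specific to the deployment.

```fortios
# Downstream FortiGate SP (illustrative fragment, not from the guide).
# Assumptions: SP is already a Security Fabric member with SAML enabled in the
# service-provider role; vdom "root"; profile names are the built-in profiles.

# SAML SP role. "default-login-page normal" keeps the local login form as the
# default and shows Single Sign-On as a selectable option (the step-4 login
# screen); "default-profile" is applied to SSO users with no sso-admin entry.
config system saml
    set status enable
    set role service-provider
    set default-login-page normal
    set default-profile "admin_no_access"
end

# The SSO administrator that the name asserted by the root IdP must match.
# This is a separate table from "config system admin": an sso-admin named
# test3 and a local admin named test3 are two different accounts with
# independently assigned access profiles.
config system sso-admin
    edit "test3"
        set accprofile "super_admin"
        set vdom "root"
    next
end

# Check before relying on SSO navigation: confirm which of the two tables
# holds test3 on each SP. A missing sso-admin entry means the SSO login
# falls back to the default profile above, not to the local admin's rights.
show system admin test3
show system sso-admin test3
```

Run the two show commands on every downstream SP that should be reachable from the root IdP; an SP that lacks the sso-admin entry will accept the SSO login only with the default-profile permissions, even though a local account of the same name exists.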
