Integrating FortiAnalyzer management using SAML SSO

When a FortiGate acting as a Security Fabric root is configured as a SAML SSO identity provider (IdP), the FortiAnalyzer in that Security Fabric can register itself as a service provider (SP). Enabling a single setting on the FortiAnalyzer is enough: once an administrator has authenticated to the root FortiGate, Fabric SSO grants access to the FortiAnalyzer without a separate login. When signed in using SSO, the FortiAnalyzer shows a Security Fabric navigation dropdown for moving directly to the FortiGates in the Fabric.

To enable FortiAnalyzer as a Fabric SP in the GUI:
  1. On the root FortiGate, go to Security Fabric > Physical Topology or Logical Topology.
  2. In the topology, click the FortiAnalyzer icon and select Login to FortiAnalyzer.

  3. Enter the credentials to log in. A Security Fabric must be configured with the Fabric devices listed under the Fabric name.
    1. Go to Device Manager to verify the Fabric setup. There is an asterisk beside the root FortiGate.

  4. Edit the FortiAnalyzer SAML SSO settings:

    1. Go to System Settings > Admin > SAML SSO.
    2. For Single Sign-On Mode, select Fabric SP and enter the address to access the FortiAnalyzer in Server Address.

    3. Click Apply and log out of the FortiAnalyzer. The FortiAnalyzer automatically registers itself on the FortiGate and appears as an appliance in the FortiGate's list of SPs.

  5. Verify that the FortiAnalyzer registration was successful:
    1. In FortiOS, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. In the SAML Single Sign-On section, click Advanced Options. The Service Providers table should contain an entry for the FortiAnalyzer (appliance_192.168.1.103).

  6. Log in to the FortiAnalyzer. There is a new option to Login with Fabric Single Sign-On.

  7. Click Login with Fabric Single Sign-On. A dialog appears to select a Fabric IdP.

  8. Select a FortiGate. The ADOM containing that FortiGate opens.

To enable FortiAnalyzer as a Fabric SP in the CLI:
  1. In FortiAnalyzer, enable the device as a Fabric SP:
    config system saml
        set status enable
        set role FAB-SP
        set server-address ""
    end

    FortiAnalyzer will register itself on the FortiGate as an appliance.
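The verification in step 5 can also be scripted against the root FortiGate's configuration. The following is an added example, not code from this page or from Fortinet: it assumes the SAML configuration has been fetched as JSON (for instance from the FortiGate REST API) in the shape sketched by the constructed sample below, with the SP field names mirroring the CLI object. It confirms that the expected appliance_<address> entry exists, that every SP URL uses HTTPS and points at the FortiAnalyzer host, and it flags any registered SP that is not part of the known Fabric, since each registered SP is a destination the IdP will send assertions to.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the root FortiGate's "system saml" object (assumed shape).
# The second SP is deliberately one the Fabric does not know about.
SAMPLE_RESPONSE = json.dumps({"results": {
    "status": "enable",
    "role": "identity-provider",
    "service-providers": [
        {"name": "appliance_192.168.1.103",
         "sp-entity-id": "https://192.168.1.103/metadata/",
         "sp-single-sign-on-url": "https://192.168.1.103/saml/?acs",
         "sp-single-logout-url": "https://192.168.1.103/saml/?sls"},
        {"name": "appliance_203.0.113.9",
         "sp-entity-id": "https://203.0.113.9/metadata/",
         "sp-single-sign-on-url": "https://203.0.113.9/saml/?acs",
         "sp-single-logout-url": "https://203.0.113.9/saml/?sls"},
    ]}})

URL_KEYS = ("sp-entity-id", "sp-single-sign-on-url", "sp-single-logout-url")


def find_fabric_sp(saml_json, faz_address):
    """Return the SP entry registered for faz_address, or None if it is absent."""
    cfg = json.loads(saml_json)
    for sp in cfg.get("results", {}).get("service-providers", []):
        if sp.get("name") == f"appliance_{faz_address}":
            return sp
    return None


def check_sp_urls(sp, faz_address):
    """List problems with an SP's URLs; an empty list means they all point at faz_address over HTTPS."""
    problems = []
    for key in URL_KEYS:
        url = sp.get(key, "")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key}: not https ({url!r})")
        if parsed.hostname != faz_address:
            problems.append(f"{key}: host {parsed.hostname!r} != {faz_address!r}")
    return problems


def audit_fabric_sps(saml_json, expected_addresses):
    """Compare registered SPs with the Fabric's known FortiAnalyzer addresses."""
    cfg = json.loads(saml_json)
    sps = {sp["name"]: sp for sp in cfg["results"]["service-providers"]}
    expected = {f"appliance_{a}": a for a in expected_addresses}
    return {
        "unexpected": sorted(set(sps) - set(expected)),
        "missing": sorted(set(expected) - set(sps)),
        "bad": {n: check_sp_urls(sps[n], a) for n, a in expected.items()
                if n in sps and check_sp_urls(sps[n], a)},
    }
```

Run audit_fabric_sps with the list of FortiAnalyzer addresses that actually belong to the Fabric; any "unexpected" name deserves a look at who registered it and when.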