Allowing the FortiGate to override FortiCloud SSO administrator user permissions
The FortiGate can allow single sign-on (SSO) from FortiCloud and FortiCloud IAM users with administrator profiles inherited from FortiCloud or overridden locally by the FortiGate. Similarly, users accessing the FortiGate remotely from FortiGate Cloud can have their permissions inherited or overridden by the FortiGate.
To enable FortiCloud SSO in the GUI:
- Go to System > Settings.
- In the Single Sign-On section, enable FortiCloud SSO.
- Set the default Administrator profile to assign: Inherit from FortiCloud, or Specify and select a profile from the dropdown.
- Click Apply.
To enable FortiCloud SSO in the CLI:
    config system global
        set admin-forticloud-sso-login enable
        set admin-forticloud-sso-default-profile <profile>
    end
The following administrator profiles are assigned based on the inherited or overridden permissions:

| User type | Inherited from FortiCloud/FortiGate Cloud | Specify |
|---|---|---|
| FortiCloud | Uses the super_admin profile. | Local user profile |
| FortiCloud IAM | Is based on the IAM permission profile's FortiOS SSO portal settings (for example, Read Only access maps to the super_admin_readonly profile). | Local user profile |
| FortiGate Cloud subscription tier | Uses the super_admin profile. | Local user profile |
| FortiGate Cloud free tier | Has read-only access. | Cannot override |
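Because every FortiCloud and paid FortiGate Cloud login that inherits its permissions lands on super_admin, it is worth checking a FortiGate's configuration for who actually holds that profile. The following script is an added example, not Fortinet's code: it parses the text form of a FortiOS configuration (the output of `show` or a configuration backup) and reports whether FortiCloud SSO login is enabled, which default profile new SSO logins receive, and every SSO administrator whose effective profile is super_admin. The two `config system global` settings are the ones shown above; the `config system sso-admin` table with an `accprofile` attribute, and the treatment of an absent default-profile setting as "Inherit from FortiCloud", are assumptions about how FortiOS stores these objects, and the sample configuration is constructed rather than captured from a device.

```python
"""Audit FortiCloud SSO administrator privileges in a FortiOS configuration dump.

Added example, not Fortinet's code. The `config system global` keys come from
the documentation; `config system sso-admin` / `accprofile` is an ASSUMPTION
about where locally overridden SSO admins live. Adjust if your firmware differs.
"""
import shlex

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
#config-version=FGT-example
config system global
    set admin-forticloud-sso-login enable
    set admin-forticloud-sso-default-profile "super_admin"
end
config system sso-admin
    edit "alice@example.com"
        set accprofile "prof_admin"
    next
    edit "bob@example.com"
        set accprofile "super_admin"
    next
    edit "carol@example.com"
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS CLI text into {section path: {entry name or None: {key: value}}}.

    Attributes set directly in a section (no `edit`) are stored under the key None.
    A config block nested inside an entry is keyed as "<entry>/<block>" so that
    nested blocks belonging to different entries stay separate.
    """
    tree = {}
    sections = []   # stack of section names, e.g. ["system global"]
    entries = []    # entry that was open when each nested config block started
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the quotes FortiOS puts around values
        cmd, args = tokens[0], tokens[1:]
        path = " ".join(sections)
        if cmd == "config":
            name = " ".join(args)
            if entry is not None:
                name = f"{entry}/{name}"
            entries.append(entry)
            entry = None
            sections.append(name)
            tree.setdefault(" ".join(sections), {})
        elif cmd == "edit":
            entry = args[0]
            tree[path].setdefault(entry, {})
        elif cmd == "set":
            tree[path].setdefault(entry, {})[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            sections.pop()
            entry = entries.pop()
    return tree


def audit_sso_admins(tree):
    """Return (sso_enabled, default_profile, findings).

    findings lists (admin, profile, reason) for SSO administrators that end up
    with super_admin. The pseudo-admin "<new SSO logins>" stands for accounts
    that do not exist yet and would be created with the default profile.
    """
    glob = tree.get("system global", {}).get(None, {})
    enabled = glob.get("admin-forticloud-sso-login") == "enable"
    # ASSUMPTION: no explicit default profile means "Inherit from FortiCloud",
    # which the documentation says is super_admin for FortiCloud accounts.
    default_profile = glob.get("admin-forticloud-sso-default-profile") or "super_admin"
    findings = []
    if not enabled:
        return enabled, default_profile, findings
    if default_profile == "super_admin":
        findings.append(("<new SSO logins>", default_profile, "default profile"))
    for name, attrs in tree.get("system sso-admin", {}).items():
        if name is None:
            continue
        if "accprofile" in attrs:
            profile, reason = attrs["accprofile"], "local override"
        else:
            profile, reason = default_profile, "inherits default"
        if profile == "super_admin":
            findings.append((name, profile, reason))
    return enabled, default_profile, findings


def main():
    enabled, default_profile, findings = audit_sso_admins(parse_fortios_config(SAMPLE_CONFIG))
    print(f"FortiCloud SSO login: {'enabled' if enabled else 'disabled'}; default profile: {default_profile}")
    for admin, profile, reason in findings:
        print(f"  {admin}: {profile} ({reason})")


if __name__ == "__main__":
    main()
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents. Any admin reported with "local override" is one whose profile an administrator deliberately set (as in the examples below), while "inherits default" and "default profile" findings are the ones to review: switching the global default to a restricted profile, as Example 1 does, removes the latter class entirely.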
This topic includes four use case examples:
- Example 1: specifying permissions for a FortiCloud SSO user
- Example 2: inheriting FortiCloud permissions for a FortiCloud SSO user
- Example 3: specifying a local user profile for a FortiCloud IAM user
- Example 4: accessing a FortiGate remotely from FortiGate Cloud
Example 1: specifying permissions for a FortiCloud SSO user
In this example, a FortiCloud SSO user is configured to override the inherited permissions and use the prof_admin profile, which is a local read-only profile.
To configure the FortiCloud SSO user:
- Go to System > Settings.
- In the Single Sign-On section, enable FortiCloud SSO.
- Set Administrator profile to Specify, and select prof_admin. The FortiCloud SSO user will be created upon the first login.
- Get the user to log in to the FortiGate:
  - On the FortiOS login screen, click Sign in with FortiCloud. The FortiCloud login page opens.
  - Click Email Login.
  - Enter the FortiCloud account credentials and click Log In.
  The new SSO user is created.
  Since the profile has read-only access, the SSO user can only view items (such as interfaces) and cannot edit them.
Example 2: inheriting FortiCloud permissions for a FortiCloud SSO user
In this example, a local administrator changes the permissions of an existing FortiCloud SSO user (created in the previous example) to Inherit from FortiCloud, which means the super_admin profile will be used.
To configure the existing SSO user:
- Go to System > Administrators and edit the user in the FortiCloud SSO Administrator section (********@gmail.com).
- Set Administrator profile to Inherit from FortiCloud.
- Click OK.
- Get the user to log in to the FortiGate. Since the profile changed to super_admin, they can modify items (such as interfaces).
Example 3: specifying a local user profile for a FortiCloud IAM user
In this example, a FortiCloud IAM user is configured to have read-only SSO access based on the settings in the FortiOS SSO portal. Once the FortiCloud IAM user logs in, an administrator with super_admin access changes the permission of the IAM user to have super_admin access.
This example assumes the FortiOS SSO portal has already been added to the IAM permission profile. See Creating a permission profile and Managing permission profiles in the Identity & Access Management (IAM) Guide for more information about configuring permission profiles in FortiCloud.
To configure the FortiCloud IAM user:
- In FortiCloud, configure the permission profile:
  - Go to Services > IAM, then click Permission Profiles.
  - Select a profile and click Edit.
  - In the FortiOS SSO portal, enable Access. Set the Access Type to Read Only.
  - Click Update.
- Get the user to log in to the FortiGate:
  - On the FortiOS login screen, click Sign in with FortiCloud. The FortiCloud login page opens.
  - Click IAM Login.
  - Enter the IAM account credentials and click Log In.
  The new SSO user is created with the super_admin_readonly profile.
- Update the IAM user permission to have super_admin access:
  - Log in to the FortiGate with a super_admin administrator account.
  - Go to System > Administrators and edit the IAM user (2022).
  - Set Administrator profile to Specify and select super_admin.
  - Click OK.
- Get the user to log in to the FortiGate again. Since the profile changed to super_admin, they can modify items.
Example 4: accessing a FortiGate remotely from FortiGate Cloud
In this example, a FortiGate Cloud user with a paid subscription accesses the FortiGate remotely from FortiGate Cloud. When the user logs in with SSO, the profile has super_admin access. After the FortiGate Cloud user logs in, an administrator with super_admin access changes the permission of the FortiGate Cloud user to have prof_admin (read-only) access.
Note: FortiGate Cloud must be accessed from a FortiGate Cloud 2.0 portal (also called FortiGate Cloud Premium) in order to have remote access using the FortiGate Cloud proxy. See Getting started with FortiGate Cloud 2.0 for more details.
To access a FortiGate remotely from FortiGate Cloud:
- Log in to the FortiGate Cloud 2.0 portal.
- Go to Inventory > Asset List. Select the desired FortiGate, then click Remote Access.
  FortiGate Cloud accesses the FortiGate using the FortiGate Cloud proxy and creates a super_admin user. The FortiOS interface is displayed in the current browser window.
- Log out of FortiGate Cloud.
- Update the FortiGate Cloud user permission to have prof_admin access:
  - Log in to the FortiGate with a super_admin administrator account.
  - Go to System > Administrators and edit the user in the FortiGate Cloud SSO Administrator section (********@gmail.com).
  - Set Administrator profile to Specify and select prof_admin.
  - Click OK.
- Log in to the FortiGate Cloud 2.0 portal and access the FortiGate remotely again. Since the profile changed to prof_admin, the user can only view items (such as interfaces).