Administration Guide

Allowing the FortiGate to override FortiCloud SSO administrator user permissions

The FortiGate can allow single sign-on (SSO) from FortiCloud and FortiCloud IAM users with administrator profiles inherited from FortiCloud or overridden locally by the FortiGate. Similarly, users accessing the FortiGate remotely from FortiGate Cloud can have their permissions inherited or overridden by the FortiGate.

To enable FortiCloud SSO in the GUI:
  1. Go to System > Settings.

  2. In the Single Sign-On section, enable FortiCloud SSO.

  3. Set the default Administrator profile to assign: Inherit from FortiCloud, or Specify and select a profile from the dropdown.

  4. Click Apply.

To enable FortiCloud SSO in the CLI:
config system global
    set admin-forticloud-sso-login enable
    set admin-forticloud-sso-default-profile <profile>
end

The following administrator profiles are assigned based on the inherited or overridden permissions:

  User type: FortiCloud
    Inherited from FortiCloud/FortiGate Cloud: Uses the super_admin profile.
    Specify: Local user profile

  User type: FortiCloud IAM
    Inherited from FortiCloud/FortiGate Cloud: Is based on the IAM permission profile's FortiOS SSO portal settings:
      • If Access is disabled = no access
      • If Access is enabled and the Access Type is set to SuperAdmin = super_admin profile
      • If Access is enabled and the Access Type is set to Read Only = super_admin_readonly profile
    Specify: Local user profile

  User type: FortiGate Cloud subscription tier
    Inherited from FortiCloud/FortiGate Cloud: Uses the super_admin profile.
    Specify: Local user profile

  User type: FortiGate Cloud free tier
    Inherited from FortiCloud/FortiGate Cloud: Has read-only access.
    Specify: Cannot override
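As an added example (not code from the Fortinet guide), the following Python script audits the two `config system global` settings shown above together with locally overridden SSO administrators, and flags every SSO user whose effective profile is super_admin. The `config system sso-admin` block, its `accprofile` key and the sample dump are assumptions about how a FortiOS configuration export presents overridden SSO users.

```python
import re

# Constructed sample of a FortiOS configuration dump. The `config system global`
# keys are the ones documented above; the `config system sso-admin` block and its
# `accprofile` key are an ASSUMPTION about how overridden SSO users are exported.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE"
    set admin-forticloud-sso-login enable
    set admin-forticloud-sso-default-profile "super_admin"
end
config system sso-admin
    edit "ops-readonly@example.com"
        set accprofile "prof_admin"
        set vdom "root"
    next
    edit "2022"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

BLOCK_RE = re.compile(r"^config (.+?)\n(.*?)^end$", re.S | re.M)
EDIT_RE = re.compile(r'^\s*edit "(.+?)"\n(.*?)^\s*next$', re.S | re.M)
SET_RE = re.compile(r"^\s*set (\S+) (.+)$", re.M)

def parse_sets(text):
    """Return {key: value} for every `set key value` line, quotes stripped."""
    return {k: v.strip().strip('"') for k, v in SET_RE.findall(text)}

def parse_config(config):
    """Split a dump into {block: {'sets': top-level keys, 'entries': {edit name: keys}}}."""
    blocks = {}
    for name, body in BLOCK_RE.findall(config):
        entries = {n: parse_sets(b) for n, b in EDIT_RE.findall(body)}
        top = EDIT_RE.sub("", body)  # keys outside any edit/next entry
        blocks[name] = {"sets": parse_sets(top), "entries": entries}
    return blocks

def audit_sso_admins(config):
    """Report SSO status, the default profile, and SSO admins holding super_admin."""
    blocks = parse_config(config)
    glob = blocks.get("system global", {}).get("sets", {})
    sso_enabled = glob.get("admin-forticloud-sso-login") == "enable"
    # Assumption: an absent default profile means Inherit, which maps to
    # super_admin for FortiCloud users per the table above.
    default_profile = glob.get("admin-forticloud-sso-default-profile", "inherit (super_admin)")
    admins = blocks.get("system sso-admin", {}).get("entries", {})
    full = sorted(n for n, s in admins.items() if s.get("accprofile") == "super_admin")
    return {"sso_enabled": sso_enabled, "default_profile": default_profile,
            "sso_admins": {n: s.get("accprofile") for n, s in admins.items()},
            "super_admin_sso_users": full}

if __name__ == "__main__":
    print(audit_sso_admins(SAMPLE_CONFIG))
```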

This topic includes four use case examples:

Example 1: specifying permissions for a FortiCloud SSO user

In this example, a FortiCloud SSO user is configured to override permissions and use the prof_admin profile, which is a local read-only profile.

To configure the FortiCloud SSO user:
  1. Go to System > Settings.

  2. In the Single Sign-On section, enable FortiCloud SSO.

  3. Set Administrator profile to Specify, and select prof_admin. The FortiCloud SSO user will be created upon the first login.

  4. Get the user to log in to the FortiGate:

    1. On the FortiOS login screen, click Sign in with FortiCloud. The FortiCloud login page opens.

    2. Click Email Login.

    3. Enter the FortiCloud account credentials and click Log In.

      The new SSO user is created.

      Since the profile has read-only access, the SSO user can only view items (such as interfaces) and cannot edit them.

Example 2: inheriting FortiCloud permissions for a FortiCloud SSO user

In this example, a local administrator changes the permissions of an existing FortiCloud SSO user (created in the previous example) to Inherit from FortiCloud, which means the super_admin profile will be used.

To configure the existing SSO user:
  1. Go to System > Administrators and edit the user in the FortiCloud SSO Administrator section (********@gmail.com).

  2. Set Administrator profile to Inherit from FortiCloud.

  3. Click OK.

  4. Get the user to log in to the FortiGate. Since the profile changed to super_admin, they can modify items (such as interfaces).

Example 3: specifying a local user profile for a FortiCloud IAM user

In this example, a FortiCloud IAM user is configured to have read-only SSO access based on the settings in the FortiOS SSO portal. Once the FortiCloud IAM user logs in, an administrator with super_admin access changes the permission of the IAM user to have super_admin access.

This example assumes the FortiOS SSO portal has already been added to the IAM permission profile. See Creating a permission profile and Managing permission profiles in the Identity & Access Management (IAM) Guide for more information about configuring permission profiles in FortiCloud.

To configure the FortiCloud IAM user:
  1. In FortiCloud, configure the permission profile:

    1. Go to Services > IAM, then click Permission Profiles.

    2. Select a profile and click Edit.

    3. In the FortiOS SSO portal, enable Access. Set the Access Type to Read Only.

    4. Click Update.

  2. Get the user to log in to the FortiGate:

    1. On the FortiOS login screen, click Sign in with FortiCloud. The FortiCloud login page opens.

    2. Click IAM Login.

    3. Enter the IAM account credentials and click Log In.

      The new SSO user is created with a super_admin_readonly profile.

  3. Update the IAM user permission to have super_admin access:

    1. Log in to the FortiGate with a super_admin administrator account.

    2. Go to System > Administrators and edit the IAM user (2022).

    3. Set Administrator profile to Specify and select super_admin.

    4. Click OK.

  4. Get the user to log in to the FortiGate again. Since the profile changed to super_admin, they can modify items.

Example 4: accessing a FortiGate remotely from FortiGate Cloud

In this example, a FortiGate Cloud user with a paid subscription accesses the FortiGate remotely from FortiGate Cloud. When the user logs in with SSO, the profile has super_admin access. After the FortiGate Cloud user logs in, an administrator with super_admin access changes the permission of the FortiGate Cloud user to have prof_admin (read-only) access.

Note

FortiGate Cloud must be accessed from a FortiGate Cloud 2.0 portal (also called FortiGate Cloud Premium) in order to have remote access using the FortiGate Cloud proxy. See Getting started with FortiGate Cloud 2.0 for more details.

To access a FortiGate remotely from FortiGate Cloud:
  1. Log in to the FortiGate Cloud 2.0 portal.

  2. Go to Inventory > Asset List. Select the desired FortiGate, then click Remote Access.

    FortiGate Cloud accesses the FortiGate using the FortiGate Cloud proxy and creates a super_admin user. The FortiOS interface is displayed in the current browser window.

  3. Log out of FortiGate Cloud.

  4. Update the FortiGate Cloud user permission to have prof_admin access:

    1. Log in to the FortiGate with a super_admin administrator account.

    2. Go to System > Administrators and edit the user in the FortiGate Cloud SSO Administrator section (********@gmail.com).

    3. Set Administrator profile to Specify and select prof_admin.

    4. Click OK.

  5. Log in to the FortiGate Cloud 2.0 portal and access the FortiGate remotely again. Since the profile changed to prof_admin, they can only view items (such as interfaces).
