Integrating FortiAnalyzer management using SAML SSO
When a FortiGate acting as a Security Fabric root is configured as a SAML SSO identity provider (IdP), the FortiAnalyzer in that Security Fabric can register itself as a service provider (SP). This simplifies the configuration: enabling one setting on the FortiAnalyzer allows Fabric SSO access to the FortiAnalyzer once the administrator has authenticated to the root FortiGate. When signed in using SSO, the FortiAnalyzer shows a Security Fabric navigation dropdown, which allows easy navigation to the FortiGates in the Fabric.
To enable FortiAnalyzer as a Fabric SP in the GUI:
- On the root FortiGate, go to Security Fabric > Physical Topology or Logical Topology.
- In the topology, click the FortiAnalyzer icon and select Login to FortiAnalyzer.
- Enter the credentials to log in. A Security Fabric must be configured, with the Fabric devices listed under the Fabric name.
- Go to Device Manager to verify the Fabric setup. There is an asterisk beside the root FortiGate.
- Edit the FortiAnalyzer SAML SSO settings:
  - Go to System Settings > SAML SSO.
  - For Single Sign-On Mode, select Fabric SP and enter the address used to access the FortiAnalyzer in Server Address.
  - Click Apply and log out of the FortiAnalyzer. The FortiAnalyzer automatically registers itself on the FortiGate and appears as an appliance in the FortiGate's list of SPs.
- Verify that the FortiAnalyzer registration was successful:
  - In FortiOS, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  - In the SAML Single Sign-On section, click Advanced Options. There should be an entry for the FortiAnalyzer in the Service Providers table.
- Log in to the FortiAnalyzer. There is a new option to Login with Fabric Single Sign-On.
- Click Login with Fabric Single Sign-On. A dialog appears to select a Fabric IdP.
- Select a FortiGate. The ADOM containing that FortiGate opens.
To enable FortiAnalyzer as a Fabric SP in the CLI:
- In FortiAnalyzer, enable the device as a Fabric SP:

      config system saml
          set status enable
          set role FAB-SP
          set server-address "192.168.1.99"
      end

  FortiAnalyzer will register itself on the FortiGate as an appliance.
- Verify the configuration in FortiOS:

      show system saml
      config system saml
          set status enable
          set role identity-provider
          set cert "fortigate.domain.tld"
          set server-address "192.168.1.99"
          config service-providers
              edit "appliance_192.168.1.103"
                  set prefix "csf_76sh0bm4e7hf1ty54w42yrrv88tk8uj"
                  set sp-entity-id "http://192.168.1.103/metadata/"
                  set sp-single-sign-on-url "https://192.168.1.103/saml/?acs"
                  set sp-single-logout-url "https://192.168.1.103/saml/?sls"
                  set sp-portal-url "https://192.168.1.103/saml/login/"
                  config assertion-attributes
                      edit "username"
                      next
                      edit "profilename"
                          set type profile-name
                      next
                  end
              next
          end
      end
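As an added check (example code written for this page, not Fortinet's), the following Python parses the `show system saml` output format shown above into nested dicts and confirms that the FortiAnalyzer appears under service-providers with HTTPS sign-on, logout and portal URLs on its own address. The sample output is constructed to mirror the registration above.

```python
import re
from urllib.parse import urlparse
TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted value or bare word

# Constructed `show system saml` output, mirroring the registration shown above.
SHOW_SYSTEM_SAML = """\
config system saml
    set status enable
    set role identity-provider
    set server-address "192.168.1.99"
    config service-providers
        edit "appliance_192.168.1.103"
            set prefix "csf_76sh0bm4e7hf1ty54w42yrrv88tk8uj"
            set sp-entity-id "http://192.168.1.103/metadata/"
            set sp-single-sign-on-url "https://192.168.1.103/saml/?acs"
            set sp-single-logout-url "https://192.168.1.103/saml/?sls"
            set sp-portal-url "https://192.168.1.103/saml/login/"
        next
    end
end
"""

def parse_fortios(lines, i=0):
    """Nest FortiOS config into dicts: `set k v` stores k; `config X`/`edit X` open a block."""
    node = {}
    while i < len(lines):
        parts = [t.strip('"') for t in TOKEN.findall(lines[i])]
        i += 1
        if parts and parts[0] == "set":
            node[parts[1]] = parts[2] if len(parts) == 3 else parts[2:]
        elif parts and parts[0] in ("config", "edit"):
            node[" ".join(parts[1:])], i = parse_fortios(lines, i)
        elif parts and parts[0] in ("end", "next"):
            break
    return node, i

def verify_fabric_sp(show_output, faz_ip):
    """Confirm the FortiAnalyzer SP entry exists and its endpoints are HTTPS on faz_ip."""
    saml = parse_fortios(show_output.splitlines())[0].get("system saml", {})
    if saml.get("status") != "enable" or saml.get("role") != "identity-provider":
        return False, "FortiGate is not an enabled SAML identity provider"
    sp = saml.get("service-providers", {}).get(f"appliance_{faz_ip}")
    if sp is None:
        return False, f"no appliance_{faz_ip} entry: FortiAnalyzer did not register"
    # The entity ID is only an identifier; the browser-facing URLs must be HTTPS.
    for key in ("sp-single-sign-on-url", "sp-single-logout-url", "sp-portal-url"):
        url = urlparse(sp.get(key, ""))
        if url.scheme != "https" or url.hostname != faz_ip:
            return False, f"{key} is not https://{faz_ip}/...: {sp.get(key)!r}"
    return True, f"FortiAnalyzer {faz_ip} is registered as a Fabric SP"
```

Paste the real `show system saml` output in place of the constructed sample to check a live registration.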
To navigate between devices using SAML SSO in FortiOS:
- Log in to the root FortiGate.
- Go to Security Fabric > Physical Topology or Logical Topology.
- In the topology, click the FortiAnalyzer icon and select Login to FortiAnalyzer.
To navigate between devices using SAML SSO in FortiAnalyzer:
- Log in to the FortiAnalyzer using SSO.
- Navigate to the ADOM that contains the root FortiGate of the Security Fabric.
- In the toolbar, click the Security Fabric name to display a dropdown list of the Fabric FortiGates.