
FortiLAN Cloud User Guide

External IDP Authentication

FortiLAN Cloud supports integration with third-party Identity Provider (IDP) services for logging in and managing networks. This is useful for enterprises that must keep user credentials within their own Identity Provider and therefore provision FortiLAN Cloud access through it. FortiCloud/FortiLAN Cloud uses the IDP-initiated Security Assertion Markup Language (SAML) assertion, which carries specific IDP attributes, to verify the user account details and grant the required access.

External IDP authentication is offered in conjunction with FortiCare and FortiAuthenticator. Contact the Fortinet Customer Support team to enable external IDP support and raise an enrollment request for the appropriate FortiCare accounts. After enrollment is complete, follow these setup procedures.

Note: The IDP must support SAML 2.0 and IDP-initiated assertion responses.

  • Create an IDP configuration using the SAML Service Provider (SP) metadata. The following is an example, where {company} is the unique name of your organization.
    SP Entity ID http://customersso1.fortinet.com/saml-idp/proxy/{company}/metadata/
    SP Login URL https://customersso1.fortinet.com/saml-idp/proxy/{company}/saml/?acs
    Relay State https://customersso1.fortinet.com/saml-idp/proxy/{company}/login/
  • Configure the SAML assertion to carry the username and role attributes that FortiCloud uses for permission control.
  • Provide Fortinet with the required information: the SAML metadata file, company name, contact information, and the Fortinet master account that the IDP connects to.
  • Configure external IDP roles in FortiCloud to allow the required access to FortiLAN Cloud. See Adding External IDP Roles.

After successful authentication on your Identity Provider, you are redirected to the FortiCloud portal, from where you access FortiLAN Cloud according to the configured roles.

Adding External IDP Roles

Access the Identity & Access Management (IAM) service from the FortiCloud portal.

  1. Navigate to Manage External IdP Roles and click Add IDP Role.
  2. Enter a unique Role Name and Description (optional).
    Note: The role name must exactly match the role attribute in the SAML assertion.
  3. Select an asset group from the Asset Permissions list.
  4. Configure the Effective Portal Permissions for the required portals. Click the edit icon next to the portal and update the following.

    Permission             Description
    Allow Portal Access    Toggle Yes to allow access to the portal.
    Access Type            Select the Access Type defined by the selected portal. The allowed access types vary between portals.
    Additional Permission  Allow additional permissions based on the selected access type. The additional permissions also vary between portals.

  5. Configure the Cloud Management & Services permissions to enable access to FortiLAN Cloud. Click add (+) and select FortiLAN Cloud from the list.
  6. Click the edit icon and configure the required permissions for FortiLAN Cloud.
    • Toggle Yes to allow access to FortiLAN Cloud.
    • Select the required Access Type: Admin, Read-Only, or Guest Manager.

  7. Click Add Role.

After the role is created, it is listed on the Manage External IdP Roles page. You can enable, disable, or delete a created role: select the role and click the required option.
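The following is an added example, not Fortinet code and not part of this guide. It shows what the SAML assertion step in the setup procedure and the exact-match rule for role names amount to in practice: it parses a constructed, unsigned IDP-initiated Response, checks that the Response is addressed to the SP Entity ID and SP Login URL from the metadata example above, checks the assertion's validity window, and then resolves the role attribute against a table of configured IDP roles with an exact, case-sensitive comparison. The attribute names username and role, the company name acme, the IDP issuer, and the role table are assumptions. The example deliberately omits XML signature verification; a real Service Provider verifies the assertion signature with the IDP certificate from the metadata file before trusting any attribute, and that check is a precondition for everything below.

```python
"""Validate an IDP-initiated SAML 2.0 Response and map its role attribute to a
configured FortiCloud external IDP role. Added example, not Fortinet code.
Assumed: attribute names "username"/"role", company "acme", the IDP_ROLES
table. Signature verification is omitted on purpose (see lead-in)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

COMPANY = "acme"  # assumed unique organization name used in the SP metadata URLs
SP_ENTITY_ID = f"http://customersso1.fortinet.com/saml-idp/proxy/{COMPANY}/metadata/"
SP_ACS_URL = f"https://customersso1.fortinet.com/saml-idp/proxy/{COMPANY}/saml/?acs"

# Assumed external IDP roles as they would be configured in FortiCloud IAM.
IDP_ROLES = {
    "FortiLAN-Admin": {"enabled": True, "access_type": "Admin"},
    "FortiLAN-ReadOnly": {"enabled": True, "access_type": "Read-Only"},
    "FortiLAN-Guest": {"enabled": False, "access_type": "Guest Manager"},
}

# Constructed, unsigned IDP-initiated Response used as sample input.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{SP_ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>FortiLAN-Admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_time(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(response_xml: str, now: datetime) -> dict:
    """Return username and role values after checking the Response is addressed
    to this SP (Destination, Audience) and is inside its validity window.
    Raises ValueError on any mismatch so a caller cannot proceed by accident."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination does not match the SP Login URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("Response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("Assertion or Conditions element missing")
    if not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Audience does not match the SP Entity ID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    missing = {"username", "role"} - set(attrs)
    if missing:
        raise ValueError(f"Assertion lacks attributes: {sorted(missing)}")
    return {"username": attrs["username"][0], "roles": attrs["role"]}


def resolve_access(role_name: str, roles: dict = IDP_ROLES):
    """Exact, case-sensitive match against the configured IDP role names, as the
    note on role names requires: "fortilan-admin" does not match "FortiLAN-Admin".
    Returns the FortiLAN Cloud access type, or None if no enabled role matches."""
    cfg = roles.get(role_name)
    if cfg is None or not cfg["enabled"]:
        return None
    return cfg["access_type"]


def authorize(response_xml: str, now: datetime) -> dict:
    """Login decision: validated assertion -> exact role match -> access type.
    Never raises; a denial carries its reason."""
    try:
        info = parse_assertion(response_xml, now)
    except (ValueError, ET.ParseError) as exc:
        return {"granted": False, "reason": str(exc)}
    for role in info["roles"]:
        access = resolve_access(role)
        if access is not None:
            return {"granted": True, "username": info["username"],
                    "role": role, "access_type": access}
    return {"granted": False, "reason": f"no enabled IDP role named exactly {info['roles']}"}


if __name__ == "__main__":
    print(authorize(SAMPLE_RESPONSE, saml_time("2024-05-01T10:00:30Z")))
```

A disabled role (FortiLAN-Guest above) is treated the same as a missing one, which matches the enable/disable control on the Manage External IdP Roles page: the assertion may still name the role, but it grants nothing. Because IDP-initiated responses carry no InResponseTo, a production SP must also keep the IDP signing certificate current and reject replayed assertion IDs; neither is shown here.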

Managing External IDP Roles

You can also add and manage external IDP roles from the FortiLAN Cloud GUI.

  • All existing IDP roles are listed on the Manage Account Access page. You can create, edit, and delete IDP roles from this page.
