Fortinet Document Library

Version:


Table of Contents

User Guide

21.4.0
Copy Link

Mixing login typesSingle sign-on (SSO)

SSO allows your organization to utilize it's internal authentication tool to authenticate with and log in to FortiMonitor. This guide will walk you through integrating with a generic SSO provider, such as Simple SAML. You can also find docs specifically for ADFS and Okta.

Control Panel Configuration

Navigate to the Integrations page by selecting Settings from the global navigation bar, followed by selecting Integrations. Here, you will find the Single Sign On section. Select Configure on the SAML card.

General

Field

Description

URL Fragment

Customer-provided string that will determine the login URL for your FortiMonitor account, the format of my.panopta.com/sso/{url fragment}

For example, if you were to enter panopta, your login URL would be my.panopta.com/sso/panopta. Alpha characters only.

Note: New users should use fortimonitor.forticloud.com for the SSO URL. For long time customers of Panopta, continue using my.panopta.com.

Username                     

Field in your SAML payload that matches a user's FortiMonitor login email. This is an email for most customers.

Entity ID

URL that provides your IDP metadata.

Login URL

The URL we redirect the user to when the user arrives at your FortiMonitor SSO login.

For instance, if a user visits your FortiMonitor SSO URL which is built in the URL Fragment configured in step 1, the Login URL is the address we would then redirect them to where they authenticate with your SSO tool

Login Binding

This is a colon separated sequence of strings. For example, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. It is generated by your SSO tool.

Logout URL (optional)

URL to redirect the user upon logout request.

Logout Binding

This is a colon separated sequence of strings. For example, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. It is generated by your SSO tool.

Certificate

A valid x509 certificate. Ensure it is copied with out extra whitespace.

User Configuration

Field

Description

Prevent non-SSO logins

Enabling this option prevents users from logging in to FortiMonitor with their email address and password. This setting can be overwritten at the account level. To override the setting, see Mixing login types.

Note: Leave this box unchecked until you have confirmed that your SSO configuration is working properly. 

New User Notifications

Select the user account to notify when an SSO user signs on for the first time to FortiMonitor.

Auto Create Users

Leave this box unchecked if you want to require admin approval before a user can use FortiMonitor. Once a user logs in for the first time, those selected in the User Emails select list will receive a notification email. They can follow the link in the email to grant the new user access. Until they do this, the user will not be able to access FortiMonitor - they will merely see a splash screen when they log in.

You can view all users who are waiting for approval under the "Pending" users tab on the Users and Groups page.

If you prefer to let users immediately begin using FortiMonitor upon login, check this box.

Default Roles for New Users

There are two options when the Auto Create Users option is enabled:

  • Assign roles manually: If you're automatically creating the user the first time they log in via your SSO integration, they can optionally be assigned any number of roles by default.

  • SSO-based roles (Assign roles based on SAML mapping):

    If you're sending your internal roles in your SAML payload, you can map those to specific roles in FortiMonitor.

    • In the SAML Role Field provide the payload key that corresponds to your internal roles in your SAML payload.

    • In the SAML Role, enter the internal role you'd like to target. Please only enter one role

    • In the FortiMonitor roles to assign dropdown, select the roles you'd like the user to have in FortiMonitor

    You can create as many mappings as needed.

Mixing login types

Sometimes it is valuable to allow non-SSO users to still log in to your company's FortiMonitor account - especially if you leverage outside resources. To allow certain users to still login via email and password, check the "Allow Non-SSO Login" checkbox. This option can be found by editing the user - go to Settings > Users, Groups & On-Call, then edit the desired user. The option is on the first pane.

SSO configuration for Multi-tenant users

If you are a multi-tenant user, you have the option to apply your SSO configuration to all sub-accounts. You can find the following option under the User Configuration module on your master tenant account:

Select the Use for all sub-accounts option to use a single SSO configuration for all your sub-accounts/tenants. Settings configured in the master tenant account such as New User notificationDefault Timezone, and Auto Create Users are also applied to all other tenants. All created users are automatically added to the correct tenant. 

Mixing login typesSingle sign-on (SSO)

SSO allows your organization to utilize it's internal authentication tool to authenticate with and log in to FortiMonitor. This guide will walk you through integrating with a generic SSO provider, such as Simple SAML. You can also find docs specifically for ADFS and Okta.

Control Panel Configuration

Navigate to the Integrations page by selecting Settings from the global navigation bar, followed by selecting Integrations. Here, you will find the Single Sign On section. Select Configure on the SAML card.

General

Field

Description

URL Fragment

Customer-provided string that will determine the login URL for your FortiMonitor account, the format of my.panopta.com/sso/{url fragment}

For example, if you were to enter panopta, your login URL would be my.panopta.com/sso/panopta. Alpha characters only.

Note: New users should use fortimonitor.forticloud.com for the SSO URL. For long time customers of Panopta, continue using my.panopta.com.

Username                     

Field in your SAML payload that matches a user's FortiMonitor login email. This is an email for most customers.

Entity ID

URL that provides your IDP metadata.

Login URL

The URL we redirect the user to when the user arrives at your FortiMonitor SSO login.

For instance, if a user visits your FortiMonitor SSO URL which is built in the URL Fragment configured in step 1, the Login URL is the address we would then redirect them to where they authenticate with your SSO tool

Login Binding

This is a colon separated sequence of strings. For example, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. It is generated by your SSO tool.

Logout URL (optional)

URL to redirect the user upon logout request.

Logout Binding

This is a colon separated sequence of strings. For example, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. It is generated by your SSO tool.

Certificate

A valid x509 certificate. Ensure it is copied with out extra whitespace.

User Configuration

Field

Description

Prevent non-SSO logins

Enabling this option prevents users from logging in to FortiMonitor with their email address and password. This setting can be overwritten at the account level. To override the setting, see Mixing login types.

Note: Leave this box unchecked until you have confirmed that your SSO configuration is working properly. 

New User Notifications

Select the user account to notify when an SSO user signs on for the first time to FortiMonitor.

Auto Create Users

Leave this box unchecked if you want to require admin approval before a user can use FortiMonitor. Once a user logs in for the first time, those selected in the User Emails select list will receive a notification email. They can follow the link in the email to grant the new user access. Until they do this, the user will not be able to access FortiMonitor - they will merely see a splash screen when they log in.

You can view all users who are waiting for approval under the "Pending" users tab on the Users and Groups page.

If you prefer to let users immediately begin using FortiMonitor upon login, check this box.

Default Roles for New Users

There are two options when the Auto Create Users option is enabled:

  • Assign roles manually: If you're automatically creating the user the first time they log in via your SSO integration, they can optionally be assigned any number of roles by default.

  • SSO-based roles (Assign roles based on SAML mapping):

    If you're sending your internal roles in your SAML payload, you can map those to specific roles in FortiMonitor.

    • In the SAML Role Field provide the payload key that corresponds to your internal roles in your SAML payload.

    • In the SAML Role, enter the internal role you'd like to target. Please only enter one role

    • In the FortiMonitor roles to assign dropdown, select the roles you'd like the user to have in FortiMonitor

    You can create as many mappings as needed.

Mixing login types

Sometimes it is valuable to allow non-SSO users to still log in to your company's FortiMonitor account - especially if you leverage outside resources. To allow certain users to still login via email and password, check the "Allow Non-SSO Login" checkbox. This option can be found by editing the user - go to Settings > Users, Groups & On-Call, then edit the desired user. The option is on the first pane.

SSO configuration for Multi-tenant users

If you are a multi-tenant user, you have the option to apply your SSO configuration to all sub-accounts. You can find the following option under the User Configuration module on your master tenant account:

Select the Use for all sub-accounts option to use a single SSO configuration for all your sub-accounts/tenants. Settings configured in the master tenant account such as New User notificationDefault Timezone, and Auto Create Users are also applied to all other tenants. All created users are automatically added to the correct tenant.