User Guide

Set up SSO with Google Workplace

24.1.0

Set up SSO with Google Workplace

To use Google Workplace as an identity provider with the FortiMonitor Control Panel, you will need to make changes within the Control Panel and within Google Workplace. You will need administrative access for both.

To get started, you need the following:

  • Determine what the URL Fragment will be. This will be required in both the Control Panel and Google Workplace setup. Typically it will be the name of your company or group. For this example we’ll use “mycompany”.

  • You will need to go back and forth between the Google Admin Panel and the Control Panel, so it is recommended to open a tab for each and log in as appropriate.

To set up SSO with Google Workplace, perform the following steps:

  1. From the FortiMonitor navigation menu, select Teams & Activity > Integrations > SAML > Configure to begin the process.
    You can enter the URL fragment and the Login Binding.
    Note: All fields marked with an asterisk are required. Some of these you will copy over from the Google Admin panel.

  2. In the Google Workplace admin interface, go to Apps > Web and Mobile Apps > Add App > Add Custom SAML App as shown below:

  3. Give the App a Name and an Icon (optional) and click Continue.

  4. On the next screen, you will be presented with an SSO URL, an Entity ID, and a Certificate. You will need to copy each of these into the FortiMonitor Create SSO Configuration pane as shown below. The Entity ID URL goes in the Entity ID field and the SSO URL (Google) goes in the Login URL box (FortiMonitor):

  5. Next scroll down in the Control Panel and copy the Certificate from the Google Admin Console to the Control Panel:

  6. You can now click Save on the Control Panel Create SSO Configuration screen. You may want to revisit that configuration to force all users to use SSO by enabling Prevent non-SSO Logins, but you should test this configuration before checking that option.

  7. Back in the Google Admin Panel, click Continue to go to the next screen. Here you will enter the following URLs, again using the example “mycompany”. Replace that string with your own choice for URL Fragment as discussed above.
    ACS URL: https://my.panopta.com/sso/mycompany/acs
    Entity ID: https://my.panopta.com/sso/mycompany/metadata
    Then set the Name ID format = EMAIL
    Your screen should now look like this:

  8. Press Continue. On the next screen, you can add an attribute mapping as follows:

  9. Click Finish.

  10. As you now view the SSO Setup, ensure that this integration is turned On for Everyone under User Access, or you can also allow for only a group within your organization. Visit the Google Learn More link for details. While testing, it is probably best to enable On for Everyone. Click the View Details link on the User Access pane to change this setting.

    You have now completed the configuration.

Test the SSO configuration

You can test the integration using the Test SAML Login link shown below:

You can also test on the FortiMonitor login page:

Troubleshooting:

If you run into errors when testing:

  • Double check all of the URLs and URL Fragments

  • Ensure you are logged into the correct Google Account

  • Make sure you have enabled this for all users in Google or, if you limit by groups, that your test user is in the correct groups

  • If you had previous SAML integrations you may have an expired Certificate show up in the Google configuration. You can view and manage the Google certificates under Apps → Web and Mobile Apps → Settings
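
To help with the first troubleshooting item, the following added example (not part of the FortiMonitor documentation) compares a captured SAMLResponse, the base64 form field the browser posts to the ACS URL, against the ACS URL, Entity ID and Name ID format from step 7. The function names, the allowed fragment characters, the URN assumed for Google's EMAIL format and the sample response are all assumptions made for this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: Google's "EMAIL" Name ID format is sent as this standard URN.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASE = "https://my.panopta.com/sso"  # host and path from step 7


def sp_urls(fragment):
    """Return (ACS URL, Entity ID) as entered in Google for this URL fragment."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", fragment):  # assumed allowed characters
        raise ValueError("unexpected characters in URL fragment")
    return f"{BASE}/{fragment}/acs", f"{BASE}/{fragment}/metadata"


def check_response(b64_response, fragment):
    """List mismatches between a captured SAMLResponse and the expected setup.

    Debugging aid only: it does not verify the signature or certificate.
    """
    acs, entity_id = sp_urls(fragment)
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    audience = (root.findtext(".//saml:Audience", namespaces=NS) or "").strip()
    if audience != entity_id:
        problems.append(f"Audience {audience!r} is not the Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not EMAIL")
    return problems


def sample_response(fragment):
    """Constructed, unsigned response, as if Google were configured with `fragment`."""
    acs, entity_id = sp_urls(fragment)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' Destination="{acs}"><saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>'
           f'</saml:Subject><saml:Conditions><saml:AudienceRestriction>'
           f'<saml:Audience>{entity_id}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_response(sample_response("mycompany"), "mycompany"))  # matching setup
    print(check_response(sample_response("mycompnay"), "mycompany"))  # typo on Google side
```

A fragment typed differently on the Google side shows up as both a Destination and an Audience mismatch, which is the usual sign that the ACS URL and Entity ID in step 7 need to be re-entered.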
