Managing External IdP roles in FortiCloud IAM

FortiCloud enables you to access and manage all of Fortinet's Cloud Services, including FortiWeb Cloud, through a single account. When you access FortiWeb Cloud, the login is authenticated through your FortiCloud account.

FortiCloud offers the IAM feature that enables you to create and manage External IdP roles that allow users from your organization to log in to the FortiWeb Cloud portal using the user credentials with your organization's ID provider. External IdP users are authenticated by your organization's ID provider. After the user is authenticated, they can access FortiWeb Cloud based on their role.

Note: This feature is only available for certain accounts upon request. Contact the FortiCare team to request setup.

Note: When an IdP user clicks Logout, they are only logging out of the FortiWeb Cloud portal, not your organization's ID provider.

Adding and modifying external IdP roles

Create External IdP roles in FortiCloud IAM to allow users from your organization to log in to the FortiWeb Cloud portal with the user credentials from your organization's ID provider. After the External IdP role is created, you can modify the role settings to delete, disable, or re-enable the role.

To add an external user role:
  1. Log in to FortiCloud IAM.
  2. Go to Manage External IdP Roles. The Manage External IdP Roles pane opens.
  3. Click Add IdP Role. The Create External IdP Role pane opens.
  4. In the Role Name field, type the name of the role.
  5. (Optional) In the Description field, enter a description of the role.
  6. From the Status dropdown list, select active or disabled.
  7. From the Asset Permissions dropdown list, select an asset group.
  8. Configure the Effective Portal Permissions.

    Permission              Description
    Allow Portal Access     Toggle Yes to allow access to a portal.
    Access Type             One of:
                            • Admin
                            • Read/Only
                            • Read/Write
                            The access type may vary depending on the asset.
    Additional Permission   Additional permissions vary depending on the portal.
                            SupportSite:
                            • RMA/DOA
                            • Customer Service
                            • Technical Assistance
                            AMPortal:
                            • Receive Renewal Notification

  9. Configure the Cloud Management & Service permissions.
    1. Click Add (+), select a service from the list, and then click Add.
    2. Click the Edit button, and configure the portal permissions.

      Permission              Description
      Allow Portal Access     Toggle Yes to grant access to the service.
      Access Type             One of:
                              • Admin
                              • Read/Only
                              • Read/Write
                              • Custom
                              Note: The Custom access type is displayed when the service permission cannot be mapped to the IAM portal. Click Configure in the dialog to be redirected to the product portal, and set the permissions there.

    3. Click Confirm.
  10. Click Update.

After the IAM user is created, the IAM user account holder is required to perform a validation check.

To delete a role:
  1. Go to Manage External IdP Roles. The Manage External IdP Roles pane opens.

  2. Select one or more roles from the list.

  3. Click Delete. The Delete Third Party IdP Role(s) dialog is displayed.

  4. Click Confirm.

To disable a role:
  1. Go to Manage External IdP Roles. The Manage External IdP Roles pane opens.

  2. Select one or more roles from the list.

  3. Click Disable. The Disable User Third Party IdP Role(s) dialog is displayed.

  4. Click Confirm.

To re-enable a disabled role:
  1. Go to Manage External IdP Roles. The Manage External IdP Roles pane opens.

  2. Double-click the disabled role. The Manage External IdP Roles > <name> pane opens.

  3. Click Edit.

  4. From the Status dropdown list, select active.

  5. Click Update.

Selecting IdP roles

An external user can be assigned to more than one IdP role. When a user logs into FortiWeb Cloud through your organization's ID provider, their user account is mapped to their IdP roles in the portal.

After the user logs in with your organization's ID provider, the roles connected to the user's account determine their access to the portal.

  • If no roles are assigned to the account, a blocker message appears.

  • If only one role is assigned to the account, the user proceeds directly to the portal.

  • If multiple roles are assigned to the account, the Your Roles page opens, and the user must select a role before proceeding to the portal.
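The role model above (Status, Asset Permissions, per-portal Allow Portal Access and Access Type, and the three login outcomes) is easy to get wrong when many roles and users are involved. The following is an added example, not FortiCloud code or API: it builds a small in-memory model of External IdP roles and user-to-role assignments from constructed sample data, applies the login resolution rule the page describes (no roles = blocked, one role = direct, several = role selection), and runs a few hypothetical review checks a security engineer would want before enabling a role, such as flagging Admin access types, Custom access types whose real permissions live in the product portal, and users assigned only disabled roles. All role names, users and check rules here are assumptions.

```python
"""Constructed review model of FortiCloud IAM External IdP roles.

Not FortiCloud's API: every role, user and check below is hand-built sample
material for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access types listed on the page; "Custom" means the permissions are set in
# the product portal rather than in IAM.
ACCESS_TYPES = {"Admin", "Read/Only", "Read/Write", "Custom"}


@dataclass
class PortalPermission:
    portal: str
    allow_access: bool                 # the "Allow Portal Access" toggle
    access_type: Optional[str] = None  # only meaningful when allow_access is True


@dataclass
class IdpRole:
    name: str
    status: str                        # "active" or "disabled" (Status dropdown)
    asset_group: str                   # Asset Permissions dropdown
    portals: List[PortalPermission] = field(default_factory=list)
    description: str = ""


def resolve_login(assigned_roles: List[str]) -> str:
    """Login outcome by number of roles assigned, as described under 'Selecting IdP roles'."""
    if not assigned_roles:
        return "blocked"   # no roles: the portal shows a blocker message
    if len(assigned_roles) == 1:
        return "direct"    # one role: the user goes straight to the portal
    return "select"        # several roles: the Your Roles page asks the user to pick one


def audit_role(role: IdpRole) -> List[str]:
    """Hypothetical pre-enable review checks (assumed here, not a FortiCloud feature)."""
    findings: List[str] = []
    for p in role.portals:
        if p.allow_access and p.access_type not in ACCESS_TYPES:
            findings.append(f"{role.name}: unknown access type {p.access_type!r} on {p.portal}")
        elif p.allow_access and p.access_type == "Admin":
            findings.append(f"{role.name}: Admin on {p.portal}; confirm least privilege is intended")
        elif p.allow_access and p.access_type == "Custom":
            findings.append(f"{role.name}: Custom on {p.portal}; effective permissions live in the product portal, review there")
        if not p.allow_access and p.access_type:
            findings.append(f"{role.name}: access type set on {p.portal} but Allow Portal Access is off")
    if role.status == "active" and not role.description:
        findings.append(f"{role.name}: active role has no description")
    return findings


def audit_assignments(assignments: Dict[str, List[str]], roles: Dict[str, IdpRole]) -> Dict[str, dict]:
    """Per-user login outcome plus assignments that point at unknown or disabled roles."""
    report: Dict[str, dict] = {}
    for user, names in assignments.items():
        report[user] = {
            "login": resolve_login(names),
            "unknown_roles": [n for n in names if n not in roles],
            "disabled_roles": [n for n in names if n in roles and roles[n].status == "disabled"],
        }
    return report


# Constructed sample data (not from any real tenant).
SAMPLE_ROLES: Dict[str, IdpRole] = {
    "fwc-readonly": IdpRole("fwc-readonly", "active", "all-assets",
                            [PortalPermission("FortiWeb Cloud", True, "Read/Only")], "Viewer role"),
    "fwc-admin": IdpRole("fwc-admin", "active", "all-assets",
                         [PortalPermission("FortiWeb Cloud", True, "Admin")]),
    "legacy": IdpRole("legacy", "disabled", "all-assets",
                      [PortalPermission("FortiWeb Cloud", False, "Read/Write")], "Old role"),
}
SAMPLE_ASSIGNMENTS: Dict[str, List[str]] = {
    "alice@example.com": ["fwc-readonly"],
    "bob@example.com": ["fwc-readonly", "fwc-admin"],
    "carol@example.com": [],
    "dave@example.com": ["legacy"],
}


if __name__ == "__main__":
    for role in SAMPLE_ROLES.values():
        for finding in audit_role(role):
            print("ROLE ", finding)
    for user, entry in audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES).items():
        print("USER ", user, entry)
```

In the sample run, carol would hit the blocker message at login, bob would be shown the Your Roles page, and dave is assigned only a disabled role, which is the kind of assignment worth cleaning up before users report login problems.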
