Fortinet black logo

Administration Guide

Fabric Connector: Single Sign On with FortiGate

Fabric Connector: Single Sign On with FortiGate

You can configure Fabric Connector to use Single Sign-On (SSO) to log in to FortiWeb with FortiGate's administrator accounts.

Configuring SSO on FortiGate

FortiWeb Fabric Single Sign-On only works with Fabric Root. Even FortiWeb could establish Fabric connection with a Fabric sub-node FortiGate, the SAML Single-Sign-On is redirected to the Fabric Root. Only administrator accounts of Fabric Root FortiGate could be used to Single-Sign-On to FortiWeb.

If you have multiple FortiGate appliances and they are deployed as Fabric net, go to the root FortiGate. If you have only one FortiGate, set it as Fabric Root.

  1. Go to Security Fabric > Fabric Connectors.
  2. Enable Security Fabric Setup.
  3. Configure the following settings.
    Security Fabric role

    Select Serve as Fabric Root.

    Fabric Root requires a FortiAnalyzer (or FortiAnalyzer Cloud) and enabling FortiAnalyzer Logging (or Cloud Logging) in FortiGate Fabric Connectors. If you are first time having a Fabric Root, go to set the FortiAnalyzer first.

    Fabric name Enter a name for the fabric connector.
    Allow other Security Fabric devices to join Enable it and select an interface. Security Fabric Connection would be set to allowed access of this interface.
    SAML Single Sign-On Enable it.
    Mode It's automatically set to Identity Provider (IdP) after enabling SAML Single Sign-On.
    IdP certificate Select a certificate from the list, such as Fortinet_CA_SSL.
    Management IP/FQDN

    It is automatically set as Specify with the IP of the port selected in Allow other Security Fabric devices to join after enabling SAML Single Sign-On.

    Management port

    Select Use Admin Port.

Configuring SSO on FortiWeb

  1. Go to Security Fabric > Fabric Connectors.
  2. Click FortiGate, then click Edit.
  3. Configure the following settings.
    Status Enable it.
    Upstream IP

    The FortiGate IP. If you have multiple FortiGate appliances and they are deployed as Fabric net, enter the IP address of the Fabric root.

    This IP would be the IP of the interface that is selected in the Allow other Security Fabric devices to join field on the FortiGate.

    Upstream Port Use the default 8013.
    Configuration Sync

    Set it to default.

    Default means when Fabric connection with FortiGate is established, the Single Sign-On mode would be enabled automatically and FortiGate would enable synchronizing SAML Single-Sign-On related settings to the FortiWeb device.

    Local means when Fabric connection with the FortiGate is established, you need to manually enable Single Sign-On mode and manually configure the SAML Single-Sign-On settings.

    It's recommended to set it as Default.

    Management IP Enter FortiWeb GUI management IP.
    Management Port Enter FortiWeb GUI management HTTPS port. This must be the same as the setting of the HTTPS in System > Admin > Settings in FortiWeb.
  4. Click OK to save.
  5. Log in to FortiGate's GUI. Go to Security Fabric to manually authorize this FortiWeb device. In the meantime, the Connection Status in the Fabric Connector editor in FortiWeb would be Auth Pending.
  6. After manually authorizing the FortiWeb device on FortiGate, you would see your FortiWeb get connected on FortiGate in a few minutes.
  7. Log in to FortiWeb. Go to Security Fabric > Fabric Connectors.
  8. Click FortiGate, then click Edit. You should see the Connection Status is changed to Authorized, and the SP Address, IdP Entity ID, IdP Single Sign-On URL, and IdP Single Logout URL are synced by FortiGate.
  9. Configure the following settings.
    Single Sign-On Mode

    Enable it.

    When this is enabled, the Single Sign-On option will be available on the login page of FortiWeb.

    Default Login Page
    • Normal: When accessing to FortiWeb GUI, the login page has both Single Sign-On and Non Single Sign-On login options.

    • Single Sign-On: When accessing to FortiWeb GUI, it would redirect to the SAML Single Sign-On login page. Non Single Sign-On login is not available. User can only log in with FortiGate administrator accounts

    Default SSO Admin Profile

    Logging in to FortiWeb via FortiGate Fabric Single Sign-On does not share the same admin profile between FortiWeb and FortiGate. It requires specifying profiles to those FortiGate administrator accounts on FortiWeb.

    The profiles created in System > Admin > Profiles are populated in the drop-down list. The selected profiles will be assigned to the FortiGate administrator accounts that are used to log in to FortiWeb via the SAML Single Sign-On.

    The following two default profiles are listed together with the customized profiles if any:

    • admin_no_access: users will be assigned with none access privilege.

    • prof_admin: this is FortiWeb's default profile for root admin.
    SP Certificate Select the Local Admin Certificate used for the Single Sign-On. This is optional. Single Sign-On could work with or without the certificate.
    Certificates imported in Admin Cert Local tab in System > Admin > Certificates are listed here.

Single Sign-On accounts on FortiWeb

With Single Sign-On Mode enabled, users will be redirected to FortiGate's Single Sign-On Provider page when they click Single Sign-On on FortiWeb's login page. They will be required to log in with FortiGate's administrator account.

After first time logging in, this account will be automatically created on FortiWeb. Go to System > Admin > Administrators, you will see that this account has been created in SSO Admin table, and is assigned with the profile defined by Default SSO Admin Profile in step 9 when Configuring SSO on FortiWeb.

Fabric Connector: Single Sign On with FortiGate

You can configure Fabric Connector to use Single Sign-On (SSO) to log in to FortiWeb with FortiGate's administrator accounts.

Configuring SSO on FortiGate

FortiWeb Fabric Single Sign-On only works with Fabric Root. Even FortiWeb could establish Fabric connection with a Fabric sub-node FortiGate, the SAML Single-Sign-On is redirected to the Fabric Root. Only administrator accounts of Fabric Root FortiGate could be used to Single-Sign-On to FortiWeb.

If you have multiple FortiGate appliances and they are deployed as Fabric net, go to the root FortiGate. If you have only one FortiGate, set it as Fabric Root.

  1. Go to Security Fabric > Fabric Connectors.
  2. Enable Security Fabric Setup.
  3. Configure the following settings.
    Security Fabric role

    Select Serve as Fabric Root.

    Fabric Root requires a FortiAnalyzer (or FortiAnalyzer Cloud) and enabling FortiAnalyzer Logging (or Cloud Logging) in FortiGate Fabric Connectors. If you are first time having a Fabric Root, go to set the FortiAnalyzer first.

    Fabric name Enter a name for the fabric connector.
    Allow other Security Fabric devices to join Enable it and select an interface. Security Fabric Connection would be set to allowed access of this interface.
    SAML Single Sign-On Enable it.
    Mode It's automatically set to Identity Provider (IdP) after enabling SAML Single Sign-On.
    IdP certificate Select a certificate from the list, such as Fortinet_CA_SSL.
    Management IP/FQDN

    It is automatically set as Specify with the IP of the port selected in Allow other Security Fabric devices to join after enabling SAML Single Sign-On.

    Management port

    Select Use Admin Port.

Configuring SSO on FortiWeb

  1. Go to Security Fabric > Fabric Connectors.
  2. Click FortiGate, then click Edit.
  3. Configure the following settings.
    Status Enable it.
    Upstream IP

    The FortiGate IP. If you have multiple FortiGate appliances and they are deployed as Fabric net, enter the IP address of the Fabric root.

    This IP would be the IP of the interface that is selected in the Allow other Security Fabric devices to join field on the FortiGate.

    Upstream Port Use the default 8013.
    Configuration Sync

    Set it to default.

    Default means when Fabric connection with FortiGate is established, the Single Sign-On mode would be enabled automatically and FortiGate would enable synchronizing SAML Single-Sign-On related settings to the FortiWeb device.

    Local means when Fabric connection with the FortiGate is established, you need to manually enable Single Sign-On mode and manually configure the SAML Single-Sign-On settings.

    It's recommended to set it as Default.

    Management IP Enter FortiWeb GUI management IP.
    Management Port Enter FortiWeb GUI management HTTPS port. This must be the same as the setting of the HTTPS in System > Admin > Settings in FortiWeb.
  4. Click OK to save.
  5. Log in to FortiGate's GUI. Go to Security Fabric to manually authorize this FortiWeb device. In the meantime, the Connection Status in the Fabric Connector editor in FortiWeb would be Auth Pending.
  6. After manually authorizing the FortiWeb device on FortiGate, you would see your FortiWeb get connected on FortiGate in a few minutes.
  7. Log in to FortiWeb. Go to Security Fabric > Fabric Connectors.
  8. Click FortiGate, then click Edit. You should see the Connection Status is changed to Authorized, and the SP Address, IdP Entity ID, IdP Single Sign-On URL, and IdP Single Logout URL are synced by FortiGate.
  9. Configure the following settings.
    Single Sign-On Mode

    Enable it.

    When this is enabled, the Single Sign-On option will be available on the login page of FortiWeb.

    Default Login Page
    • Normal: When accessing to FortiWeb GUI, the login page has both Single Sign-On and Non Single Sign-On login options.

    • Single Sign-On: When accessing to FortiWeb GUI, it would redirect to the SAML Single Sign-On login page. Non Single Sign-On login is not available. User can only log in with FortiGate administrator accounts

    Default SSO Admin Profile

    Logging in to FortiWeb via FortiGate Fabric Single Sign-On does not share the same admin profile between FortiWeb and FortiGate. It requires specifying profiles to those FortiGate administrator accounts on FortiWeb.

    The profiles created in System > Admin > Profiles are populated in the drop-down list. The selected profiles will be assigned to the FortiGate administrator accounts that are used to log in to FortiWeb via the SAML Single Sign-On.

    The following two default profiles are listed together with the customized profiles if any:

    • admin_no_access: users will be assigned with none access privilege.

    • prof_admin: this is FortiWeb's default profile for root admin.
    SP Certificate Select the Local Admin Certificate used for the Single Sign-On. This is optional. Single Sign-On could work with or without the certificate.
    Certificates imported in Admin Cert Local tab in System > Admin > Certificates are listed here.

Single Sign-On accounts on FortiWeb

With Single Sign-On Mode enabled, users will be redirected to FortiGate's Single Sign-On Provider page when they click Single Sign-On on FortiWeb's login page. They will be required to log in with FortiGate's administrator account.

After first time logging in, this account will be automatically created on FortiWeb. Go to System > Admin > Administrators, you will see that this account has been created in SSO Admin table, and is assigned with the profile defined by Default SSO Admin Profile in step 9 when Configuring SSO on FortiWeb.