CLI Reference

system saml

You can configure Fabric Connector to use Single Sign-On (SSO) to log in to FortiWeb with FortiGate's administrator accounts.

Use this command to configure the single sign-on options on FortiWeb. Before using this command, you must first use config system csf to configure the Fabric Connector. For a complete guide, see Fabric Connector: Single Sign On with FortiGate.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system saml
  set status {enable | disable}
  set default-login-page
  set default-profile
  set idp-entity-id
  set idp-single-sign-on-url
  set idp-single-logout-url
  set server-address
end

status {enable | disable}

Enable or disable single sign-on mode. When this is enabled, the Single Sign-On option is available on the FortiWeb login page.

Default: disable

default-login-page

  • normal: When you access the FortiWeb GUI, the login page has both Single Sign-On and non-Single Sign-On login options.

  • sso: When you access the FortiWeb GUI, it redirects to the SAML Single Sign-On login page. Non-Single Sign-On login is not available. Users can only log in with FortiGate administrator accounts.

Default: normal

default-profile

FortiWeb and FortiGate do not share admin profiles when you log in to FortiWeb via FortiGate Fabric Single Sign-On. You must specify, on FortiWeb, the profiles for those FortiGate administrator accounts.

Choose from the profiles you have created in config system accprofile. The selected profile is assigned to the FortiGate administrator accounts that are used to log in to FortiWeb via SAML Single Sign-On.

Two default profiles are available, along with any custom profiles you have created:

  • admin_no_access: users are assigned no access privileges.

  • prof_admin: this is FortiWeb's default profile for the root admin.

Default: No default

idp-entity-id

Automatically synchronized from FortiGate if you have configured set configuration-sync enable in config system csf.

Default: No default

idp-single-sign-on-url

Automatically synchronized from FortiGate if you have configured set configuration-sync enable in config system csf.

Default: No default

idp-single-logout-url

Automatically synchronized from FortiGate if you have configured set configuration-sync enable in config system csf.

Default: No default

server-address

Automatically synchronized from FortiGate if you have configured set configuration-sync enable in config system csf.

Default: No default
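
An added example, not part of Fortinet's reference: a Python check that reads saved configuration text, extracts the config system saml block, and flags the options described above that deserve review once SSO is enabled. The sample configuration is constructed, and the script assumes a saved configuration uses the same config/set/end syntax shown on this page.

```python
import shlex

# Constructed sample (assumption: backups use the config/set/end syntax shown above).
SAMPLE_CONFIG = """\
config system csf
  set configuration-sync enable
end
config system saml
  set status enable
  set default-login-page sso
  set default-profile prof_admin
end
"""

def parse_saml_block(text):
    """Return the `set` options inside `config system saml`, or None if the block is absent."""
    settings, inside = None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # also strips quotes around values
        if tokens == ["config", "system", "saml"]:
            settings, inside = {}, True
        elif inside and tokens == ["end"]:
            inside = False
        elif inside and len(tokens) >= 2 and tokens[0] == "set":
            settings[tokens[1]] = " ".join(tokens[2:])
    return settings

def audit_saml(text):
    """List review findings for the SSO options documented on this page."""
    cfg = parse_saml_block(text)
    if cfg is None or cfg.get("status", "disable") != "enable":
        return []  # SSO is off (the documented default): nothing to review
    findings = []
    profile = cfg.get("default-profile")
    if not profile:
        findings.append("default-profile is unset: SSO logins need a profile "
                        "from config system accprofile")
    elif profile == "prof_admin":
        findings.append("default-profile is prof_admin: FortiGate administrators "
                        "logging in via SSO get FortiWeb's root admin profile")
    if cfg.get("default-login-page", "normal") == "sso":
        findings.append("default-login-page is sso: non-SSO login is not "
                        "available on the GUI login page")
    return findings

if __name__ == "__main__":
    for finding in audit_saml(SAMPLE_CONFIG):
        print("REVIEW:", finding)
```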
