SAML SSO Login issues
On 7.0.1, you can configure Security Fabric > Fabric Connectors to use Single Sign-On (SSO) to log in to FortiWeb with FortiGate's administrator accounts.
Please refer to "Fabric Connector: Single Sign On with FortiGate" in FortiWeb Administration Guide for detailed configuration steps.
Configuration Tips:
- On FortiGate, “Security Fabric role” should be set to “Serve as Fabric Root”;
- On FortiWeb, “Configuration Sync” should be set to “Default”, which means that once the Fabric connection with FortiGate is established, Single Sign-On mode is enabled automatically and FortiGate synchronizes its SAML Single Sign-On settings to the FortiWeb device.
Please note that when multiple FortiWeb appliances are deployed in HA mode, the SAML SSO configuration is synchronized between them but the IdP certificate is not. As a result, after an HA failover the new primary FortiWeb needs to be authorized on FortiGate again.
On 7.0.2, FortiWeb enhances this feature and supports Azure AD SSO and FortiAuthenticator as SAML IdP directly.
Configuration Tips:
- FortiWeb only supports one IdP server;
- To configure Azure AD or FortiAuthenticator as SAML IdP, “Status” should be disabled, and “Configuration Sync” needs to be set to “Local”;
- Upload the IdP certificate via the corresponding button;
- 2FA with FortiToken is supported when FortiAuthenticator is configured as the IdP.
Common troubleshooting steps:
- Check if the IdP configuration (on FortiGate, FortiAuthenticator or Azure AD) and the SP configuration (on FortiWeb) are correct and accurate;
- Check if the “Connection Status” is Authorized when the IdP is FortiGate;
  When the IdP is not FortiGate, the “Connection Status” is always N/A because “Status” is disabled.
- Check if the IdP certificate is uploaded successfully;
  You can check whether /var/log/debug/nstd/cert.pem is present or has been updated.
  When the IdP is FortiGate, the IdP certificate is downloaded automatically;
  When the IdP is Azure AD or FortiAuthenticator, the IdP certificate needs to be downloaded from the IdP and uploaded to FortiWeb.
- Check diagnose debug logs:
diagnose debug application samld 7
diagnose debug enable
- Check logs on IdPs such as FortiAuthenticator.
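A common cause of a failed SAML login is that the certificate uploaded to the SP is stale (for example after the IdP rotated its signing key), so the IdP/SP configuration check above is worth doing by fingerprint rather than by eye. The following is an added example, not Fortinet code: it pulls the signing certificate(s) out of standard SAML IdP metadata, compares their SHA-256 fingerprints with a PEM file such as the one FortiWeb stores, and ignores encryption-only keys. The metadata and the certificate bodies are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def idp_signing_certs(metadata_xml: str) -> List[bytes]:
    """Return the DER bytes of every certificate the IdP may sign assertions with."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" covers both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys never validate a response signature
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return certs

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the body (the uploaded cert.pem)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def uploaded_cert_matches(metadata_xml: str, uploaded_pem: str) -> bool:
    """True if the SP's uploaded certificate is one of the IdP's signing certs."""
    want = fingerprint(pem_to_der(uploaded_pem))
    return any(fingerprint(der) == want for der in idp_signing_certs(metadata_xml))

# Constructed sample data (not real certificates): stand-in DER bodies.
CURRENT_DER = b"constructed-idp-signing-cert-v2"   # what the IdP publishes now
STALE_DER = b"constructed-idp-signing-cert-v1"     # what an old upload would hold
ENC_DER = b"constructed-idp-encryption-cert"

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def to_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + b64(der) + "\n-----END CERTIFICATE-----\n"

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>
      {b64(CURRENT_DER)}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Certificate>
      {b64(ENC_DER)}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `uploaded_cert_matches(IDP_METADATA, open("cert.pem").read())` against metadata exported from FortiAuthenticator or Azure AD; a False result with an otherwise correct SP configuration points at a stale or wrongly chosen certificate upload.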