Integrate FortiAnalyzer management into the Security Fabric using SAML SSO
Integrate FortiAnalyzer management into the Security Fabric using SAML SSO

When a FortiGate is configured as the SAML SSO IdP, FortiAnalyzer can register itself as the SP (FortiAnalyzer must be running version 6.4.0). Once registered, FortiAnalyzer will be added automatically to the Security Fabric navigation in FortiOS. A similar dropdown navigation is displayed in FortiAnalyzer where users can navigate to the FortiGate using SAML SSO.

The following example assumes the root FortiGate (FGTA-1, server address 172.17.48.225:4431) has been configured as the SAML SSO IdP, and FortiAnalyzer logging has been enabled in the Security Fabric settings.

To enable FortiAnalyzer as a Fabric SP in the GUI:
  1. In FortiAnalyzer, go to System Settings > Admin > SAML SSO.
  2. For Single Sign-On Mode, click Fabric SP and enter the SP Address.

  3. Click Apply.

    FortiAnalyzer will automatically register itself on the FortiGate as an appliance visible in the list of SPs. Go to Security Fabric > Fabric Connectors, edit the Security Fabric Setup connector, then click Advanced Options to view the list of SPs.

To enable FortiAnalyzer as a Fabric SP in the CLI:
  1. In FortiAnalyzer, enable the device as a Fabric SP:
    config system saml
        set status enable
        set role FAB-SP
        set server-address "172.17.48.225:4253"
    end

    FortiAnalyzer will register itself on the FortiGate as an appliance. To view the configuration in FortiOS:

    show system saml
        config service-providers
            edit "appliance_172.17.48.225:4253"
                set prefix "csf_p0m9dvltwt28r3gt87runs2nb929mwz"
                set sp-entity-id "http://172.17.48.225:4253/metadata/"
                set sp-single-sign-on-url "https://172.17.48.225:4253/saml/?acs"
                set sp-single-logout-url "https://172.17.48.225:4253/saml/?sls"
                set sp-portal-url "https://172.17.48.225:4253/saml/login/"
                config assertion-attributes
                    edit "username"
                    next
                    edit "profilename"
                        set type profile-name
                    next
                end
            next
        end

To navigate between devices using SAML SSO:
  1. Log in to the root FortiGate.
  2. In the toolbar, click the device name to display the Security Fabric members dropdown.
  3. Hover over the FortiAnalyzer and click Login.

  4. Log in to the FortiAnalyzer using SAML SSO.
  5. In the toolbar, click the Security Fabric members dropdown to navigate between other FortiGates.