Version:

Version:

Version:


Table of Contents

New Features

Download PDF
Copy Link

SAML Fabric SSO

FortiAnalyzer supports SAML SSO as part of one or more Security Fabrics.

To enable SAML Fabric SSO on FortiAnalyzer:
  1. On the root FortiGate of the Security Fabric, enable SAML Single Sign-On, and configure FortiAnalyzer logging by inputting the IP address of FortiAnalyzer.
  2. On FortiAnalyzer, authorize FortiGate to an ADOM (or the root ADOM).
  3. On FortiAnalyzer, go to System Setting >SAML SSO >Fabric SP. Input the FortiAnalyzer SP IP address, choose an existing admin profile as default profile for SSO admin users, and click Apply.
    After a short wait (approximately 5 minutes), check the Fabric IdPs table on the Fabric SP page. Information about Fabric IdPs is displayed.
  4. Log in using Fabric SSO from the FortiAnalyzer login page.
    When logging in with Fabric SSO, each Fabric IdP registered on FortiAnalyzer is displayed. Choose an IdP to log in to using the SSO admin user account.
    Each SAML Fabric SSO is bound to the ADOM to which it was authorized, and the SSO admin only has access this specific ADOM on FortiAnalyzer.
    From the top-right corner menu on FortiAnalyzer, a Fabric tree including all FortiGates in the Fabric is displayed. Click a Fabric device to access that device through the SSO admin user.
    From the root FortiGate of the Security Fabric, administrators can view the Fabric tree in the top-left corner of the screen. Click a Fabric device to access that device through the SSO admin user.
  5. Additional Security Fabric IdPs can be registered by authorizing the root Fabric device onto a different FortiAnalyzer ADOM and repeating the steps above.
To configure Fabric SAML SSO in the FortiAnalyzer CLI:
FAZVM64 # config sys saml

(saml)# show
config system saml
    set status enable
    set role FAB-SP
    set server-address "10.2.90.216"
    set default-profile "SSO_RW"
        config fabric-idp
            edit "FGVM02TM20000893"
                set idp-cert "csf-FGVM02TM20000893"
                set idp-entity-id "http://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/metadata/"
                set idp-single-logout-url "https://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/logout/"
                set idp-single-sign-on-url "https://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/login/"
                set idp-status enable
            next
            edit "FGVM02TM20000899"
                set idp-cert "csf-FGVM02TM20000899"
                set idp-entity-id "http://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/metadata/"
                set idp-single-logout-url "https://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/logout/"
                set idp-single-sign-on-url "https://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/login/"
                set idp-status enable
            next
        end
end

SAML Fabric SSO

FortiAnalyzer supports SAML SSO as part of one or more Security Fabrics.

To enable SAML Fabric SSO on FortiAnalyzer:
  1. On the root FortiGate of the Security Fabric, enable SAML Single Sign-On, and configure FortiAnalyzer logging by inputting the IP address of FortiAnalyzer.
  2. On FortiAnalyzer, authorize FortiGate to an ADOM (or the root ADOM).
  3. On FortiAnalyzer, go to System Setting >SAML SSO >Fabric SP. Input the FortiAnalyzer SP IP address, choose an existing admin profile as default profile for SSO admin users, and click Apply.
    After a short wait (approximately 5 minutes), check the Fabric IdPs table on the Fabric SP page. Information about Fabric IdPs is displayed.
  4. Log in using Fabric SSO from the FortiAnalyzer login page.
    When logging in with Fabric SSO, each Fabric IdP registered on FortiAnalyzer is displayed. Choose an IdP to log in to using the SSO admin user account.
    Each SAML Fabric SSO is bound to the ADOM to which it was authorized, and the SSO admin only has access this specific ADOM on FortiAnalyzer.
    From the top-right corner menu on FortiAnalyzer, a Fabric tree including all FortiGates in the Fabric is displayed. Click a Fabric device to access that device through the SSO admin user.
    From the root FortiGate of the Security Fabric, administrators can view the Fabric tree in the top-left corner of the screen. Click a Fabric device to access that device through the SSO admin user.
  5. Additional Security Fabric IdPs can be registered by authorizing the root Fabric device onto a different FortiAnalyzer ADOM and repeating the steps above.
To configure Fabric SAML SSO in the FortiAnalyzer CLI:
FAZVM64 # config sys saml

(saml)# show
config system saml
    set status enable
    set role FAB-SP
    set server-address "10.2.90.216"
    set default-profile "SSO_RW"
        config fabric-idp
            edit "FGVM02TM20000893"
                set idp-cert "csf-FGVM02TM20000893"
                set idp-entity-id "http://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/metadata/"
                set idp-single-logout-url "https://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/logout/"
                set idp-single-sign-on-url "https://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/login/"
                set idp-status enable
            next
            edit "FGVM02TM20000899"
                set idp-cert "csf-FGVM02TM20000899"
                set idp-entity-id "http://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/metadata/"
                set idp-single-logout-url "https://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/logout/"
                set idp-single-sign-on-url "https://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/login/"
                set idp-status enable
            next
        end
end