FortiAnalyzer supports SAML SSO as part of one or more Security Fabrics.
- On the root FortiGate of the Security Fabric, enable SAML Single Sign-On, and configure logging to FortiAnalyzer by entering the FortiAnalyzer IP address.
- On FortiAnalyzer, authorize FortiGate to an ADOM (or the root ADOM).
- On FortiAnalyzer, go to System Settings > SAML SSO > Fabric SP. Enter the FortiAnalyzer SP address (the address the Fabric devices use to reach FortiAnalyzer), choose an existing admin profile as the default profile for SSO admin users, and click Apply. This default profile is granted to every admin who logs in through Fabric SSO, so choose the least-privileged profile that fits rather than a super-user profile.
After a short wait (approximately 5 minutes), check the Fabric IdPs table on the Fabric SP page. Information about Fabric IdPs is displayed.
- Log in using Fabric SSO from the FortiAnalyzer login page.
When logging in with Fabric SSO, each Fabric IdP registered on FortiAnalyzer is displayed. Choose an IdP to log in to using the SSO admin user account.
Each SAML Fabric IdP is bound to the ADOM to which its root FortiGate was authorized, and the SSO admin only has access to that specific ADOM on FortiAnalyzer.
From the top-right corner menu on FortiAnalyzer, a Fabric tree including all FortiGates in the Fabric is displayed. Click a Fabric device to access that device through the SSO admin user.
From the root FortiGate of the Security Fabric, administrators can view the Fabric tree in the top-left corner of the screen. Click a Fabric device to access that device through the SSO admin user.
- Additional Security Fabric IdPs can be registered by authorizing the root Fabric device onto a different FortiAnalyzer ADOM and repeating the steps above.
The resulting configuration, as shown from the FortiAnalyzer CLI (the fabric-idp entries are populated automatically from the authorized root FortiGates):

```
FAZVM64 # config sys saml
(saml)# show
config system saml
    set status enable
    set role FAB-SP
    set server-address "10.2.90.216"
    set default-profile "SSO_RW"
    config fabric-idp
        edit "FGVM02TM20000893"
            set idp-cert "csf-FGVM02TM20000893"
            set idp-entity-id "http://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/metadata/"
            set idp-single-logout-url "https://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/logout/"
            set idp-single-sign-on-url "https://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/login/"
            set idp-status enable
        next
        edit "FGVM02TM20000899"
            set idp-cert "csf-FGVM02TM20000899"
            set idp-entity-id "http://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/metadata/"
            set idp-single-logout-url "https://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/logout/"
            set idp-single-sign-on-url "https://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/login/"
            set idp-status enable
        next
    end
end
```
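The following is an added example and not part of the original page or of any Fortinet tool. It parses `show system saml` output of the form shown above and verifies the points the procedure depends on: the role is FAB-SP, a default profile is set (and is not a super-user profile), and every registered Fabric IdP is enabled, has a signing certificate bound, and exposes its single sign-on and single logout endpoints over HTTPS. The sample output is the page's own example re-wrapped one statement per line as the CLI prints it; the function names are this example's own.

```python
"""Parse FortiAnalyzer `show system saml` output and sanity-check the Fabric SP
configuration after the Fabric IdPs have registered."""
import shlex
from urllib.parse import urlparse

# Constructed sample: the page's `show system saml` output, one statement per
# line. Addresses and serial numbers are the page's example values only.
SAMPLE_SHOW = """\
config system saml
    set status enable
    set role FAB-SP
    set server-address "10.2.90.216"
    set default-profile "SSO_RW"
    config fabric-idp
        edit "FGVM02TM20000893"
            set idp-cert "csf-FGVM02TM20000893"
            set idp-entity-id "http://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/metadata/"
            set idp-single-logout-url "https://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/logout/"
            set idp-single-sign-on-url "https://10.2.90.212/saml-idp/csf_j7mi9ojacy1g0wuzpe5pox8l7zgq3cs/login/"
            set idp-status enable
        next
        edit "FGVM02TM20000899"
            set idp-cert "csf-FGVM02TM20000899"
            set idp-entity-id "http://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/metadata/"
            set idp-single-logout-url "https://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/logout/"
            set idp-single-sign-on-url "https://10.2.90.215/saml-idp/csf_wl5j3jgxvq70wtvhn503vbu7fetths5/login/"
            set idp-status enable
        next
    end
end
"""


def parse_saml_config(text):
    """Return (sp_settings, {idp_name: {key: value}}) from `show system saml` output.

    Top-level `set` lines land in sp_settings; `set` lines inside a
    `config fabric-idp` / `edit <name>` block land in that IdP's dict.
    """
    sp, idps = {}, {}
    current = None           # name of the fabric-idp entry being parsed
    in_idp_table = False
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())   # handles the quoted values
        if not tokens:
            continue
        if tokens[:2] == ["config", "fabric-idp"]:
            in_idp_table = True
        elif tokens[0] == "edit" and in_idp_table and len(tokens) > 1:
            current = tokens[1]
            idps[current] = {}
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            if in_idp_table and current is None:
                in_idp_table = False    # closes the fabric-idp table
        elif tokens[0] == "set" and len(tokens) >= 3:
            key, value = tokens[1], " ".join(tokens[2:])
            (idps[current] if current is not None else sp)[key] = value
    return sp, idps


def check_fabric_sp(sp, idps):
    """Return a list of findings; an empty list means the Fabric SP config looks sound."""
    findings = []
    if sp.get("status") != "enable":
        findings.append("SAML is not enabled")
    if sp.get("role") != "FAB-SP":
        findings.append(f"role is {sp.get('role')!r}, expected FAB-SP")
    profile = sp.get("default-profile")
    if not profile:
        findings.append("no default admin profile set for SSO admins")
    elif profile == "Super_User":   # hardening choice: every SSO admin inherits this profile
        findings.append("default-profile is Super_User; prefer a least-privileged profile")
    if not idps:
        findings.append("no Fabric IdPs registered yet (allow ~5 minutes after authorizing the root FortiGate)")
    for name, idp in idps.items():
        if idp.get("idp-status") != "enable":
            findings.append(f"{name}: IdP is not enabled")
        if not idp.get("idp-cert"):
            findings.append(f"{name}: no IdP signing certificate bound")
        for key in ("idp-single-sign-on-url", "idp-single-logout-url"):
            url = idp.get(key, "")
            if urlparse(url).scheme != "https":
                findings.append(f"{name}: {key} is not HTTPS ({url or 'missing'})")
    return findings


if __name__ == "__main__":
    settings, fabric_idps = parse_saml_config(SAMPLE_SHOW)
    for finding in check_fabric_sp(settings, fabric_idps) or ["OK: Fabric SP configuration passes all checks"]:
        print(finding)
```

Feed it the output of `show system saml` captured from the FortiAnalyzer CLI; the IdP entity IDs are plain identifiers and are not checked for scheme, only the endpoints a browser is actually redirected to.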