Administration Guide

SAML admin authentication

SAML can be enabled across devices so that an administrator can move between them without logging in to each one separately. FortiAnalyzer can act as the identity provider (IdP), or as a service provider (SP) when an external identity provider is available.

When FortiGate is acting as the IdP in a Security Fabric, FortiAnalyzer can be configured to automatically connect as a Fabric SP, allowing for easy setup of SAML authentication. See Enabling SAML authentication in a Security Fabric.

Devices registered as SPs on the IdP can be accessed through the Quick Access menu, which appears in the top-right corner of the main menu. The current device is indicated with an asterisk (currently only supported between FAZ/FMG).

Logging in to an SP device redirects you to the IdP login page. By default, this is a Fortinet login page. After successful authentication, you can access other SP devices from within the same browser session without authenticating again.

Note

The admin user must be created on both the IdP and the SP; otherwise you will see an error message stating that the admin doesn't exist. SAML SSO authenticates the administrator but does not create the account, so the account on each SP must exist with the admin profile that administrator is meant to hold there.

Caution

When accessing FortiGate from the Quick Access menu, if the FortiGate is set up to use the default login page with SSO options, you must select the via Single Sign-On button to be authenticated automatically.

To configure FortiAnalyzer as the identity provider:
  1. Go to System Settings > SAML SSO.
  2. Select Identity Provider (IdP).
  3. In the IdP Certificate dropdown, choose the certificate that FortiAnalyzer will use as the IdP.
  4. Select Download to save the IdP certificate. You will import it on each SP, which uses it to verify the assertions the IdP signs.
  5. Select Apply.
  6. In the SP Settings table, select Create to add a service provider.
  7. In the Edit Service Provider window:
    Name

    Enter a name for the service provider.

    IdP Prefix

    Copy the IdP prefix. This will be required when configuring your service providers.

    SP Type

    Select Fortinet as the SP Type.

    If the SP is not a Fortinet product, select Custom as the SP Type and copy the SP Entity ID, SP ACS (Login) URL, and SP SLS (Logout) URL from your SP's configuration page.

    SP Address

    Enter the IP address of the service provider.

  8. Select OK.
  9. Optionally, create a custom login page by moving the Login Page Template toggle to the On position and selecting Customize.

To configure FortiAnalyzer as a service provider:
  1. Go to System Settings > SAML SSO.
  2. Select Service Provider (SP).
  3. Select Fortinet as the IdP Type.
  4. Enter the IdP IP address and the IdP prefix that you obtained while configuring the IdP device.
  5. Select the IdP certificate.
    If this is a first-time setup, import the IdP certificate that you downloaded while configuring the IdP device. Each SP trusts only assertions signed by this certificate, so import the file you downloaded from the IdP rather than a certificate obtained elsewhere.
  6. Confirm that the information is correct and select Apply.
  7. Repeat the steps for each FAZ/FMG that is to be set as a service provider.

For information on configuring FortiAnalyzer as an SP in a Security Fabric, see: Enabling SAML authentication in a Security Fabric.
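The IdP certificate downloaded in step 4 of the IdP procedure is the trust anchor that every SP imports in step 5 of the SP procedure. The following is an added example, not Fortinet code or part of this guide: a standard-library-only script that pins the SHA-256 fingerprint of the downloaded file (to compare with what each SP shows after import) and reads its validity window so an expiring IdP certificate is noticed before SSO stops working. The certificate it runs on at the bottom is a constructed, unsigned X.509-shaped structure with only the validity field populated; on a real deployment you would pass the PEM file downloaded from the IdP instead.

```python
"""Pre-flight check of a downloaded SAML IdP certificate before importing it on SPs.

Added example (not Fortinet code). Uses only the standard library: a minimal DER
walker pulls the validity window out of the X.509 structure, and the SHA-256
fingerprint gives a value to compare against what each SP displays after import.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone
from typing import Optional


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def _der_time(tag: int, val: bytes) -> datetime:
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:
        year = int(s[:2])
        s = f"{year + (2000 if year < 50 else 1900)}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der: bytes):
    """Return (notBefore, notAfter) from Certificate.tbsCertificate.validity."""
    _, cert, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]            # serialNumber, signature, issuer, validity
    (t1, v1), (t2, v2) = list(_children(validity))
    return _der_time(t1, v1), _der_time(t2, v2)


def fingerprint_sha256(der: bytes) -> str:
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def check_idp_cert(pem: str, expected_fp: Optional[str] = None,
                   now: Optional[datetime] = None) -> dict:
    """Compare the file's fingerprint to the pinned value and check its validity window."""
    der = pem_to_der(pem)
    fp = fingerprint_sha256(der)
    not_before, not_after = cert_validity(der)
    now = now or datetime.now(timezone.utc)
    problems = []
    if expected_fp and fp.replace(":", "").upper() != expected_fp.replace(":", "").upper():
        problems.append("fingerprint mismatch")
    if not not_before <= now <= not_after:
        problems.append("not within validity period")
    elif (not_after - now).days < 30:
        problems.append("expires in under 30 days")
    return {"fingerprint": fp, "not_before": not_before, "not_after": not_after,
            "problems": problems}


# --- constructed sample input (NOT a real certificate) -------------------------
def _enc(tag: int, val: bytes) -> bytes:
    """Minimal DER encoder used only to build the sample below."""
    n = len(val)
    if n < 128:
        return bytes([tag, n]) + val
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + val


def build_sample_cert(not_before: bytes, not_after: bytes) -> str:
    """Unsigned X.509-shaped structure with only the validity field populated."""
    sig_alg = _enc(0x30, _enc(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA OID
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02"))              # version v3
                     + _enc(0x02, b"\x01")                       # serialNumber
                     + sig_alg + _enc(0x30, b"")                  # signature, issuer
                     + _enc(0x30, _enc(0x18, not_before) + _enc(0x18, not_after))  # validity
                     + _enc(0x30, b"") + _enc(0x30, b""))         # subject, subjectPublicKeyInfo
    der = _enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00"))         # empty signature BIT STRING
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    sample = build_sample_cert(b"20240101000000Z", b"20250101000000Z")
    print(check_idp_cert(sample, now=datetime(2024, 6, 1, tzinfo=timezone.utc)))
```

Run `check_idp_cert(open("idp.crt").read(), expected_fp="<fingerprint recorded from the IdP>")` on the real download; an empty `problems` list means the file matches what the IdP handed out and is currently valid. The parser deliberately reads only the validity field, so it does not verify the certificate's own signature; that is the SP's job once the certificate is imported.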
