
Administration Guide

SAML admin authentication

SAML can be enabled across devices, enabling smooth movement between devices for the administrator. FortiAnalyzer can play the role of the identity provider (IdP) or the service provider (SP) when an external identity provider is available.

When FortiGate is acting as the IdP in a Security Fabric, FortiAnalyzer can be configured to automatically connect as a Fabric SP, allowing for easy setup of SAML authentication. See Enabling SAML authentication in a Security Fabric.

Devices configured on the IdP can be accessed through the Quick Access menu in the top-right corner of the main menu. The current device is indicated with an asterisk (currently only supported between FAZ/FMG).

Logging into an SP device will redirect you to the IdP login page. By default, it is a Fortinet login page. After successful authentication, you can access other SP devices from within the same browser without additional authentication.

When FortiAnalyzer is registered to FortiCloud, you can enable Allow admins to login with FortiCloud. This feature allows administrators to log in to FortiAnalyzer using their FortiCloud SSO account credentials. See FortiCloud SSO admin authentication.

Note

The admin user must be created on both the IdP and SP, otherwise you will see an error message stating that the admin doesn't exist.

Alternatively, you can configure the ADOM and profile names in the SP to match the IdP. When this is done, you can create one SAML SSO wildcard admin user on the SP to match all users on the IdP server.

Caution

When accessing FortiGate from the Quick Access menu, if FGT is set up to use the default login page with SSO options, you must select the via Single Sign-On button to be automatically authenticated.

To configure FortiAnalyzer as the identity provider:
  1. Go to System Settings > SAML SSO.
  2. Select Identity Provider (IdP).
  3. In the IdP Certificate dropdown, choose the certificate the IdP will use.
  4. Select Download to get the IdP certificate, used later to configure SPs.
  5. (Optional) A custom login page can be created by moving the Login Page Template toggle to the On position and selecting Customize.
  6. In the SP Settings table, select Create New to add a service provider.
  7. In the Edit Service Provider window, configure the following information:
    Name

    Enter a name for the service provider.

    IdP Prefix

    Copy the IdP prefix. This will be required when configuring your service providers.

    SP Type

    Select Fortinet as the SP Type.

    If the SP is not a Fortinet product, select Custom as the SP Type and copy the SP Entity ID, SP ACS (Login) URL, and SP SLS (Logout) URL from your SP's configuration page.

    SP Address

    Enter the IP address of the service provider.

    SAML Attributes

    SAML attributes can be added to a service provider to specify ADOM and/or profile names.

    FortiAnalyzer acting as IdP supports the following SAML attributes:

    • Type: Username, Attribute: username
    • Type: Profile Name, Attribute: profilename
    • Type: ADOM, Attribute: adoms

    Note

    SAML SSO Wildcard users

    As long as the SP has the same user profile, ADOM names, and user group as the IdP, you do not need to re-create each user from the IdP on the SP. Instead, you can create one SAML SSO wildcard admin user on the SP with the Match all users on remote server setting enabled to match all users on the IdP server.

    When logging in as an SSO user on the SP, the user is assigned the same profile and ADOMs as are configured on the IdP. See Creating administrators.

  8. Select OK to save changes to the service provider.
  9. Click Apply to save the IdP configuration.

To configure FortiAnalyzer as a service provider:
  1. Go to System Settings > SAML SSO.
  2. Select Service Provider (SP).
  3. Enter the Server Address, which is the browser-accessible address for this device.
  4. Optionally, configure the signing options:
    • Authentication Request Signed: Enable this setting to require that all authentication requests sent by the FortiAnalyzer service provider are signed. A valid SP certificate is required to enable this option.
    • Require Assertions Signed from IdP: Enable this setting to require that all assertions received from the IdP are signed.
  5. Configure the IdP Settings:
    1. Select the IdP type as Fortinet or Custom.
    2. Enter the IdP Address and the Prefix that you obtained while configuring the IdP device.
    3. Select the IdP certificate. If this is a first-time setup, you can import the IdP certificate that you downloaded while configuring the IdP device.
  6. Confirm that the information is correct and select Apply.
  7. Repeat the steps for each FAZ/FMG that is to be set as a service provider.

For information on configuring FortiAnalyzer as an SP in a Security Fabric, see: Enabling SAML authentication in a Security Fabric.

Supported SAML attribute overrides

The following SAML attributes are accepted by the FortiAnalyzer SAML service provider. Each entry lists the SAML attribute name, its description, and an example of the attribute as it appears in the assertion.

username

The username of the local/SSO user. This attribute is mandatory.

Example:

<Attribute Name="username">
  <AttributeValue>user1</AttributeValue>
</Attribute>

profilename

The Profile assigned to the user. If a matching profile exists on the FortiAnalyzer, it will be assigned to the user. This attribute is optional.

Example:

<Attribute Name="profilename">
  <AttributeValue>SSOPROFILE</AttributeValue>
</Attribute>

adoms

The ADOM(s) to which the user will have access. Multiple ADOMs can be specified in the SAML assertion if supported by the IdP. This attribute is optional.

Example:

<Attribute Name="adoms">
  <AttributeValue>ADOM1</AttributeValue>
  <AttributeValue>ADOM2</AttributeValue>
</Attribute>

groupmatch

The remote user groups to which the user belongs. You can specify the remote user group for a user by configuring the ext-auth-group-match value under Advanced Options when creating or editing an SSO user or wildcard user. See Creating administrators.

When the IdP user and matching SP SSO user have the same group specified, the user will be able to log in. If the values differ, login will fail.

Example:

<Attribute Name="groupmatch">
  <AttributeValue>grp1</AttributeValue>
</Attribute>
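The attribute rules above (username mandatory, profilename applied only when a matching profile exists, adoms multi-valued, groupmatch required to equal the SP user's group) can be checked offline against an assertion fragment. This is an added example, not Fortinet code: the AttributeStatement is constructed, the saml2 namespace and the SP-side ext-auth-group-match value are assumed, and an absent groupmatch is treated as a mismatch when the SP user requires one.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed fragment mirroring the examples in the attribute table above.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="username"><saml:AttributeValue>user1</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="profilename"><saml:AttributeValue>SSOPROFILE</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="adoms">
    <saml:AttributeValue>ADOM1</saml:AttributeValue>
    <saml:AttributeValue>ADOM2</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groupmatch"><saml:AttributeValue>grp1</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from a saml2 AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def evaluate_login(attrs, known_profiles, sp_group_match=None):
    """Apply the documented SP rules to parsed attributes.

    known_profiles: profile names that exist locally on the SP.
    sp_group_match: the ext-auth-group-match value configured on the SP SSO
    user (assumed setting name from the text); None means no group check.
    Returns (allowed, session_or_reason); the session dict carries the same
    fields the diagnose output shows (username, profile, adoms)."""
    if not attrs.get("username"):
        return False, "username attribute missing (mandatory)"
    if sp_group_match is not None:
        if attrs.get("groupmatch", [None])[0] != sp_group_match:
            return False, "groupmatch differs from SP user's group: login fails"
    profile = attrs.get("profilename", [None])[0]
    session = {
        "username": attrs["username"][0],
        # Optional: only applied when a matching profile exists on the SP.
        "profile": profile if profile in known_profiles else None,
        "adoms": list(attrs.get("adoms", [])),
    }
    return True, session
```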

You can use the following CLI command to verify that FortiAnalyzer applied the SAML attributes correctly.

diagnose system admin-session list

For example:

diagnose system admin-session list
*** entry 0 ***
session_id: 57410 (seq: 0)
username: user1
admin template: SSO
from: SSO(192.168.50.188) (type 7)
profile: SSOPROFILE
adom: adom1
session length: 3 (seconds)