You can enable SAML SSO to allow users to log in to EMS using a FortiGate as an identity provider (IdP).
You can only use the SAML SSO feature in EMS with a FortiGate as the IdP. EMS does not support using FortiAuthenticator as an IdP or custom IdPs.
To configure SAML SSO:
- Configure SAML SSO in FortiOS. See Configuring single-sign-on in the Security Fabric. Download the IdP certificate and note the service provider (SP) prefix that FortiOS generates; you need both when configuring SAML SSO on EMS.
- In EMS, go to System Settings > SAML SSO.
- Click Enable SAML SSO.
- Configure Service Provider Settings. In this configuration, EMS is the SP:
- Configure Identity Provider Settings. In this configuration, the FortiGate is the IdP:
Enter the FortiGate IP address. SAML SSO is driven by browser redirects, so the administrator's browser (not only the EMS server) must be able to reach this address.
Enter the prefix generated in FortiOS for the SP.
Click Upload new certificate to upload the IdP certificate.
Upload the same certificate that you configured for the IdP (the FortiGate) in FortiOS in step 1.
- Click Save.
- In FortiOS, create a system administrator for each person who will log in to EMS using SAML SSO.
For a user to log in using SAML SSO, you must enable remote HTTPS access on EMS. See Configuring EMS settings.
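A pre-flight check for step 1 (the downloaded IdP certificate) and the certificate upload under Identity Provider Settings, as an added example that is not part of the Fortinet documentation or product. It assumes you have saved the SAML 2.0 metadata exported from the FortiGate to a file and have the IdP certificate as PEM; it verifies that the certificate you are about to upload is the one the IdP actually signs with (a mismatch makes EMS reject every signed response), that the SSO endpoint is HTTPS, and that its host is the FortiGate address you entered in EMS. The metadata document and the "certificate" in it are constructed placeholders, and the endpoint paths are illustrative, not the real FortiOS ones.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET  # metadata comes from your own FortiGate; use defusedxml for untrusted input
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes of one certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding (what 'openssl x509 -sha256 -fingerprint' prints, minus colons/case)."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, signing-certificate fingerprints and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata by mistake?)")
    fps = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            fps.append(fingerprint(base64.b64decode("".join(cert.text.split()))))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_fingerprints": fps, "sso": sso}


def check_pairing(metadata_xml: str, cert_pem: str, fortigate_host: str) -> list:
    """Return a list of problems; an empty list means the EMS/FortiGate pairing looks consistent."""
    meta = parse_idp_metadata(metadata_xml)
    problems = []
    if fingerprint(pem_to_der(cert_pem)) not in meta["signing_fingerprints"]:
        problems.append("certificate to upload does not match any IdP signing certificate in the metadata; "
                        "EMS would reject every signed SAML response")
    location = meta["sso"].get(HTTP_REDIRECT) or meta["sso"].get(HTTP_POST)
    if location is None:
        problems.append("IdP advertises no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    else:
        url = urlparse(location)
        if url.scheme != "https":
            problems.append(f"SSO endpoint {location} is not https")
        if url.hostname != fortigate_host:
            problems.append(f"SSO endpoint host {url.hostname!r} differs from the FortiGate address "
                            f"{fortigate_host!r} entered in EMS; the browser redirect will go elsewhere")
    return problems


# --- constructed sample input: not a real certificate and not real FortiGate metadata ---
FAKE_DER = b"constructed placeholder bytes standing in for a DER-encoded certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
GOOD_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"
OTHER_PEM = GOOD_PEM.replace(FAKE_B64, base64.b64encode(b"a different certificate").decode())
FORTIGATE = "192.0.2.10"  # documentation address; substitute the IP entered in EMS
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://{FORTIGATE}/idp/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://{FORTIGATE}/idp/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for label, pem, host in (("matching cert", GOOD_PEM, FORTIGATE),
                             ("wrong cert", OTHER_PEM, FORTIGATE),
                             ("wrong FortiGate address", GOOD_PEM, "192.0.2.99")):
        print(label, "->", check_pairing(SAMPLE_METADATA, pem, host) or "OK")
```

The comparison is on the SHA-256 of the full DER certificate, not on the subject name, so a renewed or re-issued FortiGate certificate with the same subject is correctly flagged as a mismatch. The check does not parse the certificate itself (validity period, key usage), which needs a library such as `cryptography`.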
To log in to EMS using SSO:
- Double-click the FortiClient Endpoint Management Server icon.
- Click Sign in with SSO.
- EMS displays the SSO login page. Enter a username and password configured in FortiOS, then click Login.
When an administrator logs in to EMS with SSO for the first time, the account is created with restricted permissions. An EMS super administrator must then grant the new administrator the permissions they need.