EMS Administration Guide

SAML SSO

You can enable SAML SSO to allow users to log in to EMS using a FortiGate as an identity provider (IdP).

Caution

You can only use the SAML SSO feature in EMS with a FortiGate as the IdP. EMS does not support using FortiAuthenticator as an IdP or custom IdPs.

To configure SAML SSO:
  1. Configure SAML SSO in FortiOS. See Configuring single-sign-on in the Security Fabric. Ensure that you download the IdP certificate and copy the service provider (SP) prefix to use when configuring SAML SSO on EMS.

  2. In EMS, go to System Settings > SAML SSO.
  3. Click Enable SAML SSO.
  4. Configure Service Provider Settings. In this configuration, EMS is the SP:

    SP Address: Enter the EMS IP address. You can also click the Use Current Browser Address button to autopopulate the field. Your browser must be able to access this IP address.

    SP Certificate: Click Upload new certificate to upload the SP certificate. Only upload an SP certificate if you uploaded the same certificate for this SP (in this case, EMS) in FortiOS in step 1.

  5. Configure Identity Provider Settings. In this configuration, the FortiGate is the IdP:

    IdP Address: Enter the FortiGate IP address. Your browser must be able to access this IP address.

    Prefix: Enter the prefix generated in FortiOS for the SP.

    IdP Certificate: Click Upload new certificate to upload the IdP certificate. Upload the same certificate that you configured for the IdP (the FortiGate) in FortiOS in step 1.

  6. Click Save.
  7. In FortiOS, create a new system administrator. These users can log in to EMS using SAML SSO.

Note

For a user to log in using SAML SSO, you must enable remote HTTPS access on EMS. See Configuring EMS settings.
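Steps 4 and 5 both require that the certificate uploaded to EMS is the same one configured on the FortiGate. A mismatched IdP certificate means EMS cannot verify the FortiGate's signed SAML responses, and the symptom is usually an unhelpful login failure. The following script is an added example (not Fortinet code and not part of this guide) that compares the IdP certificate downloaded from FortiOS with the copy you are about to upload, by SHA-256 fingerprint of the DER encoding, which is the thumbprint value most certificate viewers display. It assumes both inputs are PEM text; the sample certificates embedded at the bottom are constructed placeholders, not real X.509 data, and exist only so the script runs offline.

```python
"""Compare two PEM certificates by SHA-256 fingerprint before uploading to EMS.

Added example, not Fortinet code. Assumes PEM input; compares the DER bytes of
the first certificate block in each input, so a chain file is compared by its
leaf certificate and flagged with a warning.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_certificates(text: str) -> list[bytes]:
    """Return the DER bytes of every certificate block in a PEM string.

    Whitespace and CRLF line endings inside a block are ignored, so a file saved
    on Windows compares equal to the same certificate saved on Linux. A chain
    file (several blocks) yields several entries, leaf first.
    """
    ders = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())
        ders.append(base64.b64decode(body, validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form shown by certificate viewers."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def compare_certificates(downloaded_pem: str, to_upload_pem: str) -> dict:
    """Compare the leaf certificate of each PEM input.

    Returns both fingerprints, whether they match, and any warnings (no PEM
    block found, or a chain supplied where a single certificate was expected).
    """
    warnings = []
    result = {"match": False, "downloaded": None, "to_upload": None, "warnings": warnings}
    for label, pem in (("downloaded", downloaded_pem), ("to_upload", to_upload_pem)):
        certs = pem_certificates(pem)
        if not certs:
            warnings.append(f"{label}: no PEM certificate block found")
            continue
        if len(certs) > 1:
            warnings.append(f"{label}: {len(certs)} certificates found; comparing the first only")
        result[label] = fingerprint(certs[0])
    if result["downloaded"] and result["to_upload"]:
        result["match"] = result["downloaded"] == result["to_upload"]
    return result


def constructed_pem(payload: bytes) -> str:
    """Wrap constructed bytes in a PEM-shaped block (sample input only, not a real certificate)."""
    b64 = base64.encodebytes(payload).decode()  # 76-character lines, trailing newline
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample inputs standing in for the FortiGate IdP certificate and
# an unrelated certificate. They are placeholders, not real X.509 data.
SAMPLE_IDP_PEM = constructed_pem(b"constructed placeholder: FortiGate IdP certificate")
SAMPLE_OTHER_PEM = constructed_pem(b"constructed placeholder: some other certificate")


if __name__ == "__main__":
    # The same certificate saved with Windows line endings still matches.
    print(compare_certificates(SAMPLE_IDP_PEM, SAMPLE_IDP_PEM.replace("\n", "\r\n")))
    # A different certificate does not match.
    print(compare_certificates(SAMPLE_IDP_PEM, SAMPLE_OTHER_PEM))
```

In practice, replace the constructed samples with the file downloaded from FortiOS in step 1 and the file you intend to upload in step 5, and treat any warning about multiple certificate blocks as a sign that you exported a chain rather than the single IdP certificate EMS expects.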

To log in to EMS using SSO:
  1. Double-click the FortiClient Endpoint Management Server icon.
  2. Click Sign in with SSO.
  3. EMS displays the SSO login page. Enter a username and password configured in FortiOS, then click Login.

Note

When an administrator logs in to EMS with SSO for the first time, they have restricted permissions. An EMS super administrator can adjust permissions for the new administrator.
