EMS Administration Guide

SAML SSO with FortiGate as IdP

You can enable SAML SSO to allow users to log in to EMS using a FortiGate as an identity provider (IdP).

To configure SAML SSO:
  1. Configure SAML SSO in FortiOS with EMS as the service provider (SP). See Configuring single-sign-on in the Security Fabric. Ensure that you download the IdP certificate and copy the IdP entity ID and IdP single sign-on URL values to use when configuring SAML SSO on EMS.
  2. In EMS, go to Administration > SAML SSO.
  3. Click Enable SAML SSO.
  4. (Optional) EMS prepopulates the Assertion Attributes > Username Claim field with username as the value. This is the same default value as in FortiOS. If you change this value, ensure that you also change the value in FortiOS by going to Security Fabric > Fabric Connectors > Security Fabric Setup > SAML Single Sign-On Advanced Options. Edit the EMS SP and confirm that the value in SAML Attribute > Name is the same as the value in EMS in Assertion Attributes > Username Claim.
  5. Configure Service Provider Settings:

    SP Address: Enter the EMS IP address. You can also click the Use Current Browser Address button to autopopulate the field. Your browser must be able to access this IP address.

    SP Entity ID: This field is prepopulated. You do not need to provide this value to FortiOS when configuring SAML SSO for EMS using FortiGate as an IdP.

    SP ACS (login URL)

    SP Certificate: Click Upload new certificate to upload the SP certificate. Only upload an SP certificate if you uploaded the same certificate for this SP (in this case, EMS) in FortiOS in step 1.

  6. Configure Identity Provider Settings. In this configuration, the FortiGate is the IdP:

    IdP Entity ID: Enter the IdP entity ID value that you copied from FortiOS.

    IdP single sign-on URL: Enter the IdP single sign-on URL value that you copied from FortiOS.

    IdP Certificate: Click Upload new certificate to upload the IdP certificate. Upload the same certificate that you configured for the IdP (the FortiGate) in FortiOS in step 1.

  7. (Optional) Toggle on Enable Authorization Rules. When this feature is disabled, any SSO user from the IdP can become an EMS admin user. When this feature is enabled, only SSO users from the IdP that satisfy a configured rule can become an EMS admin user. To add a rule, click Add. In the Authorization Rule field, enter a username. This field is case-insensitive. Add as many rules as required. Only SSO users from the IdP whose usernames match a configured authorization rule can access EMS as an admin user.
    Note

    Deleting an authorization rule does not remove its associated users as admin users from EMS. You must delete them from Administration > Admin Users.

  8. Click Save.
  9. In FortiOS, create a new system administrator. System administrators created in FortiOS can log in to EMS using SAML SSO.
Note

For a user to log in using SAML SSO, you must enable remote HTTPS access on EMS. See Configuring EMS settings.
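The username-claim matching from step 4 and the authorization rules from step 7, modelled as an added Python example (this is not EMS or FortiOS code): it pulls the username out of a constructed SAML assertion using the configured Username Claim, then applies case-insensitive rule matching. The assertion, the attribute value "EMS-Admin1" and the rule names are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Namespace of SAML 2.0 assertion elements
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, shaped like what an IdP sends to an SP.
# Attribute Name "username" is the default SAML Attribute > Name in FortiOS
# and the default Username Claim in EMS (step 4).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>EMS-Admin1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_username(assertion_xml, username_claim="username"):
    """Return the value of the attribute whose Name equals the configured
    Username Claim, or None when the IdP sent no attribute under that name
    (the mismatch step 4 warns about)."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == username_claim:
            value = attr.find("saml:AttributeValue", NS)
            return value.text if value is not None else None
    return None


def authorize_admin(username, rules_enabled, rules):
    """Step 7 behaviour: rules disabled lets every SSO user become an admin;
    rules enabled requires a case-insensitive username match."""
    if username is None:
        return False  # no usable username claim, nothing to authorize
    if not rules_enabled:
        return True
    return username.casefold() in {r.casefold() for r in rules}


def sso_login(admins, assertion_xml, username_claim, rules_enabled, rules):
    """Simulate one SSO login against a set of existing EMS admins. A user
    who passes the rules is added; a user already in the set stays there
    even after the matching rule is removed (the note under step 7)."""
    user = extract_username(assertion_xml, username_claim)
    if authorize_admin(user, rules_enabled, rules):
        admins.add(user)
    return user is not None and user in admins
```

Changing only the EMS Username Claim (for example to "userName") while FortiOS still sends "username" makes extract_username return None, which is the failure mode step 4 tells you to avoid.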

To log in to EMS using SSO:
  1. Double-click the FortiClient Endpoint Management Server icon.
  2. Click Sign in with SSO.
  3. EMS displays the SSO login page. Enter a username and password configured in FortiOS, then click Login.
Note

When an administrator logs in to EMS with SSO for the first time, they have restricted permissions. An EMS super administrator can adjust permissions for the new administrator.