SAML SSO
SAML SSO enables a single FortiGate device to act as the Identify Provider (IdP), while other FortiGate devices act as Service Providers (SP) and redirect log ins to the IdP.
All administrators must be actively added into each SP. When an administrator first logs in to an SP, a temporary account is created with the no access profile, and the device administrator must enable access for each account on each device.
Configure FGT_A as the IdP:
- Log in to FGT_A with the device administrator account.
- Go to User & Device > SAML SSO.
- Set the Mode to Identity Provider (IdP).
- Configure the IdP address and certificate.
- Add an SP:
- In the Service Providers table, click Create New.
- Enter the SP name, prefix, type, and address. Copy the prefix, as it will be needed when configuring FGT_B.
- Configure other settings as needed.
- Click OK.
- Click Apply.
Configure FGT_B as an SP:
- Log in to FGT_B with the device administrator account.
- Go to User & Device > SAML SSO.
- Set the Mode to Service Provider (SP).
- Configure the SP address.
- Configure the IdP settings:
- Set IdP type to Fortinet Product.
- Enter the IdP address, as configured on FGT_A.
- Enter the prefix copied from FGT_A.
- Select the same certificate as used on FGT_A.
- Click Apply.
Create a new system administrator on the IdP (FGT_A):
- Log in to FGT_A with the device administrator account.
- Go to System > Administrators.
- Create a new administrator
- Set Type set to Local User.
- Configure other settings as needed.
- Click OK.
Log in the FGT_B using Single Sign-On:
- At the FGT_B log in prompt, click or via Single Sign-On.
The SSO log in prompt opens.
- Enter the log in information for the administrator that you just created on FGT_A.
-
Click Login.
A GUI warning opens.
As the account is using a restricted access profile, additional permissions must be granted by the device administrator.
- Click Logout.
Grant permissions to the new SSO administrator account:
- Log in to FGT_B with the device administrator account.
- Go to System > Administrators.
The new Single Sign-On Administrator was automatically created when it logged in the first time.
- Edit the new SSO admin and change their Administrator Profile.
- Click OK.
Log in the FGT_B using Single Sign-On again:
- At the FGT_B log in prompt, click or via Single Sign-On. The SSO log in prompt opens.
- Enter the log in information for the SSO administrator.
- Click Login.
FGT_B is successfully logged into.
CLI commands
To configure the IdP:
config system saml
set status enable
set role IDP
set cert "Fortinet_Factory"
set server-address "172.16.106.74"
config service-providers
edit "csf_172.16.106.74:12443"
set prefix "csf_ngczjwqxujfsbhgr9ivhehwu37fml20"
set sp-entity-id "http://172.16.106.74/metadata/"
set sp-single-sign-on-url "https://172.16.106.74/saml/?acs"
set sp-single-logout-url "https://172.16.106.74/saml/?sls"
set sp-portal-url "https://172.16.106.74/saml/login/"
config assertion-attributes
edit "username"
next
edit "tdoc@fortinet.com"
set type email
next
end
next
end
end
To configure an SP:
config system saml
set status enable
set cert "Fortinet_Factory"
set idp-entity-id "http://172.16.106.74/saml-idp/csf_ngczjwqxujfsbhgr9ivhehwu37fml20/metadata/"
set idp-single-sign-on-url "https://172.16.106.74/csf_ngczjwqxujfsbhgr9ivhehwu37fml20/login/"
set idp-single-logout-url "https://172.16.106.74/saml-idp/csf_ngczjwqxujfsbhgr9ivhehwu37fml20/logout/"
set idp-cert "REMOTE_Cert_1"
set server-address "172.16.106.74:12443"
end
To configure an SSO administrator:
config system sso-admin
edit "SSO-admin-name"
set accprofile <SSO admin user access profile>
set vdom <Virtual domain(s) that the administrator can access>
next
end