SAML admin authentication – FortiAnalyzer – FortiOS 6.2.3

SAML admin authentication

SAML single sign-on can be enabled across all Security Fabric devices, so that an administrator can move between devices without logging in to each one. FortiAnalyzer can play the role of the identity provider (IdP), or of a service provider (SP) when another identity provider is available.

Devices configured as service providers on the IdP can be reached through the Quick Access menu, which appears in the top-right corner of the main menu. The current device is marked with an asterisk (this feature is currently supported only on FortiAnalyzer and FortiManager).

Logging in to an SP device redirects you to the IdP login page, which by default is a Fortinet login page. After successful authentication, you can open the other SP devices from the same browser session without authenticating again.

To configure FortiAnalyzer as the identity provider:

  1. Go to System Settings > SAML SSO.
  2. Select Identity Provider(IdP).
  3. In the IdP Certificate dropdown, select the certificate the IdP will use.
  4. Select Download to save the IdP certificate; you will import it on each SP later.
  5. Select Apply.
  6. In the SP Settings table, select Create to add a service provider.
  7. In the Edit Service Provider window:
    • Enter a name for the SP.
    • Select Fortinet as the SP Type.
    • If the SP is not a Fortinet product, select Custom as the SP Type and copy the SP Entity ID, SP ACS (Login) URL, and SP SLS (Logout) URL from your SP's configuration page.
    • Enter the SP IP address.
    • Copy down the IdP Prefix. It is required when configuring SPs.
  8. Select OK.
  9. To use a custom login page, move the Login Page Template toggle to the On position and select Customize.
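Step 7's Custom SP type needs three values copied from the third-party SP. When that SP publishes standard SAML 2.0 metadata, they can be pulled out of the metadata document instead of transcribed by hand. The following is an added example, not FortiAnalyzer or Fortinet code; the metadata document and the sp.example.internal URLs are constructed, and the function is general to any SP metadata that advertises an HTTP-POST AssertionConsumerService:

```python
"""Extract the values a Custom SP entry needs (SP Entity ID, ACS URL, SLS URL)
from an SP's SAML 2.0 metadata.  Added example; assumes the SP publishes
urn:oasis:names:tc:SAML:2.0:metadata, which is what most SAML products export."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample metadata for a hypothetical non-Fortinet SP (not a real product).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.internal/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.internal/saml/sls"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.internal/saml/artifact" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.internal/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the SP Entity ID, ACS (login) URL and SLS (logout) URL from SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("metadata root is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if not entity_id or sp is None:
        raise ValueError("no entityID or SPSSODescriptor: this is not SP metadata")
    # ACS: the IdP will HTTP-POST the signed Response here, so only the POST
    # binding is usable; prefer the entry marked isDefault, then the lowest index.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    acs_url = acs[0].get("Location")
    # SLS: logout is normally redirect-bound and is optional in metadata.
    sls = [e for e in sp.findall("md:SingleLogoutService", NS)
           if e.get("Binding") == REDIRECT_BINDING]
    sls_url = sls[0].get("Location") if sls else None
    # The IdP posts a bearer assertion to these URLs: refuse plaintext endpoints.
    for label, url in (("ACS", acs_url), ("SLS", sls_url)):
        if url is not None and not url.startswith("https://"):
            raise ValueError(f"{label} URL must use https: {url}")
    return {
        "sp_entity_id": entity_id,
        "sp_acs_url": acs_url,
        "sp_sls_url": sls_url,
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    for k, v in extract_sp_settings(SAMPLE_SP_METADATA).items():
        print(f"{k}: {v}")
```

The three returned URLs and ID are the values typed into the Custom SP form; `wants_signed_assertions` is worth checking too, since an SP that does not demand signed assertions will accept anything posted to its ACS URL.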

To configure FortiAnalyzer as a service provider:

  1. Go to System Settings > SAML SSO.
  2. Select Service Provider(SP).
  3. Select Fortinet as the IdP Type.
  4. Enter the IdP IP address and the IdP prefix that you obtained while configuring the IdP device.
  5. Select the IdP certificate.

If this is a first-time setup, import the IdP certificate that you downloaded while configuring the IdP device. Move that file over a trusted channel and compare its fingerprint with the certificate shown on the IdP before importing it: the SP will accept any SAML assertion signed with whatever certificate it is given.

  6. Confirm that the information is correct and select Apply.
  7. Repeat the steps on each FortiAnalyzer or FortiManager that is to act as a service provider.
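What the SP does with these settings once an administrator logs in: the IdP posts a signed SAML Response to the SP's ACS URL, and the SP must confirm that the Response is addressed to it, answers a request it actually sent, is issued by the configured IdP, is signed with the certificate imported in step 5, and is still inside its validity window. The following is an added example, not FortiAnalyzer code, showing those policy checks over a constructed Response. The Entity IDs, URLs, certificate bytes and the SP_CONFIG keys are assumptions, and the one thing it deliberately leaves out is the XMLDSig cryptographic verification itself, which needs an XML-security library:

```python
"""Policy checks an SP applies to a SAML Response before trusting it, using the
values the SP procedure configures.  Added example, not FortiAnalyzer code; all
names, URLs and the Response are constructed.  XMLDSig cryptographic verification
(canonicalisation plus the RSA/ECDSA check) is NOT performed here and must be
done by an XML-security library in a real SP; these are the checks around it."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes of a base64-encoded certificate."""
    return hashlib.sha256(base64.b64decode(re.sub(r"\s+", "", b64_der))).hexdigest()


# Constructed placeholder standing in for the downloaded IdP certificate (base64 DER).
IDP_CERT_B64 = base64.b64encode(b"constructed placeholder for the IdP DER certificate").decode()

# Hypothetical SP settings (assumed values and key names, not real Fortinet identifiers).
SP_CONFIG = {
    "sp_entity_id": "https://faz-sp.example.internal/saml/metadata",
    "acs_url": "https://faz-sp.example.internal/saml/acs",
    "idp_entity_id": "https://faz-idp.example.internal/saml-idp/metadata",
    "idp_cert_fingerprint": cert_fingerprint(IDP_CERT_B64),
}
SAMPLE_NOW = datetime(2020, 3, 10, 12, 1, tzinfo=timezone.utc)
SAMPLE_LATE = SAMPLE_NOW + timedelta(minutes=10)

# Constructed Response: a successful login for 'admin' addressed to the SP above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2020-03-10T12:00:00Z" InResponseTo="_req42"
 Destination="https://faz-sp.example.internal/saml/acs">
 <saml:Issuer>https://faz-idp.example.internal/saml-idp/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-03-10T12:00:00Z">
  <saml:Issuer>https://faz-idp.example.internal/saml-idp/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>""" + IDP_CERT_B64 + """</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>admin</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://faz-sp.example.internal/saml/acs"
     NotOnOrAfter="2020-03-10T12:05:00Z" InResponseTo="_req42"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-03-10T11:59:00Z" NotOnOrAfter="2020-03-10T12:05:00Z">
   <saml:AudienceRestriction>
    <saml:Audience>https://faz-sp.example.internal/saml/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, cfg, expected_request_id, now, skew=timedelta(seconds=60)):
    """Return the list of policy failures; an empty list means every check passed."""
    f = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"]
    # The Response must be for our ACS URL and answer a request we sent;
    # InResponseTo is what stops a captured Response being replayed.
    if root.get("Destination") != cfg["acs_url"]:
        f.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        f.append("InResponseTo does not match an outstanding AuthnRequest")
    sc = root.find("samlp:Status/samlp:StatusCode", NS)
    if sc is None or sc.get("Value") != SUCCESS:
        f.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return f + ["expected exactly one plaintext Assertion"]
    a = assertions[0]
    for el, label in ((root, "Response"), (a, "Assertion")):
        iss = el.find("saml:Issuer", NS)
        if iss is None or (iss.text or "").strip() != cfg["idp_entity_id"]:
            f.append(f"{label} Issuer is not the configured IdP")
    # The signing certificate must be the pinned one downloaded from the IdP;
    # a signature that verifies under some other certificate proves nothing.
    cert = a.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        f.append("Assertion carries no signature")
    elif cert_fingerprint(cert.text or "") != cfg["idp_cert_fingerprint"]:
        f.append("signing certificate is not the pinned IdP certificate")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        f.append("Assertion has no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            f.append("Assertion not yet valid")
        if na and now - skew >= _ts(na):
            f.append("Assertion expired")
        auds = [(x.text or "").strip()
                for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if cfg["sp_entity_id"] not in auds:
            f.append("our SP Entity ID is not in the Audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:
        f.append("SubjectConfirmationData Recipient is not our ACS URL")
    return f


if __name__ == "__main__":
    print("fresh:   ", check_response(SAMPLE_RESPONSE, SP_CONFIG, "_req42", SAMPLE_NOW))
    print("replayed:", check_response(SAMPLE_RESPONSE, SP_CONFIG, "_req99", SAMPLE_NOW))
    print("stale:   ", check_response(SAMPLE_RESPONSE, SP_CONFIG, "_req42", SAMPLE_LATE))
```

Every failure is reported rather than stopping at the first one, which is the behaviour you want in a log line when a login is rejected; the Audience and fingerprint checks are the ones that make a Response meant for another SP, or signed by a certificate the SP never imported, worthless even if its signature is cryptographically valid.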


This entry was posted in Administration Guides, FortiAnalyzer, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
