All the IP addresses used are for demonstration purposes only.

FortiAuthenticator configuration:

- The IP address 10.9.10.25 is used in this case for the SAML IdP.
- Configure the SAML IdP settings in FortiAuthenticator.
- A local user group is configured instead of LDAP/RADIUS. Remote LDAP/RADIUS servers can be used for authentication as well.
- The SP configuration is copied from the FortiGate.
- Configure the assertion attributes. 'FGTSAML' is the user group that can log in to the FortiGate as SSO Admin.
- IdP certificate: a default certificate is used in this article. Any other local certificate can also be used.

FortiGate SSO configuration:

FortiGate FIPS-CC enabled:
```
config system fips-cc
    set status enable
end
```

FIPS-CC can be enabled only from console access.

```
FG101F-1 # get sys status
Version: FortiGate-101F v7.0.12,build9223,240304 (FIPS-CC-70-16)
Security Level: 0
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Serial-Number: FG101FTKXXXXXXX
BIOS version: 05000008
System Part-Number: P24605-04
Log hard disk: Available
Hostname: FG101F-1
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable
Current HA mode: standalone
Branch point: 0523
Release Version Information: FIPS-CC-70-16
System time: Sat Oct 5 16:11:57 2024
Last reboot reason: power cycle
```
FortiGate interface: WAN1 connects to the FortiAuthenticator.

FortiGate SAML configuration (CLI reference):

```
config system saml
    set status enable
    set role service-provider
    set default-login-page normal
    set default-profile "super_admin"
    set binding-protocol redirect
    set idp-entity-id "http://10.9.10.25/saml-idp/fgtadmin/metadata/"
    set idp-single-sign-on-url "https://10.9.10.25/saml-idp/fgtadmin/login/"
    set idp-single-logout-url "https://10.9.10.25/saml-idp/fgtadmin/logout/"
    set idp-cert "FAC"
    set server-address "10.9.0.141"
end
```

Here 'FAC' is the certificate imported from FortiAuthenticator into the FortiGate as a Remote Certificate.

Configure the SSO Admin on the FortiGate (CLI reference):

```
config system sso-admin
    edit "FAC-SSO-admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
```

Final result:

This configuration can also be used for non-FIPS-certified FortiOS.
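The SP block above has a few settings that decide whether the admin login is actually trustworthy: SAML must be enabled with the service-provider role, the IdP sign-on and logout URLs must be HTTPS and point at the FortiAuthenticator, and `idp-cert` must name the imported certificate so assertion signatures can be verified. The following Python script is an added example, not part of this article or of Fortinet's tooling: it parses a `config system saml` block in FortiOS CLI text (a constructed copy of the block above is embedded as sample input) and reports deviations from that expected setup. The function names `parse_saml_block` and `audit_saml` and the expected-host argument are assumptions of this example.

```python
"""Audit a FortiGate 'config system saml' block for the settings the SSO-admin setup relies on.

Added example, not from the article or from Fortinet. It reads FortiOS CLI text
and reports findings; an empty list means the block matches the expected SP setup.
"""
import re
from urllib.parse import urlparse

# Constructed sample input: the SP configuration from the article, as CLI text.
SAMPLE_CONFIG = """\
config system saml
    set status enable
    set role service-provider
    set default-login-page normal
    set default-profile "super_admin"
    set binding-protocol redirect
    set idp-entity-id "http://10.9.10.25/saml-idp/fgtadmin/metadata/"
    set idp-single-sign-on-url "https://10.9.10.25/saml-idp/fgtadmin/login/"
    set idp-single-logout-url "https://10.9.10.25/saml-idp/fgtadmin/logout/"
    set idp-cert "FAC"
    set server-address "10.9.0.141"
end
"""

# Matches one 'set <key> <value>' line; the value may be a quoted string.
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_saml_block(text):
    """Return {key: value} for the 'set' lines inside 'config system saml' ... 'end'."""
    settings = {}
    inside = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config system saml":
            inside = True
            continue
        if stripped == "end":
            inside = False
            continue
        if not inside:
            continue
        m = SET_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            # FortiOS quotes string values; strip the surrounding quotes.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            settings[key] = value
    return settings


def audit_saml(settings, expected_idp_host):
    """Return a list of findings (strings); empty means the block looks as expected."""
    findings = []
    if settings.get("status") != "enable":
        findings.append("SAML SSO is not enabled")
    if settings.get("role") != "service-provider":
        findings.append("role must be service-provider on the FortiGate")
    # The browser is redirected to these URLs during login; they must be HTTPS
    # and must point at the FortiAuthenticator, not at some other host.
    for key in ("idp-single-sign-on-url", "idp-single-logout-url"):
        url = settings.get(key)
        if not url:
            findings.append(f"{key} is not set")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{key} does not use https")
        if parsed.hostname != expected_idp_host:
            findings.append(f"{key} points at {parsed.hostname}, expected {expected_idp_host}")
    # The entity ID is an identifier, not a fetched URL, so only its host is checked.
    entity = settings.get("idp-entity-id", "")
    if urlparse(entity).hostname != expected_idp_host:
        findings.append("idp-entity-id host does not match the IdP host")
    # Without idp-cert the FortiGate has no key to verify assertion signatures with.
    if not settings.get("idp-cert"):
        findings.append("idp-cert is not set: assertion signatures cannot be verified")
    if not settings.get("server-address"):
        findings.append("server-address (the SP's own address) is not set")
    return findings


if __name__ == "__main__":
    parsed_settings = parse_saml_block(SAMPLE_CONFIG)
    for finding in audit_saml(parsed_settings, "10.9.10.25") or ["no findings"]:
        print(finding)
```

Run it against `show system saml` output saved to a file to confirm a FortiGate's SP block before testing the SSO Admin login; the host check is what catches a configuration that still points at an old or lab IdP address.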