kcheng
Staff & Editor
March 17, 2022

Technical Tip: Login to FortiGate GUI using FortiCloud SSO

Description
This article describes how to create IAM users in FortiCloud and allow them to log in to the FortiGate administrator GUI with read/write access.

Scope
FortiGate v7.0.x, FortiCloud SSO.

Solution

In FortiOS v7.0.0 and above, a new feature that allows FortiCloud SSO login has been introduced.

To enable FortiCloud SSO login, go to System -> Settings and toggle FortiCloud Single Sign-On to On:

FG.png

To configure IAM users in FortiCloud, log in to the FortiCloud portal (FortiCloud) with administrator access.

 

Follow the steps below:

  1. Select Services -> IAM.

IAM.png

  2. Select 'ADD IAM USER'.

IAM_U.png

  3. Enter the details of the user:

IAM_U2.png

  4. In the User Permissions section, select the pencil icon beside FortiOS SSO, and assign the proper access type:

Permission.png

  5. Review the configured details and select 'Confirm' to create the user:

Confirm.png

  6. Once the user has been created, a CSV file will be generated. Download it, as it contains the password the user needs to log in as an IAM user:

Created.png

  7. Send the downloaded CSV file to the corresponding user.

 

Once the above has been configured, proceed to log in to the FortiGate GUI using the usual URL (https://<fortigate-IP/domain>:<port>).

  • Notice an additional 'Sign in with FortiCloud' button. Select it.

signin.png

  • Select 'Sign in as IAM user':

signiniam.png

  • In the login form, fill in the details recorded in the CSV file downloaded previously:

login.png

  • The user is now logged in with FortiCloud SSO with the assigned rights:

succ.png

  • Once a user logs in successfully, an administrator user is created in System -> Administrators -> FortiCloud SSO Administrator:

Captura de pantalla 2026-01-19 192343.jpg
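For administrators who work from the FortiOS CLI instead of the GUI, the following is an added example (not part of the original article) showing the CLI counterpart of the System -> Settings toggle, a firmware version check that is useful given the vulnerable-version notes below, and a way to review the administrator accounts that FortiCloud SSO creates on first login. The `admin-forticloud-sso-login` setting under `config system global` is the FortiOS 7.0 CLI equivalent of the GUI toggle; the `system sso-forticloud-admin` table, which stores the auto-created SSO administrators, is assumed from the 7.0 CLI reference and should be confirmed against the CLI reference for the firmware in use.

```text
# Enable the 'Sign in with FortiCloud' button on the administrator GUI
# (CLI counterpart of System -> Settings -> FortiCloud Single Sign-On).
config system global
    set admin-forticloud-sso-login enable
end

# Confirm the firmware version before relying on SSO: the PSIRT notes
# below state that logins from vulnerable FortiOS versions are blocked.
get system status

# After an IAM user has signed in once, review the administrator accounts
# that were created for FortiCloud SSO users and the access profile each
# one received (table name assumed; see the lead-in).
show system sso-forticloud-admin
```

Reviewing the `sso-forticloud-admin` table after each new IAM user's first login lets the local administrator confirm that the access profile granted on the FortiGate matches the access type assigned in the FortiCloud IAM portal.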

 

Additional notes:

Note that FortiCloud SSO could fail in the following cases:

  • If the FortiGate is not registered to the FortiCare account used for login, it will reject the login and give the user the option to switch accounts or log in locally.
  • If the master account has '2FA auth enforcement' enabled, IAM users without 2FA configured will be rejected.
  • If the FortiGate is a VM appliance with a PAYG (Pay-As-You-Go) license: FortiCloud SSO is not yet supported on VMs with PAYG licenses.
  • If FortiOS is on a vulnerable version, according to the PSIRT announcement: Administrative FortiCloud SSO authentication bypass.
  • Access from a FortiGate running a vulnerable version has been blocked based on an update from the PSIRT blog: Analysis of Single Sign-On Abuse on FortiOS. The end user must upgrade to the recommended firmware version.