GabrFila
Staff
January 24, 2026

Technical Tip: FortiSASE SSO Integration with AWS IAM Identity Center as IdP

Description

This article describes how to integrate FortiSASE with AWS IAM Identity Center using SAML for Single Sign-On (SSO). It also explains how to map AWS user groups to FortiSASE remote user groups based on SAML assertion attributes, enabling identity-based access control.

Scope

FortiSASE.
Solution

Overview:

  • AWS IAM Identity Center acts as the SAML Identity Provider (IdP).

  • FortiSASE acts as the Service Provider (SP).

  • Users authenticate through AWS IAM Identity Center.

  • Group information is included in the SAML assertion.

  • FortiSASE maps users to remote user groups based on the AWS group ID (Object ID) carried in the assertion, not on the group's display name.

 

Prerequisites:

  • An active FortiSASE tenant.

  • Administrative access to the FortiSASE console.

  • AWS IAM Identity Center is enabled.

  • Users and groups created in AWS IAM Identity Center.

  • FortiClient is installed for connectivity testing.

 

Step-by-step configuration guide:

  • Create the SAML application in AWS IAM Identity Center.
    • Log in to the AWS Console and open IAM Identity Center.
    • Navigate to Applications and select Add application.
    • Select 'I have a new application I want to set up'.
    • In the application type, choose SAML 2.0.

 


  • Get FortiSASE SSO information.
    • The following SP parameters are shown in the FortiSASE console and must be entered in the AWS IAM Identity Center application; copy them exactly, since the SP rejects an assertion whose audience or recipient does not match:
      • Entity ID.
      • Assertion Consumer Service (ACS) URL.
      • Portal (Sign-on) URL.

 


  • Configure the FortiSASE SSO URLs in the AWS application configuration.
    • FortiSASE Assertion Consumer Service (ACS) URL goes into Application ACS URL in AWS.
    • FortiSASE Entity ID goes into Application SAML audience.
    • FortiSASE Portal (Sign-on) URL goes into Application start URL.
    • Paste the values verbatim; a differing host, scheme or trailing slash in the audience or ACS URL is treated as a mismatch.

 


  • Configure attribute mappings.

Configure attribute mappings in AWS IAM Identity Center so that the SAML assertion carries both the username and the user's group membership.

The AWS group ID (Object ID) is sent as a SAML attribute; FortiSASE later uses this value to map the user to remote user groups. The attribute names in the assertion must match the names configured in FortiSASE. This article uses the FortiSASE default attribute names, username and group. If different attribute names are chosen in AWS, the FortiSASE SSO configuration must be changed to match, otherwise FortiSASE cannot find the username or group values in the assertion.

 


  • Assign Users and Groups in AWS.
    • Open the SAML application in AWS IAM Identity Center.
    • Assign the required users and/or groups.
    • Verify that assigned users belong to the correct AWS groups.
    • Only assigned users and groups are allowed to authenticate to FortiSASE.

 


  • Get application URLs from AWS.

Once the application is created and configured in AWS, copy the IAM Identity Center sign-in URL, sign-out URL and SAML issuer URL, and download the IdP certificate, from the AWS console. These are the values FortiSASE needs in the next step.

 


  • Configure FortiSASE SSO.
    • Log in to the FortiSASE console.
    • Navigate to Access and Authentication -> Single Sign-On.
    • Create or edit a SAML SSO configuration.
    • Configure the following parameters using the values from AWS IAM Identity Center:
      • IdP Entity ID: the AWS IAM Identity Center SAML issuer URL.
      • IdP Single Sign-On URL: the AWS IAM Identity Center sign-in URL.
      • IdP Single Log-Out URL: the AWS IAM Identity Center sign-out URL.
      • Upload and select the AWS IdP certificate. FortiSASE uses it to verify the signature on assertions from AWS, so an assertion signed with any other certificate is rejected. The certificate has an expiry date shown in the AWS console; rotate it in IAM Identity Center and re-upload it to FortiSASE before it expires, or logins will start failing.
    • Save the configuration and verify the SSO status.
    • Once completed, basic SAML authentication should be operational.

 


  • Configure Remote User Groups in FortiSASE.
    • Navigate to Identity -> User Groups.
    • Create a new User Group.
    • Set the group type to Remote Group.
    • As the Remote Group value, specify the ID (Object ID) of the AWS IAM Identity Center group, not its display name.

When a user authenticates, FortiSASE evaluates the SAML assertion. If a value of the group attribute equals the configured group Object ID, the user is automatically mapped to the corresponding FortiSASE user group. Because the match is on the ID, renaming the group in AWS does not break the mapping; deleting and recreating it does, since the new group gets a new ID.
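The following is an added example, not FortiSASE or AWS code, showing the checks a SAML service provider performs on the response AWS posts to its ACS URL and the group mapping described above: issuer against the configured IdP Entity ID, Audience against the SP Entity ID, Recipient against the ACS URL, the validity window, and then matching each value of the group attribute against the configured Remote Group IDs. It serves both the SSO configuration step and the remote group step. Every URL, group ID and the SAML response itself is constructed for illustration; the attribute names are the FortiSASE defaults username and group; and XML signature verification with the uploaded IdP certificate, which must precede these checks in a real SP, is omitted because it needs an XML-DSig library.

```python
"""Added example (not FortiSASE or AWS code): checks and group mapping a SAML SP
performs on an assertion returned to its ACS URL. All values are constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# What the operator entered in the FortiSASE SSO page (constructed values).
SP_CONFIG = {
    "sp_entity_id": "https://tenant.example.fortisase/saml/metadata",   # SP Entity ID
    "acs_url": "https://tenant.example.fortisase/saml/acs",             # ACS URL
    # IdP Entity ID = the AWS IAM Identity Center SAML issuer URL (constructed)
    "idp_entity_id": "https://portal.sso.example.amazonaws.com/saml/assertion/EXAMPLE",
    "username_attr": "username",  # FortiSASE default attribute names
    "group_attr": "group",
}

# Remote user groups: FortiSASE group name keyed by the AWS group ID typed into
# the "Remote Group" field (IDs constructed).
REMOTE_GROUPS = {
    "94a8b4c0-1111-2222-3333-444455556666": "SASE-Admins",
    "c3d1e2f0-aaaa-bbbb-cccc-ddddeeeeffff": "SASE-Users",
}

# Constructed SAML Response as AWS would POST it to the ACS URL. The user is in
# two AWS groups; only the first one has a matching remote group in FortiSASE.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://tenant.example.fortisase/saml/acs">
  <saml:Issuer>https://portal.sso.example.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://portal.sso.example.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://tenant.example.fortisase/saml/acs"
          NotOnOrAfter="2099-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://tenant.example.fortisase/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>94a8b4c0-1111-2222-3333-444455556666</saml:AttributeValue>
        <saml:AttributeValue>0f0f0f0f-9999-8888-7777-666655554444</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _timestamp(value):
    """Parse a SAML UTC timestamp such as 2026-01-24T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def _attributes(assertion):
    """Return {attribute name: [values]} from the AttributeStatement (multi-valued)."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def validate_and_map(response_xml, config, remote_groups, now=None):
    """Check issuer, audience, recipient and validity window, then map the group
    attribute values to remote groups. Returns ok/errors/username/groups."""
    now = now or datetime.now(timezone.utc)
    errors = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "errors": ["response carries no Assertion"], "username": None, "groups": []}

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != config["idp_entity_id"]:
        errors.append(f"issuer {issuer!r} is not the configured IdP Entity ID")

    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != config["sp_entity_id"]:
        errors.append(f"audience {audience!r} does not match the SP Entity ID")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != config["acs_url"]:
        errors.append(f"recipient {recipient!r} does not match the ACS URL")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _timestamp(not_before):
            errors.append("assertion not yet valid")
        if not_on_or_after and now >= _timestamp(not_on_or_after):
            errors.append("assertion expired")

    attrs = _attributes(assertion)
    username = (attrs.get(config["username_attr"]) or [None])[0]
    if username is None:
        errors.append(f"attribute {config['username_attr']!r} missing: check the AWS attribute mapping")

    # Group mapping: one AttributeValue per AWS group ID; a value maps only when it
    # equals a configured Remote Group ID exactly. Unknown IDs are ignored.
    group_ids = attrs.get(config["group_attr"], [])
    groups = [remote_groups[g] for g in group_ids if g in remote_groups]

    return {"ok": not errors, "errors": errors, "username": username, "groups": groups}


if __name__ == "__main__":
    print(validate_and_map(SAMPLE_RESPONSE, SP_CONFIG, REMOTE_GROUPS,
                           now=datetime(2026, 6, 1, tzinfo=timezone.utc)))
```

Running it with the sample response maps alice@example.com to SASE-Admins only; the second group ID has no Remote Group configured and is dropped silently, which is the symptom to look for in the FortiSASE logs when a user authenticates but lands in the wrong group. Changing `group_attr` to a name AWS does not send (the mismatch case in the attribute-mapping step) leaves the user authenticated with no groups.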

 


  • Test the connection with FortiClient.
    • Open FortiClient on a test endpoint.
    • Connect to FortiSASE using SSO.
    • Authenticate with an AWS IAM Identity Center user that is assigned to the SAML application.
    • Confirm successful authentication.
    • Verify in the FortiSASE logs that the user is mapped to the expected remote user group.
    • Confirm that the access policies for that group are applied.
    • As a negative test, try a user who is not assigned to the application: AWS should refuse the login, and a user whose group has no matching Remote Group should authenticate without that group mapping.

 
