Technical Tip: Configuring SAML SSO login for FortiWeb Administrators with FortiAuthenticator
| Description | This article describes how to integrate FortiWeb with FortiAuthenticator (FA) so that FortiWeb administrators log in with SAML single sign-on, FortiWeb acting as the SAML Service Provider (SP) and FA as the Identity Provider (IdP). |
| Scope | FortiWeb firmware version 7.0.2 or higher. |
| Solution | Step 1: FA-related configurations:
- Configure the SAML Identity Provider settings on FA:
1) Navigate to Authentication -> SAML IdP -> General.
2) Enable the SAML Identity Provider portal.
3) Fill in the Server address. The FA IP address that FortiWeb will connect to can be used here; it must be the address FortiWeb can actually reach, because it becomes part of the IdP URLs generated later.
4) At Default IdP certificate, choose the default IdP certificate.
5) At Realms, select Add Realm.
6) Select OK to save the configuration.
- Download the IdP certificate to the local machine:
1) Navigate to Certificate Management -> End Entities -> Local Services.
2) Download the default IdP certificate chosen in the previous section; it will be uploaded to FortiWeb later so that FortiWeb can verify the signature on FA's SAML responses.
- Configure the SAML Service Provider options:
1) Navigate to Authentication -> SAML IdP -> Service Providers.
2) Fill in the SP name.
3) At IdP prefix, select Create New IdP prefix, then Generate prefix.
4) Copy all of [IdP entity ID, IdP single sign-on URL, IdP single logout URL] to an external notepad; they are needed on FortiWeb in Step 2.
5) Select Save, then choose the IdP prefix generated in step 3 again.
6) Fill in the SP options manually as follows, where x.x.x.x is the FortiWeb IP address:
6.1) SP entity ID: http://x.x.x.x/metadata/
6.2) SP ACS (login) URL: https://x.x.x.x/saml/?acs
6.3) SP SLS (logout) URL: https://x.x.x.x/saml/?sls
Note that the SP entity ID uses http and ends with a trailing slash, while the ACS and SLS URLs use https; these strings are compared exactly, so enter them as shown.
- Configure FortiAuthenticator local users:
1) Navigate to Authentication -> User Management -> Local Users.
2) Configure the required users.
Step 2: FortiWeb-related configurations:
- Configure the FortiWeb Fabric Connector:
1) Navigate to Security Fabric -> Fabric Connectors.
2) Leave the status 'disabled'.
3) Ignore the options related to the FortiGate Security Fabric [Upstream IP, Management IP].
4) Enable Single Sign-On Mode.
5) Configure the SP Address as the FortiWeb address (the same x.x.x.x used in the SP URLs on FA).
6) Fill in the [IdP Entity ID, IdP Single Sign-On URL, IdP Single Logout URL] with the values copied from the FA Service Providers page in Step 1.
7) At IdP Certificate, upload the IdP certificate downloaded from FA in Step 1.
- Perform the SSO login:
1) Navigate to the FortiWeb login page.
2) Select Via Single Sign-On and authenticate on FA with one of the local users created in Step 1.
- Assign the user full access or a custom access profile, as required:
1) Log in to FortiWeb with the regular admin account.
2) Navigate to System -> Admin -> Administrator.
3) The new SSO account is listed under the SSO Admin tab; it is created on the first successful SSO login, so this step can only be done after that login has been performed.
4) Assign the required access profile to the user. Until a profile is assigned, treat the account as unprivileged and review each SSO Admin entry before granting it full access.
Troubleshooting:
- After selecting 'Via Single Sign-On' on the FortiWeb login page, the browser is not redirected to the FA login page:
- Review the IdP URLs on FortiWeb at Security Fabric -> Fabric Connectors. Make sure they exactly match the URLs shown on FA at Authentication -> SAML IdP -> Service Providers, including the scheme (http or https), the host and any trailing slash.
- Check the SP Address on FortiWeb at Security Fabric -> Fabric Connectors. Make sure it matches the FortiWeb address.
- Check the Server address on FA at Authentication -> SAML IdP -> General. Make sure it matches the FA address that FortiWeb can reach.
- Check the SP entity ID, SP ACS URL and SP SLS URL on FA at Authentication -> SAML IdP -> Service Providers. Make sure they match the values given in Step 1 for the Service Provider options.
- If the redirect to FA works but the login back to FortiWeb fails, check that the IdP certificate uploaded on FortiWeb is the same default IdP certificate selected on FA under Authentication -> SAML IdP -> General.
For more assistance, open a support ticket with a description of the issue, a backup of the configuration file, and the SAML debug output:
# diagnose debug application samld 7
# diagnose debug enable
Reproduce the issue, collect the output, then disable debugging:
# diagnose debug disable |
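The troubleshooting checks above are string comparisons that are easy to get wrong by hand, so here is an added example (not Fortinet's code and not part of the original article) that performs them offline. It derives the SP values FA must hold from the FortiWeb address using the URL patterns from Step 1, compares the IdP values entered on FortiWeb against the ones copied from FA, and reports the reason for each mismatch (scheme, host, trailing slash, case). The addresses, the IdP prefix and the shape of the FA IdP URLs are constructed for illustration; in practice the IdP values are the ones copied from the FA Service Providers page.

```python
# Added example (not Fortinet's code): cross-check the SAML values that
# FortiAuthenticator (FA) and FortiWeb must agree on, using the URL patterns
# from Step 1 of the procedure. Addresses and the IdP prefix are hypothetical.
from urllib.parse import urlsplit


def expected_sp_values(fortiweb_address):
    """SP values FA must hold for a FortiWeb at this address (Step 1, section 6)."""
    return {
        "sp_entity_id": f"http://{fortiweb_address}/metadata/",
        "sp_acs_url": f"https://{fortiweb_address}/saml/?acs",
        "sp_sls_url": f"https://{fortiweb_address}/saml/?sls",
    }


def describe_mismatch(expected, actual):
    """Why two URL strings differ, or None if they are identical.

    The comparison is exact on purpose: SAML entity IDs and endpoints are
    compared as strings, so scheme, host, letter case and a trailing slash
    all matter. The reason returned points at the most likely slip.
    """
    if expected == actual:
        return None
    if not actual:
        return "not set"
    e, a = urlsplit(expected), urlsplit(actual)
    if e.scheme != a.scheme:
        return f"scheme differs ({a.scheme!r} vs expected {e.scheme!r})"
    if e.netloc != a.netloc:
        return f"host differs ({a.netloc!r} vs expected {e.netloc!r})"
    if e.path != a.path and e.path.rstrip("/") == a.path.rstrip("/"):
        return "trailing slash differs"
    if expected.lower() == actual.lower():
        return "letter case differs"
    return "value differs"


def check_saml_pairing(fortiweb_address, fa_sp_config, fa_idp_values, fortiweb_connector):
    """Return {field: reason} for every value that does not line up; {} when consistent."""
    problems = {}
    # SP side: what FA holds under Authentication -> SAML IdP -> Service Providers.
    for key, want in expected_sp_values(fortiweb_address).items():
        reason = describe_mismatch(want, fa_sp_config.get(key, ""))
        if reason:
            problems[f"FA {key}"] = reason
    # IdP side: what FortiWeb holds under Security Fabric -> Fabric Connectors.
    for key in ("idp_entity_id", "idp_sso_url", "idp_slo_url"):
        reason = describe_mismatch(fa_idp_values[key], fortiweb_connector.get(key, ""))
        if reason:
            problems[f"FortiWeb {key}"] = reason
    if fortiweb_connector.get("sp_address") != fortiweb_address:
        problems["FortiWeb sp_address"] = "must be the FortiWeb address"
    return problems


# --- constructed sample data (hypothetical addresses, prefix and IdP URL shape) ---
FORTIWEB = "10.0.0.20"
FA = "10.0.0.10"
PREFIX = "abc123"  # stands in for the IdP prefix FA generates
FA_IDP_VALUES = {  # in practice these are copied from the FA Service Providers page
    "idp_entity_id": f"http://{FA}/saml-idp/{PREFIX}/metadata/",
    "idp_sso_url": f"https://{FA}/saml-idp/{PREFIX}/login/",
    "idp_slo_url": f"https://{FA}/saml-idp/{PREFIX}/logout/",
}
FA_SP_CONFIG_OK = expected_sp_values(FORTIWEB)
FORTIWEB_CONNECTOR_OK = {"sp_address": FORTIWEB, **FA_IDP_VALUES}

# Two typical slips: the ACS URL typed with http, and the IdP logout URL
# pasted into FortiWeb without its trailing slash.
FA_SP_CONFIG_BAD = dict(FA_SP_CONFIG_OK, sp_acs_url=f"http://{FORTIWEB}/saml/?acs")
FORTIWEB_CONNECTOR_BAD = dict(
    FORTIWEB_CONNECTOR_OK, idp_slo_url=FA_IDP_VALUES["idp_slo_url"].rstrip("/")
)


def run_check(broken=True):
    """Run the pairing check on the broken or the consistent sample configuration."""
    sp = FA_SP_CONFIG_BAD if broken else FA_SP_CONFIG_OK
    fw = FORTIWEB_CONNECTOR_BAD if broken else FORTIWEB_CONNECTOR_OK
    return check_saml_pairing(FORTIWEB, sp, FA_IDP_VALUES, fw)


if __name__ == "__main__":
    for field, reason in run_check().items():
        print(f"{field}: {reason}")
```

Replace the constants with the values read from both GUIs (or from a configuration backup) and run the script; an empty result means the six URLs and the SP address agree, which rules out the mismatches listed above before a support ticket is opened.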