ckarwei
Staff

Description

This article describes how to configure SAML SSO for FortiManager/FortiAnalyzer administrator login, with Azure AD acting as the SAML Identity Provider (IdP).

Solution

1) Go to FortiManager/FortiAnalyzer -> System Settings -> SAML SSO and select 'Service Provider (SP)' as the single sign-on mode.

2) The SP Address is auto-populated. This is the FortiManager/FortiAnalyzer IP address or Fully Qualified Domain Name (FQDN).

3) In Azure, go to the enterprise application's 'Single sign-on with SAML' setup page.

4) Copy and paste the SP details from the FortiManager/FortiAnalyzer GUI into Azure (Step 1. Basic SAML Configuration), using the following mapping:

FortiManager / FortiAnalyzer GUI        Azure
SP entity ID                            Identifier (Entity ID)
SP ACS (login) URL                      Reply URL (Assertion Consumer Service URL)
SP SLS (logout) URL                     Logout URL


5) Fill in 'Relay State' on Azure (Step 1. Basic SAML Configuration) using a URL with the following format:
https://<IP address or FQDN>:<port number>/p/sso_sp/

6) On Azure (Step 2. User Attributes & Claims), add a new claim with the details below.

Name: username.
Namespace: leave blank.
Source: Attribute.
Source attribute: user.userprincipalname.

The IdP (Azure AD) must send the 'username' assertion attribute, and Azure AD does not send an attribute with this name by default; this custom claim supplies it.
7) Select the Save button to add this new claim. The other, unused claims can be deleted. Select the close button in the top right to return.

8) On Azure (Step 3. Set up fortigate-saml-sso), download the Azure AD SAML certificate in Base64 format.

9) On FortiManager, under SAML SSO -> IdP Settings -> IdP Type, select 'Custom'. Import the Azure AD SAML certificate as the IdP Certificate. Copy and paste the details from Azure (Step 4. Set up fortigate-saml-sso) using the following mapping:

Azure                   FortiManager / FortiAnalyzer GUI
Azure AD Identifier     IdP Entity ID
Login URL               IdP Login URL
Logout URL              IdP Logout URL
 
NOTE: Since FortiManager/FortiAnalyzer does not sign the logout request, using the "Logout URL" copied from the Azure application page may cause an error during logout.

Instead, you may use the following IdP Logout URL in the FortiManager/FortiAnalyzer configuration:
https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

10) Select 'Apply' on the FortiManager / FortiAnalyzer GUI once the settings are complete.

11) Go to System Settings -> Admin -> Administrators and create a new administrator with the details below.

User Name: the user's name on Azure AD, i.e. the value sent in the 'username' claim configured in step 6.
Admin Type: SSO.
New Password: leave blank.
Confirm Password: leave blank.
Admin Profile: any admin profile.

12) It is now possible to log in through SAML authentication by selecting the 'Login via Single Sign-On' button.
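As an added troubleshooting aid (not part of the original article or any Fortinet tool), the Python script below checks a captured Azure AD SAML response against the SP settings from steps 1 to 6: the Destination must equal the SP ACS URL, the Audience must equal the SP entity ID, and the 'username' claim must be present (its value is what the SSO administrator's User Name in step 11 must match). The SAML response, SP entity ID and ACS URL are constructed placeholders, and the script does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder values (not real FortiManager paths): what the admin
# copies from System Settings -> SAML SSO into Azure's Basic SAML Configuration.
SP_ENTITY_ID = "https://fmg.example.com/saml/metadata/"
SP_ACS_URL = "https://fmg.example.com/saml/acs"

# Constructed sample of what Azure AD posts to the ACS URL after step 6: the
# default 'name' claim uses a schema URI, the custom claim is plain 'username'.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://fmg.example.com/saml/acs">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://fmg.example.com/saml/metadata/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, sp_entity_id, sp_acs_url):
    """Return findings; 'ok' is True only when every check passes.
    The XML signature is NOT verified here (the SP does that with the IdP cert)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "error": "no Assertion element in response"}
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    # Map every attribute Name to its values; Azure's default claims are URIs.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    findings = {
        "destination_ok": root.get("Destination") == sp_acs_url,
        "audience_ok": audience == sp_entity_id,
        "username_present": "username" in attrs,
        # Value the SSO administrator's User Name (step 11) must match.
        "username": next(iter(attrs.get("username", [])), None),
    }
    findings["ok"] = all(findings[k] for k in ("destination_ok", "audience_ok", "username_present"))
    return findings
```

A response whose 'username' claim is missing (the default Azure AD claim set) or whose Audience does not match the SP entity ID is reported as not ok, which are the two most common reasons the SSO login fails after following these steps.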