FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
Article Id 250577
Description This article describes how to configure OneLogin IDP Single Sign On with FortiEDR manager using SAML and basic configuration using roles and groups. Feel free to adapt this configuration to the organization's needs
Scope Customers using OneLogin IDP for SSO.

Download FortiEDR Manager metadata:


Login to the FortiEDR Management console with the local admin account. Go to Administration -> Users -> Expand SAML Authentication section. Download Service Provider Metadata.


The downloaded SP (Service Provider) Metadata will be used to extract the required fields for our Custom Connector configuration.

Open the downloaded XML file in the text editor of preference like Notepad ++ or a web browser.

Create a new application Custom Connector:

1) In OneLogin Administration Console, go to Applications tab -> Applications and select 'Add App':



2) In the search bar type 'SAML Custom Connector (Advanced)':



3) Name the custom connector FortiEDR or any other distinguished name for the FortiEDR SAML connection and select 'Save'.


4) In the OneLogin application configuration page, copy and paste extracted values from FortiEDR Manager metadata XML as shown below:

Audience (EntityID)

Located under md:EntityDescriptor


Located under “md:AssertionConsumerService Location=”

ACS (Consumer) URL Validator

same as md:AssertionConsumerService, will have to be escaped with backslash symbol “\” (see example below). (OneLogin Documentation)

ACS (Consumer) URL

Located under “md:AssertionConsumerService Location=”

Single Logout URL

Located under “md:SingleLogoutService Location =”

Login URL

Located under “md:AssertionConsumerService Location =”







5) Change SAML nameID format to 'Unspecified'.

6) SAML issuer type 'Specific'

7) Select the SAML signature element 'Assertion'.

8) Uncheck Encrypt Assertion.

9) Select 'Save' at the top of the page.

10) On the Parameters page, select nameID value and select 'Username' from the list. Select 'Save'.

11) Select '+' to Add new parameter with name 'Roles'.

12) Check the box for the 'Include in SAML assertion' flag, and select 'Save'. On the next page, choose the value 'User Roles' and select 'Save'.

13) Save the application (top right) and download SAML Metadata from the 'More Actions' menu. Save the XML file locally. This will be uploaded to FortiEDR Manager later.


Assign Roles:


1) Create a new role: Go to Users -> Roles, and select 'New Role' to create a new role. To have users and admin roles, create an individual role of each type:



2) Type in the role name (i.e., FortiEDR Admin) and select the green checkmark (top left).

3) Choose the FortiEDR Application under the Applications Tab.


Mapping Roles to Groups:

1) It is necessary to map specific users or user groups to the FortiEDR roles.
Go to Users -> Mappings -> New Mapping, give it a name, and set conditions as follows:



2) Select 'Save' and 'Reapply All Mappings'.



Groups can be either local user groups in OneLogin or user groups synchronized from your Active Directory domain.

If users have more than one role assigned, it will be necessary to add rules to assign specific roles for this Application:


3) In the FortiEDR SAML Application settings, go to the Rules tab.

4) Select 'Add Rule', give it a name and  select '+' under conditions and add the following condition: 

For Admin User Role:



For User Role:



Go back to User -> Mappings window and select 'Reapply All Mappings'.

In OneLogin -> Applications tab -> Applications, go to the newly created SAML FortiEDR Application settings -> Users and make sure users are mapped correctly. Select the user: each user must have a corresponding role assigned.

Finalizing configuration in FortiEDR Management console.

Once required users are mapped to corresponding roles, go to FortiEDR Manager Administration Tab -> USERS and expand the SAML Authentication section.


1) Select SAML enabled.

2) Under IDP Metadata, choose file and select file. Select OneLogin XML metadata saved earlier.

3) Set attribute name 'Roles'.

4) Assign corresponding Roles/Group mappings as set in previous steps. I.E. FortiEDR User role will be mapped to User and the FortiEDR Admin role will be mapped to Admin/Local Admin role.

5) Select 'Save'.



Go to the OneLogin Applications portal and verify if the login is successful.

Related document: