saleha
Staff
Article Id 350555
Description: This article describes how to deploy FortiGate as the SAML IdP for an on-prem FortiManager, and the issues that can arise. The article assumes that FortiGate is already running a version compatible with FortiManager and that both devices are in sync.
Scope: FortiGate, FortiManager, SAML.
Solution

On FortiGate:

  1. Set up the FortiGate as an IdP: go to Security Fabric -> Security Fabric Settings and select 'Single Sign-On Settings'.
  2. Note that the FortiGate can be stand-alone in this setup: it only needs connectivity to the FortiManager and does not need its own Security Fabric with other firewalls.
  3. In a multi-VDOM configuration, this setting is accessed in the global VDOM.
  4. Once the mode is changed to 'IdP', the options 'IdP address' and 'IdP Certificate' become available:
  5. IdP address: the IP address of the FortiGate interface that communicates with FortiManager.
  6. IdP Certificate: can be a third-party certificate or one of the built-in Fortinet certificates. After selecting a certificate in this section, select 'Download' and save the certificate; it will be imported later on FortiManager.
  7. Under 'Service Provider', select 'Create New'.
  8. Populate the 'Name' and 'Prefix' fields as required. Note that the Prefix value is needed to set up the IdP section on FortiManager later.
  9. Enter the IP address of the FortiManager server in the 'SP address' field. If FortiManager is configured with a custom port instead of the regular HTTPS port 443, the port must be added here in the format <x.x.x.x>:<port>. If the port number entered here is wrong, accessing FortiManager through the SSO option can fail with a '400' error page. If FortiManager uses port 443, the port must NOT be added to this field; appending :443 causes the same failure as a wrong port number.
  10. The 'SAML Attribute' section has the 'username' attribute by default.
  11. Select OK twice to save the configuration.

Using FortiGate CLI:

config system saml
    set status enable
    set role identity-provider
    set cert "Fortinet_Factory"
    set server-address "10.9.11.86:443" <----- FortiGate IP address of the interface connected to FortiManager.
    config service-providers
        edit "FMG01"
            set prefix "i9b2f0qzgunqdqoy"
            set sp-entity-id "http://10.9.10.176:443/metadata/" <----- IP address belongs to FortiManager.
            set sp-single-sign-on-url "https://10.9.10.176:443/saml/?acs"
            set sp-single-logout-url "https://10.9.10.176:443/saml/?sls"
            set sp-portal-url "https://10.9.10.176:443/saml/login/"
            config assertion-attributes
                edit "username"
                next
            end
        next
    end
end

(Screenshot: FGT-SSO-IDP.PNG)


On FortiManager:

  1. Go to System Settings -> SAML SSO.
  2. Select 'Service Provider (SP)'.
  3. Notice that the SP section is populated automatically. Remember that when port 443 is used, it must NOT be added to any entry under the Service Provider section.
  4. In the IdP section, select 'Fortinet' next to 'IdP Type'.
  5. IdP address: enter the IP address of the FortiGate, including the port number if a custom port is configured for admin access on the FortiGate SSO page configured earlier. When port 443 is used on the FortiGate side, the port number must NOT be added here.
  6. Enter the 'Prefix' value that was configured on FortiGate earlier.
  7. In the 'IdP Certificate' section, select 'Import' and upload the certificate that was downloaded previously from the FortiGate 'IdP Certificate' option.
  8. Save the settings by selecting 'Apply'.

(Screenshot: FMG-SSO.PNG)


Note:

If the error 'Error: Not match CSRFToken' occurs, this is due to 'CSRF' being blocked by the browser privacy settings. The option can be unblocked for the FortiManager page only in the browser settings. For a more detailed approach to troubleshooting SSO login on FortiManager, check this article: SAML SSO - FortiManager/FortiAnalyzer Troubleshooting Options


Using FortiManager CLI:


config system saml
    set status enable
    set server-address "10.9.10.176" <----- FortiManager interface IP address where the FortiGate is connected.
    set idp-entity-id "http://10.9.11.86/saml-idp/i9b2f0qzgunqdqoy/metadata/"
    set idp-single-sign-on-url "https://10.9.11.86/saml-idp/i9b2f0qzgunqdqoy/login/"
    set idp-single-logout-url "https://10.9.11.86/saml-idp/i9b2f0qzgunqdqoy/logout/"
    set idp-cert "Fortinet_Factory"
end
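The two CLI blocks mirror each other: the FortiManager side must carry the FortiGate address and prefix inside its IdP URLs, the same certificate name, and the bare address (no :443) where the article says the port must be left out. The following Python script is an added example, not Fortinet code and not part of the article: it parses both blocks, derives the IdP URLs FortiManager should hold from the FortiGate 'server-address' and 'prefix', applies the port-443 rule from the steps above to the SP address, and reports any mismatch. The CLI text embedded in it is constructed from the article's two examples, and all function names are the example's own.

```python
"""Consistency check for a FortiGate (IdP) / FortiManager (SP) SAML pairing.
Added example, not Fortinet code: parses both CLI blocks from the article,
derives the IdP URLs FortiManager must hold and applies the port-443 rule.
"""
import re
from urllib.parse import urlsplit

# CLI text constructed to mirror the article's two configuration blocks
# ('<-----' annotations are tolerated and stripped by the parser).
FGT_CLI = """
config system saml
    set status enable
    set role identity-provider
    set cert "Fortinet_Factory"
    set server-address "10.9.11.86:443" <----- FortiGate IdP address
    config service-providers
        edit "FMG01"
            set prefix "i9b2f0qzgunqdqoy"
            set sp-entity-id "http://10.9.10.176:443/metadata/"
            set sp-single-sign-on-url "https://10.9.10.176:443/saml/?acs"
            set sp-single-logout-url "https://10.9.10.176:443/saml/?sls"
            set sp-portal-url "https://10.9.10.176:443/saml/login/"
        next
    end
end
"""

FMG_CLI = """
config system saml
    set status enable
    set server-address "10.9.10.176"
    set idp-entity-id "http://10.9.11.86/saml-idp/i9b2f0qzgunqdqoy/metadata/"
    set idp-single-sign-on-url "https://10.9.11.86/saml-idp/i9b2f0qzgunqdqoy/login/"
    set idp-single-logout-url "https://10.9.11.86/saml-idp/i9b2f0qzgunqdqoy/logout/"
    set idp-cert "Fortinet_Factory"
end
"""

SET_RE = re.compile(r'^[ \t]*set[ \t]+(\S+)[ \t]+"?([^"\n]*?)"?[ \t]*$', re.MULTILINE)


def parse_set_lines(cli: str) -> dict:
    """Flatten every 'set <key> <value>' line into a dict (nesting is ignored,
    so with several service providers the last entry wins)."""
    cleaned = re.sub(r"[ \t]*<-+.*$", "", cli, flags=re.MULTILINE)
    return dict(SET_RE.findall(cleaned))


def split_host_port(address: str) -> tuple:
    """Split 'host' or 'host:port' as typed in the GUI address fields."""
    host, sep, port = address.partition(":")
    if not sep:
        return host, None
    if not port.isdigit():
        raise ValueError(f"non-numeric port in {address!r}")
    return host, int(port)


def check_sp_address(address: str) -> list:
    """Article rule for the FortiManager address entered on FortiGate:
    append ':port' only for a custom (non-443) HTTPS port."""
    host, port = split_host_port(address)
    if port == 443:
        return ["port 443 must not be appended; enter the bare address"]
    if port is not None and not 1 <= port <= 65535:
        return [f"port {port} is out of range"]
    return []


def idp_display_address(idp_address: str) -> str:
    """Address form used inside FortiManager's IdP URLs: the port appears
    only when it is a custom one (the article's rule for the IdP address)."""
    host, port = split_host_port(idp_address)
    return host if port in (None, 443) else f"{host}:{port}"


def expected_idp_urls(idp_address: str, prefix: str) -> dict:
    """IdP URLs FortiManager must hold, following the layout of the article's
    FortiManager CLI block (entity id over http, login/logout over https)."""
    base = f"{idp_display_address(idp_address)}/saml-idp/{prefix}"
    return {
        "idp-entity-id": f"http://{base}/metadata/",
        "idp-single-sign-on-url": f"https://{base}/login/",
        "idp-single-logout-url": f"https://{base}/logout/",
    }


def cross_check(fgt_cli: str, fmg_cli: str) -> list:
    """Return a list of mismatches; an empty list means the pair is consistent."""
    fgt, fmg = parse_set_lines(fgt_cli), parse_set_lines(fmg_cli)
    issues = []
    if fgt.get("role") != "identity-provider":
        issues.append("FortiGate role is not identity-provider")
    for side, cfg in (("FortiGate", fgt), ("FortiManager", fmg)):
        if cfg.get("status") != "enable":
            issues.append(f"{side}: SAML status is not enabled")
    # FortiManager must point at the FortiGate address + prefix.
    for key, url in expected_idp_urls(fgt["server-address"], fgt["prefix"]).items():
        if fmg.get(key) != url:
            issues.append(f"{key}: expected {url}, found {fmg.get(key)}")
    # Both sides must name the same IdP certificate.
    if fgt.get("cert") != fmg.get("idp-cert"):
        issues.append(f"idp-cert {fmg.get('idp-cert')!r} != FortiGate cert {fgt.get('cert')!r}")
    # The SP host embedded on FortiGate must be the FortiManager address.
    sp_host = urlsplit(fgt["sp-entity-id"]).hostname
    fmg_host, _ = split_host_port(fmg["server-address"])
    if sp_host != fmg_host:
        issues.append(f"SP host {sp_host} != FortiManager address {fmg_host}")
    return issues


if __name__ == "__main__":
    for line in cross_check(FGT_CLI, FMG_CLI) or ["configs are consistent"]:
        print(line)
```

Run the script with the two CLI blocks pasted in from 'show system saml' on each device; a typo in the prefix shows up as three URL mismatches, and a ':443' typed into the SP address is flagged by check_sp_address before it turns into a '400' page at login.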

 

Testing the deployment

  • Log out from FortiManager. Notice the additional 'Log in with Single Sign-On' option and select it to log in.
  • The page is redirected to the SSO login page, where a local account on the FortiGate can be used to log in to FortiManager.