akumar02
Staff & Editor
Article Id 347316
Description: This article describes the configuration of SSO admin access to a FIPS-CC certified FortiGate using FortiAuthenticator as the IDP.
Scope: All FortiOS and FortiAuthenticator versions, including FIPS-certified FortiOS versions.
Solution

All the IP addresses used are for demonstration purposes only.

FortiAuthenticator configuration:

  • The IP address 10.9.10.25 is used in this case for the SAML IDP.

FAC Interfaces.png

  • Configure the SAML IDP settings in FortiAuthenticator.
  • A local user group is configured instead of LDAP/RADIUS. Remote LDAP/RADIUS servers can be used for authentication as well.

FAC General.png

  • The SP configuration is copied from the FortiGate.
  • Configure the assertion attributes.

FAC SP.png

'FGTSAML' is the user group that can log in to the FortiGate as SSO admin.

FAC User group.png

IDP certificate:

  • A default certificate is used in this article. Any other local certificate can also be used.

FAC Cert.png


FortiGate SSO configuration:

FortiGate FIPS-CC enabled:

config system fips-cc
    set status enable
end

FIPS-CC mode can only be enabled from console access. Enabling it resets the FortiGate to factory defaults and reboots it, so do this before applying the rest of the configuration.


FG101F-1 # get sys status
Version: FortiGate-101F v7.0.12,build9223,240304 (FIPS-CC-70-16)
Security Level: 0
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Serial-Number: FG101FTKXXXXXXX
BIOS version: 05000008
System Part-Number: P24605-04
Log hard disk: Available
Hostname: FG101F-1
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable
Current HA mode: standalone
Branch point: 0523
Release Version Information: FIPS-CC-70-16
System time: Sat Oct 5 16:11:57 2024
Last reboot reason: power cycle
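Before trusting a unit as FIPS-CC validated it is worth checking the status output programmatically rather than by eye, since the three fields that matter (FIPS-CC mode, firmware signature, release build) are scattered through the listing. The following is an added example, not Fortinet's code or code from the article; the sample input is the article's own 'get sys status' output trimmed to the relevant lines.

```python
# Added example (not from the article): parse 'get sys status' text and
# check the fields that matter for a FIPS-CC deployment.

# Sample input: the relevant lines of the status output shown in the article.
SAMPLE_STATUS = """\
FG101F-1 # get sys status
Version: FortiGate-101F v7.0.12,build9223,240304 (FIPS-CC-70-16)
Security Level: 0
Firmware Signature: certified
Serial-Number: FG101FTKXXXXXXX
FIPS-CC mode: enable
Current HA mode: standalone
Release Version Information: FIPS-CC-70-16
System time: Sat Oct 5 16:11:57 2024
"""


def parse_sys_status(text):
    """Turn 'Key: value' lines into a dict; the first ':' separates key from value,
    so values that themselves contain ':' (times, URLs) stay intact."""
    status = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # prompt echo, blank lines, banners
        key, value = line.split(":", 1)
        status[key.strip()] = value.strip()
    return status


def fips_cc_findings(status):
    """Return the reasons the device should NOT be treated as a FIPS-CC
    validated unit; an empty list means every check passed."""
    findings = []
    if status.get("FIPS-CC mode") != "enable":
        findings.append("FIPS-CC mode is not enabled")
    if status.get("Firmware Signature") != "certified":
        findings.append("firmware signature is not certified")
    if "FIPS-CC" not in status.get("Release Version Information", ""):
        findings.append("firmware is not a FIPS-CC release build")
    return findings


if __name__ == "__main__":
    status = parse_sys_status(SAMPLE_STATUS)
    problems = fips_cc_findings(status)
    print(problems or ["OK: device reports a certified FIPS-CC build"])
```

The same two functions can be pointed at the output of a scheduled SSH session to catch a unit that was reimaged with a non-FIPS build.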

FortiGate interface: WAN1, connecting to the FortiAuthenticator.

FGT Interface.png

FortiGate SAML configuration:

FGT SAML.png

CLI reference:

config system saml
    set status enable
    set role service-provider
    set default-login-page normal
    set default-profile "super_admin"
    set binding-protocol redirect
    set idp-entity-id "http://10.9.10.25/saml-idp/fgtadmin/metadata/"
    set idp-single-sign-on-url "https://10.9.10.25/saml-idp/fgtadmin/login/"
    set idp-single-logout-url "https://10.9.10.25/saml-idp/fgtadmin/logout/"
    set idp-cert "FAC" 
    set server-address "10.9.0.141"
end
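The entity ID, login URL, logout URL and signing certificate in this block are all published by the IDP in its SAML metadata, and copying them by hand is where mismatched entity IDs and wrong endpoints usually come from. The following added example (not the article's or Fortinet's code) reads an IdP metadata document, emits the 'config system saml' block in the layout above, and extracts the signing certificate in PEM form ready to import as the remote certificate. The metadata is constructed sample input shaped like a SAML 2.0 IdP metadata file: the entityID and Location values are the ones used in the article, and the certificate body is a placeholder.

```python
# Added example, not from the article: build the FortiOS SAML SP config
# from SAML 2.0 IdP metadata instead of copying values by hand.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata; URLs are the article's, the cert is a placeholder.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://10.9.10.25/saml-idp/fgtadmin/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://10.9.10.25/saml-idp/fgtadmin/logout/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://10.9.10.25/saml-idp/fgtadmin/login/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://10.9.10.25/saml-idp/fgtadmin/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the entity ID, the HTTP-Redirect SSO/SLO URLs and the signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def redirect_location(tag):
        # The FortiGate is configured with 'binding-protocol redirect', so the
        # endpoint advertised for the HTTP-Redirect binding is the one to use.
        for el in idp.findall(tag, NS):
            if el.get("Binding") == REDIRECT_BINDING:
                return el.get("Location")
        raise ValueError(f"no HTTP-Redirect endpoint for {tag}")

    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attr = signing+encryption
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())  # drop line-wrapping whitespace
                break
    if cert is None:
        raise ValueError("no signing certificate in metadata")

    return {
        "entity_id": root.get("entityID"),
        "sso_url": redirect_location("md:SingleSignOnService"),
        "slo_url": redirect_location("md:SingleLogoutService"),
        "signing_cert_b64": cert,
    }


def insecure_endpoints(info):
    """Endpoints the admin's browser would be redirected to over plain HTTP."""
    return [k for k in ("sso_url", "slo_url") if not info[k].startswith("https://")]


def render_fortios_saml(info, idp_cert_name, server_address,
                        default_profile="super_admin"):
    """Render the 'config system saml' block in the layout the article uses."""
    return "\n".join([
        "config system saml",
        "    set status enable",
        "    set role service-provider",
        "    set default-login-page normal",
        f'    set default-profile "{default_profile}"',
        "    set binding-protocol redirect",
        f'    set idp-entity-id "{info["entity_id"]}"',
        f'    set idp-single-sign-on-url "{info["sso_url"]}"',
        f'    set idp-single-logout-url "{info["slo_url"]}"',
        f'    set idp-cert "{idp_cert_name}"',
        f'    set server-address "{server_address}"',
        "end",
    ])


def signing_cert_pem(info):
    """PEM form of the IdP certificate, ready to import as a remote certificate."""
    b64 = info["signing_cert_b64"]
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(render_fortios_saml(info, "FAC", "10.9.0.141"))
    print("insecure endpoints:", insecure_endpoints(info))
    print(signing_cert_pem(info))
```

insecure_endpoints() is the check worth running before pasting the block: the login and logout URLs carry the signed assertion, so both should be HTTPS even though the entity ID (a bare identifier) may legitimately use an http scheme, as it does in the article.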

Here 'FAC' is the certificate imported from FortiAuthenticator to FortiGate as a remote certificate:

FAC Certificate.png

Configure the SSO admin on FortiGate:

FGT SSO Admin.png

CLI reference:

config system sso-admin
    edit "FAC-SSO-admin" 
        set accprofile "super_admin"
        set vdom "root"
    next
end

Final result:

FGT Login Page.png

SSO admin logged in to FGT.png

This configuration can also be used for non-FIPS-certified FortiOS.