masaleh
Staff
Article Id 405938
Description This article describes how to configure read-only access and admin access separately for specific users using Azure SAML SSO authentication on FortiGate.
Scope FortiGate.
Solution

To provide read-only access and admin access to specific Microsoft Azure users separately using SAML SSO authentication on FortiGate, follow these steps:

  1. Configure SAML SSO on FortiGate: Set up a SAML SSO object on FortiGate as the Service Provider (SP). Ensure the Identity Provider (IdP) is configured in Azure to authenticate users and send SAML assertions to FortiGate.
  2. Map Azure AD Groups to FortiGate: In the FortiGate SAML configuration, set the group name so that it matches the group claim sent by Azure AD. Use the config user saml command to set the group-name attribute to the name of the Azure AD group claim.
  3. Under the SAML SSO configuration in the GUI, set the Default admin profile to super_admin_readonly (or any custom read-only profile).
  4. Once users log in to the FortiGate admin page using SAML login, they appear as SSO administrators under System -> Administrators -> Single-Sign-On Administrator, with the default admin profile selected in step 3 assigned to them.

  5. Change the profile to super_admin (or any custom administrative profile) only for the specific users who require admin access.
  6. With this configuration, every user who authenticates through SAML receives read-only access by default; only the designated network admin users are granted super_admin access, and that grant is made manually after their first login.
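The following is an added example of what steps 2, 3 and 5 look like as FortiOS CLI configuration; it is not part of the original article. It uses the config system saml object, which is where FortiOS stores the administrator SSO settings shown in the GUI in step 3 (default-profile, user-name, group-name), and the config system sso-admin object that holds the per-user profile override from step 5. The tenant ID, certificate name and user principal name are placeholders, and the IdP URL shapes are assumptions based on the standard Entra ID SAML endpoints.

```text
# Steps 2 and 3: administrator SAML SSO object on the FortiGate (service provider).
# Everyone who authenticates through this object starts with the read-only profile.
config system saml
    set status enable
    set role service-provider
    set default-login-page normal
    set default-profile "super_admin_readonly"
    set user-name "username"
    set group-name "group"
    set idp-entity-id "https://sts.windows.net/<TENANT-ID>/"
    set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT-ID>/saml2"
    set idp-single-logout-url "https://login.microsoftonline.com/<TENANT-ID>/saml2"
    set idp-cert "<REMOTE-CERT-NAME>"
end

# Step 5: the SSO administrator entry is created automatically at first login with
# the default profile above. Raise the profile only for the named network admin.
# Any SSO admin without such an override keeps super_admin_readonly.
config system sso-admin
    edit "<netadmin-upn>"
        set accprofile "super_admin"
    next
end
```

The lines beginning with # are annotations for the reader and should be dropped before pasting into the CLI; the entity-id, cert and server-address values from the related article below must also be set for the object to be usable.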

Ensure that the SAML assertions from Azure include the necessary attributes for correct user mapping on FortiGate.

Related article:
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...