Created on 11-25-2021 08:33 PM Edited on 03-25-2022 07:51 AM By Anthony_E
Description
This article describes how to configure SAML SSO (Security Assertion Markup Language Single Sign-On) as an authentication method, using FortiManager as the IdP and FortiAnalyzer as the SP.
- Identity Provider (IdP): the system entity that provides the authentication service.
- Service Provider (SP): the web site that hosts the applications.
Scope
In this method the SP Type is set to 'Fortinet'.
Firmware versions used: FortiManager 6.4.7 and FortiAnalyzer 6.4.7.
Solution
Let's take a look at the authentication flow.
Steps to configure via the GUI:
1) Download the certificate from the IdP and import it into the SP.
2) In the IdP, create a new SP (in this method the SP Type is 'Fortinet') and fill in the 'IdP Prefix' and the 'SP Address'.
- The 'IdP Prefix' can be found in the SP's SAML configuration.
- The 'SP Address' is the address in the SP's URL.
What does it look like in the CLI?
FortiManager (IdP)
FMG-VM64 # sh sys saml
config system saml
    set status enable
    set role IDP
    set cert "Fortinet_Local"
    set server-address "172.31.200.123"
    config service-provider
        edit "Fortianalyzer"
            set prefix "7z2mr5flbzm"
            set sp-entity-id "http://172.31.200.103/metadata/"
            set sp-single-sign-on-url "https://172.31.200.103/saml/?acs"
            set sp-single-logout-url "https://172.31.200.103/saml/?sls"
        next
    end
end
FortiAnalyzer (SP)
FAZ-03 # sh sys saml
config system saml
    set status enable
    set server-address "172.31.200.103"
    set idp-entity-id "http://172.31.200.123/saml-idp/7z2mr5flbzm/metadata/"
    set idp-single-sign-on-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/login/"
    set idp-single-logout-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/logout/"
    set idp-cert "Remote_Cert_1"
end
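The two CLI outputs above have to agree with each other: every idp-* URL on the SP must point at the IdP's server-address and carry the prefix the IdP assigned to that service-provider entry, and every sp-* URL on the IdP must point at the SP's server-address with the Fortinet SP endpoints (/metadata/, /saml/?acs, /saml/?sls). The following script is an added example, not Fortinet code: it parses pasted 'show system saml' text from both units (constructed copies of the outputs above are embedded) and lists any pairing mistakes. The parser and check are assumptions about the CLI layout shown on this page, not a Fortinet API.

```python
"""Cross-check the IdP (FortiManager) and SP (FortiAnalyzer) SAML settings.

Added example, not Fortinet code. It parses the text of 'show system saml'
from both units and reports pairing mistakes such as a wrong IdP prefix or
URLs that do not point at the peer's server-address.
"""
from urllib.parse import urlparse

# Constructed sample input: the two CLI outputs from the article, as pasted.
FMG_SAML = """\
config system saml
    set status enable
    set role IDP
    set cert "Fortinet_Local"
    set server-address "172.31.200.123"
    config service-provider
        edit "Fortianalyzer"
            set prefix "7z2mr5flbzm"
            set sp-entity-id "http://172.31.200.103/metadata/"
            set sp-single-sign-on-url "https://172.31.200.103/saml/?acs"
            set sp-single-logout-url "https://172.31.200.103/saml/?sls"
        next
    end
end
"""

FAZ_SAML = """\
config system saml
    set status enable
    set server-address "172.31.200.103"
    set idp-entity-id "http://172.31.200.123/saml-idp/7z2mr5flbzm/metadata/"
    set idp-single-sign-on-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/login/"
    set idp-single-logout-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/logout/"
    set idp-cert "Remote_Cert_1"
end
"""


def parse_fortinet_cli(text):
    """Turn 'config / edit / set / next / end' text into nested dicts.

    'config X' and 'edit "name"' open a nested level, 'set k v' stores a
    value with surrounding quotes removed, 'next' and 'end' close a level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword in ("config", "edit"):
            child = stack[-1].setdefault(rest.strip().strip('"'), {})
            stack.append(child)
        elif keyword == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip().strip('"')
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def check_pairing(idp_text, sp_text, sp_name):
    """Return a list of problems; an empty list means the pair is consistent."""
    idp = parse_fortinet_cli(idp_text)["system saml"]
    sp = parse_fortinet_cli(sp_text)["system saml"]
    entry = idp["service-provider"][sp_name]
    problems = []

    if idp.get("role") != "IDP":
        problems.append("FortiManager role is not IDP")
    for side, cfg in (("IdP", idp), ("SP", sp)):
        if cfg.get("status") != "enable":
            problems.append(f"SAML is not enabled on the {side}")

    # The SP's idp-* URLs must point at the IdP address and carry the prefix
    # that the IdP assigned to this service-provider entry.
    want_path = f"/saml-idp/{entry['prefix']}/"
    for key in ("idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url"):
        url = urlparse(sp[key])
        if url.hostname != idp["server-address"]:
            problems.append(f"{key} host {url.hostname!r} is not the IdP server-address")
        if not url.path.startswith(want_path):
            problems.append(f"{key} does not carry IdP prefix {entry['prefix']!r}")

    # The IdP's sp-* URLs must point at the SP address, and the SSO/SLO
    # endpoints must be the Fortinet SP's /saml/?acs and /saml/?sls.
    for key, query in (("sp-entity-id", ""), ("sp-single-sign-on-url", "acs"),
                       ("sp-single-logout-url", "sls")):
        url = urlparse(entry[key])
        if url.hostname != sp["server-address"]:
            problems.append(f"{key} host {url.hostname!r} is not the SP server-address")
        if url.query != query:
            problems.append(f"{key} has query {url.query!r}, expected {query!r}")
    return problems


if __name__ == "__main__":
    for line in check_pairing(FMG_SAML, FAZ_SAML, "Fortianalyzer") or ["configuration pair is consistent"]:
        print(line)
```

Paste the real outputs of both units into the two strings (or read them from files) and run the script; a non-empty list points at the exact setting to correct before looking at the browser-side traces.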
Troubleshooting
- A browser SAML tracer extension can capture the SAML messages exchanged during the authentication, to check what is happening:
Firefox: https://addons.mozilla.org/en-CA/firefox/addon/saml-tracer/
Chrome: https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en
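What a tracer shows for the first hop is the SAMLRequest parameter the SP appends to the redirect towards the IdP login URL (HTTP-Redirect binding: the AuthnRequest XML, raw-DEFLATE compressed, then base64 encoded). The script below is an added example, not Fortinet code or part of the tracer: it decodes such a parameter the same way a tracer does and compares the request's Issuer, Destination and AssertionConsumerServiceURL with the values configured on the two units above. The AuthnRequest it embeds is constructed (the ID and timestamp are made up); the three URLs in it come from this article's CLI output.

```python
"""Decode a SAMLRequest as captured by a browser SAML tracer and check it
against the FortiAnalyzer (SP) / FortiManager (IdP) configuration.

Added example, not Fortinet code. The AuthnRequest is constructed; its ID
and IssueInstant are made up, the URLs are the article's configured values.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest, shaped like the one the SP sends via the browser.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-1" Version="2.0" IssueInstant="2021-11-25T20:33:00Z"
    Destination="https://172.31.200.123/saml-idp/7z2mr5flbzm/login/"
    AssertionConsumerServiceURL="https://172.31.200.103/saml/?acs">
  <saml:Issuer>http://172.31.200.103/metadata/</saml:Issuer>
</samlp:AuthnRequest>"""

# Values from the article's 'show system saml' output that the request must match.
EXPECTED = {
    "issuer": "http://172.31.200.103/metadata/",           # sp-entity-id on the IdP
    "destination": "https://172.31.200.123/saml-idp/7z2mr5flbzm/login/",  # idp-single-sign-on-url on the SP
    "acs": "https://172.31.200.103/saml/?acs",              # sp-single-sign-on-url on the IdP
}


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect(b64):
    """Reverse of encode_redirect: what a tracer does with the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def decode_post(b64):
    """HTTP-POST binding (the IdP's SAMLResponse to the ACS) is base64 only, no DEFLATE."""
    return base64.b64decode(b64).decode()


def build_redirect_url(xml_text, idp_sso_url=EXPECTED["destination"]):
    """Simulate the redirect the SP hands to the browser (URL-encoded base64)."""
    return idp_sso_url + "?SAMLRequest=" + quote(encode_redirect(xml_text), safe="")


def saml_request_from_url(url):
    """Pull the SAMLRequest query parameter out of a captured redirect URL."""
    return parse_qs(urlparse(url).query)["SAMLRequest"][0]


def summarize_authn_request(xml_text):
    """Extract the three fields that must agree with the SP/IdP configuration."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
    }


def check_request(summary, expected=EXPECTED):
    """Compare a decoded request with the configured values; [] means it matches."""
    return [f"{key}: request has {summary.get(key)!r}, configured {value!r}"
            for key, value in expected.items() if summary.get(key) != value]


if __name__ == "__main__":
    captured = build_redirect_url(SAMPLE_AUTHN_REQUEST)
    summary = summarize_authn_request(decode_redirect(saml_request_from_url(captured)))
    for line in check_request(summary) or ["AuthnRequest matches the configured IdP/SP values"]:
        print(line)
```

To use it on a real capture, copy the redirect URL (or just the SAMLRequest value) from the tracer into saml_request_from_url / decode_redirect; an Issuer that is not the sp-entity-id configured on the IdP, or a Destination that does not match the SP's idp-single-sign-on-url, explains an IdP-side rejection before any certificate question arises.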