Created on 11-25-2021 08:33 PM
Edited on 03-25-2022 07:51 AM
By Anthony_E
Description
This article describes configuring SAML SSO (Security Assertion Markup Language Single Sign-On) as an authentication method, using FortiManager as the IdP and FortiAnalyzer as the SP.
- Identity Provider (IdP): the system entity that authenticates users and issues SAML assertions (FortiManager in this article).
- Service Provider (SP): the web site or application that relies on those assertions to grant access (FortiAnalyzer in this article).
Scope
In this method the SP Type is set to 'Fortinet'.
Firmware versions used: FortiManager 6.4.7 and FortiAnalyzer 6.4.7.
Solution
Let's take a look at the authentication flow.
Steps to configure via GUI:
1) Download the certificate from the IdP (FortiManager) and import it into the SP (FortiAnalyzer) as a remote certificate.
2) In the IdP, create a new SP (in this method the SP Type is 'Fortinet') and fill in the 'IdP Prefix' and 'SP Address'.
- The 'IdP Prefix' can be found in the SP's SAML configuration.
- The 'SP Address' can be found from the SP's URL (the address used to reach FortiAnalyzer).
How does it look in the CLI?
FortiManager (IdP)
FMG-VM64 # sh sys saml
config system saml
    set status enable
    set role IDP
    set cert "Fortinet_Local"
    set server-address "172.31.200.123"
    config service-provider
        edit "Fortianalyzer"
            set prefix "7z2mr5flbzm"
            set sp-entity-id "http://172.31.200.103/metadata/"
            set sp-single-sign-on-url "https://172.31.200.103/saml/?acs"
            set sp-single-logout-url "https://172.31.200.103/saml/?sls"
        next
    end
end
FortiAnalyzer (SP)
FAZ-03 # sh sys saml
config system saml
    set status enable
    set server-address "172.31.200.103"
    set idp-entity-id "http://172.31.200.123/saml-idp/7z2mr5flbzm/metadata/"
    set idp-single-sign-on-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/login/"
    set idp-single-logout-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/logout/"
    set idp-cert "Remote_Cert_1"
end
Troubleshooting
- A SAML tracer browser extension captures the SAML requests and responses exchanged during login, which shows what is happening at each step of the authentication:
Firefox: https://addons.mozilla.org/en-CA/firefox/addon/saml-tracer/
Chrome: https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en
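Most SAML failures between these two units come down to the two configurations disagreeing on a value that has to match on both sides: the IdP prefix embedded in the FortiAnalyzer idp-* URLs, the hosts in those URLs versus each unit's server-address, the ACS/SLS endpoints, and whether a certificate is selected. The following script is an added example (not Fortinet code and not part of the original article) that parses the 'show system saml' output from both units, as shown in the CLI sections above, and reports every such mismatch, so the check can be run before reaching for a SAML tracer. The two config blocks below are the article's own values, embedded as sample input; the parser assumes the flat 'set key value' syntax of the output above.

```python
"""Cross-check a FortiManager (IdP) / FortiAnalyzer (SP) SAML configuration pair.

Added example, not Fortinet code: it parses the text of 'show system saml'
from both units and verifies the values the two sides must agree on.
"""
import re
from urllib.parse import urlparse

# Sample input constructed from the article's CLI output (IdP side).
IDP_CONFIG = """\
config system saml
    set status enable
    set role IDP
    set cert "Fortinet_Local"
    set server-address "172.31.200.123"
    config service-provider
        edit "Fortianalyzer"
            set prefix "7z2mr5flbzm"
            set sp-entity-id "http://172.31.200.103/metadata/"
            set sp-single-sign-on-url "https://172.31.200.103/saml/?acs"
            set sp-single-logout-url "https://172.31.200.103/saml/?sls"
        next
    end
end
"""

# Sample input constructed from the article's CLI output (SP side).
SP_CONFIG = """\
config system saml
    set status enable
    set server-address "172.31.200.103"
    set idp-entity-id "http://172.31.200.123/saml-idp/7z2mr5flbzm/metadata/"
    set idp-single-sign-on-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/login/"
    set idp-single-logout-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/logout/"
    set idp-cert "Remote_Cert_1"
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_settings(text):
    """Return {key: value} for every 'set key value' line, quotes stripped.

    Nested 'config'/'edit' blocks are flattened, which is sufficient for the
    single service-provider entry the article configures.
    """
    settings = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def check_saml_pair(idp_text, sp_text):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    idp = parse_settings(idp_text)
    sp = parse_settings(sp_text)
    problems = []

    # Basic enablement and certificate presence on each side.
    for side, cfg in (("IdP", idp), ("SP", sp)):
        if cfg.get("status") != "enable":
            problems.append(f"{side}: SAML status is not enabled")
    if idp.get("role") != "IDP":
        problems.append("IdP: role is not IDP")
    if not idp.get("cert"):
        problems.append("IdP: no signing certificate set")
    if not sp.get("idp-cert"):
        problems.append("SP: no IdP certificate selected (import it as a remote cert)")

    # Every IdP URL held by the SP must carry the IdP prefix and point at the IdP.
    prefix = idp.get("prefix", "")
    for key in ("idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url"):
        url = sp.get(key, "")
        if f"/saml-idp/{prefix}/" not in url:
            problems.append(f"SP: {key} does not contain IdP prefix '{prefix}'")
        if urlparse(url).hostname != idp.get("server-address"):
            problems.append(f"SP: {key} host differs from IdP server-address")

    # Every SP URL held by the IdP must point at the SP's own address and endpoints.
    for key in ("sp-entity-id", "sp-single-sign-on-url", "sp-single-logout-url"):
        url = idp.get(key, "")
        if urlparse(url).hostname != sp.get("server-address"):
            problems.append(f"IdP: {key} host differs from SP server-address")
    if not idp.get("sp-single-sign-on-url", "").endswith("?acs"):
        problems.append("IdP: sp-single-sign-on-url is not the SP's ACS endpoint (?acs)")
    if not idp.get("sp-single-logout-url", "").endswith("?sls"):
        problems.append("IdP: sp-single-logout-url is not the SP's SLS endpoint (?sls)")
    return problems


if __name__ == "__main__":
    for line in check_saml_pair(IDP_CONFIG, SP_CONFIG) or ["no mismatches found"]:
        print(line)
```

Run it against copies of each unit's 'show system saml' output; the article's own values produce no findings, while a prefix copied with a typo on the FortiAnalyzer side, or an SP address entered wrongly on FortiManager, is reported per URL so the exact field to correct is visible.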