FortiManager
iyotov
Staff
Article Id 219655

Description

This article describes how to configure SAML SSO for administrator login with Keycloak acting as SAML IdP. It assumes that a realm is already configured in Keycloak.

Scope

FortiManager/FortiAnalyzer

Solution

1) In Keycloak, go to the 'Keys' tab of the Realm Settings and download the default RSA certificate used to sign the IdP responses.

2) Copy this certificate into a text editor and wrap it in the PEM header and footer lines:

-----BEGIN CERTIFICATE-----
<certificate copied from the Keycloak Realm>
-----END CERTIFICATE-----

Then save it as a .cer file.

3) In FortiManager/FortiAnalyzer, import the .cer file under 'Remote Certificates'.

Alternatively, the remote certificate can be created directly in the CLI.

4) In FortiManager/FortiAnalyzer, configure SAML SSO in SP mode and verify that the 'SP Address' is configured correctly. It must be an IP address or an FQDN that the SSO users can reach; a bare host name will not work.

5) Set 'IdP Settings' to Custom, select the imported certificate, configure the IdP URLs, and Apply. For example, for a realm named 'ssolab':

IdP Entity ID: http://<keycloak_address>/auth/realms/ssolab
IdP Login URL: http://<keycloak_address>/auth/realms/ssolab/protocol/saml
IdP Logout URL: http://<keycloak_address>/auth/realms/ssolab/protocol/saml
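The three URLs above and the signing certificate from step 1 are all published by Keycloak in the realm's SAML IdP descriptor (served at http://<keycloak_address>/auth/realms/<realm>/protocol/saml/descriptor), so they can be taken from one place instead of copied by hand. The script below is an added example, not code from the article or from either product: it parses a descriptor, returns the values the 'Custom' IdP settings ask for, and writes the signing certificate as a properly wrapped PEM .cer file (steps 1 and 2), together with a SHA-256 fingerprint to compare against what the appliance displays after import. The descriptor embedded in the script is a constructed, abbreviated sample whose certificate body is a placeholder DER structure rather than a real X.509 certificate; the host name keycloak.example.test is likewise an assumption.

```python
"""Derive the 'Custom' IdP settings for FortiManager/FortiAnalyzer from a
Keycloak realm's SAML IdP descriptor and produce the signing certificate
as a PEM .cer file.

Added example, not part of the original article or of either product.
Assumptions: the descriptor has the shape Keycloak serves at
http://<keycloak_address>/auth/realms/<realm>/protocol/saml/descriptor;
the XML below is a constructed, abbreviated sample whose 'certificate'
is a placeholder DER SEQUENCE, not a real X.509 certificate.
"""
import base64
import hashlib
import ssl
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate body: DER SEQUENCE { INTEGER 1 }.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()

# Constructed sample descriptor for the realm 'ssolab' used in the article.
SAMPLE_DESCRIPTOR = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://keycloak.example.test/auth/realms/ssolab">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keycloak.example.test/auth/realms/ssolab/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keycloak.example.test/auth/realms/ssolab/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_body: str) -> str:
    """Wrap a single-line base64 certificate (as shown in Keycloak's Keys tab
    or in the descriptor) in the PEM header/footer, re-flowed to 64-character
    lines, which is the form the .cer import expects."""
    body = "".join(b64_body.split())          # drop any whitespace from the paste
    base64.b64decode(body, validate=True)     # fail early on a corrupt paste
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER certificate, for comparing
    against what the appliance shows once the remote certificate is imported."""
    der = ssl.PEM_cert_to_DER_cert(pem)       # also validates header/footer
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_descriptor(xml_text: str) -> dict:
    """Return the values the FortiManager/FortiAnalyzer 'Custom' IdP settings ask for."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def service_location(tag: str) -> str:
        services = idp.findall(f"md:{tag}", NS)
        if not services:
            raise ValueError(f"no {tag} in metadata")
        # Keycloak lists the same Location under several bindings; prefer HTTP-POST.
        post = [s for s in services if s.get("Binding", "").endswith("HTTP-POST")]
        return (post or services)[0].get("Location")

    cert_el = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no signing certificate in metadata")
    pem = to_pem(cert_el.text)
    return {
        "entity_id": root.get("entityID"),
        "login_url": service_location("SingleSignOnService"),
        "logout_url": service_location("SingleLogoutService"),
        "signing_cert_pem": pem,
        "signing_cert_sha256": sha256_fingerprint(pem),
    }


if __name__ == "__main__":
    settings = parse_idp_descriptor(SAMPLE_DESCRIPTOR)
    for key in ("entity_id", "login_url", "logout_url", "signing_cert_sha256"):
        print(f"{key}: {settings[key]}")
    # The file to import under 'Remote Certificates' (step 3).
    with open("keycloak-idp.cer", "w") as fh:
        fh.write(settings["signing_cert_pem"])
```

To use it against a live realm, replace SAMPLE_DESCRIPTOR with the descriptor fetched over HTTPS from the IdP; the fingerprint printed at the end is the value to check against the imported remote certificate, which guards against a stale or wrong certificate being pasted in step 2.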

6) After the settings are applied, the View SP Metadata button will become available.

7) Select 'View SP Metadata' to open the metadata XML and copy or download it to a file.

8) In Keycloak, create a new client, import the FortiManager/FortiAnalyzer metadata XML file, then Save.

This automatically populates the URLs in the Keycloak client settings.

9) Once the client is created, scroll down in 'Settings' and disable 'Client Signature Required'.
At present, FortiManager/FortiAnalyzer do not sign their SAML requests, so Keycloak must accept unsigned AuthnRequests from this client; the signature on the IdP response, validated with the certificate from step 1, is the only signature in the exchange.

10) In Keycloak Client configuration, go to the Client Scopes tab and remove the default 'role_list' from Assigned Default Client Scopes.

NOTE: If the default 'role_list' scope is not removed, Keycloak may include many default 'Role' attributes in the <saml:AttributeStatement>, which can cause FortiManager/FortiAnalyzer to respond to the SAML assertion with a 'Web Server Error 500'.

11) Still in the Client configuration, go to the 'Mappers' tab and select Create.

12) In the next 'Create Protocol Mapper' menu, create the username attribute as in the example below.
(Note that 'username' in the 'SAML Attribute Name' field must be lowercase.)

When done, the 'username' mapper is listed in the Mappers tab.

This is how the attribute statement should look in the assertion after a user has authenticated on Keycloak:

<saml:AttributeStatement>
    <saml:Attribute
        FriendlyName="username"
        Name="username"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">ssouser1
        </saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
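When the SSO login fails with an error 500 or the user is not recognised, the quickest check is to look at the attribute statement Keycloak actually sent (from a SAML tracer in the browser or the Keycloak event log) for the two conditions in steps 10 and 12: the attribute name must be exactly the lowercase 'username', and no 'Role' attributes should be present. The script below is an added example, not code from the article or from either product. Its first sample is the attribute statement shown above with the SAML assertion namespace declared; the second is a constructed counter-example with a capitalised mapper name and the 'Role' attributes the 'role_list' scope would add (the role names in it are constructed sample values).

```python
"""Inspect a <saml:AttributeStatement> for the two problems the article
warns about: a 'username' attribute that is not lowercase (step 12) and
'Role' attributes left over from the 'role_list' client scope (step 10).

Added example, not part of the original article or of either product.
GOOD_STATEMENT is the article's attribute statement with the namespace
declared; BAD_STATEMENT is a constructed counter-example.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

GOOD_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute FriendlyName="username" Name="username"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">ssouser1
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed: a mapper named 'Username' plus the 'Role' attributes that appear
# when the 'role_list' default client scope was not removed.
BAD_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>ssouser1</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>offline_access</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>uma_authorization</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>default-roles-ssolab</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def attribute_values(statement: ET.Element) -> dict:
    """Map each attribute Name to the list of its string values.
    Surrounding whitespace is stripped for inspection only (the article's
    sample has a line break before the closing tag)."""
    out = {}
    for attr in statement.findall("saml:Attribute", NS):
        name = attr.get("Name", "")
        vals = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        out.setdefault(name, []).extend(vals)
    return out


def check_attribute_statement(xml_text: str) -> dict:
    """Return the username the SP will read plus a list of configuration problems.
    Accepts either a bare AttributeStatement or a larger document containing one."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AttributeStatement" % NS["saml"]:
        root = root.find(".//saml:AttributeStatement", NS)
        if root is None:
            raise ValueError("no AttributeStatement found")
    attrs = attribute_values(root)
    problems = []
    username = None

    # Step 12: the attribute the SP reads is literally 'username', lowercase.
    if "username" not in attrs:
        near = [n for n in attrs if n.lower() == "username"]
        if near:
            problems.append(f"username attribute is named {near[0]!r}; "
                            "the SAML Attribute Name must be lowercase 'username'")
        else:
            problems.append("no 'username' attribute; create the user property mapper")
    elif not attrs["username"] or not attrs["username"][0]:
        problems.append("'username' attribute has no value")
    else:
        username = attrs["username"][0]

    # Step 10: the 'role_list' default client scope adds one 'Role' attribute per role.
    role_count = len(attrs.get("Role", []))
    if role_count:
        problems.append(f"{role_count} 'Role' attribute(s) present; "
                        "remove the 'role_list' default client scope")

    return {"username": username, "role_count": role_count, "problems": problems}


if __name__ == "__main__":
    for label, doc in (("article sample", GOOD_STATEMENT), ("constructed bad sample", BAD_STATEMENT)):
        print(label, check_attribute_statement(doc))
```

Paste the decoded SAMLResponse (or just its AttributeStatement) into check_attribute_statement; an empty problems list with the expected username means the Keycloak side of steps 10 and 12 is in order.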

13) (OPTIONAL) If IdP-initiated SSO is required, also configure the FortiManager/FortiAnalyzer 'SP ACS (Login) URL' as the 'IDP Initiated SSO URL Name' in the Keycloak Client Settings.

Keycloak then generates a target URL that skips the default FortiManager/FortiAnalyzer login prompt, so users do not have to select the 'Login with SSO' button every time.

Related article:

https://community.fortinet.com/t5/FortiAnalyzer/Techinical-Tip-SAML-SSO-FortiManager-FortiAnalyzer/t...
