FortiManager
tnesh
Staff & Editor
Article Id 322030
Description: This article describes how to configure an Identity Provider (IdP) user group as a FortiManager Workflow Approver.
Scope: FortiManager.
Solution

Prerequisites:

  • FortiAuthenticator will be used as an Identity Provider (IdP).
  • SAML SSO configuration has been set beforehand.

  1. At the IdP server, create a user group and add all the users that are part of the FortiManager approver list.
     Sample FortiAuthenticator (IdP) user group:

     User Group: ApproverFMG
     Users:      approver1, approver2

     [Image: idp-user-group.png]


  2. At the IdP server, make sure the SAML attribute named 'groupmatch' is also passed to FortiManager carrying the correct user attribute value (the user's IdP group name). Sample FortiAuthenticator SAML attribute settings:

     [Image: idp-saml-attribute.png]


  3. At FortiManager (SP), go to System Settings -> SAML SSO -> Service Provider (SP) and make sure 'Auto Create Admin' is disabled.

     [Image: fmg-disable-auto-create.png]


  4. At FortiManager (SP), create a wildcard SSO administrator with the IdP user group name: under System Settings -> Administrator, select 'Create New' and configure the following settings.

     Username:                          Any user name (e.g. approver)
     Admin Type:                        SSO
     Match all users on remote server:  Enable
     Admin Profile:                     An admin profile with Lock/Unlock ADOM permission (e.g. Standard_User)
     ext-auth-group-match
       (Advanced Options):              IdP user group name (e.g. ApproverFMG)

     [Image: fmg-wildcard-sso2.gif]


  5. At FortiManager (SP), add the newly created wildcard SSO user to the Workflow approver list under System Settings -> Workspace -> Workflow -> Workflow Approvals.

     [Image: fmg-workflow-approver.png]


  6. Log in to FortiManager with the SSO user and verify that the login is mapped to the correct admin profile:

     [Image: login-with-sso.png]

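The group-match logic behind steps 2 to 4 can be modelled in a few lines. The following is an added example, not Fortinet code and not FortiManager's implementation: it parses a constructed SAML assertion, reads the 'groupmatch' attribute, and looks up the wildcard SSO admin whose ext-auth-group-match value equals that group. The admin table (WILDCARD_SSO_ADMINS) and the auto_create_admin flag are assumptions made for illustration; the group and user names are the ones the article uses.

```python
"""Added example (not Fortinet code): model the SAML group-match step from the
article. A constructed assertion carries a 'groupmatch' attribute; the wildcard
SSO admin whose ext-auth-group-match value equals that attribute is selected.
With Auto Create Admin disabled, an unmatched group means no login."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (user approver1, group ApproverFMG, as in
# the article). A real assertion is signed and carries Conditions/AuthnStatement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>approver1</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>approver1</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groupmatch">
      <saml:AttributeValue>ApproverFMG</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical SP-side table of wildcard SSO admins:
# admin name -> assigned profile and the ext-auth-group-match value.
WILDCARD_SSO_ADMINS = {
    "approver": {"profile": "Standard_User", "ext_auth_group_match": "ApproverFMG"},
    "viewer":   {"profile": "Restricted_User", "ext_auth_group_match": "ViewerFMG"},
}


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def match_wildcard_admin(assertion_xml, admins=WILDCARD_SSO_ADMINS,
                         auto_create_admin=False):
    """Select the wildcard SSO admin whose ext-auth-group-match value appears in
    the assertion's 'groupmatch' attribute.

    Returns (admin name, profile), or None when the login should be refused."""
    groups = saml_attributes(assertion_xml).get("groupmatch", [])
    for name, cfg in admins.items():
        if cfg["ext_auth_group_match"] in groups:
            return name, cfg["profile"]
    # No configured group matched. With Auto Create Admin disabled (step 3) the
    # SP does not create an account, so the user is not admitted; with it enabled
    # an account would be created and the user would get in without the approver
    # mapping being checked.
    if auto_create_admin:
        return "<auto-created admin>", "<default profile>"
    return None


if __name__ == "__main__":
    print(match_wildcard_admin(SAMPLE_ASSERTION))
    print(match_wildcard_admin(SAMPLE_ASSERTION.replace("ApproverFMG", "OtherGroup")))
```

Running the block prints ('approver', 'Standard_User') for the sample assertion and None once the group value no longer matches any configured admin, which is the behaviour that makes disabling Auto Create Admin matter.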
 

Note: the SAML session timeout can be configured only via the CLI:

config system admin setting
    set idle_timeout_sso <time in seconds>    <-- The default is 900 seconds.
end


Results:

The following shows the SSO user logged in as a wildcard SSO user and as a Workflow approver:

[Image: approver1.gif]

 

Related article:

Technical Tip: SAML SSO - FortiManager/FortiAnalyzer Troubleshooting Options