FortiMonitor
FortiMonitor is a holistic, SaaS-based digital experience and network performance monitoring solution which combines monitoring, network incident management, automation, and network configuration management into a single source of truth.
MR_B
Staff
Article Id 225657
Description: This article describes how to leverage the SAML role mapping within SSO Integration to automatically assign new users permissions.
Scope: FortiMonitor, SSO Integration, SAML
Solution

Overview


When leveraging SSO Integration, FortiMonitor has the option to assign users permissions automatically based on data passed by SAML.

In order to take advantage of this, the SSO Integration will need to provide an additional SAML field with a payload that is defined within the SSO Integration setup of FortiMonitor.

 
Use Cases

 

For example, if a user has an attribute named 'Department' that is shared via the SSO integration, one can define the values that FortiMonitor should expect to see, such as 'IT' or 'Sales'. Based on the value received, the user can be assigned a FortiMonitor role such as 'Account Admin' or 'Dashboard Viewer'.

 
Example

 

Example of attribute values being passed by an Okta integration including the 'Department' attribute.

 


 

Example of the SAML XML data that will be passed to FortiMonitor including the Attribute Name of 'Department' and AttributeValue of 'IT'.

 



Example of the FortiMonitor SSO Configuration showing the settings for Auto Create Users and Assign Roles Based on SAML mapping.

When the value received for the 'Department' attribute is 'Sales', the user will be automatically created and assigned the 'Dashboard Viewer' role.

When the attribute value is 'IT' the user will be automatically created and assigned the 'Account Admin' role.
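
The mapping described above can be modelled as follows. This is an added example, not FortiMonitor's code: the function names and the sample assertion fragment are constructed, and the handling of missing, unmapped, or multi-valued attributes (no role assigned) is an assumption of this sketch, as is the premise that the assertion signature has already been verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mapping from the article: 'Department' value -> FortiMonitor role.
ROLE_MAP = {"IT": "Account Admin", "Sales": "Dashboard Viewer"}

# Constructed sample, not captured from a real IdP.
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Email">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Department">
    <saml:AttributeValue>IT</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def attribute_values(statement_xml, name):
    """Return all AttributeValue strings for the named SAML attribute."""
    if "<!DOCTYPE" in statement_xml:
        # SAML messages never need a DTD; refuse it before parsing.
        raise ValueError("DTD not allowed in SAML input")
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("Name") == name:
            for v in attr.findall("saml:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values

def resolve_role(statement_xml, attribute="Department", role_map=ROLE_MAP):
    """Map the attribute to a role; None means no role is assigned.

    Assumptions of this sketch: exact, case-sensitive match; a missing,
    unmapped, or multi-valued attribute yields no role (deny by default).
    """
    values = attribute_values(statement_xml, attribute)
    if len(values) != 1:
        return None
    return role_map.get(values[0])

if __name__ == "__main__":
    print(resolve_role(SAMPLE_STATEMENT))
```

Because the IdP-supplied value directly selects a role such as 'Account Admin', it is worth confirming who can edit that attribute in the identity provider's directory.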

 


 
