FortiSIEM Discussions
Secusaurus
Contributor II

FortiAuthenticator SAML for FortiSIEM

Dear community,

 

We are using FortiAuthenticator as External Authentication source for our FortiSIEM-users, providing us MFA. At the moment, we followed the guide for External Authentication Settings and set up this integration via RADIUS.

It works fine, but of course entering the 6 digits of FortiToken is not very appealing to users ;)

 

So, we'd like to move to SAML. I am not deep into the information that needs to be exchanged between both tools. The FSM docs focus on Okta and Azure AD which work a little different to FAC. Has anyone here experience in connecting these two components and likes to share the general config steps?

 

If not, we will figure out and I will share our experience in a few weeks...

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
1 Solution
Secusaurus
Contributor II

Ok, now, as promised, here is the step-by-step guide:

 

On FortiAuthenticator

  1. Do the general setup of FAC, which includes defining IP addresses, access ports, etc.
  2. Create user(s) that match exactly the users you like to use on FortiSIEM. You can connect these two by using LDAP, but to focus on just SAML connection, we will not talk about that one.
  3. Make sure you know the realm the users are in (if not default), you will need that one later
  4. Under Authentication -> SAML IdP -> General, define:
    1. The server address (note that this can differ from the FQDN which you have to set in System settings). You may use a port by adding :(portnumber), like iam.my-siem.com:10443 (if you only have limited public IP addresses, you will like to do so)
    2. The IdP-initiated login URL is the one you will need to share with your users, as FortiSIEM cannot (at time of writing) initiate the SAML login on its side. Btw, FortiSIEM is called the "Service Provider" in this setup.
    3. Either check "Use default realm when user-provided realm is different from all configured realms" or tell the users to use the realm along with their name to log on
    4. Configure the realms accordingly; in the simplest case, you may leave everything at it is
    5. Choose the default IdP certificate, which can be just anything. The only thing you need to make sure is that it is not expired (which you might need to consider in a couple of years again!). Feel free to use the built-in one.
    6. You can leave all the other options unchecked
    7. Click Save
  5. Switch to "Service Providers" (also under Authentication -> SAML IdP)
    1. Create a new entry
    2. Set a name you like to use; that one is only used in the list of apps for the user then
    3. Add a custom IdP prefix (choose whatever you like, will be part of the internal redirection URLs)
    4. You will need the IdP entity id later, copy that url
    5. Use the default configured certificate and signing algorithm (as this is configured in "General" for all logons then)
    6. Enable "Support IdP-initiated assertion response", as this is the only way you can log on to FortiSIEM. You don't have to configure any Relay state, but you may want to pick a good icon for your system; especially if you need to configure multiple logons sometime in future
    7. Save this entry, because some options will become visible only after saving
    8. Edit the entry again
    9. You now have "SP Metadata". This is the most critical part.
      1. For SP entity ID, you will like to choose the organization, which is "Super" (case-sensitive!)
      2. For SP ACS (login) URL, you set https://(yourdomain)/phoenix/sso/saml/(name of external authentication profile in the FortiSIEM)
    10. Make sure, Assertion Attribute Configuration -> Subject NameID is set to Username
    11. I've also set the following Asserting Attributes:
      1. Attribute "username" maps to Username
      2. Attribute "organization" maps to Realm. Note that this does not work on the "Super" organization as a realm will always be lowercase ("super") but the FortiSIEM expects an uppercase "S". But what you can do with this, is mapping every tenant by letting the users sign in with their correct realm on the IdP and only have one "customer" and one "supervisor" link on the page (addressing sioannou's issue mentioned above)
    12. Save
    13. Then go back to the very same editing page and press the "IdP metadata"-download-button next to the save button. You will need some of these information later

Now, you can switch to FortiSIEM

 

On FortiSIEM

  1. Go to Admin -> Settings -> General -> External Authentication and create a new one
    1. Create a name which matches exactly the one you configured on the FortiAuthenticator under "SP ACS (login) URL", the last part after the last forward slash
    2. You will probably want to use this system-wide, so choose "System" as Organization
    3. Protocol is obviously "SAML"
    4. For "Issuer", insert the URL you copied from "IdP entity id" above. You find it also in the downloaded "idpssodescriptor.xml" as entityID parameter
    5. The certificate is in the very same file. Copy the content between the "ds:X509Certificate" tags and paste it here.
    6. As user, I used the custom Attribute "username", but it will also work with the default setup
    7. As Organization, if you have the "Super" organization, you must use the default (Audience element) and make sure you have entered "Super" in the "SP entity ID" on FortiAuthenticator. Otherwise, you may use the realms of FortiAuthenticator which are in this setup present in the custom attribute "organization"
    8. Leave the Role on None. If you like to use roles, you also need to set this up as a custom attribute on the FortiAuthenticator (I'd recommend user groups here, if you only have one per user) and use the very same names on the FortiSIEM under Admin -> Settings -> Role -> SAML Role. As far as I understand, this also enables creating new users in the CMDB just by them authenticating via IdP
    9. Save
  2. Suppose you want you existing user being authenticated this way, go to the CMDB, edit the according user and click on the edit Button next to "System Admin"
    1. Choose Mode: External
    2. Select your SAML-Authentication profile
    3. Select a default role for all or the desired organizations
    4. Note, that the user must be in the correct organization provided by the SAML-IdP-exchange (like "Super", as mentioned multiple times now)
  3. The defined user(s) can now log on via the url we had right at the beginning, which reads something like https://iam.my-siem.com/saml-idp/portal/

 

I hope this helps everyone how is facing the same question like I did.

 

Best,

Christian

FortiAuthenticator: GeneralFortiAuthenticator: General

 

FortiAuthenticator: Service ProviderFortiAuthenticator: Service Provider

 

FortiSIEMFortiSIEM

 

FCP & FCSS Security Operations | Fortinet Advanced Partner

View solution in original post

FCP & FCSS Security Operations | Fortinet Advanced Partner
4 REPLIES 4
sioannou
Contributor

Hi Christian, 

 

Yes we have successfully integrated the systems together. Have a look here https://docs.fortinet.com/document/fortiauthenticator/6.5.3/administration-guide/817031/saml-idp for the IDP initiated request. 

When we are talking about a single tenant FortiAuthenticator does the job. Unfortunately because FortiSIEM does not support SP initiated assertions, if you have a multi-tenanted environment FortiAuthenticator cannot perform RBAC of the Idp links. So if you login to FortiAuthenticator then all links for all tenants are shown which might be considered a data leak. 

 

In multi-tenanted environments you have either the option to setup a FortiAuth per tenant or review some of the options out-there for SAML. 

 

Please let me know if you need more info, maybe I can put a document together and have it submitted to KB section. 

 

Regards,

 

S

 

Secusaurus

Hi @sioannou,

 

Thanks for your detailed answer!

In fact, I would love to have some kind of step by step guide for setting up both sides, just like the Okta or AAD setup is in the docs. But I have to admit, I have not done any SAML integration anywhere yet and I suppose as soon as I did that, it will become much clearer which parameters stand for what.

 

In my case, we do have a multi tenant environment but are talking about granting access to the SOC team only for the moment, so there won't be the need for tenant support at least at that point. However, I will take that into consideration and do a bit of research on how to tackle this for future accounts.

 

Thanks for the moment!

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
Secusaurus

Hi @sioannou,

 

I've now started configuring the main options. I will list them in a full setup here, once it works.

I am currently stuck on FortiSIEM explaining me

Invalid username or password or organization. ErrorCode : 3001 

 I've created custom attribute statements with "organization" and "username" which send "super" and the according username. On FSM, I set "User" and "Org" to these custom attributes. The user I try to use (which is a super admin) has only the SAML-profile as external authentication source configured.

Am I missing something obvious here?

 

Thanks already!

Christian

 

EDIT: I know these information get through using the SAML-trace browser plugin. The attributes appear under "SAML 2.0 AttributeStatement".

 

You may ignore this post. I found the solution. The organization is case-sensitive and "super" does not equal "Super".

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
Secusaurus
Contributor II

Ok, now, as promised, here is the step-by-step guide:

 

On FortiAuthenticator

  1. Do the general setup of FAC, which includes defining IP addresses, access ports, etc.
  2. Create user(s) that match exactly the users you like to use on FortiSIEM. You can connect these two by using LDAP, but to focus on just SAML connection, we will not talk about that one.
  3. Make sure you know the realm the users are in (if not default), you will need that one later
  4. Under Authentication -> SAML IdP -> General, define:
    1. The server address (note that this can differ from the FQDN which you have to set in System settings). You may use a port by adding :(portnumber), like iam.my-siem.com:10443 (if you only have limited public IP addresses, you will like to do so)
    2. The IdP-initiated login URL is the one you will need to share with your users, as FortiSIEM cannot (at time of writing) initiate the SAML login on its side. Btw, FortiSIEM is called the "Service Provider" in this setup.
    3. Either check "Use default realm when user-provided realm is different from all configured realms" or tell the users to use the realm along with their name to log on
    4. Configure the realms accordingly; in the simplest case, you may leave everything at it is
    5. Choose the default IdP certificate, which can be just anything. The only thing you need to make sure is that it is not expired (which you might need to consider in a couple of years again!). Feel free to use the built-in one.
    6. You can leave all the other options unchecked
    7. Click Save
  5. Switch to "Service Providers" (also under Authentication -> SAML IdP)
    1. Create a new entry
    2. Set a name you like to use; that one is only used in the list of apps for the user then
    3. Add a custom IdP prefix (choose whatever you like, will be part of the internal redirection URLs)
    4. You will need the IdP entity id later, copy that url
    5. Use the default configured certificate and signing algorithm (as this is configured in "General" for all logons then)
    6. Enable "Support IdP-initiated assertion response", as this is the only way you can log on to FortiSIEM. You don't have to configure any Relay state, but you may want to pick a good icon for your system; especially if you need to configure multiple logons sometime in future
    7. Save this entry, because some options will become visible only after saving
    8. Edit the entry again
    9. You now have "SP Metadata". This is the most critical part.
      1. For SP entity ID, you will like to choose the organization, which is "Super" (case-sensitive!)
      2. For SP ACS (login) URL, you set https://(yourdomain)/phoenix/sso/saml/(name of external authentication profile in the FortiSIEM)
    10. Make sure, Assertion Attribute Configuration -> Subject NameID is set to Username
    11. I've also set the following Asserting Attributes:
      1. Attribute "username" maps to Username
      2. Attribute "organization" maps to Realm. Note that this does not work on the "Super" organization as a realm will always be lowercase ("super") but the FortiSIEM expects an uppercase "S". But what you can do with this, is mapping every tenant by letting the users sign in with their correct realm on the IdP and only have one "customer" and one "supervisor" link on the page (addressing sioannou's issue mentioned above)
    12. Save
    13. Then go back to the very same editing page and press the "IdP metadata"-download-button next to the save button. You will need some of these information later

Now, you can switch to FortiSIEM

 

On FortiSIEM

  1. Go to Admin -> Settings -> General -> External Authentication and create a new one
    1. Create a name which matches exactly the one you configured on the FortiAuthenticator under "SP ACS (login) URL", the last part after the last forward slash
    2. You will probably want to use this system-wide, so choose "System" as Organization
    3. Protocol is obviously "SAML"
    4. For "Issuer", insert the URL you copied from "IdP entity id" above. You find it also in the downloaded "idpssodescriptor.xml" as entityID parameter
    5. The certificate is in the very same file. Copy the content between the "ds:X509Certificate" tags and paste it here.
    6. As user, I used the custom Attribute "username", but it will also work with the default setup
    7. As Organization, if you have the "Super" organization, you must use the default (Audience element) and make sure you have entered "Super" in the "SP entity ID" on FortiAuthenticator. Otherwise, you may use the realms of FortiAuthenticator which are in this setup present in the custom attribute "organization"
    8. Leave the Role on None. If you like to use roles, you also need to set this up as a custom attribute on the FortiAuthenticator (I'd recommend user groups here, if you only have one per user) and use the very same names on the FortiSIEM under Admin -> Settings -> Role -> SAML Role. As far as I understand, this also enables creating new users in the CMDB just by them authenticating via IdP
    9. Save
  2. Suppose you want you existing user being authenticated this way, go to the CMDB, edit the according user and click on the edit Button next to "System Admin"
    1. Choose Mode: External
    2. Select your SAML-Authentication profile
    3. Select a default role for all or the desired organizations
    4. Note, that the user must be in the correct organization provided by the SAML-IdP-exchange (like "Super", as mentioned multiple times now)
  3. The defined user(s) can now log on via the url we had right at the beginning, which reads something like https://iam.my-siem.com/saml-idp/portal/

 

I hope this helps everyone how is facing the same question like I did.

 

Best,

Christian

FortiAuthenticator: GeneralFortiAuthenticator: General

 

FortiAuthenticator: Service ProviderFortiAuthenticator: Service Provider

 

FortiSIEMFortiSIEM

 

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"