1 Solution
Ok, now, as promised, here is the step-by-step guide:
On FortiAuthenticator
- Do the general setup of FAC, which includes defining IP addresses, access ports, etc.
- Create user(s) that match exactly the users you like to use on FortiSIEM. You can connect these two by using LDAP, but to focus on just SAML connection, we will not talk about that one.
- Make sure you know the realm the users are in (if not default), you will need that one later
- Under Authentication -> SAML IdP -> General, define:
- The server address (note that this can differ from the FQDN which you have to set in System settings). You may use a port by adding :(portnumber), like iam.my-siem.com:10443 (if you only have limited public IP addresses, you will like to do so)
- The IdP-initiated login URL is the one you will need to share with your users, as FortiSIEM cannot (at time of writing) initiate the SAML login on its side. Btw, FortiSIEM is called the "Service Provider" in this setup.
- Either check "Use default realm when user-provided realm is different from all configured realms" or tell the users to use the realm along with their name to log on
- Configure the realms accordingly; in the simplest case, you may leave everything at it is
- Choose the default IdP certificate, which can be just anything. The only thing you need to make sure is that it is not expired (which you might need to consider in a couple of years again!). Feel free to use the built-in one.
- You can leave all the other options unchecked
- Click Save
- Switch to "Service Providers" (also under Authentication -> SAML IdP)
- Create a new entry
- Set a name you like to use; that one is only used in the list of apps for the user then
- Add a custom IdP prefix (choose whatever you like, will be part of the internal redirection URLs)
- You will need the IdP entity id later, copy that url
- Use the default configured certificate and signing algorithm (as this is configured in "General" for all logons then)
- Enable "Support IdP-initiated assertion response", as this is the only way you can log on to FortiSIEM. You don't have to configure any Relay state, but you may want to pick a good icon for your system; especially if you need to configure multiple logons sometime in future
- Save this entry, because some options will become visible only after saving
- Edit the entry again
- You now have "SP Metadata". This is the most critical part.
- For SP entity ID, you will like to choose the organization, which is "Super" (case-sensitive!)
- For SP ACS (login) URL, you set https://(yourdomain)/phoenix/sso/saml/(name of external authentication profile in the FortiSIEM)
- Make sure, Assertion Attribute Configuration -> Subject NameID is set to Username
- I've also set the following Asserting Attributes:
- Attribute "username" maps to Username
- Attribute "organization" maps to Realm. Note that this does not work on the "Super" organization as a realm will always be lowercase ("super") but the FortiSIEM expects an uppercase "S". But what you can do with this, is mapping every tenant by letting the users sign in with their correct realm on the IdP and only have one "customer" and one "supervisor" link on the page (addressing sioannou's issue mentioned above)
- Save
- Then go back to the very same editing page and press the "IdP metadata"-download-button next to the save button. You will need some of these information later
Now, you can switch to FortiSIEM
On FortiSIEM
- Go to Admin -> Settings -> General -> External Authentication and create a new one
- Create a name which matches exactly the one you configured on the FortiAuthenticator under "SP ACS (login) URL", the last part after the last forward slash
- You will probably want to use this system-wide, so choose "System" as Organization
- Protocol is obviously "SAML"
- For "Issuer", insert the URL you copied from "IdP entity id" above. You find it also in the downloaded "idpssodescriptor.xml" as entityID parameter
- The certificate is in the very same file. Copy the content between the "ds:X509Certificate" tags and paste it here.
- As user, I used the custom Attribute "username", but it will also work with the default setup
- As Organization, if you have the "Super" organization, you must use the default (Audience element) and make sure you have entered "Super" in the "SP entity ID" on FortiAuthenticator. Otherwise, you may use the realms of FortiAuthenticator which are in this setup present in the custom attribute "organization"
- Leave the Role on None. If you like to use roles, you also need to set this up as a custom attribute on the FortiAuthenticator (I'd recommend user groups here, if you only have one per user) and use the very same names on the FortiSIEM under Admin -> Settings -> Role -> SAML Role. As far as I understand, this also enables creating new users in the CMDB just by them authenticating via IdP
- Save
- Suppose you want you existing user being authenticated this way, go to the CMDB, edit the according user and click on the edit Button next to "System Admin"
- Choose Mode: External
- Select your SAML-Authentication profile
- Select a default role for all or the desired organizations
- Note, that the user must be in the correct organization provided by the SAML-IdP-exchange (like "Super", as mentioned multiple times now)
- The defined user(s) can now log on via the url we had right at the beginning, which reads something like https://iam.my-siem.com/saml-idp/portal/
I hope this helps everyone how is facing the same question like I did.
Best,
Christian
Ok, now, as promised, here is the step-by-step guide:
On FortiAuthenticator
- Do the general setup of FAC, which includes defining IP addresses, access ports, etc.
- Create user(s) that match exactly the users you like to use on FortiSIEM. You can connect these two by using LDAP, but to focus on just SAML connection, we will not talk about that one.
- Make sure you know the realm the users are in (if not default), you will need that one later
- Under Authentication -> SAML IdP -> General, define:
- The server address (note that this can differ from the FQDN which you have to set in System settings). You may use a port by adding :(portnumber), like iam.my-siem.com:10443 (if you only have limited public IP addresses, you will like to do so)
- The IdP-initiated login URL is the one you will need to share with your users, as FortiSIEM cannot (at time of writing) initiate the SAML login on its side. Btw, FortiSIEM is called the "Service Provider" in this setup.
- Either check "Use default realm when user-provided realm is different from all configured realms" or tell the users to use the realm along with their name to log on
- Configure the realms accordingly; in the simplest case, you may leave everything at it is
- Choose the default IdP certificate, which can be just anything. The only thing you need to make sure is that it is not expired (which you might need to consider in a couple of years again!). Feel free to use the built-in one.
- You can leave all the other options unchecked
- Click Save
- Switch to "Service Providers" (also under Authentication -> SAML IdP)
- Create a new entry
- Set a name you like to use; that one is only used in the list of apps for the user then
- Add a custom IdP prefix (choose whatever you like, will be part of the internal redirection URLs)
- You will need the IdP entity id later, copy that url
- Use the default configured certificate and signing algorithm (as this is configured in "General" for all logons then)
- Enable "Support IdP-initiated assertion response", as this is the only way you can log on to FortiSIEM. You don't have to configure any Relay state, but you may want to pick a good icon for your system; especially if you need to configure multiple logons sometime in future
- Save this entry, because some options will become visible only after saving
- Edit the entry again
- You now have "SP Metadata". This is the most critical part.
- For SP entity ID, you will like to choose the organization, which is "Super" (case-sensitive!)
- For SP ACS (login) URL, you set https://(yourdomain)/phoenix/sso/saml/(name of external authentication profile in the FortiSIEM)
- Make sure, Assertion Attribute Configuration -> Subject NameID is set to Username
- I've also set the following Asserting Attributes:
- Attribute "username" maps to Username
- Attribute "organization" maps to Realm. Note that this does not work on the "Super" organization as a realm will always be lowercase ("super") but the FortiSIEM expects an uppercase "S". But what you can do with this, is mapping every tenant by letting the users sign in with their correct realm on the IdP and only have one "customer" and one "supervisor" link on the page (addressing sioannou's issue mentioned above)
- Save
- Then go back to the very same editing page and press the "IdP metadata"-download-button next to the save button. You will need some of these information later
Now, you can switch to FortiSIEM
On FortiSIEM
- Go to Admin -> Settings -> General -> External Authentication and create a new one
- Create a name which matches exactly the one you configured on the FortiAuthenticator under "SP ACS (login) URL", the last part after the last forward slash
- You will probably want to use this system-wide, so choose "System" as Organization
- Protocol is obviously "SAML"
- For "Issuer", insert the URL you copied from "IdP entity id" above. You find it also in the downloaded "idpssodescriptor.xml" as entityID parameter
- The certificate is in the very same file. Copy the content between the "ds:X509Certificate" tags and paste it here.
- As user, I used the custom Attribute "username", but it will also work with the default setup
- As Organization, if you have the "Super" organization, you must use the default (Audience element) and make sure you have entered "Super" in the "SP entity ID" on FortiAuthenticator. Otherwise, you may use the realms of FortiAuthenticator which are in this setup present in the custom attribute "organization"
- Leave the Role on None. If you like to use roles, you also need to set this up as a custom attribute on the FortiAuthenticator (I'd recommend user groups here, if you only have one per user) and use the very same names on the FortiSIEM under Admin -> Settings -> Role -> SAML Role. As far as I understand, this also enables creating new users in the CMDB just by them authenticating via IdP
- Save
- Suppose you want you existing user being authenticated this way, go to the CMDB, edit the according user and click on the edit Button next to "System Admin"
- Choose Mode: External
- Select your SAML-Authentication profile
- Select a default role for all or the desired organizations
- Note, that the user must be in the correct organization provided by the SAML-IdP-exchange (like "Super", as mentioned multiple times now)
- The defined user(s) can now log on via the url we had right at the beginning, which reads something like https://iam.my-siem.com/saml-idp/portal/
I hope this helps everyone how is facing the same question like I did.
Best,
Christian
