A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate.
Article Id 241636
Description This article describes how to configure SAML SSO login for administrators using the FortiGate as SAML-Idp.
Scope FortiWeb and FortiGate.

In this example, the FortiGate must be configured as the Fabric root and the FortiWeb joined to that Fabric. SAML Single Sign-On must already be enabled and configured on the FortiGate.

- In FortiWeb, go to Security Fabric -> Fabric Connectors.
Fabric Device Status must be enabled, and the following settings must be configured.




Upstream IP: Fabric Root FortiGate IP.
Upstream Port: Default 8013.
Configuration Sync: Set it to Default.


Default means that once the Fabric connection with the FortiGate is established, Single Sign-On mode is enabled automatically and the FortiGate synchronizes its SAML Single Sign-On settings to the FortiWeb.


Local means that once the Fabric connection with the FortiGate is established, Single Sign-On mode must be enabled manually and the SAML Single Sign-On settings configured manually on the FortiWeb.


Management IP: FortiWeb's management IP.
Management Port: FortiWeb's management port.

This must be the same as the HTTPS port set under System -> Admin -> Settings in FortiWeb; if the two differ, the FortiGate cannot reach the FortiWeb's management interface through the Fabric.
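The same Fabric Connector settings entered from the FortiWeb CLI, as an added example that is not part of the original article. The table name `system csf` and its attribute names are recalled from the FortiWeb CLI and are assumptions to verify with `?` in the CLI or against the FortiWeb CLI Reference for your version; the IP addresses are placeholders.

```cli
# Added example, not from the article. Attribute names under
# 'config system csf' are assumptions; confirm them for your version.
# 192.0.2.1 and 192.0.2.10 are placeholder addresses.
config system csf
    # Fabric Device Status
    set status enable
    # Fabric root FortiGate IP and the default Fabric port
    set upstream-ip 192.0.2.1
    set upstream-port 8013
    # Default: FortiGate pushes the SAML Single Sign-On settings after authorization
    set configuration-sync default
    # FortiWeb management IP and port; the port must equal the HTTPS port
    # under System -> Admin -> Settings
    set management-ip 192.0.2.10
    set management-port 443
end

# Review what was applied before authorizing the device on the FortiGate
show system csf
```

If `configuration-sync` is set to `local` instead, the SAML settings are not pushed by the FortiGate and must be entered on the FortiWeb by hand after the device is authorized.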


- After setting up the FortiWeb Fabric Connector, go to the FortiGate and authorize the FortiWeb.

Once the FortiWeb is authorized, go to Security Fabric -> Fabric Connectors -> Security Fabric Setup on the FortiGate and confirm that Single Sign-On is enabled and configured properly.




- A few minutes later, the FortiWeb's status should show as Authorized, and the Single Sign-On settings are synced from the FortiGate.


- With Single Sign-On Mode enabled, selecting Single Sign-On on the FortiWeb login page redirects the user to the FortiGate's Single Sign-On provider page, where they must log in with a FortiGate administrator account. Access to the FortiWeb is therefore governed by the FortiGate administrator's credentials.


- After the first login, the account is created automatically on the FortiWeb.

Go to System -> Admin -> Administrators: the account appears in the SSO Admin table, where its access profile can be viewed and assigned.


Troubleshooting commands:


# diagnose debug application samld 7
# diagnose debug enable


Disable the debug after trying to log in with Single Sign-On:


# diagnose debug disable


Related documents: