FortiWeb
ubarlas
Staff
Article Id 241636
Description This article describes how to configure SAML SSO login for administrators, using the FortiGate as the SAML IdP.
Scope FortiWeb and FortiGate.
Solution

In this example, the FortiGate must be configured as the Fabric root and the FortiWeb must be a member of that Fabric. SAML Single-Sign-On must be enabled and configured on the FortiGate.

- In FortiWeb, go to Security Fabric -> Fabric Connectors.
Fabric Device Status must be enabled and the following settings configured.

Upstream IP: Fabric Root FortiGate IP.
Upstream Port: Default 8013.
Configuration Sync: Set it to Default.

Default means that once the Fabric connection with the FortiGate is established, Single Sign-On mode is enabled automatically and the FortiGate synchronizes its SAML Single-Sign-On settings to the FortiWeb.

Local means that once the Fabric connection with the FortiGate is established, Single Sign-On mode must be enabled manually and the SAML Single-Sign-On settings must be configured manually on the FortiWeb.

Management IP: FortiWeb’s Management IP.
Management Port: FortiWeb’s Management Port. This must be the same as the HTTPS port set in System -> Admin -> Settings on FortiWeb.

- After setting up the FortiWeb Fabric Connector, authorize the FortiWeb on the FortiGate.

Confirm that the FortiWeb is authorized, then go to Security Fabric -> Fabric Connectors -> Security Fabric Setup. Single-Sign-On must be enabled and configured properly.

- A few minutes later, the FortiWeb’s status should be Authorized, and the Single-Sign-On settings are synced from the FortiGate.

- With Single Sign-On mode enabled, selecting Single Sign-On on FortiWeb’s login page redirects the user to the FortiGate’s Single Sign-On provider page, where login with a FortiGate administrator account is required.

- After the first login, this account is created automatically on the FortiWeb.

Go to System -> Admin -> Administrators: the account appears in the SSO Admin table, where the profile assigned to it can be checked.

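The two conditions the steps above impose on the Fabric Connector (the upstream port defaults to 8013, and the Management Port must equal the HTTPS port under System -> Admin -> Settings) are easy to get wrong when typing values into two different GUIs. The following pre-flight checker is an added example written for this article; it is not Fortinet code and uses no FortiWeb or FortiGate API. It assumes the operator copies the values entered in the FortiWeb GUI into a `FabricConnectorSettings` object (a name invented here), validates them for consistency, and can then probe whether the FortiGate Fabric port and the FortiWeb HTTPS management port are actually reachable, so a failed Fabric join or SSO redirect can be separated from a plain network problem before reading `samld` debug output.

```python
"""Pre-flight checks for FortiWeb Fabric Connector settings (added example, not Fortinet code)."""
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import List

# FortiWeb Fabric Connector default upstream port, as stated in the article.
DEFAULT_FABRIC_PORT = 8013


@dataclass
class FabricConnectorSettings:
    """Values as entered in the FortiWeb GUI (hypothetical container, not a Fortinet type)."""
    upstream_ip: str        # Fabric root FortiGate IP
    upstream_port: int      # Upstream Port, default 8013
    management_ip: str      # FortiWeb management IP
    management_port: int    # Management Port in the Fabric Connector page
    https_admin_port: int   # HTTPS port from System -> Admin -> Settings


def validate_settings(s: FabricConnectorSettings) -> List[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    for name, ip in (("upstream_ip", s.upstream_ip), ("management_ip", s.management_ip)):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"{name} {ip!r} is not a valid IP address")
    for name, port in (("upstream_port", s.upstream_port),
                       ("management_port", s.management_port),
                       ("https_admin_port", s.https_admin_port)):
        if not 1 <= port <= 65535:
            findings.append(f"{name} {port} is not a valid TCP port")
    if s.upstream_port != DEFAULT_FABRIC_PORT:
        findings.append(f"upstream_port is {s.upstream_port}; the default is {DEFAULT_FABRIC_PORT}, "
                        "confirm the Fabric root FortiGate listens on the non-default port")
    if s.management_port != s.https_admin_port:
        findings.append(f"management_port {s.management_port} does not match the HTTPS admin port "
                        f"{s.https_admin_port}; the article requires them to be equal")
    return findings


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def https_listening(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TLS handshake completes on host:port.

    The certificate is deliberately not verified: this only confirms that HTTPS
    is served on the port the Fabric Connector advertises, nothing more.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def preflight(s: FabricConnectorSettings, probe: bool = False) -> List[str]:
    """Consistency findings, plus reachability findings when probe=True."""
    findings = validate_settings(s)
    if probe and not findings:
        if not tcp_reachable(s.upstream_ip, s.upstream_port):
            findings.append(f"Fabric root {s.upstream_ip}:{s.upstream_port} is not reachable")
        if not https_listening(s.management_ip, s.management_port):
            findings.append(f"no HTTPS listener on FortiWeb {s.management_ip}:{s.management_port}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    sample = FabricConnectorSettings("192.0.2.1", 8013, "192.0.2.10", 443, 8443)
    for finding in preflight(sample) or ["settings are consistent"]:
        print(finding)
```

Run it with `probe=True` from a host that can reach both devices; with the constructed sample above it reports the Management Port / HTTPS port mismatch, which is exactly the misconfiguration that makes the SSO redirect land on the wrong port.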
Troubleshooting commands:

# diagnose debug application samld 7
# diagnose debug enable

Disable the debug after trying to log in with Single-Sign-On:

# diagnose debug disable

Related documents:

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/358479/configuring-the-root-...

https://docs.fortinet.com/document/fortiweb/7.0.4/administration-guide/950216/fabric-connector-singl...