FortiWeb
Ahmed_Galal
Staff
Article Id 242645
Description

This article describes how to integrate FortiWeb with FortiAuthenticator for FortiWeb administration with SAML authentication.

Scope

FortiWeb firmware version 7.0.2 or higher.
Solution

Step 1: FortiAuthenticator (FA) related configurations:

 

- Configure SAML Identity Provider Settings on FA:

 

1) Navigate to Authentication -> SAML IdP -> General.

2) Enable the SAML Identity Provider portal.

3) Fill in the server address [the FA IP address that FortiWeb will redirect administrators to can be used here].

4) At Default IdP certificate: choose the default IDP certificate.

5) At Realms: select add Realm.

6) Select OK to save the config.

 


 

- Download the IDP certificate to the local machine:   

  

1) Navigate to Certificate Management -> End Entities -> Local Services.

2) Download the default IDP certificate used in the previous step to be uploaded later on FortiWeb.

 


 

- Configure SAML Service Provider options:

 

1) Navigate to Authentication -> SAML IdP -> Service Providers.

2) Fill in the SP name.

3) At IdP prefix: select Create New IdP prefix, then Generate prefix.

4) Copy all of [IdP entity id, IdP single sign-on URL, IdP single logout URL] to an external notepad.

5) Select save then choose the IdP prefix that was generated in step 3 again.

6) Fill in SP options manually according to the following:

     6.1) SP entity ID: http://x.x.x.x/metadata/                   [x.x.x.x is the FortiWeb IP].

     6.2) SP ACS (login) URL: https://x.x.x.x/saml/?acs.

     6.3) SP SLS (logout) URL: https://x.x.x.x/saml/?sls.

 


 

- Configure FortiAuthenticator local users:

 

1) Navigate to Authentication -> User Management -> Local User.

2) Configure the required users.

 


 

Step 2: FortiWeb-related Configurations:

 

- Configure FortiWeb Fabric Connector:

 

1) Navigate to Security Fabric -> Fabric Connectors.

2) Leave the status 'disabled'.

3) Ignore the options related to the FortiGate Fabric [Upstream IP, Management IP].

4) Enable Single Sign-On Mode.

5) Configure the SP Address as the FortiWeb Address.

6) Fill in the [IdP Entity ID, IdP Single Sign-On URL, IdP Single Logout URL] exactly as copied from FA in Step 1 Section 3.

7) Upload the certificate downloaded in Step 1 Section 2 at IdP Certificate.

 


 

- Perform the SSO login:

 

1) Navigate to the FortiWeb login page.

2) Select Via Single Sign-On.

 


 

- Assign the user an access profile (full access only if it is actually required, otherwise a custom profile limited to the needed privileges):

 

1) Log in to FortiWeb with the regular admin account.

2) Navigate to System -> Admin -> Administrator.

3) The SSO new account can be found under the SSO Admin tab.

4) Assign to the user the required profile.

 


 

Troubleshooting:

 

- After selecting 'Via Single Sign-On' at the FortiWeb login page, the browser is not redirected to the FA login page. Check the following:

- Review the SAML URLs on FortiWeb at Security Fabric -> Fabric Connectors. Make sure they exactly match the URLs extracted from FA at Authentication -> SAML IdP -> Service Providers (including scheme, host, path and trailing slash).

- Check the SP address on FortiWeb at Security Fabric -> Fabric Connectors. Make sure it matches the FortiWeb address.

- Check the Server Address on FortiAuthenticator at Authentication -> SAML IdP -> General. Make sure it matches the FA address.

- Check the SP URLs on FortiAuthenticator at Authentication -> SAML IdP -> Service Providers. Make sure they match the SP entity ID, ACS URL and SLS URL given in Step 1 Section 3, built from the FortiWeb address.
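The mismatches listed above are the usual reason the redirect fails, and copying the three IdP values and the certificate by hand from the FA GUI is where they creep in. The Python script below is an added example, not code from this article or from Fortinet: it parses a SAML 2.0 IdP metadata document, extracts the entity ID, the HTTP-Redirect SSO/SLO URLs and the signing-certificate fingerprint, compares them with what was entered on FortiWeb (and checks the uploaded PEM is really the IdP signing certificate), then derives the three SP values FA must hold for a FortiWeb at a given address using the patterns from Step 1 Section 3. The hostname fac.example.test, the prefix abc123, the metadata XML, the certificate bytes and the 192.0.2.10 FortiWeb address are constructed placeholders, and the function names are the example's own.

```python
"""Cross-check a FortiWeb SAML fabric connector against IdP metadata (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder bytes, not a real X.509 DER blob; only the fingerprint matters here.
FAKE_DER = b"constructed-placeholder-idp-certificate-bytes"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed sample of the metadata an IdP publishes for one prefix (hostname is fictional).
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://fac.example.test/saml-idp/abc123/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://fac.example.test/saml-idp/abc123/logout/"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://fac.example.test/saml-idp/abc123/login/"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://fac.example.test/saml-idp/abc123/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed PEM standing in for the IdP certificate downloaded from FA (Step 1 Section 2).
SAMPLE_IDP_PEM = "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n-----END CERTIFICATE-----\n"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most GUIs display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body (tolerates CRLF and wrapping)."""
    body = []
    for line in pem.splitlines():
        s = line.strip()
        if s and not s.startswith("-----"):
            body.append(s)
    return base64.b64decode("".join(body))


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the values FortiWeb needs: entity ID, HTTP-Redirect SSO/SLO URLs (the
    binding the browser is redirected with) and the signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def location(tag: str):
        for svc in idp.findall(tag, NS):
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        return None

    # A KeyDescriptor without a 'use' attribute is valid for signing and encryption alike.
    fingerprints = [
        cert_fingerprint(base64.b64decode("".join(c.text.split())))
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    return {"entity_id": root.get("entityID"), "sso_url": location("md:SingleSignOnService"),
            "slo_url": location("md:SingleLogoutService"), "signing_fingerprints": fingerprints}


def expected_sp_values(fortiweb_addr: str) -> dict:
    """SP values FA must hold for a FortiWeb reachable at fortiweb_addr (Step 1 Section 3, item 6)."""
    return {"sp_entity_id": f"http://{fortiweb_addr}/metadata/",
            "sp_acs_url": f"https://{fortiweb_addr}/saml/?acs",
            "sp_sls_url": f"https://{fortiweb_addr}/saml/?sls"}


def check_connector(idp: dict, fortiweb_connector: dict, idp_pem: str,
                    fa_sp_entry: dict, fortiweb_addr: str) -> list:
    """Return mismatch descriptions; an empty list means both sides agree.
    fortiweb_connector: values typed under Security Fabric -> Fabric Connectors.
    fa_sp_entry: values typed under Authentication -> SAML IdP -> Service Providers."""
    problems = []
    for key, label in (("entity_id", "IdP Entity ID"), ("sso_url", "IdP Single Sign-On URL"),
                       ("slo_url", "IdP Single Logout URL")):
        if fortiweb_connector.get(key) != idp[key]:
            problems.append(f"{label}: FortiWeb has {fortiweb_connector.get(key)!r}, IdP publishes {idp[key]!r}")
    if cert_fingerprint(pem_to_der(idp_pem)) not in idp["signing_fingerprints"]:
        problems.append("IdP certificate uploaded to FortiWeb is not the IdP's signing certificate")
    for key, want in expected_sp_values(fortiweb_addr).items():
        if fa_sp_entry.get(key) != want:
            problems.append(f"{key}: FA has {fa_sp_entry.get(key)!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    # Typical slip: the trailing slash of the entity ID dropped while copying from the GUI.
    typed = {"entity_id": idp["entity_id"].rstrip("/"), "sso_url": idp["sso_url"], "slo_url": idp["slo_url"]}
    for p in check_connector(idp, typed, SAMPLE_IDP_PEM, expected_sp_values("192.0.2.10"), "192.0.2.10"):
        print("MISMATCH:", p)
```

Exact string comparison is deliberate: the SP and IdP compare entity IDs and endpoints literally during the SAML exchange, so a dropped trailing slash or an http/https swap is enough to break the redirect even though the values look the same at a glance.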

 

For more assistance, open a support ticket and attach the issue description, a backup of the configuration file, and the SAML debug output collected as follows:

 

# diagnose debug application samld 7
# diagnose debug enable

 

Reproduce the issue, collect the outputs then disable the debugging:

 

# diagnose debug disable