A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate.
Article Id 242645

This article describes how to integrate FortiWeb with FortiAuthenticator for FortiWeb administration with SAML authentication.

Scope FortiWeb firmware version 7.0.2 or higher.

Step 1: FA-related configurations:


- Configure SAML Identity Provider Settings on FA:


1) Navigate to Authentication -> SAML IdP -> General.

2) Enable the SAML Identity Provider portal.

3) Fill in the server address [it is possible to use the FA IP where FortiWeb will connect to].

4) At Default IdP certificate: choose the default IDP certificate.

5) At Realms: select add Realm.

6) Select OK to save the config.




- Download the IDP certificate to the local machine:   


1) Navigate to Certificate Management -> End Entities -> Local Services.

2) Download the default IDP certificate used in the previous step to be uploaded later on FortiWeb.




- Configure SAML Service Provider options:


1) Navigate to Authentication -> SAML IdP -> Service Providers.

2) Fill in the SP name.

3) At IdP prefix: select create new IdP prefix then generate prefix.

4) Copy all of [IdP entity id, IdP single sign-on URL, IdP single logout URL] to an external notepad.

5) Select save then choose the IdP prefix that was generated in step 3 again.

6) Fill in SP options manually according to the following:

     6.1) SP entity ID: http://x.x.x.x/metadata/                   [x.x.x.x is the FortiWeb IP].

     6.2) SP ACS (login) URL: https://x.x.x.x/saml/?acs.

     6.3) SP SLS (logout) URL: https://x.x.x.x/saml/?sls.




- Configure FortiAuthenticator local users:


1) Navigate to Authentication -> User Management -> Local User.

2) Configure the required users.






Step 2: FortiWeb-related Configurations:


- Configure FortiWeb Fabric Connector:


1) Navigate to Security Fabric -> Fabric Connectors.

2) Leave the status 'disabled'.

3) Ignore the options related to FortiGate Fabric [Upsteam IP, Management IP].

4) Enable Single Sing-On Mode.

5) Configure the SP Address as the FortiWeb Address.

6) Fill in the [IDP Entity ID, IDP Single Sign-On URL,  IDP Single Logout URL] according to the URLs copied in Step 1 Section 3.

7) Upload the certificate downloaded in Step 1 Section (2) at IDP Certificate.




- Perform the SSO login:


1) Navigate to the FortiWeb login page.

2) Select Via Single Sign-On.










- Assign the user a full access privilege if required or a custom privilege:


1) Log in to FortiWeb with the regular admin account.

2) Navigate to System -> Admin -> Administrator.

3) The SSO new account can be found under the SSO Admin tab.

4) Assign to the user the required profile.






- After selecting 'Via Single Sign-On' at the FortiWeb login page, it will not be redirected to the FA login page:

- Review the SAML URLs at Security Fabric -> Fabric Connectors. Make sure it exactly matches the URLs extracted from FA at Authentication -> SAML IdP -> Service Providers.

- Check the SP address on FortiWeb at Security Fabric -> Fabric Connectors. Make sure it matches the FortiWeb address.

- Check the Server Address on FortiAuth Authentication -> SAML IdP -> General. Make sure it matches the FA address.

- Check the SP URLs on FortiAuth Authentication -> SAML IdP -> Service Providers. Make sure it matches what is mentioned in Step 1 Section 2.


For more assistance, open a support ticket along with the issue description, backup the config file, and SAML debugging:


# diagnose debug application samld 7
# diagnose debug enable


Reproduce the issue, collect the outputs then disable the debugging:


# diagnose debug disable