FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
axel_gonzalez_FTNT

Description

This article describes how to configure SAML SSO (Security Assertion Markup Language single sign-on) as an authentication method, using FortiManager as the IdP and FortiAnalyzer as the SP.

- Identity Provider (IdP): the system entity that provides authentication services.

- Service Provider (SP): the website that hosts the applications.

Scope

In this method the SP Type is set to 'Fortinet'.

Firmware versions used: FortiManager 6.4.7 and FortiAnalyzer 6.4.7.

Solution

Let's take a look at the authentication flow.

[Figure: SAML authentication flow between FortiManager (IdP) and FortiAnalyzer (SP)]

Steps to configure via the GUI:

1) Download the certificate from the IdP and import it into the SP.

[Screenshot: downloading the IdP certificate and importing it into the SP]

2) In the IdP, create a new SP (in this method the SP Type is 'Fortinet'), then add the 'IdP Prefix' and 'SP Address'.

[Screenshot: creating the SP entry on the IdP with the IdP Prefix and SP Address]

- The 'IdP Prefix' can be found in the SP's configuration.

[Screenshot: IdP Prefix shown in the SP's SAML configuration]

- The 'SP Address' can be found in the SP's URL.

[Screenshot: SP Address taken from the SP's URL]

How it looks via the CLI:

FortiManager (IdP)

FMG-VM64 # sh sys saml
# config system saml
    set status enable
    set role IDP
    set cert "Fortinet_Local"
    set server-address "172.31.200.123"
    config service-provider
        edit "Fortianalyzer"
            set prefix "7z2mr5flbzm"
            set sp-entity-id "http://172.31.200.103/metadata/"
            set sp-single-sign-on-url "https://172.31.200.103/saml/?acs"
            set sp-single-logout-url "https://172.31.200.103/saml/?sls"
        next
    end
end

FortiAnalyzer (SP)

FAZ-03 # sh sys saml
# config system saml
    set status enable
    set server-address "172.31.200.103"
    set idp-entity-id "http://172.31.200.123/saml-idp/7z2mr5flbzm/metadata/"
    set idp-single-sign-on-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/login/"
    set idp-single-logout-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/logout/"
    set idp-cert "Remote_Cert_1"
end
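As an added consistency check (not part of the article and not a Fortinet tool), the script below parses both 'show system saml' outputs and verifies that each side references the other exactly as the outputs above require: the SP's idp-* values must be built from the IdP's server address and prefix, and the IdP's sp-* values from the SP's server address, with the IdP certificate imported on the SP. The regex-based parser and the expected URL patterns are assumptions derived from the outputs shown, and the sample text is the article's own lab output.

```python
import re
# "show system saml" output from both units as printed in the article (lab addresses, not real hosts).
IDP_SHOW = """\
config system saml
    set status enable
    set role IDP
    set cert "Fortinet_Local"
    set server-address "172.31.200.123"
    config service-provider
        edit "Fortianalyzer"
            set prefix "7z2mr5flbzm"
            set sp-entity-id "http://172.31.200.103/metadata/"
            set sp-single-sign-on-url "https://172.31.200.103/saml/?acs"
            set sp-single-logout-url "https://172.31.200.103/saml/?sls"
        next
    end
end
"""
SP_SHOW = """\
config system saml
    set status enable
    set server-address "172.31.200.103"
    set idp-entity-id "http://172.31.200.123/saml-idp/7z2mr5flbzm/metadata/"
    set idp-single-sign-on-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/login/"
    set idp-single-logout-url "https://172.31.200.123/saml-idp/7z2mr5flbzm/logout/"
    set idp-cert "Remote_Cert_1"
end
"""

def parse_settings(text):  # flatten every 'set <key> <value>' line into a dict; assumes one SP entry
    return dict(re.findall(r'^\s*set\s+(\S+)\s+"?([^"\n]*?)"?\s*$', text, re.M))

def check_pairing(idp_show, sp_show):
    """Cross-check IdP and SP configs; returns a list of problems (empty list = consistent)."""
    idp, sp = parse_settings(idp_show), parse_settings(sp_show)
    idp_base = f'{idp.get("server-address")}/saml-idp/{idp.get("prefix")}'
    sp_addr = sp.get("server-address")
    # URLs each side must hold about the other, following the layout in the article's CLI output.
    want_on_sp = {"idp-entity-id": f"http://{idp_base}/metadata/",
                  "idp-single-sign-on-url": f"https://{idp_base}/login/",
                  "idp-single-logout-url": f"https://{idp_base}/logout/"}
    want_on_idp = {"sp-entity-id": f"http://{sp_addr}/metadata/",
                   "sp-single-sign-on-url": f"https://{sp_addr}/saml/?acs",
                   "sp-single-logout-url": f"https://{sp_addr}/saml/?sls"}
    problems = [f"{side} {k}: have {cfg.get(k)!r}, expected {v!r}"
                for side, cfg, want in (("SP", sp, want_on_sp), ("IdP", idp, want_on_idp))
                for k, v in want.items() if cfg.get(k) != v]
    if "idp-cert" not in sp:  # step 1 of the article: the IdP certificate must be imported on the SP
        problems.append("SP: idp-cert missing (import the IdP certificate first)")
    return problems
```

Running check_pairing(IDP_SHOW, SP_SHOW) on the article's outputs returns an empty list; a changed prefix or a missing idp-cert on the SP shows up as a named mismatch.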

Troubleshooting

- A SAML tracer browser extension captures the SAML messages exchanged during authentication, which makes it possible to check what is happening at each step.

Firefox: https://addons.mozilla.org/en-CA/firefox/addon/saml-tracer/
Chrome: https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en