FortiGate Firewall - SAML IDR SSO Configuration Using Admin Access UI - RSA Ready Implementation Guide

This section describes how to integrate the FortiGate Admin Access UI with RSA Cloud Authentication Service using SAML SSO through the Identity Router (IDR).

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service.

Procedure

  1. In the RSA Cloud Authentication Service section, go to RSA Cloud Tenant Admin GUI > Authentication Clients > RADIUS > Add RADIUS Clients and Profiles.
  2. Enter the IP address of the RADIUS client (the FortiGate).
  3. Enter the Shared Secret.
  4. Clear the Message Authenticator attribute checkbox, because FortiGate does not send authentication requests with this attribute.

Note: Complete the rest of the configuration according to your required setup.

Configuration is complete.

Configure FortiGate Admin Access UI using SAML IDR SSO

Perform these steps to configure the RSA Cloud Authentication Service application and the FortiGate Admin Access UI for SAML IDR SSO.

Procedure  

  1. Sign in to the RSA Cloud Console, go to Applications > Application Catalog > Create From Template > SAML Direct, and select the Identity Router.
  2. On the FortiGate Admin UI, go to Security Fabric > Fabric Connectors > Single Sign On Settings, choose Service Provider (SP), and enter the SP address.

Note: The SP address must match one of the FortiGate's interfaces (or the FQDN used for management access). Entering it auto-populates the SP Details, which are needed later in this procedure.

  3. In the Connection Profile section, select SP-initiated and enter the Connection URL in the following format:
    1. Connection URL: https://<FQDN or IP>:<port>/saml/login/

Note: The port is required only if HTTPS for the FortiGate Admin UI is not on the default port 443. The current admin HTTPS port can be fetched from the CLI (the second line is the output):

show full-configuration system global | grep admin-sport
set admin-sport 443

or from the GUI under System > Settings. This example uses the default HTTPS port, so :443 is omitted from the URL.

  4. In the Binding section, select Redirect. The Connection URL stays https://<FQDN or IP>:<port>/saml/login/.

  5. In the Identity Provider section, enter the identity provider details.

Note: Select the override option so that the IdP entity ID is the full URL; FortiGate does not accept the bare identity string.

  6. In the SAML Response Signature section, either use the Generate Cert Bundle feature or supply your own certificate and key.

  7. In the Service Provider section, enter the following details, copied exactly from the SP Details auto-populated on the FortiGate:
    1. ACS URL: https://<FQDN or IP>:<port>/saml/?acs
    2. Service Provider Entity ID: http://<FQDN or IP>:<port>/metadata/

  8. Go to Advanced Configuration. In the User Identity section, make sure the NameID is mapped to mail, userPrincipalName or sAMAccountName, and also send an attribute named username mapped to mail, userPrincipalName or sAMAccountName.

  9. In the Sign Outgoing Assertion section, select either Entire SAML Response or SAML Assertion within Response.

Note: Do not select Encrypt Assertion, as this is not supported by FortiGate.

  10. In the Relay State Encoding section, select the appropriate fields.

  11. In the User Access section, select your access policy, click Next Step, then Save & Finish.

  12. In the Portal Display section, check Display in Portal if required; FortiGate supports IdP-initiated SAML SSO for Admin UI login.
  13. Click Publish.

  14. Access the FortiGate GUI and import the certificate fetched from the RSA Cloud Console so that FortiGate can validate the SAML response signature:
    1. Go to System > Certificates > Create/Import, select Remote Certificate, upload the certificate fetched from the RSA Cloud Console, and click OK.

  15. Go to Security Fabric > Fabric Connectors > Single Sign On Settings and configure the following:
    1. Select Service Provider (SP) and enter the FQDN of the FortiGate used for management access in the SP address field.
    2. In the Default login page field, select Normal (or Single Sign-On) according to your implementation.

Note: With Normal, you can still log in to the FortiGate GUI with local, AD or RADIUS accounts, and SAML is an extra login option. Single Sign-On makes the login page rely entirely on SAML, which is not recommended during implementation.

    3. In the Default admin profile field, select the admin profile to assign to an administrator once SAML authentication succeeds.
    4. (Optional) Enable SP certificate to sign the SAML requests sent by FortiGate.
    5. In the IdP certificate field, select the certificate imported from the RSA Cloud Console.
    6. Enter the IdP entity ID manually according to the cloud configuration.

Note: The IdP entity ID is configured the same way as the IdP single sign-on URL (the full URL, per the override note above). Both can be fetched from the RSA Cloud Console under Applications > My Applications > Your Application Name > Connection Profile.

    7. Ensure the IdP single logout URL is also configured, to avoid issues when logging out at the end of a session.
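The following is an added pre-flight check for the procedure above; it is example code, not part of this guide or of any Fortinet or RSA product. It derives the FortiGate SP endpoints in the formats listed in steps 3 and 7, applying the admin-sport rule (port appended only when it is not 443), and then runs structural checks on a SAML Response against the compatibility points the steps call out: the Destination must equal the ACS URL, the Issuer must equal the IdP entity ID (full URL form), the assertion must not be encrypted, either the Response or the Assertion must carry a signature, and a NameID plus a username attribute must be present. The host name fgt.example.com, the IdP entity ID value, and both sample responses are constructed placeholders; the signature element is checked for presence only, since cryptographic validation is done by the FortiGate with the imported IdP certificate.

```python
"""Pre-flight checks for a FortiGate SAML SP / RSA IdP setup (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def sp_urls(host, admin_sport=443):
    """SP endpoints in the guide's formats; the port is appended only when the
    FortiGate admin HTTPS port (admin-sport) is not the default 443."""
    authority = host if admin_sport == 443 else f"{host}:{admin_sport}"
    return {
        "login": f"https://{authority}/saml/login/",
        "acs": f"https://{authority}/saml/?acs",
        "entity_id": f"http://{authority}/metadata/",
    }


def check_saml_response(xml_text, expected_acs, expected_idp_entity_id):
    """Return a list of mismatches between a SAML Response and the settings the
    guide requires. Structural only: signature presence is checked, not validity."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    dest = root.get("Destination")
    if dest != expected_acs:
        problems.append(f"Destination {dest!r} does not match ACS URL {expected_acs!r}")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_idp_entity_id:
        problems.append(f"Issuer {issuer!r} does not match IdP entity ID {expected_idp_entity_id!r}")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted; FortiGate does not support Encrypt Assertion")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion in the response")
        return problems
    # Sign Outgoing Assertion: either the whole Response or the Assertion must be signed.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion is signed")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("Subject has no NameID")
    attrs = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    if not attrs.get("username"):
        problems.append("no 'username' attribute; the guide requires one in the assertion")
    elif name_id and attrs["username"][0] != name_id:
        problems.append("username attribute differs from NameID (the guide maps both to the same field)")
    return problems


SP = sp_urls("fgt.example.com")  # constructed host, default admin port 443
IDP_ENTITY_ID = "https://idr.example.com/saml/sso/fgt-admin"  # constructed placeholder, full-URL form

# Constructed response that satisfies every check; the ds:Signature element is a placeholder.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="{SP['acs']}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed response with two settings the guide's notes steer away from: ":443" kept in
# the ACS URL although the default port is in use, and Encrypt Assertion enabled.
BAD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://fgt.example.com:443/saml/?acs">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(name, check_saml_response(resp, SP["acs"], IDP_ENTITY_ID) or "OK")
```

To use it against a real exchange, capture the SAMLResponse form parameter posted to /saml/?acs, base64-decode it, and pass the XML to check_saml_response with the ACS URL and IdP entity ID taken from the FortiGate Single Sign On Settings page; an empty list means the response shape matches the settings the guide describes.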

Configuration is complete.
