FortiGate Firewall - SAML Relying Party Configuration Using Admin Access UI - RSA Ready Implementation Guide

This section describes how to integrate FortiGate Admin Access UI with RSA Cloud Authentication Service using SAML Relying Party.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service.

Procedure

  1. In the RSA Cloud Authentication Service section, go to RSA Cloud Tenant Admin GUI > Authentication Clients > RADIUS > Add RADIUS Clients and Profiles.
  2. Enter the IP address.
  3. Enter the Shared Secret.
  4. Disable the Message Authenticator attribute checkbox, as FortiGate does not send authentication requests with this attribute.

Note: Enter the rest of the configuration according to the required setup.

Configuration is complete.

Configure FortiGate Admin Access UI using Relying Party

Perform these steps to configure the SAML Relying Party in RSA Cloud Authentication Service and the FortiGate Admin Access UI.

Procedure

  1. Log in to RSA Cloud Console > Authentication Clients > Relying Parties > Add a Relying Party > Service Provider.

  2. In the Authentication section, select SecurID manages all authentications.

  3. Go to FortiGate Admin UI > Security Fabric > Fabric Connectors > Single Sign-On Settings > Service Provider (SP), and enter the SP Address.

    Note: Your SP Address should match one of FortiGate's interfaces. This auto-populates the SP Details, which are required later in the configuration.

  4. In the RSA Admin Console, go to the Service Provider section and enter the following details:
    1. ACS URL: https://<FQDN or IP>:port/saml/?acs
    2. Service Provider Entity ID: http://<FQDN or IP>:port/metadata/

Note: The port is required only if HTTPS for the FortiGate Admin UI is not on the default port 443. The port can be fetched from the CLI with the following command:

show full-configuration system global | grep admin-sport

set admin-sport 443

or from the GUI under System > Settings. In this example the default HTTPS port is used, so you do not need to enter :443 in the URL.
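As an added example (not part of the RSA guide, and not Fortinet or RSA tooling), the following Python script applies the port rule above: it reads the admin-sport value out of CLI output in the form shown, builds the ACS URL and SP Entity ID in the forms listed in step 4, drops the :port suffix when HTTPS is on the default port 443, and checks that an SP Address is one of the FortiGate's interface addresses as the note after step 3 requires. The CLI output, hostnames and interface addresses are constructed sample values, and the helper names are assumptions.

```python
import ipaddress
import re

# Constructed samples of the CLI output the guide shows for
# "show full-configuration system global | grep admin-sport".
SAMPLE_CLI_DEFAULT = "set admin-sport 443\n"
SAMPLE_CLI_CUSTOM = "set admin-sport 8443\n"

# Constructed sample of the interface addresses on a FortiGate; the
# SP Address must match one of them (note after step 3).
SAMPLE_INTERFACE_IPS = ["192.0.2.10", "198.51.100.1"]


def parse_admin_sport(cli_output: str) -> int:
    """Return the HTTPS admin port from a 'set admin-sport N' line.

    Falls back to 443, the FortiGate default, if no such line is present.
    """
    match = re.search(r"^\s*set admin-sport (\d+)\s*$", cli_output, re.MULTILINE)
    return int(match.group(1)) if match else 443


def sp_urls(host: str, admin_sport: int) -> dict:
    """Build the ACS URL and SP Entity ID in the forms the guide lists.

    The :port suffix is only needed when HTTPS is not on the default
    port 443, so it is omitted in that case.
    """
    port_part = "" if admin_sport == 443 else f":{admin_sport}"
    return {
        "acs_url": f"https://{host}{port_part}/saml/?acs",
        "entity_id": f"http://{host}{port_part}/metadata/",
    }


def sp_address_matches_interface(sp_address: str, interface_ips: list) -> bool:
    """Return True when sp_address is one of the FortiGate's interface IPs.

    The guide says the SP Address should match an interface. An FQDN must
    be resolved to its address before calling this (assumption made here
    to keep the example offline); a non-IP string returns False.
    """
    try:
        addr = ipaddress.ip_address(sp_address)
    except ValueError:
        return False
    return any(addr == ipaddress.ip_address(ip) for ip in interface_ips)


if __name__ == "__main__":
    for cli in (SAMPLE_CLI_DEFAULT, SAMPLE_CLI_CUSTOM):
        port = parse_admin_sport(cli)
        print(port, sp_urls("192.0.2.10", port))
    print(sp_address_matches_interface("192.0.2.10", SAMPLE_INTERFACE_IPS))
```

Paste the real `grep admin-sport` output into `parse_admin_sport` and compare the returned URLs with the SP Details that FortiGate auto-populates; a mismatch in host or port is the usual cause of the IdP rejecting the AuthnRequest or posting the response to a URL FortiGate does not serve.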

  5. In the Message Protection section, select the option to validate the SAML Request Signature.
  6. Select the certificate that FortiGate uses for signing, which can be obtained directly from FortiGate.

Note: If the certificate and key were uploaded, or you want to use an existing certificate and key, go to FortiGate GUI > System > Certificates > Local Certificate, download that certificate, and import it into the RSA Cloud Console.

  7. In the SAML Response Protection section, click Download the certificate.

  8. In the User Identity section, map the NameID to mail, userPrincipalName or sAMAccountName. Also add an Attribute Extension named username and map it to mail, userPrincipalName or sAMAccountName.

  9. In the Identity Provider Entity ID section, enter the Discriminator. Then click Save and Publish.
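As an added example that is not from the RSA guide, FortiGate or RSA, the following Python script shows what the NameID and username mapping in step 8 produces in the assertion, and checks it the way an administrator would when a SAML admin login fails: it parses a constructed, unsigned sample assertion with the standard library, pulls out the Issuer, NameID and the username attribute, and reports when the Issuer differs from the IdP entity ID configured on FortiGate, when the username attribute is missing, or when it differs from the NameID. Signature verification is intentionally not done here; FortiGate performs that with the certificate imported in the steps that follow, and this script only helps confirm the mapping. The issuer, addresses and IDs are placeholder values and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample of the Assertion element of a SAML Response,
# shaped the way the step 8 mapping produces it: NameID and a "username"
# attribute both carry the user's mail address. All values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/discriminator-placeholder</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.invalid</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.invalid</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_identity(assertion_xml: str) -> dict:
    """Return Issuer, NameID and all attributes found in an Assertion.

    This parses only; it does not verify the XML signature.
    """
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "attributes": attributes,
    }


def check_mapping(identity: dict, expected_idp_entity_id: str) -> list:
    """List the mapping problems that would stop FortiGate accepting the user.

    expected_idp_entity_id is the IdP entity ID entered on FortiGate; it must
    equal the Issuer the RSA Cloud Console publishes for the relying party.
    """
    problems = []
    if identity["issuer"] != expected_idp_entity_id:
        problems.append("issuer does not match configured IdP entity ID")
    if not identity["name_id"]:
        problems.append("NameID missing")
    username = identity["attributes"].get("username")
    if not username or not username[0]:
        problems.append("username attribute missing")
    elif username[0] != identity["name_id"]:
        problems.append("username attribute differs from NameID")
    return problems


if __name__ == "__main__":
    ident = extract_identity(SAMPLE_ASSERTION)
    print(ident)
    print(check_mapping(ident, "https://idp.example.invalid/discriminator-placeholder"))
```

A decoded SAMLResponse captured from the browser during a failed login can be fed to `extract_identity` in place of the constructed sample (after locating its Assertion element) to see which of the three mapping problems applies; an empty list from `check_mapping` means the identity side is consistent and the fault lies elsewhere, typically the certificates or the ACS URL.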

  10. Access the FortiGate GUI and import the certificate fetched from the RSA Cloud Console, which FortiGate uses to validate the SAML Response signature:
    1. Go to System > Certificates > Create/Import, select Remote Certificate, upload the certificate fetched from the RSA Cloud Console, and click OK.

    2. Upload a certificate and key that FortiGate will use to sign the SAML requests, or use the existing self-signed certificate that FortiGate provisions automatically.
    3. Upload the certificate (PKCS12 file, or Certificate + Private Key) or generate a CSR, depending on your setup:
      1. Go to System > Certificates > Create/Import > Certificate.

      2. Click Import Certificate and select either PKCS12 or Certificate + Key File, as in the following examples:

    PKCS12 Example:

      3. Click Create.

    Certificate + Key Files Example:

    4. Import this certificate into the RSA Cloud Console.
  11. Log in to FortiGate GUI > Security Fabric > Fabric Connectors > Single Sign-On Settings, and follow these configuration steps:

    1. Select Service Provider (SP), and enter the FQDN of the FortiGate used for management access in the SP address field.
    2. In the Default login page field, select Normal, according to your implementation.

    Note: With Normal you can still log in to the FortiGate GUI via local login, AD or RADIUS, with SAML available as an extra login option. Choosing Single Sign-On instead relies completely on SAML, which is not recommended during implementation.

    3. In the Default admin profile field, select the profile assigned to the administrator once SAML authentication succeeds.
    4. (Optional) Enable SP certificate to sign the SAML requests from FortiGate.
    5. In the IdP certificate field, select the certificate imported from the RSA Cloud Console.
    6. Enter the IdP entity ID manually according to the cloud configuration.

    Note: The IdP entity ID is configured in the same way as the IdP single sign-on URL. Both can be fetched from the RSA Cloud Console under Applications > My Applications > Your Application Name > Connection Profile.

    7. Ensure the IdP Single Logout URL is configured as specified above, to avoid issues when logging out after completing your session.

Configuration is complete.
