FortiGate SAML Single Sign-On (SSO) for Admin Accounts

This page explains how to log in to FortiGate admin accounts using SAML-based Single Sign-On (SSO).

Follow the steps below to log in to the FortiGate admin panel using Single Sign-On (SSO):

  • First, log in to the FortiGate Firewall.

  • Then, from the menu on the left, go to Security Fabric > Fabric Connectors.

  • Hover over the Security Fabric Setup section and click on the Edit option.

  • Next, go to the SAML Single Sign-On > Advanced Options.

  • Select the Service Provider (SP) option in the Mode field. By default, this feature is disabled. Service Provider (SP) is the correct choice here because Mirket acts as the Identity Provider (IdP).

  • There are two options available under the Default login page field:

  • Normal: When this option is selected, users see the standard FortiGate login screen. They can log in with their credentials or by clicking the "Sign in with Single Sign-On" button.

  • Single Sign-On: When this option is selected, users are redirected directly to the SSO login process without first seeing the standard login screen. Note: It is recommended to select the Normal option for greater flexibility and user control.

  • Select your admin profile in the Default admin profile field.

  • Then, go to Configuration > Applications page in the Mirket Portal.

  • To create a new application, click the Add Application button in the top right corner. The application creation process consists of seven steps. In the first step, fill in the fields according to the following instructions:

  • Application Name: Enter a name for the application.

  • Application Logo: Upload your company's logo.

  • Protocol: Select your protocol from the dropdown list. For FortiGate integration, select the SAML V2 protocol.

  • IDP initiated: When this option is enabled, the system supports IdP-initiated Single Sign-On (SSO).

  • After filling in the required fields, click the Next button to proceed to the next step. In the second step, select the users, groups or external sources to which the application will apply. Transfer your selections to the Selected Users/Groups/External Sources table by clicking the arrow icon next to the Available Users/Groups/External Sources table.

  • Once the addition process is completed, click the Next button to proceed to the next step. In the third step, copy the URL values from the Mirket Portal and paste them into the corresponding fields under the IdP Settings section on the SAML Single Sign-On > Advanced Options page in FortiGate, as specified below:

  • IdP Entity ID: Enter the Identifier (Entity ID) value from the Mirket Portal.

  • IdP single sign-on URL: Enter the Single Sign-On URL value from the Mirket Portal.

  • IdP single logout URL: Enter the Single Log-Out URL value from the Mirket Portal. Note: If the URL value from Mirket is entered in the IdP Single Logout URL field, the user is logged out from both FortiGate and the Mirket Portal when logging out. If it is left empty, the logout applies only to FortiGate.

  • Note: You can also download the Meta Data XML file from the Mirket Portal; it contains the same Entity ID, Single Sign-On URL, Single Log-Out URL and IdP signing certificate.

  • After entering the values, return to the Mirket Portal and click the Next button to proceed to the next step. In the fourth step, click the Show Certificate button.

  • On the page that opens, click Download Certificate to download the certificate file. Then, in FortiGate, go to SAML Single Sign-On > Advanced Options. Under the IdP Settings section, open the dropdown list in the IdP Certificate field and click the Import button.

  • Click the Upload button to import the certificate file you downloaded from the Mirket Portal.

  • Note: You can view the imported certificate file under System > Certificates. Note: You can rename the certificate file using the following CLI commands.

config vpn certificate remote
    rename <old-cert-name> to <new-cert-name>
end

  • After uploading the certificate, return to the Mirket Portal and click the Next button to proceed to the next step. In the fifth step, go to the SP Details section on the SAML Single Sign-On > Advanced Options page in FortiGate. Copy the URL values from this section and paste them into the corresponding fields in the Mirket Portal, as specified below:

  • Identifier (Entity ID): Enter the SP entity ID value from the SP Details in FortiGate.

  • Reply URL (Assertion Consumer Service URL): Enter the SP ACS (login) URL value from the SP Details in FortiGate.

  • Sign-On URL: Enter the SP portal URL value from the SP Details in FortiGate.

  • Log-Out URL (Optional): Enter the SP SLS (logout) URL value from the SP Details in FortiGate.

  • After entering the values, click the Next button to proceed to the next step. In the sixth step, select the attribute to be mapped and enter its corresponding value. Note: For instance, we are using the "Username" attribute for Fortigate.

  • After filling in the required field, click the Next button to proceed to the final step. In the seventh step, select the service provider role, and then choose the groups or external sources you want to assign to this role. Note: For a FortiGate admin account, you do not need to fill in this field.

  • After filling in the required fields, click the Save button. The application is then created.

  • Go to the FortiGate login page and click the "Sign in with Single Sign-On" button.

  • You will be redirected to the Mirket User Portal page.

  • Enter the user credentials associated with the application.

  • Complete the second authentication step.

  • Once verified, you are logged in to the FortiGate interface. Note: If the admin user you entered does not already exist, FortiGate automatically creates that admin account.
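Steps three and four above copy the IdP Entity ID, the two IdP URLs and the IdP certificate from the Mirket Portal into FortiGate by hand. The Python below is an added example, not Mirket's or Fortinet's code: it reads a SAML 2.0 IdP metadata file of the kind the portal offers for download, extracts those three values, fingerprints the signing certificate so the separately downloaded certificate file can be checked against it before import, refuses cleartext endpoints, and renders the `config system saml` CLI equivalent of the IdP Settings fields. The metadata, URLs and certificate bytes are constructed placeholders; the certificate name `REMOTE_Cert_1`, the profile `super_admin`, the server address `fw.example.test` and the exact FortiOS attribute names are assumptions that may differ on your firmware version.

```python
"""Added example (not Mirket or Fortinet code): parse SAML IdP metadata,
check it, and render the FortiOS CLI equivalent of the GUI IdP Settings.
The attribute names under 'config system saml' are an assumption."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample data: placeholder DER bytes, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder-der-bytes-not-a-real-certificate").decode()
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + SAMPLE_CERT_B64
                   + "\n-----END CERTIFICATE-----\n").encode()
# Constructed sample metadata: schema-shaped, but every value is a placeholder.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoint(idp, name):
    """Location of the named service, preferring HTTP-Redirect over HTTP-POST."""
    services = idp.findall(f"md:{name}", NS)
    for binding in (HTTP_REDIRECT, HTTP_POST):
        for svc in services:
            if svc.get("Binding") == binding:
                return svc.get("Location")
    return None


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity_id, sso_url, slo_url (may be None) and cert_sha256."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an IdP")
    info = {"entity_id": root.get("entityID"),
            "sso_url": _endpoint(idp, "SingleSignOnService"),
            "slo_url": _endpoint(idp, "SingleLogoutService")}
    if not info["entity_id"] or not info["sso_url"]:
        raise ValueError("entityID and SingleSignOnService are required")
    # The SAML response carrying the admin identity must only travel over TLS.
    for key in ("sso_url", "slo_url"):
        if info[key] and not info[key].startswith("https://"):
            raise ValueError(f"{key} is not https: {info[key]}")
    certs = idp.findall(".//ds:X509Certificate", NS)
    if not certs or not certs[0].text:
        raise ValueError("no IdP signing certificate in metadata")
    der = base64.b64decode("".join(certs[0].text.split()))
    info["cert_sha256"] = hashlib.sha256(der).hexdigest()
    return info


def cert_file_sha256(data: bytes) -> str:
    """SHA-256 over the DER body of a downloaded certificate file (PEM or raw DER)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line.strip() for line in data.splitlines()
                        if not line.startswith(b"-----"))
        data = base64.b64decode(body)
    return hashlib.sha256(data).hexdigest()


def render_fortios_cli(info: dict, idp_cert_name="REMOTE_Cert_1",
                       admin_profile="super_admin", server_address="fw.example.test") -> str:
    """FortiOS CLI mirroring the GUI fields; the three names are placeholders."""
    lines = ["config system saml",
             "    set status enable",
             "    set role service-provider",
             "    set default-login-page normal",
             f'    set default-profile "{admin_profile}"',
             f'    set server-address "{server_address}"',
             f'    set idp-entity-id "{info["entity_id"]}"',
             f'    set idp-single-sign-on-url "{info["sso_url"]}"']
    if info.get("slo_url"):  # optional: without it, logout ends only the FortiGate session
        lines.append(f'    set idp-single-logout-url "{info["slo_url"]}"')
    lines += [f'    set idp-cert "{idp_cert_name}"', "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    if cert_file_sha256(SAMPLE_CERT_PEM) != meta["cert_sha256"]:
        raise SystemExit("downloaded certificate does not match metadata; do not import it")
    print(render_fortios_cli(meta))
```

Run it against the real metadata file and the real downloaded certificate in place of the two constructed samples; a fingerprint mismatch or a non-https endpoint is the point at which to stop and re-check the portal values rather than import anything into FortiGate.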
