This section describes how to integrate FortiGate Admin access UI with RSA Cloud Authentication Service using My Page SSO.
Configure RSA Cloud Authentication Service
Perform these steps to configure RSA Cloud Authentication Service.
Procedure
- In the RSA Cloud Authentication Service section, go to RSA Cloud Tenant Admin GUI > Authentication Clients > RADIUS > Add RADIUS Clients and Profiles.
- Enter the IP address.
- Enter the Shared Secret.
- Disable the Message Authenticator attribute checkbox, as FortiGate doesn’t send authentication requests with this attribute.
Note: Enter the rest of the configuration according to the required setup.
Configuration is complete.
Configure FortiGate Admin access UI using My Page SSO
Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.
Procedure
- Sign in to the RSA Cloud Admin Console > Access > My Page > My Applications.
- Navigate to Access > My Page > My Application and ensure My Application is enabled.
- Go to Applications > Application Catalog > Create from Template > SAML Direct, and select Cloud.
- Go to FortiGate Admin UI > Security Fabric > Fabric Connectors > Single Sign On Settings > Choose Service Provider (SP).
- Enter the SP Address.
Note: SP Address should match one of FortiGate’s Interfaces. It will auto-populate the SP Details required in the configuration process. This step is used only to compare configurations between RSA Cloud Console and FortiGate.
- In the Connection Profile section, select SP-initiated.
- Enter the Connection URL in the following format:
- Connection URL: https://<FQDN or IP>:port/saml/login/
Note: The port is required only if HTTPS access to the FortiGate Admin UI is not using the default port 443. It is referenced throughout this section accordingly and can be fetched from the CLI as follows:
show full-configuration system global | grep admin-sport
set admin-sport 443
Alternatively, in the GUI, go to System > Settings.
- In this example, the default HTTPS port is used. Therefore, it's not required to enter :443 in the URL.
- In the Service Provider section, enter the values in the following format:
- ACS URL: https://<FQDN or IP>:port/saml/?acs
- Service Provider Entity ID: http://<FQDN or IP>:port/metadata/
- In the Message Protection section, select to validate the SAML Request Signature.
- Select the certificate used by FortiGate for signing, which can be obtained directly from FortiGate.
Note: If the certificate & key are uploaded or you want to use an existing certificate & key, access the FortiGate GUI > System > Certificates > Local Certificate and then download this certificate to import it into the RSA Cloud Console.
- In the SAML Response Protection section, you can select either to sign the SAML Assertion only or the entire SAML Response.
- Use the Generate Cert Bundle feature or your own certificates & key.
- In the User Identity section, ensure that the NameID is sent mapped to mail / userPrincipalName / sAMAccountName. Also send the attribute named username, mapped to mail / userPrincipalName / sAMAccountName.
- In the User Access section, select policy, click Next Step, then click Save & Finish.
- In the Portal Display section, select the Display in Portal checkbox if required, as FortiGate supports IdP-initiated SAML SSO for Admin UI login.
- Click Publish changes.
- Access the FortiGate via GUI and import the certificate retrieved from RSA Cloud Console to validate the SAML Response Signature.
- To import the certificate fetched from RSA Cloud Console, go to System > Certificates > Create/Import, then select Remote Certificate and click OK.
- Upload a certificate/key that FortiGate will use to sign the SAML requests. You are required to use the existing self-signed certificates or automatically provision.
- Upload (PKCS12 format files or Certificate + Private key) or generate a CSR depending on your setup, as follows:
- Go to System > Certificates > Create/Import > Certificate.
- Click Import Certificate, and select either PKCS12 or Certificate + Key File, as in the following examples:
PKCS12 Example:
- Click Create.
Certificate + Key Files Example:
- Import this certificate in the RSA Cloud Console.
- Log in to FortiGate GUI > Security Fabric > Fabric Connectors > Single Sign-On Settings, and complete the following configuration steps:
- Select Service Provider (SP), and enter the FQDN of the FortiGate used for management access in the SP address field.
- In the Default login page field, select Normal according to your implementation.
Note: With Normal, you can still log in to the FortiGate GUI via local login/AD/RADIUS, with SAML available as an extra login option. Choosing Single Sign-On instead relies completely on Single Sign-On, which is not recommended during implementation.
- In the Default admin profile field, select the profile to be assigned to the administrator once SAML is authenticated.
- (Optional) Enable SP certificate to sign the SAML requests from FortiGate.
- In the IdP certificate field, select the certificate from the RSA Cloud Console.
- Enter the IdP entity ID manually according to cloud configuration.
Note: Configuration for IdP entity ID is similar to the IdP single sign-on URL. This can be fetched from the RSA Cloud Console, under Applications > My Applications > Your Application Name > Connection Profile.
- Ensure the IdP Single Logout URL is configured as specified above to avoid issues when logging out after completing your session.
Configuration is complete.
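Added example (not from the RSA or Fortinet documentation): once the configuration is in place, a decoded SAML Response captured from a test login can be checked against the SP values and User Identity settings entered above. It assumes the IdP puts the ACS URL in Destination and the Service Provider Entity ID in Audience; the function names, the host fw.example.test and the sample XML are constructed for illustration, and the check looks only for the presence of a signature element without verifying it.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sp_urls(sp_address, admin_sport=443):
    """SP values in the formats given above; ':port' is omitted for 443."""
    host = sp_address if admin_sport == 443 else f"{sp_address}:{admin_sport}"
    return {"connection_url": f"https://{host}/saml/login/",
            "acs_url": f"https://{host}/saml/?acs",
            "entity_id": f"http://{host}/metadata/"}

def check_response(xml_text, sp_address, admin_sport=443):
    """Return findings for a decoded SAML Response; an empty list means consistent."""
    want = sp_urls(sp_address, admin_sport)
    resp = ET.fromstring(xml_text)
    assertion = resp.find("a:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion in Response"]
    findings = []
    if resp.get("Destination") != want["acs_url"]:
        findings.append(f"Destination is not the ACS URL {want['acs_url']}")
    if assertion.findtext(".//a:Audience", namespaces=NS) != want["entity_id"]:
        findings.append(f"Audience is not the SP entity ID {want['entity_id']}")
    # Presence only: either the Response or the Assertion must carry a signature.
    if not any(el.find("ds:Signature", NS) is not None for el in (resp, assertion)):
        findings.append("neither Response nor Assertion carries a ds:Signature")
    if not (assertion.findtext(".//a:NameID", namespaces=NS) or "").strip():
        findings.append("NameID missing")
    attrs = {a.get("Name"): a.findtext("a:AttributeValue", namespaces=NS)
             for a in assertion.iterfind(".//a:Attribute", NS)}
    if not attrs.get("username"):
        findings.append("attribute 'username' missing")
    return findings

# Constructed sample (not a real capture); the Signature element is an empty placeholder.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://fw.example.test:8443/saml/?acs">
 <a:Assertion><ds:Signature/>
  <a:Subject><a:NameID>admin@example.test</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction>
   <a:Audience>http://fw.example.test:8443/metadata/</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="mail">
   <a:AttributeValue>admin@example.test</a:AttributeValue>
  </a:Attribute></a:AttributeStatement>
 </a:Assertion></p:Response>"""
```

Calling check_response(SAMPLE, "fw.example.test", 8443) reports only the missing username attribute; with the default port it also reports the Destination and Audience mismatches caused by the omitted :8443.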