Fortinet (Fortigate) Single Sign-On (FSSO)
miniOrange's Fortinet Single Sign-On (FSSO) solution provides secure Single Sign-On access to multiple on-premise and cloud applications using a single set of login credentials. With miniOrange's Identity Provider (IdP) service you can use SSO to log in to multiple applications with a single Fortinet username and password. Put another way, if your users are in a third-party Identity Provider (Azure Active Directory, Okta, Auth0) and you want them to log in to Fortinet (Fortigate) with their existing IdP credentials, you can easily let them do so securely over SSO.
miniOrange and Fortinet Single Sign-On (FSSO) integration supports the following features:
- SP Initiated Single Sign-On (SSO)
- IdP Initiated Single Sign-On (SSO)
Connect with External Source of Users
miniOrange provides user authentication from various external sources, which can be directories (such as ADFS, Microsoft Active Directory, OpenLDAP, AWS), Identity Providers (such as Microsoft Entra ID, Okta, AWS), and many more. You can configure your existing directory/user store or add users in miniOrange.
Follow the Step-by-Step Guide given below for Fortigate Single Sign-On (FSSO)
1. Configure Fortinet in miniOrange
- Log in to the miniOrange Admin Console.
- Go to Apps and click the Add Application button.
- In Choose Application, select SAML/WS-FED from the application type dropdown.
- Search for Fortinet in the list. If you don't find Fortinet there, search for Custom and set up your application as a Custom SAML App.
- To fill in the metadata fields, you need the IP address and port on which your Fortigate SSL VPN is listening.
- Enter the following values in the respective fields.
| Field | Value |
| --- | --- |
| SP Entity ID or Issuer | https://fortigate-ip:port/saml/metadata |
| ACS URL | https://fortigate-ip:port/saml/login |
| Name ID | E-mail Address |
| NameID format | urn:oasis:names:tc:SAML:2.0:nameid-format:emailaddress |
- Click Next. In Attribute Mapping, configure the following attributes as shown in the image below.
- To upload a logo for a Custom SAML App, click the Upload Logo tab.
- Click on Save.
- Your application is saved successfully. Now click the Select button next to your newly created application and go to Metadata.
- On the Metadata page -
1. If you want to use miniOrange as the user store (i.e., your user identities will be stored in miniOrange), download the metadata file under the heading 'INFORMATION REQUIRED TO SET MINIORANGE AS IDP'.
2. If you want to authenticate your users via an external Identity Provider such as Active Directory, Okta, OneLogin, Google or Apple ID, download the metadata file under the heading 'INFORMATION REQUIRED TO AUTHENTICATE VIA EXTERNAL IDPS'.
- Then click on Download Metadata.
2. Configure SSO in Fortinet Admin Account
- Log in to Fortigate as an admin.
- Go to the SAML SSO settings. The menu path depends on the FortiOS GUI version:
| FortiOS GUI version | Where to find the SAML SSO settings |
| --- | --- |
| 6.2 | Go to User & Device -> SAML SSO |
| 6.2.3 and above | Go to Security Fabric -> Settings. Enable FortiGate Telemetry, choose a Fabric name and an IP for FortiAnalyzer (can be an unused address). Enable SAML Single Sign-On and click Advanced Options |
| 6.4 and above | Go to Security Fabric -> Fabric Connectors -> Security Fabric Setup -> Single Sign-On Settings |
- Enable SAML Single Sign-On and click Advanced Options.
- Set Mode to Service Provider (SP).
- Fill in the details as per the following table.
| Fortigate field | Value |
| --- | --- |
| IDP Entity ID | Entity ID or Issuer from the miniOrange metadata |
| IDP Single Sign-On URL | SAML Login URL from the miniOrange metadata |
| IDP Single Logout URL | SAML Logout URL from the miniOrange metadata |
- Click on Apply to save changes.
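An added example, not part of the original guide or of miniOrange's or Fortinet's software: a Python script that pulls the three values in the table above out of the IdP metadata file downloaded in step 1 and sanity-checks it (signing certificate present, the emailaddress NameID format from step 1 advertised, https endpoints) before they are typed into the Fortigate form. The sample metadata, its host names and the certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailaddress"

# Constructed sample IdP metadata; host names and the certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/moas/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailaddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/moas/idp/samlsso"/>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/moas/idp/samllogout"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _location(idp, tag):
    # First endpoint on a browser-usable (HTTP-Redirect or HTTP-POST) binding.
    locs = [e.get("Location") for e in idp.findall(f"md:{tag}", NS) if e.get("Binding") in HTTP_BINDINGS]
    return locs[0] if locs else None

def fortigate_idp_settings(metadata_xml):
    # Returns ({Fortigate field: value}, [problems found]) for a SAML 2.0 IdP metadata document.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    certs = []  # base64 DER of each signing certificate the IdP publishes
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' serves both uses
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append("".join(cert.text.split()))
    settings = {
        "IDP Entity ID": root.get("entityID"),
        "IDP Single Sign-On URL": _location(idp, "SingleSignOnService"),
        "IDP Single Logout URL": _location(idp, "SingleLogoutService"),
        "IDP Certificate": certs[0] if certs else None,
    }
    problems = []
    if not certs:
        problems.append("no signing certificate: the SP cannot verify the IdP's assertions")
    if EMAIL_FORMAT not in [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]:
        problems.append("IdP does not advertise the emailaddress NameID format configured in step 1")
    for field, value in settings.items():
        if value is None:
            problems.append(f"{field} missing from metadata")
        elif field.endswith("URL") and not value.startswith("https://"):
            problems.append(f"{field} is not an https URL")
    return settings, problems
```

Run it against the real file with `fortigate_idp_settings(open("metadata.xml").read())`; an empty problems list means the three values can be copied into the table above as-is.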
3. Test SSO Configuration
Test SSO login to your Fortinet account with the miniOrange IdP: