FortiEDR
Eli_St
Staff
Article Id 250577
Description: This article describes how to configure OneLogin IdP Single Sign-On with FortiEDR Manager using SAML, including a basic configuration of roles and groups. Feel free to adapt this configuration to the organization's needs.
Scope: Customers using OneLogin IdP for SSO.
Solution

Download the FortiEDR Manager metadata:

Log in to the FortiEDR Management console with the local admin account. Go to Administration -> Users and expand the SAML Authentication section. Download the Service Provider Metadata.

Eli_St_0-1680018548404.png


The downloaded SP (Service Provider) metadata is used to extract the required fields for the Custom Connector configuration.

Open the downloaded XML file in a text editor of preference, such as Notepad++, or in a web browser.

Create a new Custom Connector application:

1) In the OneLogin Administration Console, go to the Applications tab -> Applications and select 'Add App':


Eli_St_1-1680018548410.png

 

2) In the search bar type 'SAML Custom Connector (Advanced)':


Eli_St_2-1680018548412.png

 

3) Name the custom connector FortiEDR, or any other distinctive name for the FortiEDR SAML connection, and select 'Save'.

4) In the OneLogin application configuration page, copy and paste the values extracted from the FortiEDR Manager metadata XML as shown below:

Audience (EntityID): located under md:EntityDescriptor
Recipient: located under "md:AssertionConsumerService Location="
ACS (Consumer) URL Validator: the same as md:AssertionConsumerService Location, but with the special characters escaped with a backslash "\" (see the example below and the OneLogin documentation)
ACS (Consumer) URL: located under "md:AssertionConsumerService Location="
Single Logout URL: located under "md:SingleLogoutService Location="
Login URL: located under "md:AssertionConsumerService Location="


Example:

 

Eli_St_3-1680018548415.png

 

Eli_St_4-1680018548421.png
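As an added illustration (not part of the original article or of Fortinet's or OneLogin's tooling), the following Python script parses a constructed SP metadata file with a placeholder host name, pulls out the six values listed above, builds the backslash-escaped ACS (Consumer) URL Validator regex, and checks that the regex accepts the exact ACS URL and nothing else.

```python
import re
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of a FortiEDR Manager SP metadata file; the host name is a placeholder.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://fortiedr.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fortiedr.example.com/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fortiedr.example.com/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Regex metacharacters that need a backslash in OneLogin's "ACS (Consumer) URL Validator" field.
_REGEX_SPECIAL = set("./?+*()[]{}$^|")


def acs_validator(acs_url: str) -> str:
    """Return an anchored regex that matches exactly the given ACS URL."""
    escaped = "".join("\\" + c if c in _REGEX_SPECIAL else c for c in acs_url)
    return "^" + escaped + "$"


def validator_accepts(validator: str, url: str) -> bool:
    """True if the validator regex matches the whole URL, i.e. what the IdP would accept."""
    return re.fullmatch(validator, url) is not None


def onelogin_fields(metadata_xml: str) -> dict:
    """Map the SP metadata onto the six OneLogin SAML Custom Connector (Advanced) fields."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", MD).get("Location")
    slo_el = root.find("md:SPSSODescriptor/md:SingleLogoutService", MD)
    slo = slo_el.get("Location") if slo_el is not None else ""  # SLO is optional in metadata
    return {
        "Audience (EntityID)": root.get("entityID"),
        "Recipient": acs,
        "ACS (Consumer) URL Validator": acs_validator(acs),
        "ACS (Consumer) URL": acs,
        "Single Logout URL": slo,
        "Login URL": acs,
    }
```

An unanchored or unescaped validator would also accept URLs that merely contain the ACS path, so compare the generated value with what was typed into OneLogin.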

 

5) Change the SAML nameID format to 'Unspecified'.

6) Set the SAML issuer type to 'Specific'.

7) Select the SAML signature element 'Assertion'.

8) Uncheck 'Encrypt Assertion'.

9) Select 'Save' at the top of the page.

10) On the Parameters page, select the nameID value and choose 'Username' from the list. Select 'Save'.

11) Select '+' to add a new parameter named 'Roles'.

12) Check the 'Include in SAML assertion' box and select 'Save'. On the next page, choose the value 'User Roles' and select 'Save'.

13) Save the application (top right) and download the SAML Metadata from the 'More Actions' menu. Save the XML file locally; it will be uploaded to FortiEDR Manager later.

Assign Roles:

1) Create a new role: go to Users -> Roles and select 'New Role'. To have both user and admin roles, create one role of each type:

Eli_St_5-1680018548424.png

 

2) Type in the role name (e.g., FortiEDR Admin) and select the green checkmark (top left).

3) Choose the FortiEDR Application under the Applications Tab.

Eli_St_6-1680018548426.png


Mapping Roles to Groups:


1) Specific users or user groups must be mapped to the FortiEDR roles. Go to Users -> Mappings -> New Mapping, give it a name, and set the conditions as follows:

Eli_St_7-1680018548428.png

 

2) Select 'Save' and then 'Reapply All Mappings'.

Note:

Groups can be either local user groups in OneLogin or user groups synchronized from the Active Directory domain.

If users have more than one role assigned, add rules that assign a specific role for this application:

 

3) In the FortiEDR SAML application settings, go to the Rules tab.

4) Select 'Add Rule', give it a name, select '+' under Conditions, and add the following condition:

For Admin User Role:


Eli_St_8-1680018548434.png

 

For User Role:

Eli_St_9-1680018548438.png

 

Go back to the Users -> Mappings window and select 'Reapply All Mappings'.

In OneLogin -> Applications tab -> Applications, open the newly created FortiEDR SAML application settings -> Users and make sure users are mapped correctly. Select each user: every user must have a corresponding role assigned.


Finalizing the configuration in the FortiEDR Management console:

Once the required users are mapped to their corresponding roles, go to the FortiEDR Manager Administration tab -> USERS and expand the SAML Authentication section.

 

1) Select 'SAML enabled'.

2) Under IDP Metadata, select 'Choose file' and pick the OneLogin XML metadata saved earlier.

3) Set the attribute name to 'Roles'.

4) Assign the corresponding Roles/Group mappings as set in the previous steps, i.e. the FortiEDR User role is mapped to User and the FortiEDR Admin role is mapped to Admin/Local Admin.

5) Select 'Save'.

Eli_St_10-1680018548441.png
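Added example, not from the article: a Python check that inspects a constructed SAML Response (placeholder issuer, hypothetical user 'jdoe') for the settings configured above, i.e. signature on the Assertion, no encrypted assertion, unspecified NameID format and a 'Roles' attribute, and maps the OneLogin role names to FortiEDR roles using an assumed ROLE_MAP. It is useful when a login fails after the configuration is saved and the browser's SAML trace has to be read.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Assumed mapping from the OneLogin role names used in this article to FortiEDR roles.
ROLE_MAP = {"FortiEDR Admin": "Admin", "FortiEDR User": "User"}

# Constructed, abbreviated SAML Response as the IdP would POST it to the FortiEDR ACS;
# the Signature body is omitted because only its placement on the Assertion is checked.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/PLACEHOLDER</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Roles">
        <saml:AttributeValue>FortiEDR Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text: str) -> dict:
    """Check a SAML Response against the settings this article configures in OneLogin."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    result = {
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,  # step 8 expects False
        "signed_assertion": False,    # step 7: the signature element must be the Assertion
        "nameid_unspecified": False,  # step 5
        "roles": [],                  # steps 11-12: the 'Roles' attribute values
        "fortiedr_roles": [],         # FortiEDR roles the mapping would yield
    }
    if assertion is None:
        return result  # encrypted or malformed: no plain Assertion to inspect
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    result["signed_assertion"] = assertion.find("ds:Signature", NS) is not None
    result["nameid_unspecified"] = name_id is not None and name_id.get("Format") == UNSPECIFIED
    result["roles"] = [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='Roles']/saml:AttributeValue", NS)]
    result["fortiedr_roles"] = [ROLE_MAP[r] for r in result["roles"] if r in ROLE_MAP]
    return result
```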

 

Go to the OneLogin Applications portal and verify that the login succeeds.

Related document:

https://onelogin.service-now.com/support?id=kb_article&sys_id=912bb23edbde7810fe39dde7489619de
