This article describes how to configure SAML SSO login in FortiPAM using FortiAuthenticator as SAML IdP with remote LDAP users.
FortiPAM, FortiAuthenticator.
FortiPAM can act as a SAML SP (Service Provider) that requests authentication from a SAML IdP (Identity Provider), in this case FortiAuthenticator.
On FortiAuthenticator, go to Authentication -> SAML IdP -> General and enable the SAML Identity Provider portal.
To configure the Remote LDAP server and import users on FortiAuthenticator, follow these documents:
The SP metadata can be copied from FortiPAM when creating the SAML Single Sign-On entry.
For example:
SP entity ID: http://[PAM_IP]/saml/metadata
SP ACS (login) URL: https://[PAM_IP]/XX/YY/ZZ/saml/login/
SP SLS (logout) URL: https://[PAM_IP]/remote/saml/logout/
On FortiAuthenticator, go to Certificate Management -> End Entities -> Local Services, select the Default Certificate and select Export Certificate.
To import the certificate exported from FortiAuthenticator into FortiPAM, go to System -> Certificates and select 'Create/Import' -> Remote Certificate.
Go to User Management -> SAML Single Sign-On and select 'Create New'.
Create a new remote group in FortiPAM.
Go to User Management -> User Group, set a name, select Remote as the Type, and select the SAML server created before as the remote server.
Create a SAML user in FortiPAM: select Standard as the Role type, select 'Next', select 'Remote User', choose the remote group, and enable Force SAML login.
Test performed with username:gimi2.
On the FortiPAM login page, select the SAML option instead of General.
From the logs on FortiAuthenticator and also from the RADIUS debug logs, it is possible to see that the user is authenticated successfully.
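Added example, not from the article or from Fortinet's code: the SP values entered above (entity ID, ACS URL) and the imported FortiAuthenticator certificate are exactly what a correctly configured SP checks an incoming assertion against. The script below builds a constructed SAML Response and runs those checks on it (Destination equals the ACS URL, Audience equals the SP entity ID, Issuer equals the IdP entity ID, NotBefore/NotOnOrAfter around the current time, and the presented X509Certificate matches the pinned fingerprint of the imported certificate), then shows the findings for a tampered response. The IdP entity ID, the certificate bytes and the timestamps are constructed placeholders, and the example does not verify the XML signature itself, which needs an XML-security library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# SP values as shown in the article ([PAM_IP] and XX/YY/ZZ are the article's placeholders).
SP_ENTITY_ID = "http://[PAM_IP]/saml/metadata"
SP_ACS_URL = "https://[PAM_IP]/XX/YY/ZZ/saml/login/"
# Constructed placeholder: the IdP entity ID taken from the FortiAuthenticator IdP metadata.
IDP_ENTITY_ID = "https://[FAC_IP]/saml-idp/metadata/"
# Constructed placeholder standing in for the DER bytes of the exported FortiAuthenticator
# certificate; the administrator records its SHA-256 when importing it as a Remote Certificate.
IDP_CERT_DER = b"constructed-placeholder-for-exported-idp-certificate-der"
PINNED_SHA256 = hashlib.sha256(IDP_CERT_DER).hexdigest()
# Constructed "current time" used by the checks below.
NOW = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_saml_response(xml_text, now, sp_entity_id=SP_ENTITY_ID, sp_acs_url=SP_ACS_URL,
                           idp_entity_id=IDP_ENTITY_ID, pinned_sha256=PINNED_SHA256):
    """Return a list of findings; an empty list means every check passed.
    The xmldsig signature is not verified here; the certificate check only confirms
    that the response presents the pinned (imported) IdP certificate."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != sp_acs_url:
        findings.append("destination is not the SP ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no assertion in response")
        return findings
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        findings.append("issuer is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("assertion has no Conditions")
    else:
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            findings.append("audience does not include the SP entity ID")
        not_before = parse_ts(cond.get("NotBefore"))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
        if not_before is not None and now < not_before:
            findings.append("assertion not yet valid")
        if not_on_or_after is not None and now >= not_on_or_after:
            findings.append("assertion expired")
    cert_b64 = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                  default="", namespaces=NS)
    der = base64.b64decode("".join(cert_b64.split())) if cert_b64 else b""
    if hashlib.sha256(der).hexdigest() != pinned_sha256:
        findings.append("signing certificate is not the imported IdP certificate")
    return findings


def build_response(audience, destination, issuer, not_before, not_on_or_after, cert_der):
    """Build a minimal, constructed SAML Response for the checks above (no real IdP involved)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="{not_before}" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>gimi2</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_valid_response():
    """Response that matches the configured SP values and the imported certificate."""
    xml = build_response(SP_ENTITY_ID, SP_ACS_URL, IDP_ENTITY_ID,
                         "2024-01-01T12:00:00Z", "2024-01-01T12:10:00Z", IDP_CERT_DER)
    return validate_saml_response(xml, NOW)


def check_tampered_response():
    """Response meant for another SP, already expired, presenting an unknown certificate."""
    xml = build_response("http://[OTHER_SP]/saml/metadata", SP_ACS_URL, IDP_ENTITY_ID,
                         "2024-01-01T12:00:00Z", "2024-01-01T12:03:00Z",
                         b"constructed-unknown-certificate")
    return validate_saml_response(xml, NOW)


if __name__ == "__main__":
    print("valid response findings:", check_valid_response())
    print("tampered response findings:", check_tampered_response())
```

The audience and destination checks are the reason the SP entity ID and ACS URL pasted into FortiAuthenticator must match the FortiPAM side character for character: an assertion issued for a different entity ID is rejected even when the user authenticated successfully at the IdP, which is worth remembering when the logs on FortiAuthenticator show a successful login but FortiPAM still refuses it.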
Copyright 2024 Fortinet, Inc. All Rights Reserved.