FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
rbraha
Staff
Article Id 289642
Description

This article describes how to configure SAML SSO login on FortiPAM using FortiAuthenticator as the SAML IdP with remote LDAP users.

Scope

FortiPAM, FortiAuthenticator.

Solution

FortiPAM can act as a SAML SP (Service Provider) that requests authentication from FortiAuthenticator acting as the SAML IdP (Identity Provider).

  1. Configure FortiAuthenticator as the IdP.

Go to Authentication -> SAML IdP -> General and enable 'SAML Identity Provider portal'.

(Screenshot: saml1.png)

  • Specify the Server address; this should be the FortiAuthenticator FQDN.
  • Add a realm for the remote LDAP server and specify the user group that needs to match.
  • For the Default IdP certificate, I selected the Default server certificate on FortiAuthenticator.

To configure the Remote LDAP server and import users on FortiAuthenticator, follow these documents:

  • LDAP
  • Remote users

  2. Go to SAML IdP -> Service Providers, select 'Create New', and enable 'Participate in single logout':

(Screenshot: saml2.png)

The SP metadata values can be copied from FortiPAM when creating the SAML Single Sign-On entry.

For example:

  • SP entity ID: http://[PAM_IP]/saml/metadata
  • SP ACS (login) URL: https://[PAM_IP]/XX/YY/ZZ/saml/login/
  • SP SLS (logout) URL: https://[PAM_IP]/remote/saml/logout/
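
As an added example (not code from the article or from Fortinet), the script below reads SP metadata of the shape FortiPAM exports, pulls out the three values entered into the FortiAuthenticator Service Provider entry, and flags an ACS or SLS endpoint that is not HTTPS or an SP that does not require signed assertions. The metadata document is constructed: pam.example.com stands in for [PAM_IP], XX/YY/ZZ is the article's placeholder path, and the ACS is assumed to use the HTTP-POST binding.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata (hypothetical host, article placeholder path).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://pam.example.com/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://pam.example.com/remote/saml/logout/"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pam.example.com/XX/YY/ZZ/saml/login/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the entity ID, ACS (login) URL and SLS (logout) URL from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = sp.find(f"{{{MD}}}AssertionConsumerService[@Binding='{HTTP_POST}']")
    sls = sp.find(f"{{{MD}}}SingleLogoutService")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": None if acs is None else acs.get("Location"),
        "sls_url": None if sls is None else sls.get("Location"),
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
    }


def check_sp_metadata(info):
    """Flag settings that weaken the SSO exchange; an empty list means nothing to fix."""
    findings = []
    for key in ("acs_url", "sls_url"):
        url = info.get(key)
        if not url:
            findings.append(f"{key} missing: endpoint not advertised to the IdP")
        elif urlparse(url).scheme != "https":
            findings.append(f"{key} is not https: SAML messages would travel in clear text")
    if not info["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is false: unsigned assertions would be accepted")
    return findings
```

The entity ID is only an identifier and is not checked for HTTPS; what matters is that it is copied into FortiAuthenticator exactly as FortiPAM presents it.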

  3. Export the Default Server Certificate from FortiAuthenticator and import it on FortiPAM as a Remote CA.

On FortiAuthenticator, go to Certificate Management -> End Entities -> Local Services, select the Default certificate, and select 'Export Certificate'.

(Screenshot: saml3.png)

  4. Configure FortiPAM as the SP.

To import the certificate exported from FortiAuthenticator into FortiPAM, go to System -> Certificates and select 'Create/Import' -> Remote Certificate.

(Screenshot: saml4.png)

Go to User Management -> SAML Single Sign-On and select 'Create New'.

(Screenshot: saml5.png)

Create a new remote group in FortiPAM.

Go to User Management -> User Group, set a name, select 'Remote' as the Type, and select the SAML server created earlier as the remote server.

(Screenshot: saml6.png)

Create a SAML user in FortiPAM: select 'Standard' as the Role type, select 'Next', select 'Remote User', choose the remote group, and enable 'Force SAML login'.

(Screenshot: saml7.png)

The test was performed with the username gimi2.

(Screenshot: saml8.png)

On the FortiPAM login page, select the SAML option instead of General.

The logs on FortiAuthenticator and the RADIUS debug logs show that the user is authenticated successfully.

(Screenshot: saml9.png)