authentik/website/integrations/networking/fortimanager/index.md at 150df6343236062582c78b1eef27418cdd43aa77

mirror of https://github.com/goauthentik/authentik.git synced 2026-06-17 19:09:11 +03:00

Files

T

Dominic R 150df63432 website/integrations: FortiManager: cleanup (#23110 )

Agent-thread: https://sdko.org/internal/thr/ak/019eccfc-d6c2-7df3-ae39-4a4bd262c174

A7k-product: product

A7k-product-repo: 3

Co-authored-by: Agent <gptagent@svc.sdko.net>

2026-06-16 11:47:21 +01:00

6.0 KiB

Raw Blame History

title, sidebar_label, support_level

title	sidebar_label	support_level
Integrate with FortiManager	FortiManager	community

What is FortiManager?

FortiManager is an enterprise solution that enables centralized network management, ensures compliance with best practices, and automates workflows to enhance breach protection.

-- https://www.fortinet.com/products/management/fortimanager

Preparation

The following placeholders are used in this guide:

fortimanager.company is the FQDN of the FortiManager installation.
authentik.company is the FQDN of the authentik installation.

:::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. :::

authentik configuration

To support the integration of FortiManager with authentik, you need to create a SAML property mapping and an application/provider pair in authentik.

Create a property mapping in authentik

FortiManager expects a SAML attribute named username that contains the value used to identify the administrator account. This example uses the authentik username, but you can return any user attribute that matches the FortiManager administrator identifier.

Log in to authentik as an administrator and open the authentik Admin interface.
Navigate to Customization > Property Mappings and click Create.
Select SAML Provider Property Mapping as the type and click Next.
Create a property mapping with the following values:
- Name: FortiManager username
- SAML Attribute Name: username
- Expression:
```
return request.user.username
```
Click Finish to save the property mapping.

:::info Optional SAML attributes FortiManager also accepts profilename and adoms attributes. The profilename attribute assigns a matching admin profile that already exists on FortiManager. The adoms attribute grants access to one or more administrative domains (ADOMs). To use either attribute, create additional SAML provider property mappings with the corresponding SAML Attribute Name, return the desired values from the Expression, and add the mappings to Selected User Property Mappings when configuring the provider. :::

Create an application and provider in authentik

Log in to authentik as an administrator and open the authentik Admin interface.
Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the Slug value because you will use it when configuring FortiManager.
- Choose a Provider type: select SAML Provider as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
  - Set the ACS URL to https://fortimanager.company/saml/?acs.
  - Set the SLS URL to https://fortimanager.company/saml/?sls.
  - Under Advanced protocol settings:
    - Set the Signing Certificate to any available certificate.
    - Add FortiManager username to Selected User Property Mappings.
    - Set the NameID Property Mapping to authentik default SAML Mapping: Username.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
Click Submit to save the new application and provider.

FortiManager configuration

Log in to the FortiManager web interface as an administrator.
Navigate to System Settings > SAML SSO.
Configure the Single Sign-On Settings:
- Server Address: fortimanager.company
- Single Sign-On Mode: Service Provider (SP)
- SP Certificate: select an available certificate.
- Default Login Page: select whether FortiManager should show the normal login page with an SSO option, or redirect directly to authentik.
- Auto Create Admin: enable this setting if FortiManager should create SSO administrators on first login. If you leave it disabled, create matching SSO administrators in FortiManager before testing the integration.
Configure the IdP Settings:
- IdP Type: Custom
- IdP Entity ID: https://authentik.company/application/saml/<application_slug>/metadata/
- IdP Login URL: https://authentik.company/application/saml/<application_slug>/
- IdP Logout URL: https://authentik.company/application/saml/<application_slug>/
- IdP Certificate: import the signing certificate that you selected in the authentik SAML provider. You can download it from the authentik SAML provider page, under Related objects > Download signing certificate.
If you enabled any options under Signing Options in FortiManager, align them with the corresponding options under Advanced protocol settings in the authentik SAML provider.
Click Apply to save the configuration.

:::info Administrator permissions With Auto Create Admin enabled, newly-created SSO administrators receive the configured default admin profile. If users should receive permissions through SAML attributes instead, create matching FortiManager admin profiles and administrative domains, and send the optional profilename and adoms attributes from authentik. :::

Configuration verification

To confirm that authentik is properly configured with FortiManager, open FortiManager and sign in via authentik.

6.0 KiB Raw Blame History