website/integrations: general cleanup and updates (#12716)
* squash commits for future merge conflict resolution, if any
* adventurelog cleanup + lint
* lint (again)
* Update website/integrations/services/adventurelog/index.mdx
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/actual-budget/index.mdx
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/apache-guacamole/index.mdx
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/gatus/index.mdx
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/bookstack/index.mdx
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/freshrss/index.mdx
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/budibase/index.md
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/cloudflare-access/index.md
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/dokuwiki/index.md
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/frappe/index.md
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/espocrm/index.md
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/fortimanager/index.md
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/fortigate-admin/index.md
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/integrations/services/firezone/index.md
  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dominic R <dominic@sdko.org>
* fix
  Signed-off-by: Dominic R <dominic@sdko.org>
* wip: migr actual budget integration to new codeblock
* Replaced multilinecodeblocks with docusaurus style codeblocks
* Fixed linting and removed kbd and em tags from codeblock

---------

Signed-off-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
@ -7,15 +7,14 @@ support_level: community
## What is FortiGate
> FortiGate is a firewall from FortiNet. It is a NGFW with layer7 inspection and able to become a part of a FortiNet security fabric.
> -- https://www.fortinet.com/products/next-generation-firewall
>
> This guide explains how to setup a FortiGate to use authentik as SAML provider for Admin Login. It does not cover how to setup SSLVPN logins, that is a different configuration.
> -- https://www.fortinet.com/products/next-generation-firewall
## Preparation
The following placeholders are used in this guide:
- `fgt.company` is the FQDN of the FortiGate installation.
- `fortigate.company` is the FQDN of the FortiGate installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
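Review bot: The attribution line `> -- https://www.fortinet.com/products/next-generation-firewall` appears after the "This guide explains how to setup a FortiGate ..." sentence, which puts the guide's own scope statement inside the blockquote credited to fortinet.com. Keep the attribution directly under the product description and move the scope sentence out of the quote as normal body text; "setup" used as a verb there should be "set up". Since the placeholder list shows both `fgt.company` and `fortigate.company` as "the FQDN of the FortiGate installation", also check that no `fgt.company` references remain outside the changed hunks.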
@ -55,12 +54,23 @@ To support the integration of FortiGate with authentik, you need to create an ap
## FortiGate Configuration
Navigate to `https://fgt.company/ng/system/certificate` and Import the Certificate `ak.cert` to the FortiGate.
Then navigate to `https://fgt.company/fabric-connector/edit/security-fabric-connection` and select `Single Sign-On Settings` to configure SAML.
To integrate Fortigate with authentik, nagiate to <kbd>https://<em>fortigate.company</em>/ng/system/certificate</kbd> and import the certificate you configured in the previous section.
- Select `Service Provider (SP)` under Mode to enable SAML authentication.
- Set the `SP Address` to the FortiGate FQDN `fgt.company`. (This gives you the URLs to configure in authentik)
- Set the `Default Login Page` to either `Normal` or `Single-Sign On`. (Normal allows both local and SAML authentication vs only SAML SSO.)
Once that is done, navigate to <kbd>https://<em>fortigate.company</em>/fabric-connector/edit/security-fabric-connection</kbd> and select **Single Sign-On** to configure SAML authentication. You should see, under **Mode**, a toggle named **Service Provider (SP)**, toggle it to enable this authentication method.
Then, set the following values in the Fortigate administrative UI:
- **SP Address**: <kbd><em>fortigate.company</em></kbd>
- **Default login page**: `Normal` or `Single Sign-On`, depending on your needs. `Normal` allows local and SAML authentication while the latter only allows SAML authentication.
- **Default admin profile**: Set this to an available profile.
Under **IdP Details**, set the following values:
- **SP entity ID**: `https`
- **IdP Type**: `Custom`
- **IdP entity ID**: <kbd>https://<em>authentik.company</em></kbd>
- **IdP Login URL**: <kbd>https://<em>authentik.company</em>/application/saml/<em>slug-from-authentik</em>/sso/binding/redirect/</kbd>
- **IdP Logout URL**: <kbd>https://<em>authentik.company</em>/application/saml/<em>slug-from-authentik</em>/slo/binding/redirect/</kbd>
FortiGate creates a new user by default if one does not exist, so you will need to set the Default Admin Profile to the permissions you want any new users to have. (I have created a `no_permissions` profile to assign by default.)
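Review bot: The **Default admin profile** bullet says only "Set this to an available profile", while the unchanged paragraph at the end of this hunk explains that FortiGate creates a user by default if one does not exist and gives it that profile. Say in the bullet itself that this should be a minimal-permission profile (the paragraph mentions a `no_permissions` profile), so a reader who follows only the list does not hand every newly created SAML user a privileged admin profile. Two smaller points in the same hunk: "nagiate" should be "navigate" and "Fortigate" should match the "FortiGate" spelling used in the heading, and `**SP entity ID**: https` reads as a truncated value, so state what the field is expected to contain.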
@ -96,7 +106,7 @@ You can use the following commands on the FortiGate to enable debugging:
4. If you used SSO Login only instead of Normal and you are not able to log in again, you can try one of the following methods:
**Method 1**:
Open this URL (`https://fgt.company/saml/?acs`) in a browser and choose `Login Locally`.
Open this URL (`https://fortigate.company/saml/?acs`) in a browser and choose `Login Locally`.
**Method 2**:
Open the CLI and set the login page back to normal.
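Review bot: The unchanged list item above Method 1 still says "If you used SSO Login only instead of Normal", but the configuration section names that option `Single Sign-On`; use the same label here so readers can match the recovery steps to the setting that locked them out. The recovery URL is written in backticks as `https://fortigate.company/saml/?acs`, whereas the configuration section marks placeholder hostnames with `<kbd>` and `<em>`; pick one convention for the page.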
@ -106,3 +116,9 @@ config system saml
set default-login-page normal
end
```
## Resources
- [Offocial Fortigate documentation on SAML authentication](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-FortiGate/ta-p/194656)
## Configuration verification
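Review bot: `## Configuration verification` is added as a bare heading with nothing under it; either add the verification steps or drop the heading until they exist. In the new Resources entry, "Offocial" should be "Official" and "Fortigate" should match the "FortiGate" spelling used elsewhere, and since the link points to a community.fortinet.com Technical Tip, the link text should describe it as that.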