This article describes how to get an Identity Provider (IdP) user group as a FortiManager Workflow Approver.
Scope
FortiManager.
Solution
Prerequisites:
- FortiAuthenticator will be used as an Identity Provider (IdP).
- SAML SSO configuration has been set beforehand.
Step 1: At the IdP server, create a User Group and add all the users that are part of the FortiManager approver list.
Sample FortiAuthenticator (IdP) user group:
- User Group: ApproverFMG
- Users: approver1, approver2
Step 2: At the IdP server, make sure the SAML attribute named 'groupmatch' is also passed to FortiManager with the correct user attribute value (the IdP user group name).
Sample FortiAuthenticator SAML attribute settings:
Step 3: At FortiManager (SP), go to System Settings > SAML SSO > Service Provider (SP) and make sure 'Auto Create Admin' is disabled.
Step 4: At FortiManager (SP), create a wildcard SSO administrator bound to the IdP user group name: under System Settings > Administrator, select 'Create New' and configure the following settings.
- Username: any user name, e.g. approver
- Admin Type: SSO
- Match all users on remote server: Enable
- Admin Profile: assign an admin profile that has the Lock/Unlock ADOM permission, e.g. Standard_User
- ext-auth-group-match (Advanced Options): the IdP user group name, e.g. ApproverFMG
Step 5: At FortiManager (SP), add the newly created wildcard SSO user to the Workflow approver list under System Settings > Workspace > Workflow > Workflow Approvals.
Step 6: Log in to FortiManager with an SSO user and verify that the session has the correct user profile:
Results: the output below shows the SSO user logged in as a wildcard SSO user and listed as a Workflow approver:
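To make the matching chain from Steps 2 to 4 concrete, the following is an added illustrative model, not FortiManager's own code and not part of the original article, of how a wildcard SSO administrator is selected from the 'groupmatch' SAML attribute. The assertion text, the admin list and the exact, case-sensitive match rule are constructed assumptions.

```python
# Illustrative model only (assumption): shows why the 'groupmatch' attribute,
# 'Auto Create Admin' = disabled and ext-auth-group-match work together.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the AttributeStatement an IdP such as FortiAuthenticator
# would send; a real assertion is signed and carries many more elements.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>approver1</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>approver1</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groupmatch">
      <saml:AttributeValue>ApproverFMG</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Wildcard SSO administrators as configured in Step 4 (hypothetical entries).
WILDCARD_ADMINS = [
    {"name": "approver", "ext_auth_group_match": "ApproverFMG", "profile": "Standard_User"},
]


def saml_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_admin(xml_text, admins=WILDCARD_ADMINS, auto_create_admin=False):
    """Map an assertion to (wildcard admin name, profile), or None when no group matches."""
    attrs = saml_attributes(xml_text)
    groups = attrs.get("groupmatch", [])
    for admin in admins:
        # Exact, case-sensitive comparison is an assumption of this model.
        if admin["ext_auth_group_match"] in groups:
            return admin["name"], admin["profile"]
    # With Auto Create Admin disabled, an unmatched user gets no account at all;
    # enabling it would instead create a per-user admin outside the approver group.
    if auto_create_admin:
        return attrs.get("username", ["?"])[0], "auto-created"
    return None
```

Running resolve_admin on the sample maps approver1 to the 'approver' wildcard admin with the Standard_User profile, while an assertion whose 'groupmatch' value is any other group, or that lacks the attribute, yields no admin.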