FortiCloud SSO: Balancing Convenience with Critical Security in Fortinet's Ecosystem
In today's complex cybersecurity landscape, network administrators face an ever-growing challenge: managing numerous credentials across multiple security devices. Fortinet's FortiCloud Single Sign-On (SSO) emerged as a solution to this problem, offering a streamlined authentication mechanism across FortiOS, FortiManager, FortiProxy, FortiWeb, and FortiSwitchManager products. This cloud-based identity federation allows administrators to use their FortiCloud credentials to access multiple devices, promising both operational efficiency and a unified security posture.
However, recent security disclosures have revealed critical vulnerabilities in this system, forcing organizations to carefully weigh the convenience benefits against potential security risks. This comprehensive analysis examines FortiCloud SSO from multiple perspectives: its operational capabilities, recent security concerns, configuration best practices, and the ongoing evolution of secure access management in Fortinet's ecosystem.
Understanding FortiCloud SSO: Capabilities and Configurations
Core Functionality and User Management
FortiCloud SSO operates as a SAML-based authentication service that bridges Fortinet devices with the FortiCloud identity platform. The system supports two primary user types:
- Standard FortiCloud Users: Typically the account holder who registered the device
- IAM (Identity and Access Management) Users: Additional administrators created within FortiCloud with specifically assigned permissions
According to Fortinet documentation, when enabled, FortiCloud SSO provides administrators with a "Sign in with FortiCloud" option on the login screens of supported devices. This eliminates the need for separate local administrator accounts on each device while maintaining centralized access control.
Permission Override Capabilities
A significant advancement introduced in FortiOS 7.2.4 is the ability for local FortiGate administrators to override permissions assigned through FortiCloud. This feature addresses a common concern in distributed environments where global permissions might need adjustment for specific devices or situations.
The permission assignment follows these rules:
| User Type | Default/Inherited Permission | Override Capability |
|---|---|---|
| Standard FortiCloud | super_admin profile | Can be overridden with local profile |
| FortiCloud IAM | Based on IAM profile settings (SuperAdmin or Read Only) | Can be overridden with local profile |
| FortiGate Cloud (Paid) | super_admin profile | Can be overridden with local profile |
| FortiGate Cloud (Free) | Read-only access | Cannot be overridden |
This granular permission control enables organizations to implement the principle of least privilege even when using cloud-based authentication. Local administrators can downgrade permissions for specific users on specific devices when necessary, providing important flexibility in complex enterprise environments.
Critical Security Vulnerabilities and Response
The CVE-2025-59718/59719 Disclosure
In December 2025, Fortinet's Product Security Incident Response Team (PSIRT) published FG-IR-25-647, detailing cryptographic signature vulnerabilities (CVE-2025-59718 and CVE-2025-59719) affecting FortiCloud SSO implementations. These vulnerabilities, categorized as Improper Verification of Cryptographic Signature (CWE-347), potentially allow unauthenticated attackers to bypass FortiCloud SSO authentication via crafted SAML messages.
Johannes Ullrich, dean of research at the SANS Institute, contextualized the risk: "SAML implementations often suffer problems due to the intricacies of XML parsing and ambiguities in interpreting the result." He noted the particular timing coincidence that "the same day Fortinet patched its systems, Ruby released a patch for its SAML library," highlighting the widespread challenges with SAML implementations.
Affected Products and Remediation
The vulnerabilities impact multiple Fortinet products across various versions:
- FortiOS 7.6.0-7.6.3 (fixed in 7.6.4+)
- FortiOS 7.4.0-7.4.8 (fixed in 7.4.9+)
- FortiOS 7.2.0-7.2.11 (fixed in 7.2.12+)
- FortiOS 7.0.0-7.0.17 (fixed in 7.0.18+)
- FortiProxy, FortiWeb, and FortiSwitchManager in corresponding versions
Fortinet emphasized that FortiCloud SSO is not enabled by default in factory configurations. However, a critical detail emerged: when registering a device to FortiCare via the GUI, the registration page includes a toggle for "Allow administrative login using FortiCloud SSO" that is enabled by default during the registration process.
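The version list and the two configuration facts above (SSO login is off by default, and is switched on by the `admin-forticloud-sso-login` setting under `config system global`) are enough to triage a fleet offline from configuration backups. The following script is an added example, not Fortinet code or anything from the advisory; it assumes the FortiOS backup format of a `#config-version=<model>-<major.minor.patch>-...` header followed by CLI-style `config`/`set`/`end` blocks, and that SSO administrators appear under `config system sso-forticloud-admin` (the CLI table behind the Ansible module discussed later). The affected ranges are taken from the advisory as listed on this page; the sample backups, hostnames and build numbers are constructed.

```python
"""Offline triage of FortiOS config backups for FortiCloud SSO exposure.

Added example, not Fortinet code. Assumes the FortiOS backup layout:
'#config-version=<model>-<major.minor.patch>-...' then CLI-style blocks.
"""
import re

# Affected FortiOS trains from FG-IR-25-647 (CVE-2025-59718 / CVE-2025-59719):
# (major, minor) -> highest affected patch level; the next patch is the fix.
AFFECTED = {(7, 6): 3, (7, 4): 8, (7, 2): 11, (7, 0): 17}

SSO_KEY = "admin-forticloud-sso-login"

# The CLI the advisory response relies on, emitted verbatim for affected devices.
DISABLE_CLI = "config system global\n    set admin-forticloud-sso-login disable\nend\n"


def parse_version(config_text):
    """Pull (major, minor, patch) from the backup header, or None if absent."""
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", config_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def version_status(version):
    """'affected', 'fixed', 'not-listed' (train not in the advisory list;
    do not read that as safe) or 'unknown' (no parsable header)."""
    if version is None:
        return "unknown"
    major, minor, patch = version
    top = AFFECTED.get((major, minor))
    if top is None:
        return "not-listed"
    return "affected" if patch <= top else "fixed"


def _block(config_text, path):
    """Return the stripped lines between 'config <path>' and its matching 'end'."""
    out, depth, inside = [], 0, False
    for line in config_text.splitlines():
        s = line.strip()
        if not inside:
            inside, depth = (s == f"config {path}"), 1
            continue
        if s.startswith("config "):
            depth += 1
        elif s == "end":
            depth -= 1
            if depth == 0:
                return out
        out.append(s)
    return out


def sso_login_enabled(config_text):
    """Backups only record non-default values, so an absent key means the
    default (disable), matching Fortinet's 'not enabled by default'."""
    for s in _block(config_text, "system global"):
        if s.startswith(f"set {SSO_KEY} "):
            return s.split()[2] == "enable"
    return False


def sso_admins(config_text):
    """Map SSO admin name -> access profile from 'config system sso-forticloud-admin'."""
    admins, current = {}, None
    for s in _block(config_text, "system sso-forticloud-admin"):
        if s.startswith("edit "):
            current = s[5:].strip('"')
            admins[current] = None
        elif s.startswith("set accprofile ") and current:
            admins[current] = s.split(None, 2)[2].strip('"')
        elif s == "next":
            current = None
    return admins


def assess(config_text):
    """One triage record per backup: exposure status, SSO state, privileged
    SSO admins, and the remediation CLI when SSO is on and the build is affected."""
    version = parse_version(config_text)
    status = version_status(version)
    enabled = sso_login_enabled(config_text)
    admins = sso_admins(config_text)
    return {
        "version": version,
        "status": status,
        "sso_enabled": enabled,
        "super_admins": sorted(n for n, p in admins.items() if p == "super_admin"),
        "action": DISABLE_CLI if enabled and status == "affected" else "",
    }


# Constructed sample backups (hostnames, build strings and users are invented).
SAMPLE_AFFECTED = """#config-version=FGVM64-7.4.3-FW-build2573-231219:opmode=0:vdom=0:user=admin
config system global
    set admin-forticloud-sso-login enable
    set hostname "fw-branch-1"
end
config system sso-forticloud-admin
    edit "ops@example.com"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "auditor@example.com"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

SAMPLE_FIXED = """#config-version=FGT60F-7.4.9-FW-build2800-250101:opmode=0:vdom=0:user=admin
config system global
    set hostname "fw-hq"
end
"""

if __name__ == "__main__":
    for name, text in (("fw-branch-1", SAMPLE_AFFECTED), ("fw-hq", SAMPLE_FIXED)):
        print(name, assess(text))
```

Run it over a directory of exported backups and act on every record whose `action` is non-empty; the `super_admins` list is the same data you would review after patching, when deciding which SSO users should have their cloud profile overridden locally.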
Immediate Response Recommendations
The consistent recommendation from security practitioners was immediate action:
- Temporarily disable FortiCloud SSO on affected devices until patching is complete
- Upgrade to a fixed release (for example, FortiOS 7.4.9 or later on the 7.4 train)
- Re-enable SSO only after verifying that the upgrade succeeded and the running version is a fixed one
Robert Beggs of DigitalDefence noted a silver lining: "If it had been announced by a third party, then it would have been more likely a vulnerability that was being actively exploited in the wild. It appears that this may have been identified in time to get a warning out and minimize potential compromises."
The CLI command to disable FortiCloud SSO is straightforward:
```
config system global
    set admin-forticloud-sso-login disable
end
```
Configuration and Automation Approaches
Manual Configuration Methods
Fortinet provides multiple pathways to configure FortiCloud SSO:
GUI Configuration:
- Navigate to System > Settings
- In the Administration Settings section, enable "Allow administrative login using FortiCloud SSO"
- Click Apply
CLI Configuration:
```
config system global
    set admin-forticloud-sso-login enable
end
```
For FortiManager specifically, configuration occurs under System Settings > SAML SSO by enabling "Allow admins to login with FortiCloud."
Automated Management with Ansible
The fortinet.fortios.fortios_system_sso_forticloud_admin Ansible module enables automated configuration of FortiCloud SSO administrators. This module, part of the fortinet.fortios collection (version 2.4.2+), allows infrastructure-as-code approaches to managing SSO configurations across large deployments.
Key parameters include:
- accprofile: Links the SSO user to a system access profile
- name: Username identifier
- vdom: Virtual domain assignments
- state: Present or absent configuration state
Example playbook implementation:
```yaml
- name: Configure FortiCloud SSO admin users
  fortinet.fortios.fortios_system_sso_forticloud_admin:
    vdom: "{{ vdom }}"
    state: "present"
    access_token: "<your_own_value>"
    system_sso_forticloud_admin:
      accprofile: "<your_own_value>"
      name: "admin_user"
      vdom:
        - name: "root"
```
Practical Implementation Scenarios
Use Case 1: Restricting Cloud Administrator Permissions
A common scenario involves a FortiCloud SSO user who needs restricted access on a specific FortiGate. The local administrator can override the cloud-assigned permissions:
- Enable FortiCloud SSO in System > Settings
- Set Administrator profile to "Specify" rather than "Inherit from FortiCloud"
- Select a restricted local profile (e.g., prof_admin with read-only access)
- When the SSO user first logs in, they'll be created with these restricted permissions
Use Case 2: FortiCloud IAM User with Elevated Privileges
For IAM users who need elevated privileges beyond their cloud profile:
- In FortiCloud, configure the IAM permission profile with the FortiOS SSO portal enabled and Access Type set to "Read Only"
- Have the IAM user log in to the FortiGate once; FortiOS creates a local account for them with the super_admin_readonly profile
- A local super_admin then edits that account and assigns the super_admin profile
Use Case 3: Remote Access via FortiGate Cloud
FortiGate Cloud users with paid subscriptions can remotely access FortiGates through the FortiGate Cloud 2.0 portal. By default, these connections use super_admin privileges, but local administrators can override this to implement least-privilege access even for remote cloud-based connections.
Strategic Implications and Future Considerations
The Shared Codebase Dilemma
Robert Beggs highlighted an architectural consideration: "The fact that a pair of vulnerabilities affects a number of a manufacturer's offerings shows the downside of having a shared code base for their products." While shared code enables rapid feature development and integration consistency, it also creates a single point of failure that can affect multiple products simultaneously.
Balancing Convenience with Security
Johannes Ullrich summarized the ongoing tension: "Users of Fortinet appliances should, for now, disable SSO until they are able to patch the devices. However, in the long run, this is not a reason to abandon SSO, and it should be re-enabled after the patch is applied."
This perspective reinforces that security features themselves can become attack vectors, requiring continuous vigilance even in mature enterprise systems. The convenience of single sign-on must be balanced against the expanded attack surface it creates.
Evolution of Fortinet's Cloud Security Model
The permission override capability introduced in FortiOS 7.2.4 represents an important evolution in Fortinet's cloud security model, acknowledging that centralized cloud management must coexist with local administrative autonomy. This hybrid approach recognizes the reality of complex enterprise environments where security policies must adapt to local requirements while maintaining overall governance.
Conclusion: Navigating the SSO Security Landscape
FortiCloud SSO exemplifies both the promise and challenges of modern cloud-based security management. When properly configured and maintained with current security patches, it offers significant operational benefits through centralized authentication management. However, as demonstrated by recent vulnerabilities, these conveniences come with inherent risks that require diligent management.
Organizations implementing FortiCloud SSO should:
- Maintain rigorous patch management processes for all Fortinet devices
- Implement the principle of least privilege using permission override capabilities
- Develop contingency plans for rapidly disabling cloud authentication when vulnerabilities emerge
- Consider automation tools like Ansible for consistent configuration management
- Regularly audit SSO configurations and user permissions
As Fortinet continues to evolve its cloud security offerings, the balance between convenience and security will remain a central concern. By understanding both the capabilities and risks of FortiCloud SSO, organizations can make informed decisions about implementing cloud-based authentication in their security infrastructures.
Frequently Asked Questions (FAQ)
Q: Is FortiCloud SSO enabled by default on new Fortinet devices? A: No, FortiCloud SSO is not enabled in default factory configurations. However, when registering a device to FortiCare through the GUI, the registration page has the "Allow administrative login using FortiCloud SSO" option enabled by default, so administrators should consciously disable it during registration if they don't intend to use SSO immediately.
Q: What should I do if I'm running an affected version of FortiOS? A: Immediately disable FortiCloud SSO using either the GUI (System > Settings) or CLI (set admin-forticloud-sso-login disable), then upgrade to a patched version. Fortinet provides a detailed upgrade path tool at https://docs.fortinet.com/upgrade-tool.
Q: Can I override permissions for all types of FortiCloud SSO users? A: Most user types can have their permissions overridden locally, except for FortiGate Cloud free tier users who always have read-only access that cannot be changed. Standard FortiCloud users, IAM users, and paid FortiGate Cloud users can all have their cloud-assigned permissions overridden with local profiles.
Q: How does FortiCloud SSO work with FortiManager? A: FortiManager has its own FortiCloud SSO configuration under System Settings > SAML SSO. When enabled, it allows authentication with both the primary FortiCloud account and configured IAM users, provided those IAM users have the FortiOS SSO portal enabled in their permission profile with Access Type set to Admin.
Q: Are there automation options for managing FortiCloud SSO configurations? A: Yes, Fortinet provides Ansible modules for automating FortiCloud SSO administration. The fortinet.fortios.fortios_system_sso_forticloud_admin module allows configuration of SSO admin users through infrastructure-as-code approaches, supporting consistent deployment across large environments.
Q: What's the difference between standard FortiCloud users and IAM users for SSO? A: Standard FortiCloud users are typically the primary account holder who registered the device, while IAM users are additional administrators created within FortiCloud with specifically configured permission profiles. IAM users provide more granular access control and are essential for enterprise environments with multiple administrators requiring different privilege levels.