
EMS Administration Guide

SAML Configuration

In SAML Configuration, you can configure connections to SAML identity providers (IdPs), such as Microsoft Entra ID. This allows end users to connect to FortiClient EMS and authenticate with their IdP credentials, such as their Entra ID credentials. The following is an example of configuring a SAML connection to Entra ID.

To add a SAML configuration:
  1. In EMS, go to User Management > SAML Configuration.
  2. In the Name field, enter the desired name for this configuration.
  3. For Authorization Type, do one of the following:
    1. Select LDAP to associate a domain with this SAML configuration. From the Domain dropdown list, select the desired domain.
    2. Select None to not associate a domain with this SAML configuration. This is only recommended for non-domain endpoints.
  4. In the Domain Identification field, enter userPrincipalName for EMS to use to verify the user's domain. You must add the userPrincipalName in Azure as well for verification to succeed. The following shows userPrincipalName configured in the Domain Identification field in EMS and added to Attributes & Claims in the Azure portal.

  5. Configure Service Provider Settings. EMS is the service provider (SP):

    SP Address: Enter the EMS IP address. You can also click the Use Current URL button to autopopulate the field. Your browser must be able to access this IP address.

    Prefix: Enter the prefix generated in EMS for the IdP. You can generate a new prefix by clicking the Generate button.

    SP ACS (login) URL: Enter the SP login URL.

    SP Entity ID: Enter the SP entity ID.

    SP Certificate: Click Upload new certificate to upload the SP certificate. Only upload an SP certificate if you uploaded the same certificate for this SP (in this case, EMS) in the IdP server.

  6. Configure Identity Provider Settings:

    IdP single sign-on URL: Enter the IdP single sign-on URL, including the http or https prefix as applicable.

    IdP entity ID: Enter the IdP entity ID, including the http or https prefix as applicable.

    IdP Certificate: Click Upload new certificate to upload the IdP certificate. Upload the same certificate that you configured in the IdP.

  7. Click Save.
Note: To use SAML to verify user identity when users connect FortiClient to EMS using an invitation code, you must select SAML for the Verification Type when configuring an invitation. See Invitations.
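The steps above leave the SP (EMS) holding three values that decide whether an incoming SAML response is trusted: the IdP entity ID (step 6), the SP entity ID (step 5), and the Domain Identification claim name userPrincipalName (step 4). The following Python script is an added illustration of the checks an SP applies to an assertion using those values; it is not EMS code and does not show how EMS is implemented internally. The configuration values, the sample SAML response and the claim name "userPrincipalName" are constructed placeholders (Entra ID normally emits claim names as full URIs, so the Name attribute you match must be whatever you configured under Attributes & Claims). The XML signature check against the uploaded IdP certificate is deliberately not implemented here and must happen before any of these checks in a real SP.

```python
"""Added example: the trust checks an SP runs on a SAML assertion.

Constructed sample data only. This script does NOT verify the XML
signature; a real SP verifies the assertion signature against the
uploaded IdP certificate first and rejects anything unsigned.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values an administrator would have entered in EMS (assumed placeholders).
CONFIG = {
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sp_entity_id": "https://ems.example.com/saml/prefix-abc123",
    "domain_identification": "userPrincipalName",  # claim name from step 4
    "expected_domain": "example.com",               # domain chosen in step 3
}

# Constructed SAML response carrying one assertion and one UPN claim.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://ems.example.com/saml/prefix-abc123</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="userPrincipalName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def validate(response_xml, config):
    """Return (True, upn) when the assertion passes every check, else (False, reason)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return (False, "no assertion")

    # 1. The assertion must come from the configured IdP entity ID (step 6).
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_entity_id"]:
        return (False, "issuer mismatch")

    # 2. The assertion must be addressed to this SP's entity ID (step 5),
    #    so an assertion minted for another application cannot be replayed here.
    audiences = [
        a.text.strip() if a.text else ""
        for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if config["sp_entity_id"] not in audiences:
        return (False, "audience mismatch")

    # 3. The Domain Identification claim (step 4) must be present.
    upn = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == config["domain_identification"]:
            upn = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
    if not upn:
        return (False, "missing claim")

    # 4. The claim's domain part must match the domain tied to this configuration.
    _user, sep, domain = upn.rpartition("@")
    if not sep or domain.lower() != config["expected_domain"].lower():
        return (False, "domain mismatch")
    return (True, upn)


if __name__ == "__main__":
    print(validate(SAMPLE_RESPONSE, CONFIG))
```

Each check maps back to one field in the procedure, which is why the IdP entity ID and SP entity ID must be entered exactly as the IdP emits and expects them (including the http or https prefix): a mismatch in either fails the login rather than silently widening trust.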
