SAML Configuration
In SAML Configuration, you can configure connections to SAML identity providers (IdP), such as Microsoft Entra ID. This allows end users to connect to FortiClient EMS and authenticate using their relevant credentials, such as to Entra ID. The following provides an example for configuring SAML connection to Entra ID.
To add a SAML configuration:
- In EMS, go to User Management > SAML Configuration.
- In the Name field, enter the desired name for this configuration.
- For Authorization Type, do one of the following:
- Select LDAP to associate a domain with this SAML configuration. From the Domain dropdown list, select the desired domain.
- Select None to not associate a domain with this SAML configuration. This is only recommended for non-domain endpoints.
- In the Domain Identification field, enter userPrincipalName for EMS to use to verify the user's domain. You must add the userPrincipalName in Azure as well for verification to succeed. The following shows userPrincipalName configured in the Domain Identification field in EMS and added to Attributes & Claims in the Azure portal.
- Configure Service Provider Settings. EMS is the service provider (SP):
- Configure Identity Provider Settings:
Setting
Description
IdP single sign-on URL
Enter the IdP single sign-on URL, including the http or https prefix as applicable.
IdP entity ID
Enter the IdP entity ID, including the http or https prefix as applicable.
IdP Certificate
Click Upload new certificate to upload the IdP certificate.
Upload the same certificate that you configured in the IdP.
- Click Save.
To use SAML to verify user identity when users connect FortiClient to EMS using an invitation code, you must select SAML for the Verification Type when configuring an invitation. See Invitations. |