Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 7.4.1 EMS Administration Guide
    7.4.1
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Configuring user verification with SAML authentication and an Entra ID server user account

    Configuring user verification with SAML authentication and an Entra ID server user account

    The following provides an example of configuring user verification, using a Microsoft Entra ID (formerly known as Azure Active Directory (AD)) server for authentication. This configuration consists of the following steps:

    1. The EMS administrator adds the Entra ID server to EMS.
    2. The EMS administrator creates a SAML configuration in EMS, with EMS as the service provider (SP) and the Entra ID server as the identity provider (IdP).
    3. The EMS administrator configures an invitation code, and send the invitation code to the desired user.
    4. The end user receives the invitation email, and uses it to download FortiClient.
    5. The end user connects to EMS using their Entra ID credentials.
    To configure an Entra ID server in EMS:
    1. Configure the Entra ID server as an authentication server in EMS:
      1. In the Azure management console, collect your tenant ID, client ID, and client secret.
      2. Go to Administration > Authentication Servers.
      3. Click Add > Azure.
      4. In the Tenant ID and Client ID fields, enter the IDs that you collected from the Azure management console.
      5. For Authorization Type, select Client Secret.
      6. In the Client Secret field, enter the client secret that you collected from the Azure management console.
      7. Configure other fields as desired.
      8. Click Test.

      9. After the test succeeds, click Save.
    To add endpoints using an Entra ID server:
    1. Go to Endpoints > Manage Domains.
    2. Click Add, then Azure.
    3. From the Azure Server dropdown list, select the desired server.
    4. In the Sync every field, enter the number of minutes after which EMS syncs with the Azure server.
    5. For Group Selection Behaviour, select Import Entire Azure Domain or Import Selected Azure Groups.
    6. Enable Import as Base Group for the desired groups, then click Save.

      Endpoints > Domains lists the Entra ID server domain groups and subgroups. It lists subgroups as a flat list and does not preserve the hierarchy from the Entra ID server.

    To register an Entra ID user's endpoint to EMS using SAML:
    1. Create a SAML configuration:
      1. In EMS, go to User Management > SAML Configuration.
      2. Click Add.
      3. For Authorization Type, select LDAP.
      4. From the Domain dropdown list, select the Entra ID server.
      5. In the SP Address field, enter the EMS IP address or FQDN. You can also use the Use Current URL button to populate the field.
      6. Under Identity Provider Settings, enter the Entra ID entity ID and single sign on URLs. Click Save.
    2. In the top banner, click Invitations.
    3. Click Add.
    4. For Verification Type, select SAML.
    5. From the SAML Config dropdown list, select the SAML configuration.
    6. Configure other settings as desired, then click Save.
    7. You can authenticate the endpoint using Entra ID by doing one of the following:
      1. To join the device to the Entra ID server, do the following:
        1. On the endpoint, go to Settings > Accounts.
        2. Under Access work or school, click Connect.
        3. Log in as an Entra ID user.
        4. In FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. FortiClient register to EMS as the logged in Entra ID user without additional prompts.
      2. For a workgroup endpoint or an endpoint joined to an on-premise domain, in FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. A Microsoft single sign on prompt displays. Enter the Entra ID user credentials to authenticate and connect FortiClient to EMS.
    Previous
    Next

    Configuring user verification with SAML authentication and an Entra ID server user account

    Configuring user verification with SAML authentication and an Entra ID server user account

    The following provides an example of configuring user verification, using a Microsoft Entra ID (formerly known as Azure Active Directory (AD)) server for authentication. This configuration consists of the following steps:

    1. The EMS administrator adds the Entra ID server to EMS.
    2. The EMS administrator creates a SAML configuration in EMS, with EMS as the service provider (SP) and the Entra ID server as the identity provider (IdP).
    3. The EMS administrator configures an invitation code, and send the invitation code to the desired user.
    4. The end user receives the invitation email, and uses it to download FortiClient.
    5. The end user connects to EMS using their Entra ID credentials.
    To configure an Entra ID server in EMS:
    1. Configure the Entra ID server as an authentication server in EMS:
      1. In the Azure management console, collect your tenant ID, client ID, and client secret.
      2. Go to Administration > Authentication Servers.
      3. Click Add > Azure.
      4. In the Tenant ID and Client ID fields, enter the IDs that you collected from the Azure management console.
      5. For Authorization Type, select Client Secret.
      6. In the Client Secret field, enter the client secret that you collected from the Azure management console.
      7. Configure other fields as desired.
      8. Click Test.

      9. After the test succeeds, click Save.
    To add endpoints using an Entra ID server:
    1. Go to Endpoints > Manage Domains.
    2. Click Add, then Azure.
    3. From the Azure Server dropdown list, select the desired server.
    4. In the Sync every field, enter the number of minutes after which EMS syncs with the Azure server.
    5. For Group Selection Behaviour, select Import Entire Azure Domain or Import Selected Azure Groups.
    6. Enable Import as Base Group for the desired groups, then click Save.

      Endpoints > Domains lists the Entra ID server domain groups and subgroups. It lists subgroups as a flat list and does not preserve the hierarchy from the Entra ID server.

    To register an Entra ID user's endpoint to EMS using SAML:
    1. Create a SAML configuration:
      1. In EMS, go to User Management > SAML Configuration.
      2. Click Add.
      3. For Authorization Type, select LDAP.
      4. From the Domain dropdown list, select the Entra ID server.
      5. In the SP Address field, enter the EMS IP address or FQDN. You can also use the Use Current URL button to populate the field.
      6. Under Identity Provider Settings, enter the Entra ID entity ID and single sign on URLs. Click Save.
    2. In the top banner, click Invitations.
    3. Click Add.
    4. For Verification Type, select SAML.
    5. From the SAML Config dropdown list, select the SAML configuration.
    6. Configure other settings as desired, then click Save.
    7. You can authenticate the endpoint using Entra ID by doing one of the following:
      1. To join the device to the Entra ID server, do the following:
        1. On the endpoint, go to Settings > Accounts.
        2. Under Access work or school, click Connect.
        3. Log in as an Entra ID user.
        4. In FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. FortiClient register to EMS as the logged in Entra ID user without additional prompts.
      2. For a workgroup endpoint or an endpoint joined to an on-premise domain, in FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. A Microsoft single sign on prompt displays. Enter the Entra ID user credentials to authenticate and connect FortiClient to EMS.
    Previous
    Next