
EMS Administration Guide

SAML SSO with Entra ID as IdP

You can configure a single sign on (SSO) connection with Microsoft Entra ID (formerly known as Azure Active Directory (AD)) via SAML, where Entra ID is the identity provider (IdP) and FortiClient EMS is the service provider (SP). This feature allows users to log in to EMS by logging in with their Entra ID credentials.

To configure FortiClient EMS with Entra ID SSO:
  1. In FortiClient EMS, go to Administration > SAML SSO. Service Provider Settings displays the SP Address, SP Entity ID, and SP ACS (login) URL fields. You use these values to configure FortiClient EMS as an SP in Azure. Copy these values.
  2. Create and configure your FortiClient EMS environment in Azure:
    1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications > New application.
    2. Click Create your own application and provide a name, for instance, FortiClient EMS.
    3. Click Create.
    4. Assign Entra ID users and groups to FortiClient EMS.
    5. Go to Set up single sign on.
    6. For the SSO method, select SAML.
    7. In Basic Configuration, enter the values that you copied in step 1. The following summarizes the mapping between EMS fields and Azure fields:

      EMS Service Provider Settings field    Entra ID Basic SAML configuration field
      SP Entity ID                           Identifier (Entity ID)
      SP ACS (login) URL                     Reply URL (Assertion Consumer Service URL)
      SP Address                             Sign on URL

  3. Obtain the IdP information from Azure:
    1. The SAML Signing Certificate box contains links to download the SAML certificate. Download the certificate.
    2. The Set up <FortiClient EMS instance name> box lists the IdP information that you must provide to FortiClient EMS. Copy the values in the Login URL and Entra ID Identifier fields.
  4. Configure the IdP information in FortiClient EMS:
    1. In EMS, under Identity Provider Settings, in the IdP Entity ID and IdP single sign-on URL fields, paste the values that you copied from the Entra ID Identifier and Login URL fields, respectively.
    2. From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded. Click Next.
  5. In Access Control, click Add to assign the roles for the group members:
    1. Create a member with the Super Administrator role and the highest Priority.
    2. Assign access for the other group members.
    3. For each Rule that is not assigned the Super Administrator role, click Advanced Settings:
      1. Configure domain access. This enables finer control over the specific authorization levels assigned to administrators.
      2. Click Finish.
    4. Configure other settings as needed.
    5. Click Save.

  6. Review the SAML configuration, then click Save.
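The three Entra ID values that step 4 has you paste into EMS (Entra ID Identifier, Login URL and the signing certificate) are, in SAML 2.0 metadata terms, the IdP's entityID, its HTTP-Redirect SingleSignOnService endpoint and its signing KeyDescriptor. The following is an added example, not code from the Fortinet guide or from EMS, that extracts and sanity-checks those values from an IdP metadata document with only the Python standard library, so the copied values can be compared against what the portal shows; the metadata sample is constructed, with an all-zero tenant id and placeholder certificate bytes.

```python
"""Extract the IdP values EMS step 4 asks for from SAML 2.0 IdP metadata (stdlib only)."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Entra ID federation metadata: the tenant id
# is all zeros and the certificate body is placeholder bytes, not a real cert.
TENANT = "00000000-0000-0000-0000-000000000000"
CERT_B64 = base64.b64encode(b"CONSTRUCTED-CERT-PLACEHOLDER").decode()
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}">
      <X509Data><X509Certificate>{CERT_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def idp_values_for_ems(metadata_xml: str) -> dict:
    """Return the EMS Identity Provider Settings values; the signing certificate
    is re-wrapped as PEM, the form the IdP Certificate upload expects."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP role")
    # The portal's Login URL is the HTTP-Redirect endpoint; ignore other bindings.
    redirect = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == REDIRECT and s.get("Location")]
    if len(redirect) != 1:
        raise ValueError(f"expected one HTTP-Redirect SSO endpoint, found {len(redirect)}")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(cert.text.split())        # metadata often wraps the base64 body
    base64.b64decode(b64, validate=True)    # reject anything that is not clean base64
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"
    return {"IdP Entity ID": root.get("entityID"),
            "IdP single sign-on URL": redirect[0],
            "IdP Certificate": pem}

EMS_IDP_FIELDS = idp_values_for_ems(SAMPLE_IDP_METADATA)  # what step 4 needs, from the sample
```

Replace SAMPLE_IDP_METADATA with the metadata XML of your own enterprise application to get the exact strings to compare against the EMS fields.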