Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 7.4.1 EMS Administration Guide
    7.4.1
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Autoconnect on logging in as an Entra ID user

    Autoconnect on logging in as an Entra ID user

    You can configure FortiClient to automatically connect to a specified VPN tunnel using Microsoft Entra ID credentials.

    FortiClient supports two autoconnect methods with Entra ID SAML VPN:

    The following describes configuration for both methods.

    The following instructions assume that you have already configured your Entra ID environment, that your FortiClient EMS and FortiGate are part of a Fortinet Security Fabric, and that the FortiGate has been configured in Azure as an enterprise application for SAML single sign on. See Tutorial: Azure AD SSO integration with FortiGate SSL VPN.

    The following configuration requires FortiOS 7.2.1 or a later version.

    The <use_gui_saml_auth> XML option affects how FortiClient presents SAML authentication in the GUI. See SSL VPN.

    Method 1: Autoconnect with Entra ID domain-joined FortiClient endpoint

    To join the endpoint to an Entra ID domain:
    1. On the Windows machine, go to Settings > Accounts > Access work or school > Join this device to Microsoft ID.
    2. Enter the Entra ID domain account credentials.
    3. Reboot the endpoint.
    4. Log in with the configured Entra ID credentials.
    To configure EMS:
    1. Go to Endpoint Profiles > Remote Access.
    2. Select the desired profile.
    3. Specify the desired tunnel as the autoconnect tunnel:

      <vpn>

      <options>

      <autoconnect_tunnel>SSL VPN HQ</autoconnect_tunnel>

      <autoconnect_on_install>1</autoconnect_on_install>

      <options>

      <vpn>

    After the endpoint receives the updated configuration, when the user is logged in as the Entra ID domain user on the endpoint, FortiClient seamlessly connects to the VPN tunnel without displaying a prompt for credentials. The user does not need to manually authenticate the VPN tunnel connection.

    To configure FortiOS:

    conf user saml

    edit "azure_saml"

    set auth-url "https://graph.microsoft.com/v1.0/me"

    next

    end

    Method 2: Autoconnect with non Entra ID-joined FortiClient endpoint

    To create and configure app registration in Azure:
    1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications.
    2. Select the FortiGate SSL VPN enterprise application.
    3. Note down the application ID and Azure domain.
    4. Go to Microsoft Entra ID > App registrations > All applications.
    5. Click the application that you selected in step 2.
    6. Go to Manage > Authentication > Add a platform > Mobile and desktop applications.
    7. In the Custom redirect URIs field, enter ms-appx-web://microsoft.aad.brokerplugin/, followed by the application ID that you noted. For example, if your application ID is 123456, enter ms-appx-web://microsoft.aad.brokerplugin/123456.
    8. Save the configuration.
    To configure EMS:
    1. Go to Endpoint Profiles > Remote Access.
    2. Select the desired profile.
    3. Configure the following for the desired tunnel for FortiClient to automatically connect to. This example configures an SSL VPN tunnel as the tunnel that FortiClient automatically connects to. You can configure the autoconnect tunnel to be an IPsec VPN tunnel if desired. For details on how to find the tenant domain name and application ID from the Azure portal, see the following:

      Configure the following in Advanced Settings:

      1. Toggle on Enable SAML Login.
      2. Ensure that Use External Browser as User-agent for SAML Login is disabled. You cannot use an eternal browser for this method.
      3. Toggle on Enable Azure Auto Login.
      4. In the Tenant Name field, enter the domain name obtained from the Azure portal.
      5. In the Client ID field, enter the application ID obtained from the Azure portal.
    4. Save the tunnel.
    5. In general VPN settings, specify the desired tunnel as the autoconnect tunnel:

      <vpn>

      <options>

      <autoconnect_tunnel>SSL VPN HQ</autoconnect_tunnel>

      <autoconnect_on_install>1</autoconnect_on_install>

      <options>

      <vpn>

    To configure FortiOS:

    You must define a user, msgraph, and use it as a member of User & Authentication > User Groups. The following shows the relevant CLI commands:

    config user external-identity-provider
    edit "msgragh"
        set type ms-graph
        set version v1.0
    next
end
    config user group
    edit "SSLVPN_SAML_Entra_ID"
        set authtimeout 60
        set member "SSLVPN_SAML_Entra_ID" "msgragh"
    next
end

    config user saml

    edit "azure_saml"

    set auth-url "https://graph.microsoft.com/v1.0/me"

    next

    end

    To configure EMS:
    1. Go to Endpoint Profiles > Remote Access.
    2. Select the desired profile.
    3. In XML view, configure the following for the desired tunnel for FortiClient to automatically connect to. This example configures an SSL VPN tunnel as the tunnel that FortiClient automatically connects to. You can configure the autoconnect tunnel to be an IPsec VPN tunnel if desired. For details on how to find the tenant domain name and application ID from the Azure portal, see the following:

      <vpn>

      <sslvpn>

      <connections>

      <connection>

      <name>SSL VPN HQ</name>

      <sso_enabled>1</sso_enabled>

      <azure_auto_login>

      <enabled>1</enabled>

      <azure_app>

      <tenant_name>Domain name obtained from the Azure portal.</tenant_name>

      <client_id>Application ID obtained from the Azure portal</client_id>

      </azure_app>

      </azure_auto_login>

      <connection>

      <connections>

      <sslvpn>

      <vpn>

    4. In general VPN settings, specify the desired tunnel as the autoconnect tunnel:

      <vpn>

      <options>

      <autoconnect_tunnel>SSL VPN HQ</autoconnect_tunnel>

      <autoconnect_on_install>1</autoconnect_on_install>

      <options>

      <vpn>

    To manage application permissions:
    1. As an end user, log in to an endpoint that has the profile configured in To configure EMS: applied.
    2. FortiClient automatically attempts to connect to the specified VPN tunnel. If this is the initial attempt to connect to this VPN tunnel, Windows displays a prompt to select the desired Entra ID account. Select the desired account.

      You should now configure one of the following permission options. These steps assume that you have already configured Azure SAML SSL/IPsec VPN autoconnect as this document describes and you are signed in as a global administrator of the same tenant.

    3. To have Need admin approval shown to users, do the following:
      1. In the Azure portal, go to Enterprise Application > <Your VPN application> > (sidebar) Manage > Properties.
      2. Set Assignment required? to Yes.
      3. Add the desired users to Users & Groups.
      4. Remove any permissions in App Registration.
      5. Go to Home > App Registration > <Your VPN application> > (sidebar) Manage > API permissions.
      6. Right-click and remove permission.
      7. If you want to disallow user consent for all applications, you can disable this by doing the following:
        1. Go to Home > Enterprise Application > <Your VPN application> > (sidebar) Security > Consent and permissions > Manage > User consent settings.
        2. For User consent for applications, select Do not allow user consent.

    4. To have users consent per a permissions request but avoid admin approval, do the following:
      1. Go to Enterprise Application > <Your VPN application> > (sidebar) Manage > Properties.
      2. Set Assignment required? to No. This allows any valid user from this tenant to use the app. You no longer need to add users to Users and groups to have access to this app. As per Microsoft documentation, when an application requires assignment, user consent for that application is not allowed. This is true even if users consent for that app would have otherwise been allowed.
      3. Remove any permissions in App Registration.
      4. Go to Home > App Registration > <Your VPN application> > (sidebar) Manage > API permissions.
      5. Right-click and remove permission.
      6. Allow users to consent:
        1. Go to Home > Enterprise Application > <Your VPN application> > (sidebar) Security > Consent and permissions > Manage > User consent settings.
        2. Select User consent for applications > Allow user consent for apps from verified publishers for selected permissions.
        3. Go to Manage > Permission classifications.
        4. Ensure the following are listed under Low-risk permissions > Microsoft Graph:
          • email
          • User.Read
          • offline_access
          • profile
          • openid

      The next time that the Entra ID user signs in with FortiClient Entra ID autoconnect triggered, the user should see a popup requesting permissions.

    5. To grant admin consent to an enterprise application such that a user does not need to request consent, do one of the following:
      1. To grant this consent through the standard permission UI as a global administrator, do the following:
        1. Connect to the VPN. You are prompted as usual to grant permissions for your user account to the enterprise application.
        2. As a global administrator, there is an extra Consent on behalf of your organization checkbox. Select it to grant admin consent to the application. Other users do not need to grant consent.
      2. To grant this consent in the Azure portal, do the following:
        1. Go to Enterprise Application > <Your VPN application> > (sidebar) Security > Permissions.
        2. Click app registration in the sentence To configure requested permissions for apps you own, use the app registration.
        3. Go to API Permissions > Configured permissions > Add a permission > Request API permissions > Microsoft APIs > Microsoft Graph > Delegated Permissions.
        4. Select the following:
          • openID permissions:
            • offline_access
            • openid
            • profile
            • email
          • User > User.Read
        5. Add the permissions.
        6. After the permissions are added, they appear in the table on the same screen. Click Grant admin consent for <Tenant name>.
        7. Return to Enterprise Applications Permissions by clicking Enterprise applications in the sentence To view and manage consented permissions for individual apps, as well as your tenant's consent settings, try Enterprise applications.
        8. The Grant admin consent for <Tenant name> button is blue instead of being grayed out. Click the button. A popup opens that requires you to sign in as a global administrator and to allow the application permissions. The permissions that you used in App Permissions fill in the following table.

      After you complete either step, users no longer need to request consent and can autoconnect to VPN without having to give consent.

    Note

    The prompt to grant permissions does not appear if the Azure domain or tenant administrator has already granted permission on behalf of the organization.
    Previous
    Next

    Autoconnect on logging in as an Entra ID user

    Autoconnect on logging in as an Entra ID user

    You can configure FortiClient to automatically connect to a specified VPN tunnel using Microsoft Entra ID credentials.

    FortiClient supports two autoconnect methods with Entra ID SAML VPN:

    The following describes configuration for both methods.

    The following instructions assume that you have already configured your Entra ID environment, that your FortiClient EMS and FortiGate are part of a Fortinet Security Fabric, and that the FortiGate has been configured in Azure as an enterprise application for SAML single sign on. See Tutorial: Azure AD SSO integration with FortiGate SSL VPN.

    The following configuration requires FortiOS 7.2.1 or a later version.

    The <use_gui_saml_auth> XML option affects how FortiClient presents SAML authentication in the GUI. See SSL VPN.

    Method 1: Autoconnect with Entra ID domain-joined FortiClient endpoint

    To join the endpoint to an Entra ID domain:
    1. On the Windows machine, go to Settings > Accounts > Access work or school > Join this device to Microsoft ID.
    2. Enter the Entra ID domain account credentials.
    3. Reboot the endpoint.
    4. Log in with the configured Entra ID credentials.
    To configure EMS:
    1. Go to Endpoint Profiles > Remote Access.
    2. Select the desired profile.
    3. Specify the desired tunnel as the autoconnect tunnel:

      <vpn>

      <options>

      <autoconnect_tunnel>SSL VPN HQ</autoconnect_tunnel>

      <autoconnect_on_install>1</autoconnect_on_install>

      <options>

      <vpn>

    After the endpoint receives the updated configuration, when the user is logged in as the Entra ID domain user on the endpoint, FortiClient seamlessly connects to the VPN tunnel without displaying a prompt for credentials. The user does not need to manually authenticate the VPN tunnel connection.

    To configure FortiOS:

    conf user saml

    edit "azure_saml"

    set auth-url "https://graph.microsoft.com/v1.0/me"

    next

    end

    Method 2: Autoconnect with non Entra ID-joined FortiClient endpoint

    To create and configure app registration in Azure:
    1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications.
    2. Select the FortiGate SSL VPN enterprise application.
    3. Note down the application ID and Azure domain.
    4. Go to Microsoft Entra ID > App registrations > All applications.
    5. Click the application that you selected in step 2.
    6. Go to Manage > Authentication > Add a platform > Mobile and desktop applications.
    7. In the Custom redirect URIs field, enter ms-appx-web://microsoft.aad.brokerplugin/, followed by the application ID that you noted. For example, if your application ID is 123456, enter ms-appx-web://microsoft.aad.brokerplugin/123456.
    8. Save the configuration.
    To configure EMS:
    1. Go to Endpoint Profiles > Remote Access.
    2. Select the desired profile.
    3. Configure the following for the desired tunnel for FortiClient to automatically connect to. This example configures an SSL VPN tunnel as the tunnel that FortiClient automatically connects to. You can configure the autoconnect tunnel to be an IPsec VPN tunnel if desired. For details on how to find the tenant domain name and application ID from the Azure portal, see the following:

      Configure the following in Advanced Settings:

      1. Toggle on Enable SAML Login.
      2. Ensure that Use External Browser as User-agent for SAML Login is disabled. You cannot use an eternal browser for this method.
      3. Toggle on Enable Azure Auto Login.
      4. In the Tenant Name field, enter the domain name obtained from the Azure portal.
      5. In the Client ID field, enter the application ID obtained from the Azure portal.
    4. Save the tunnel.
    5. In general VPN settings, specify the desired tunnel as the autoconnect tunnel:

      <vpn>

      <options>

      <autoconnect_tunnel>SSL VPN HQ</autoconnect_tunnel>

      <autoconnect_on_install>1</autoconnect_on_install>

      <options>

      <vpn>

    To configure FortiOS:

    You must define a user, msgraph, and use it as a member of User & Authentication > User Groups. The following shows the relevant CLI commands:

    config user external-identity-provider
    edit "msgragh"
        set type ms-graph
        set version v1.0
    next
end
    config user group
    edit "SSLVPN_SAML_Entra_ID"
        set authtimeout 60
        set member "SSLVPN_SAML_Entra_ID" "msgragh"
    next
end

    config user saml

    edit "azure_saml"

    set auth-url "https://graph.microsoft.com/v1.0/me"

    next

    end

    To configure EMS:
    1. Go to Endpoint Profiles > Remote Access.
    2. Select the desired profile.
    3. In XML view, configure the following for the desired tunnel for FortiClient to automatically connect to. This example configures an SSL VPN tunnel as the tunnel that FortiClient automatically connects to. You can configure the autoconnect tunnel to be an IPsec VPN tunnel if desired. For details on how to find the tenant domain name and application ID from the Azure portal, see the following:

      <vpn>

      <sslvpn>

      <connections>

      <connection>

      <name>SSL VPN HQ</name>

      <sso_enabled>1</sso_enabled>

      <azure_auto_login>

      <enabled>1</enabled>

      <azure_app>

      <tenant_name>Domain name obtained from the Azure portal.</tenant_name>

      <client_id>Application ID obtained from the Azure portal</client_id>

      </azure_app>

      </azure_auto_login>

      <connection>

      <connections>

      <sslvpn>

      <vpn>

    4. In general VPN settings, specify the desired tunnel as the autoconnect tunnel:

      <vpn>

      <options>

      <autoconnect_tunnel>SSL VPN HQ</autoconnect_tunnel>

      <autoconnect_on_install>1</autoconnect_on_install>

      <options>

      <vpn>

    To manage application permissions:
    1. As an end user, log in to an endpoint that has the profile configured in To configure EMS: applied.
    2. FortiClient automatically attempts to connect to the specified VPN tunnel. If this is the initial attempt to connect to this VPN tunnel, Windows displays a prompt to select the desired Entra ID account. Select the desired account.

      You should now configure one of the following permission options. These steps assume that you have already configured Azure SAML SSL/IPsec VPN autoconnect as this document describes and you are signed in as a global administrator of the same tenant.

    3. To have Need admin approval shown to users, do the following:
      1. In the Azure portal, go to Enterprise Application > <Your VPN application> > (sidebar) Manage > Properties.
      2. Set Assignment required? to Yes.
      3. Add the desired users to Users & Groups.
      4. Remove any permissions in App Registration.
      5. Go to Home > App Registration > <Your VPN application> > (sidebar) Manage > API permissions.
      6. Right-click and remove permission.
      7. If you want to disallow user consent for all applications, you can disable this by doing the following:
        1. Go to Home > Enterprise Application > <Your VPN application> > (sidebar) Security > Consent and permissions > Manage > User consent settings.
        2. For User consent for applications, select Do not allow user consent.

    4. To have users consent per a permissions request but avoid admin approval, do the following:
      1. Go to Enterprise Application > <Your VPN application> > (sidebar) Manage > Properties.
      2. Set Assignment required? to No. This allows any valid user from this tenant to use the app. You no longer need to add users to Users and groups to have access to this app. As per Microsoft documentation, when an application requires assignment, user consent for that application is not allowed. This is true even if users consent for that app would have otherwise been allowed.
      3. Remove any permissions in App Registration.
      4. Go to Home > App Registration > <Your VPN application> > (sidebar) Manage > API permissions.
      5. Right-click and remove permission.
      6. Allow users to consent:
        1. Go to Home > Enterprise Application > <Your VPN application> > (sidebar) Security > Consent and permissions > Manage > User consent settings.
        2. Select User consent for applications > Allow user consent for apps from verified publishers for selected permissions.
        3. Go to Manage > Permission classifications.
        4. Ensure the following are listed under Low-risk permissions > Microsoft Graph:
          • email
          • User.Read
          • offline_access
          • profile
          • openid

      The next time that the Entra ID user signs in with FortiClient Entra ID autoconnect triggered, the user should see a popup requesting permissions.

    5. To grant admin consent to an enterprise application such that a user does not need to request consent, do one of the following:
      1. To grant this consent through the standard permission UI as a global administrator, do the following:
        1. Connect to the VPN. You are prompted as usual to grant permissions for your user account to the enterprise application.
        2. As a global administrator, there is an extra Consent on behalf of your organization checkbox. Select it to grant admin consent to the application. Other users do not need to grant consent.
      2. To grant this consent in the Azure portal, do the following:
        1. Go to Enterprise Application > <Your VPN application> > (sidebar) Security > Permissions.
        2. Click app registration in the sentence To configure requested permissions for apps you own, use the app registration.
        3. Go to API Permissions > Configured permissions > Add a permission > Request API permissions > Microsoft APIs > Microsoft Graph > Delegated Permissions.
        4. Select the following:
          • openID permissions:
            • offline_access
            • openid
            • profile
            • email
          • User > User.Read
        5. Add the permissions.
        6. After the permissions are added, they appear in the table on the same screen. Click Grant admin consent for <Tenant name>.
        7. Return to Enterprise Applications Permissions by clicking Enterprise applications in the sentence To view and manage consented permissions for individual apps, as well as your tenant's consent settings, try Enterprise applications.
        8. The Grant admin consent for <Tenant name> button is blue instead of being grayed out. Click the button. A popup opens that requires you to sign in as a global administrator and to allow the application permissions. The permissions that you used in App Permissions fill in the following table.

      After you complete either step, users no longer need to request consent and can autoconnect to VPN without having to give consent.

    Note

    The prompt to grant permissions does not appear if the Azure domain or tenant administrator has already granted permission on behalf of the organization.
    Previous
    Next