Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Identity & Access Management (IAM)

    Home FortiCloud Services 25.2.0 Identity & Access Management (IAM)
    25.2.0
    25.2.0

    Adding external IdP roles to the application

    Adding external IdP roles to the application

    Once you have configured the external IdP application, you can begin to add external IdP roles. For more information on roles, see External IdP roles.

    This document only covers configuring external IdP with Okta and Microsoft Entra ID. However, multiple external identity providers are supported by FortiCloud. This topic includes the following examples on adding external IdP roles:

    Adding roles in Okta

    External IdP roles can be added in Okta.

    To add external IdP roles in Okta:

    1. In Okta, go to Applications > Applications.

    2. Navigate to the application you created when enrolling.

    3. Edit the General > SAML Settings:

      1. In Group Attribute Statements, set the Name to Role and the Filter to Contains > externidp_.

      2. Click Next.

      3. Click Finish.

    4. Assign the users and groups:

      1. Go to Directory > Groups.

      2. Click Add group.

      3. Set the Name to extidp_<name>.

      4. Click Save.

      5. Select Group name > Everyone.

      6. Select the group you created.

      7. Click Assign people to select the users you want to add.

      8. Go to the Applications tab and click Assign applications to select the application you created.

    5. Create the external IdP roles:

      1. Go to Applications > Applications.

      2. Select the application and go to the Assignments tab.

      3. Copy the group name.

      4. In the FortiCloud IAM portal, create an external IdP role with the role Name set to the group name you copied. See Adding external IdP roles.

      5. Repeat these steps for other groups, as needed.

        You can now log into FortiCloud Services using the external IdP roles. See Selecting IdP roles.

    Adding roles in Entra ID

    External IdP roles can be added in Entra ID.

    To add external IdP roles in Entra ID:

    1. In Microsoft Azure, select Microsoft Entra ID.

    2. Go to Enterprise applications.

    3. Navigate to the application you created when enrolling.

    4. Select Set up single sign on.

    5. Edit Attributes & Claims:

      1. Click Add new claim to create a username source attribute.

      2. Click Add a group claim to create a role group claim.

    6. Assign the users and groups:

      1. Go to Overview > Assign users and groups.

      2. Click Add user/group.

      3. Select Users and groups.

      4. Search for the desired groups and select them.

      5. Click Assign.

    7. Create the external IdP roles:

      1. Go to Overview > Assign users and groups.

      2. Select the group.

      3. Copy the Object Id.

      4. In the FortiCloud IAM portal, create an external IdP role with the role Name set to the Object Id. See Adding external IdP roles.

      5. Repeat these steps for other groups, as needed.

        You can now log into FortiCloud Services using the external IdP roles. See Selecting IdP roles.

    Previous
    Next

    Related Videos

    Adding external IdP roles to the application

    Adding external IdP roles to the application

    Once you have configured the external IdP application, you can begin to add external IdP roles. For more information on roles, see External IdP roles.

    This document only covers configuring external IdP with Okta and Microsoft Entra ID. However, multiple external identity providers are supported by FortiCloud. This topic includes the following examples on adding external IdP roles:

    Adding roles in Okta

    External IdP roles can be added in Okta.

    To add external IdP roles in Okta:

    1. In Okta, go to Applications > Applications.

    2. Navigate to the application you created when enrolling.

    3. Edit the General > SAML Settings:

      1. In Group Attribute Statements, set the Name to Role and the Filter to Contains > externidp_.

      2. Click Next.

      3. Click Finish.

    4. Assign the users and groups:

      1. Go to Directory > Groups.

      2. Click Add group.

      3. Set the Name to extidp_<name>.

      4. Click Save.

      5. Select Group name > Everyone.

      6. Select the group you created.

      7. Click Assign people to select the users you want to add.

      8. Go to the Applications tab and click Assign applications to select the application you created.

    5. Create the external IdP roles:

      1. Go to Applications > Applications.

      2. Select the application and go to the Assignments tab.

      3. Copy the group name.

      4. In the FortiCloud IAM portal, create an external IdP role with the role Name set to the group name you copied. See Adding external IdP roles.

      5. Repeat these steps for other groups, as needed.

        You can now log into FortiCloud Services using the external IdP roles. See Selecting IdP roles.

    Adding roles in Entra ID

    External IdP roles can be added in Entra ID.

    To add external IdP roles in Entra ID:

    1. In Microsoft Azure, select Microsoft Entra ID.

    2. Go to Enterprise applications.

    3. Navigate to the application you created when enrolling.

    4. Select Set up single sign on.

    5. Edit Attributes & Claims:

      1. Click Add new claim to create a username source attribute.

      2. Click Add a group claim to create a role group claim.

    6. Assign the users and groups:

      1. Go to Overview > Assign users and groups.

      2. Click Add user/group.

      3. Select Users and groups.

      4. Search for the desired groups and select them.

      5. Click Assign.

    7. Create the external IdP roles:

      1. Go to Overview > Assign users and groups.

      2. Select the group.

      3. Copy the Object Id.

      4. In the FortiCloud IAM portal, create an external IdP role with the role Name set to the Object Id. See Adding external IdP roles.

      5. Repeat these steps for other groups, as needed.

        You can now log into FortiCloud Services using the external IdP roles. See Selecting IdP roles.

    Previous
    Next