Outbound firewall authentication with Azure AD as a SAML IdP

In this example, users are managed through Microsoft Azure Active Directory (AD). The FortiGate is configured for SSO firewall authentication for outbound traffic, with authentication performed by Azure AD acting as the SAML identity provider (IdP) and the FortiGate acting as the SAML service provider (SP).

The SAML interaction occurs as follows:

  1. The user initiates web traffic to the internet.
  2. The FortiGate redirects to the local captive portal, then redirects the user to the SAML IdP.
  3. The user connects to the Microsoft login page to complete the SAML authentication request.
  4. The SAML IdP returns a SAML assertion containing the user and group.
  5. The browser forwards the SAML assertion to the SAML SP (the FortiGate).
  6. If the user and group are allowed by the FortiGate, the user is allowed to access the internet.

In this example environment, a user who belongs to the security group called Firewall is added in Azure AD.

  • Username: John Locus
  • User login: jlocus@azure.kldocs.com
  • Group: Firewall (ID 62b699ce-4f80-48c0-846e-c1dfde2dc667)

The goal is to allow users in the Firewall group to access the internet after passing firewall authentication.
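The checks an SP applies at steps 4 to 6 before letting the user through, shown as an added illustration that is not the FortiGate's own code: a constructed assertion in the shape Azure AD issues, carrying the user and Firewall group ID above, is parsed and rejected unless it is inside its validity window, addressed to this SP's entity ID (the URL and the tenant ID are placeholders) and lists the Firewall group in the Azure AD groups claim. XML signature verification, which must come before any of this, is assumed to have been done by an XML-DSig library and is not shown.

```python
# Added illustration, not FortiGate code: the checks an SP applies to an Azure AD
# assertion after its XML signature has already been verified (not shown here).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"  # Azure AD groups claim
ALLOWED_GROUP = "62b699ce-4f80-48c0-846e-c1dfde2dc667"  # Firewall group ID from the example
SP_ENTITY_ID = "https://fgt.example.com:1003/saml/metadata/"  # assumed SP entity ID (placeholder)

# Constructed sample in the shape Azure AD issues (tenant ID is a placeholder, no signature)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-05-01T10:00:00.000Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>jlocus@azure.kldocs.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:55:00.000Z" NotOnOrAfter="2024-05-01T11:00:00.000Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://fgt.example.com:1003/saml/metadata/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>62b699ce-4f80-48c0-846e-c1dfde2dc667</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00.000Z (fraction ignored)."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text, now, allowed_group=ALLOWED_GROUP, audience=SP_ENTITY_ID):
    """Return (allowed, reason, user); 'now' is a SAML-format timestamp string."""
    a = ET.fromstring(xml_text)
    user = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing validity conditions", user
    if not _ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window", user
    # The audience restriction stops an assertion issued for another SP being accepted here
    if audience not in [e.text for e in cond.findall(".//saml:Audience", NS)]:
        return False, "assertion not issued for this SP", user
    groups = [v.text for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == GROUPS_CLAIM
              for v in attr.findall("saml:AttributeValue", NS)]
    if allowed_group not in groups:
        return False, "user not in the allowed group", user
    return True, "ok", user
```

Calling `evaluate_assertion(SAMPLE_ASSERTION, "2024-05-01T10:00:00Z")` allows jlocus; the same assertion presented after NotOnOrAfter, for another audience, or for a different allowed group is refused with the matching reason.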