Configuring Microsoft Entra ID as SAML IdP and FortiGate as SAML SP
This topic discusses the configuration steps required if your users are managed through Microsoft Entra ID (formerly Azure Active Directory), as part of the overall configuration of SAML-based authentication for FortiClient remote access dialup IPsec VPN clients. Microsoft Entra ID is configured as the Identity Provider (IdP) and FortiGate as the Service Provider (SP) for SAML authentication of the IPsec connection.
To configure a user on Microsoft Entra ID:
- Log in to the Azure portal (portal.azure.com).
- Search for the Microsoft Entra ID service in the search bar and click on it.
- In the left side menu, go to Users.
- Select New user > Create new user.
- In the Basic properties:
  - In the Display name field, enter testuser.
  - In the User principal name field, enter the username@companydomain.extension. For example, testuser@<mydomain>.onmicrosoft.com.
  - Select Show password and then write down the value that is displayed in the Password box.
  - Select Review + create.
- Select Create.
To configure a Security group and add user to it on Microsoft Entra ID:
In this section, we create a security group named IT in Microsoft Entra ID for the testuser. FortiGate will use this security group to grant the user network access through the VPN.
- In the Azure portal, navigate to the Microsoft Entra ID service.
- In the left side menu, go to Groups.
- Select New Group.
- In the Group type list, select Security.
- In the Group name field, enter IT.
- (Optional) In the Group description field, enter Group for granting FortiGate VPN access.
- For the Microsoft Entra roles can be assigned to the group (Preview) setting, select No.
- In the Membership type field, select Assigned.
- Under Members, select No members selected.
- In the Users and groups dialog, select testuser from the Users list, and then click Select.
- Select Create.
- Back in the Groups section in Microsoft Entra ID, find the IT group and note its Object Id. This will be needed later.
To configure Enterprise application on Azure portal:
- Configure user and groups:
  - In the Azure portal, search for the Enterprise applications service in the search bar.
  - Click on New application and search for FortiGate SSL VPN.
    The application is named for “SSL VPN” but should still work with the IPsec VPN configuration.
  - Once the application is found, select it, change the Name to FortiGate IPsec VPN, and click Create. It may take a few seconds to create the application.
  - Once the application is created, go to Enterprise application > All applications > FortiGate IPsec VPN.
  - On the application's overview page, in the Manage section, select Users and groups.
  - Select Add user/group, then select Users in the Add Assignment dialog.
  - In the Users and groups dialog, select testuser in the Users list, and then click Select.
  - (Optional) If you are expecting a role value in the SAML assertion, in the Select Role dialog, select the appropriate role for the user from the list, then click Select.
  - In the Add Assignment dialog, select Assign.
- Configure single sign-on:
  - Browse to Enterprise application > All applications > FortiGate IPsec VPN.
  - In the Manage section, select Single sign-on.
  - In the Select a single sign-on method page, select SAML.
  - In the Set up Single Sign-On with SAML page, select Edit for Basic SAML Configuration to edit the settings:
    - In Identifier, enter a URL in the pattern https://<FortiGate IP or FQDN address>:<Custom SAML-IKE port>/remote/saml/metadata
    - In Reply URL, enter a URL in the pattern https://<FortiGate IP or FQDN address>:<Custom SAML-IKE port>/remote/saml/login
    - In Sign on URL, enter a URL in the pattern https://<FortiGate IP or FQDN address>:<Custom SAML-IKE port>/remote/saml/login
    - In Logout URL, enter a URL in the pattern https://<FortiGate IP or FQDN address>:<Custom SAML-IKE port>/remote/saml/logout
    These URLs can be copied directly from the FortiGate; see To configure SAML server on FortiGate: below.
  - Click Save.
  - The FortiGate IPsec VPN application expects SAML assertions in a specific format, which requires you to add custom attribute mappings to the configuration. The claims required by FortiGate IPsec VPN are username and group; they are created in the following steps. Names are case-sensitive.
    To create these additional claims:
    - Next to User Attributes & Claims, select Edit.
    - Select Add new claim.
    - For Name, enter username.
    - For Source attribute, select user.userprincipalname.
    - Select Save.
    - Select Add a group claim.
    - Select All groups.
    - Under Advanced options, select Customize the name of the group claim.
    - For Name, enter group.
    - Select Save.
  - In the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select Download next to Certificate (Base64) to download the certificate and save it on your computer. This will be needed in the step To export SAML IdP server certificate and import it on FortiGate:.
  - In the Set up FortiGate SAML IPsec section, copy the URLs (Login URL, Microsoft Entra Identifier, Logout URL) and paste them into the FortiGate's SAML server configuration, discussed in To configure SAML server on FortiGate:.
To export SAML IdP server certificate and import it on FortiGate:
- On the FortiGate, go to System > Certificates, and from the Create/Import dropdown, select Remote Certificate.
- Select Upload to locate and upload the .cer remote certificate from your computer.
- Click OK. The certificate will now be visible under System > Certificates > Remote Certificate.
To configure SAML server on FortiGate:
- On the FortiGate, go to User & Authentication > Single Sign-On > Create new.
- Enter the Name as saml-entra-id.
- In the Address field, enter the FQDN/IP information in the following format:
  <ipsec-vpn-gateway-fqdn/ip-address>:<saml-ike-authentication-port>
  The Address field is used by FortiClient to initiate the IPsec connection to the FortiGate.
- In Service Provider Configuration, copy the following URLs (Entity ID, Assertion consumer service URL, Single logout service URL) and use them in Azure in Enterprise application > All applications > FortiGate IPsec VPN > Single sign-on page > Basic SAML Configuration. Use the following mapping to copy the required values:

  FortiGate settings                Microsoft Entra ID settings
  Entity ID                         Identifier (Entity ID)
  Assertion consumer service URL    Reply URL (Assertion Consumer Service URL)
  Assertion consumer service URL    Sign on URL
  Single logout service URL         Logout URL (Optional)

  The following demonstrates on the FortiGate: (screenshot of the Service Provider Configuration fields)
  The following demonstrates on Microsoft Entra ID: (screenshot of the Basic SAML Configuration fields)
- On the FortiGate GUI, click Next.
- In Identity Provider Details, set the Type as Custom.
- Paste the URLs copied in the last step of the section To configure Enterprise application on Azure portal: according to the following mapping:

  Microsoft Entra ID settings    FortiGate settings
  Login URL                      Assertion consumer service URL
  Microsoft Entra Identifier     Entity ID
  Logout URL                     Single logout service URL
- Select the Certificate from the dropdown. This certificate was imported into the FortiGate in section To export SAML IdP server certificate and import it on FortiGate:.
- In the Additional SAML Attributes section, enter the following attributes:

  Attribute used to identify users     username
  Attribute used to identify groups    group
- Click Submit to save the changes.
To configure SAML user group on FortiGate:
- Go to User & Authentication > User Groups > Create New.
- Enter Name as SAML-ENTRA-ID-Group.
- In Remote Groups, click Add.
- From the Remote Server dropdown, select the saml-entra-id SAML server.
- In Groups, click Specify and paste the Object ID copied in the section To configure a Security group and add user to it on Microsoft Entra ID:.
- Click OK.
- Click OK to save the user group.
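An added example, not Fortinet's or Microsoft's code, that parses a constructed SAML response the way the Additional SAML Attributes (username, group) and the SAML user group's Object ID match above are applied: the claim names must match exactly (case-sensitive) and the group claim is matched on the group Object ID, not the group name. The tenant ID, Object IDs and UPN are assumed sample values.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used when walking the assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample, shaped like the assertion Entra ID issues for the two custom
# claims: "username" carries the UPN, "group" carries group Object IDs (GUIDs),
# not group names. The tenant ID, UPN and Object IDs are made-up values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>testuser@mydomain.onmicrosoft.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml):
    """Return {claim name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def match_user_group(attrs, allowed_object_ids, user_attr="username", group_attr="group"):
    """Model the FortiGate group check: the configured claim names must appear in the
    assertion exactly (case-sensitive) and one group value must equal an Object ID of the
    SAML user group. Returns (user, object_id) or (None, None). Signature checking is not
    modelled; the FortiGate does that with the imported IdP certificate."""
    users = attrs.get(user_attr, [])
    if len(users) != 1:
        return None, None  # claim absent or misnamed (e.g. "Username"): no user identity
    for oid in attrs.get(group_attr, []):
        if oid in allowed_object_ids:
            return users[0], oid
    return None, None  # authenticated at the IdP, but not in any permitted group
```

Run it against an assertion captured with the Entra "Test" button on the single sign-on page to confirm the claim names and that the group claim carries the IT group's Object ID.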
To associate SAML server with IPsec gateway interface:
Use the FortiGate CLI to bind and associate the SAML server with the VPN gateway interface (port1) as follows:
config system interface
    edit "port1"
        set ike-saml-server "saml-entra-id"
    next
end
Configuring SAML on IdP and SP is now complete. The next step is to use SAML configuration inside IPsec configuration. To configure IPsec, see Configuring IPsec IKEv2 on FortiGate.