User Guide

Set up SSO with Azure Active Directory

24.2.0

Set Up SSO with Azure AD

Before getting started, see SSO Configuration to learn more about our general SSO settings.

Note: See Quickstart: Enable single sign-on for an enterprise application - Azure AD for the prerequisites.

To set up SSO with Azure AD, perform the following procedures:

  1. Create an SSO integration in FortiMonitor

  2. Enable and configure Azure Active Directory SSO in Azure

  3. Create a SAML signing certificate and download the Azure metadata

  4. Continue the SSO configuration in FortiMonitor

  5. Upload the metadata.xml file from FortiMonitor to Azure

Create an SSO integration in FortiMonitor

  1. Log in to fortimonitor.forticloud.com.

  2. Create an SSO integration by clicking Settings > Integrations > Microsoft Active Directory.

  3. Enter a URL Fragment. The URL Fragment is a custom word (text only) that is appended to the FortiMonitor login URL. For example, if you set it to testing, your FortiMonitor login URL is fortimonitor.forticloud.com/sso/testing. The fragment must be unique across all FortiMonitor customers; if you get an error saying the fragment is in use, choose something specific to your organization. The same fragment is embedded in the Identifier (Entity ID) and Reply URL that you enter in Azure later, so settle on it now.

    Note: New users should use fortimonitor.forticloud.com for the SSO URL. Long-time customers of Panopta should continue using my.panopta.com.

  4. Open a new tab, then go to the Azure Active Directory Admin Center signed in with one of the roles listed in the Prerequisites (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal).

Note: Do not close the FortiMonitor tab.

Enable and configure Azure Active Directory SSO in Azure

  1. From the Azure Active Directory Admin Center, click Azure Active Directory.

  2. From this page, create an enterprise application for the SSO integration by clicking Add > Enterprise Application.

  3. Click Create your own application.

  4. Enter a name for the application then select Integrate any other application you don't find in the gallery (Non-gallery).

  5. Click Create. The dashboard for the newly created application will be displayed.

  6. Click Set up single sign on > SAML. The Set up Single Sign-On with SAML configuration page is displayed.

  7. Edit the Basic SAML Configuration then fill in the required information:

    1. Identifier (Entity ID): https://fortimonitor.forticloud.com/sso/<URL_Fragment>/metadata or https://my.panopta.com/sso/<URL_Fragment>/metadata

    2. Reply URL: https://fortimonitor.forticloud.com/sso/<URL_Fragment>/acs or https://my.panopta.com/sso/<URL_Fragment>/acs
      Note: Replace <URL_Fragment> with the fragment you entered in FortiMonitor, and enter both URLs exactly as shown, including the https:// scheme; Azure only delivers SAML responses to the Reply URL configured here. New users should use fortimonitor.forticloud.com for the SSO URL. Long-time customers of Panopta should continue using my.panopta.com.

  8. Save the configuration. Once the Basic SAML Configuration is saved, the remaining sections of the Azure SAML page are unlocked and you can continue with the next procedure.

Create a SAML signing certificate and download the Azure metadata

  1. To create a new SAML signing certificate, click Edit in the SAML signing certificate section.

  2. Click New Certificate.

  3. For the Signing Option, select Sign SAML response and assertion. Signing both lets FortiMonitor verify the entire response it receives, not only the assertion inside it.

  4. Once the new certificate is created, make it Active. Only the active certificate signs responses, and its expiration date is shown in this section; note it, because the copy of the certificate that you later paste into FortiMonitor has to be replaced whenever this certificate is rotated.

  5. Click Save to close the configuration drawer.

  6. From the SAML Signing Certificate section, click Download to download the Federation Metadata XML.

Continue the SSO configuration in FortiMonitor

  1. Go back to the FortiMonitor tab and fill in the required information. The fields are described in Single sign-on (SSO).

  2. The following values come from Azure:

    1. Username Field is the name of the SAML attribute (claim) in which Azure sends the user's email address. That attribute must exist in the Azure application's user attributes and claims.

    2. The Entity ID (the entityID attribute of the EntityDescriptor element) and the Login Binding (the Binding of the SingleSignOnService element) can be found in the Federation Metadata XML file that you downloaded from Azure.

    3. Copy the Login URL shown on the Azure SAML configuration page.

    4. Download the certificate (Base64) from the SAML Signing Certificate section in Azure and paste its contents into the Certificate field in FortiMonitor. FortiMonitor uses this certificate to verify the signatures on the responses Azure sends, so whenever the signing certificate is rotated in Azure, update this field at the same time or logins will fail.

  3. In the User Configuration section of the configuration drawer, enable Auto Create Users, and assign the role that newly created users should receive when they are added to FortiMonitor. Because Auto Create Users provisions an account for every identity Azure asserts, restrict who can reach the application on the Azure side (the enterprise application's user assignment settings) rather than relying on FortiMonitor to turn anyone away.

  4. Save the changes by clicking on Save.

Upload the metadata.xml file from FortiMonitor to Azure

  1. Download the metadata.xml file from FortiMonitor by opening the following URL in a browser:
    https://fortimonitor.forticloud.com/sso/{URL_Fragment}/metadata or https://my.panopta.com/sso/{URL_Fragment}/metadata

  2. Right-click and select Save As to save the XML file.

  3. Go back to the Azure tab and, from the application created previously, upload the metadata.xml file.

  4. You can test the integration from the Azure SSO configuration page by clicking Test at the bottom of the page.

Note: If you are using Microsoft Edge, test the SSO integration from an InPrivate window or from a different browser.
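The two files this procedure moves between Azure and FortiMonitor are ordinary SAML 2.0 metadata, so the values that the "Continue the SSO configuration in FortiMonitor" procedure has you read out of Azure's Federation Metadata XML (Entity ID, Login URL, Login Binding, signing certificate) can be extracted mechanically, and FortiMonitor's metadata.xml can be checked against the Identifier and Reply URL entered in Azure before it is uploaded. The script below is an added example written for this page; it is not FortiMonitor or Azure code. The two XML documents in it are constructed to follow the shape of Azure's Federation Metadata XML and FortiMonitor's metadata.xml, using an all-zero tenant ID, the fragment acme and placeholder certificate bytes; the HTTP-Redirect and HTTP-POST labels are assumed to be what FortiMonitor's Login Binding field expects.

```python
"""Extract the FortiMonitor SSO values from Azure's Federation Metadata XML and
check FortiMonitor's metadata.xml before uploading it to Azure.
Added example for this page, not FortiMonitor or Azure code; sample XML below is
constructed (zero tenant ID, fragment "acme", placeholder certificate bytes)."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Short labels for the two SAML bindings; assumed to match the Login Binding field.
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST"}


def der_b64_to_pem(b64_blob: str) -> str:
    """Metadata carries the cert as Base64 DER (often with whitespace);
    re-wrap it into the 64-column PEM form a Certificate field expects."""
    der = base64.b64decode("".join(b64_blob.split()))
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Values to enter in FortiMonitor, taken from Azure's IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    certs = [c.text for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no 'use' attr = any use
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in IdP metadata")
    sso = {BINDINGS.get(s.get("Binding"), s.get("Binding")): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    # Prefer HTTP-Redirect for the login request; fall back to whatever is offered.
    binding = "HTTP-Redirect" if "HTTP-Redirect" in sso else next(iter(sso))
    der = base64.b64decode("".join(certs[0].split()))
    return {"entity_id": root.get("entityID"),
            "login_url": sso[binding],
            "login_binding": binding,
            "certificate_pem": der_b64_to_pem(certs[0]),
            # Azure's portal shows a SHA-1 thumbprint; compare it before pasting.
            "cert_sha1_thumbprint": hashlib.sha1(der).hexdigest().upper()}


def check_sp_metadata(xml_text: str, base_url: str, fragment: str) -> list:
    """Mismatches between FortiMonitor's metadata.xml and the Identifier /
    Reply URL entered in Azure's Basic SAML Configuration (empty list == OK)."""
    expected_entity = f"{base_url}/sso/{fragment}/metadata"
    expected_acs = f"{base_url}/sso/{fragment}/acs"
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["not SP metadata: no SPSSODescriptor"]
    problems = []
    if root.get("entityID") != expected_entity:
        problems.append(f"entityID {root.get('entityID')!r} != {expected_entity!r}")
    acs = {a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)}
    if expected_acs not in acs:
        problems.append(f"no AssertionConsumerService at {expected_acs!r}")
    return problems


# --- constructed sample inputs (placeholders, not real tenant or certificate) ---
TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_B64 = base64.b64encode(b"placeholder, not a real certificate " * 6).decode()
AZURE_IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
FORTIMONITOR_SP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://fortimonitor.forticloud.com/sso/acme/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fortimonitor.forticloud.com/sso/acme/acs" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in parse_idp_metadata(AZURE_IDP_METADATA).items():
        print(key, "=", value.splitlines()[0] + " ..." if key == "certificate_pem" else value)
    print("metadata.xml problems:", check_sp_metadata(
        FORTIMONITOR_SP_METADATA, "https://fortimonitor.forticloud.com", "acme"))
```

Run it against the real files by replacing the two constructed strings with the contents of the downloaded Federation Metadata XML and of metadata.xml, and pass your own base URL (fortimonitor.forticloud.com or my.panopta.com) and fragment to check_sp_metadata. The checker deliberately compares the full URLs, not just the host, because a fragment typo or a wrong scheme in the Azure Identifier is the usual reason a fresh integration fails with an audience or reply-URL error.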