Administration Guide

Configuring the Azure AD

The following Azure AD configuration demonstrates how to add the FortiSandbox as an enterprise non-gallery application. This application provides SAML SSO connectivity to the Azure AD IdP. Some steps are performed concurrently on the FortiSandbox.

Note: This example is configured with an Azure AD free-tier directory. There may be limitations to managing users in Azure in this tier that do not apply in other tiers. Consult the Microsoft Azure AD documentation for more information.

To configure Azure AD:
  1. Create a new enterprise application.
  2. Configure the SAML SSO settings on the application and FortiSandbox.
  3. Assign Azure AD users and groups to the application.

Create a new enterprise application

To create a new enterprise application:
  1. Log in to the Azure portal.
  2. In the Azure portal menu, click Azure Active Directory.
  3. In the left navigation pane menu go to Manage > Enterprise applications.
  4. Click New application.

  5. Click Create your own application.

  6. Enter a name for the application and select Integrate any other application you don't find in the gallery (Non-gallery).

  7. Click Create.

Configure the SAML SSO settings on the application and FortiSandbox

Note: This task requires going back and forth between Azure and the FortiSandbox GUI. We recommend keeping the FortiSandbox GUI open for the entire procedure.

To configure the SAML SSO settings on the application and FortiSandbox:

  1. On the Enterprise Application overview page, go to Manage > Single sign-on and select SAML as the single sign-on method.

  2. Click Edit of Section 1 (Basic SAML Configuration).

  3. Keep the Azure Portal open and in FortiSandbox go to System > SAML SSO and click Enable next to Enable SSO.
  4. In Azure go to Set up Single Sign-On with SAML > Edit Section 1 and copy the following URLs from the FortiSandbox to the Basic SAML Configuration section:

    From FortiSandbox                                To Azure field
    SP Entity ID (https://10.1.0.1/sso_sp)           Identifier (Entity ID)
    SP login URL (https://10.1.0.1/sso_sp/op/?acs)   Reply URL and Sign on URL
    SP logout URL (https://10.1.0.1/sso_sp/op/?sls)  Logout URL

    Note: If you are deploying FortiSandbox or FortiAuthenticator on a public cloud, you will need to manually change the private IP in these URLs to the public IP. Otherwise, the URLs will not work.

  5. Click Save.
  6. Edit Section 2 (Attributes & Claims) > Add new claim.

  7. Configure the new claim:

    Name:              username
    Namespace:         Leave blank.
    Source:            Attribute
    Source attribute:  user.userprincipalname

    The value of this attribute has to match the username of the administrator who will be logging in.

  8. Click the Save button to add this new claim.

  9. Click the close button (X) at the top-right to return.

  10. In Section 3 (SAML Certificates), download the Certificate (Base64).

  11. To import this certificate into FortiSandbox, go to System > Certificates.
  12. On FortiSandbox, go to System > SSO to configure the SSO settings. Copy the following URLs from the Azure AD SAML-based Sign-on > Section 4 page:

    From Azure            To FortiSandbox field
    Azure AD Identifier   IdP Entity ID
    Login URL             IdP login URL
    Logout URL            IdP logout URL

  13. For IdP certificate, choose the certificate you imported earlier.
  14. Click OK to save your settings to FortiSandbox.
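The values copied by hand in steps 4, 10 and 12 above can be cross-checked against the federation metadata XML that Azure AD publishes for the enterprise application. The script below is an added example and is not part of this guide or of FortiSandbox; it parses a constructed metadata sample (tenant ID and certificate are placeholders), derives the SP URLs from the FortiSandbox host, and flags SP URLs that still carry a private IP, which is the public-cloud case the note after step 4 warns about.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of the federation metadata an Azure AD enterprise app
# publishes (the values behind Section 3 and Section 4). Placeholders only.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def idp_settings(metadata_xml):
    """Pull the values that go into the FortiSandbox IdP fields (steps 10, 12, 13)."""
    root = ET.fromstring(metadata_xml)
    desc = root.find("md:IDPSSODescriptor", NS)
    # Only the signing certificate matters for verifying assertions on the SP side.
    cert = desc.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "IdP Entity ID": root.get("entityID"),
        "IdP login URL": desc.find("md:SingleSignOnService", NS).get("Location"),
        "IdP logout URL": desc.find("md:SingleLogoutService", NS).get("Location"),
        "IdP certificate": "".join(cert.text.split()),  # Base64 body, whitespace stripped
    }


def sp_urls(fortisandbox_host):
    """The SP URLs FortiSandbox shows under System > SAML SSO (step 4 table)."""
    base = f"https://{fortisandbox_host}/sso_sp"
    return {"Identifier (Entity ID)": base,
            "Reply URL and Sign on URL": base + "/op/?acs",
            "Logout URL": base + "/op/?sls"}


def uses_private_ip(url):
    """True when the URL host is a private IP literal (the case the public-cloud note flags)."""
    host = urlparse(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # DNS name, not an IP literal
```

Compare the dictionary returned by idp_settings with what you typed into the FortiSandbox IdP fields, and treat any sp_urls entry for which uses_private_ip is True as one to rewrite with the public IP before saving the Basic SAML Configuration.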

Assign Azure AD users and groups to the application

To assign Azure AD users and groups to the application:
  1. In Azure, go to Manage > Users and groups and click Add user/group.

  2. Select the users or groups.
