Configuring the Azure AD
The following Azure AD configuration demonstrates how to add the FortiSandbox as an enterprise non-gallery application. This application provides SAML SSO connectivity to the Azure AD IdP. Some steps are performed concurrently on the FortiSandbox .
This example is configured with an Azure AD free-tier directory. There may be limitations to managing users in Azure in this tier that are not limited in other tiers. Consult the Microsoft Azure AD documentation for more information. |
To configure Azure AD:
- Create a new enterprise application.
- Configure the SAML SSO settings on the application and FortiSandbox.
- Assign Azure AD users and groups to the application.
Create a new enterprise application.
To create a new enterprise application:
- Log in to the Azure portal.
- In the Azure portal menu, click Azure Active Directory.
- In the left navigation pane menu go to Manage > Enterprise applications.
- Click New application.
- Click Create your own application.
- Enter a name for the application and select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create.
Configure the SAML SSO settings on the application and FortiSandbox
This task requires going back and forth between Azure and the FortiSandbox GUI. We recommend keepingthe FortiSandbox GUI open for the entire procedure. |
To configure the SAML SSO settings on the application and FortiSandbox
- On the Enterprise Application overview page, go to Manage > Single sign-on and select SAML as the single sign-on method.
- Click Edit of Section 1 (Basic SAML Configuration)
- Keep the Azure Portal open and in FortiSandbox go to System > SAML SSO and click Enable next to Enable SSO.
- In Azure go to Set up Single Sign-On with SAML > Edit Section 1 and copy the following URLs from the FortiSandbox to the Basic SAML Configuration section:
From ForiSandbox
To Azure field
SP Entity ID
(
https://10.1.0.1/sso_sp
)Identifier (Entity ID)
SP login URL
(
https://10.1.0.1/sso_sp/op/?acs
)Reply URL and Sign on URL
SP logout URL
(
https://10.1.0.1/sso_sp/op/?sls
)Logout URL
If you are deploying FortiSandbox or FortiAuthenticator on a public cloud you will need manually updated to the Private IP to the Public IP. Otherwise, the URLs will not work.
- Click Save.
- Edit Section 2 (Attributes & Claims) > Add new claim.
- Configure the new claim:
Name
username
Namespace
Leave blank.
Source
Attribute
Source attribute
user.userprincipalname
The value of this attribute has to match the username of the administrator who will be logging in.
-
Click the Save button to add this new claim.
-
Click the close button (X) at the top-right to return.
- In Section 3 (SAML Certificates), download the Certificate (Base64).
- To import this certificate into FortiSandbox, go to System > Certificates.
- On FortiSandbox, go to System > SSO to configure the SSO settings. Copy the following URLs from Azure AD SAML-based Sign-on > Section 4 page:
From Azure
To FortiSandbox field
Azure AD Identifier
IdP Entity ID
Login URL
IdP login URL
Logout URL
IdP logout URL
- For IdP certificate, choose the certificate you imported earlier.
- Click OK, to save you settings to FortiSandbox.
Assign Azure AD users and groups to the application
To assign Azure AD users and groups to the application:
- In Azure, go to Manage > Users and groups and click Add user/group.
- Select the users or groups.