Administration Guide

Configuring FortiSASE with Entra ID SSO in endpoint mode

You can configure a single sign on (SSO) connection with Microsoft Entra ID via SAML, where Entra ID is the identity provider (IdP) and FortiSASE is the service provider (SP). This feature allows end users to connect to VPN by logging in with their Entra ID credentials.

Before completing the following steps, see Configuring FortiSASE with Entra ID SSO: SAML configuration fields for details on how Entra ID SAML fields map to FortiSASE SAML fields.

Configuring FortiSASE with Entra ID SSO

To configure FortiSASE with Entra ID SSO:
  1. In FortiSASE, go to Configuration > VPN User SSO. The first step of the SSO configuration wizard displays the entity ID, SSO URL, and single logout URL. You use these values to configure FortiSASE as an SP in Azure. Copy these values.
  2. Create and configure your FortiSASE environment in Azure:
    1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications > New application.
    2. Search for and select FortiSASE.
    3. Click Create.
    4. Assign Entra ID users and groups to FortiSASE.
    5. Go to Set up single sign on.
    6. For the SSO method, select SAML.
    7. In Basic Configuration, enter the values that you copied in step 1 in the Identifier (Entity ID), Reply URL, Sign on URL, and Logout URL fields. Click Save.
  3. Obtain the IdP information from Azure:
    1. The SAML Signing Certificate box contains links to download the SAML certificate. Download the certificate.
    2. The Set up <FortiSASE instance name> box lists the IdP information that you must provide to FortiSASE. Copy the values in the Login URL, Entra ID Identifier, and Logout URL fields.
  4. Configure the IdP information in FortiSASE:
    1. In FortiSASE, click Next in the SSO wizard. In the IdP Entity ID, IdP Single Sign-On URL, IdP Single Log-Out URL fields, paste the values that you copied from the Entra ID Identifier, Login URL, and Logout URL fields, respectively.
    2. From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded. Click Next.
    3. In the Service Provider Certificate field, use FortiSASE Default Certificate or your own custom certificate. Click + to add your own custom certificate.
    4. For Digest Method, select SHA-1 or SHA-256. The digest method should match the digest method on Azure if Certificate Verification is enabled on Azure.
    Note

    FortiSASE Default Certificate is a built-in wildcard certificate on FortiSASE signed by a well-known public CA and remains the same across all of your points of presence.

    FortiSASE Default Certificate also renews periodically. Thus, if the IdP uses the Service Provider Certificate in its configuration, administrators must periodically update the IdP configuration with the new SP certificate. To avoid having to update your IdP configuration frequently, we recommend uploading your own certificate.

  5. Review the SAML configuration, then click Submit.
  6. (Optional) If you want Entra ID to perform SP signature verification, download the Service Provider Certificate from FortiSASE: go to System > Certificate, select FortiSASE Default Certificate, and click Download. On the Azure application, under SAML Certificates, upload the FortiSASE Default Certificate and select the digest method that matches what is configured on FortiSASE in step 4.d.
  7. Invite Entra ID users to FortiSASE:
    1. (Optional) If you want to define a group of users, create a user group:
      1. Go to Configuration > Users.
      2. Click Create > User Group.
      3. In the Members field, click +.
      4. In the Select Entries pane, select the desired users to add to this user group.
      5. In the Remote Groups field, select Create.
      6. From the Remote Server dropdown list, select the desired server.
      7. In the Groups field, add the desired groups from the selected server to this user group. Click OK.
      8. Click OK.
    2. In Configuration > Single Sign On (SSO), click Onboard Users.
    3. Under Invite Users, enter the email addresses of the users that you want to add to FortiSASE.
    4. Click Send. FortiSASE sends invitation emails to these users so that they can download FortiClient and connect to FortiSASE.
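The values pasted in step 4 (Entra ID Identifier, Login URL, Logout URL, signing certificate) are also published in the IdP's SAML metadata. The following added Python example (not Fortinet's code) reads such metadata into the FortiSASE wizard field names and prints the SHA-256 fingerprint of the IdP signing certificate, so the certificate uploaded in step 4.b can be checked against what Entra ID actually advertises. The metadata below is a constructed sample with a placeholder tenant ID and placeholder certificate bytes, not a real tenant.

```python
# Added example: map SAML IdP metadata onto the FortiSASE SSO wizard fields.
# Not Fortinet's code. SAMPLE_METADATA is constructed: the tenant ID is a
# placeholder and the X509Certificate body ("YWJj") is not a real certificate.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, colon-separated as certificate UIs show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def idp_fields_for_fortisase(metadata_xml: str) -> dict:
    """Return the IdP values keyed by the FortiSASE wizard field names (step 4)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def redirect_endpoint(tag: str) -> str:
        # Only the HTTP-Redirect binding is useful for the wizard URL fields.
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        raise ValueError(f"{tag} with HTTP-Redirect binding not found")

    cert_path = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert_el = (idp.find(f"md:KeyDescriptor[@use='signing']/{cert_path}", NS)
               or idp.find(f"md:KeyDescriptor/{cert_path}", NS))  # no 'use' = any
    if cert_el is None or not cert_el.text:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(cert_el.text.split()))
    return {"IdP Entity ID": root.get("entityID"),                          # Entra ID Identifier
            "IdP Single Sign-On URL": redirect_endpoint("SingleSignOnService"),  # Login URL
            "IdP Single Log-Out URL": redirect_endpoint("SingleLogoutService"),  # Logout URL
            "IdP Certificate SHA-256": cert_fingerprint(der)}  # compare with downloaded .cer
```

Compare the printed fingerprint with the one shown for the certificate you uploaded in step 4.b; a mismatch means FortiSASE would reject assertions signed by the live Entra ID key.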

Verifying Entra ID SAML SSO configuration

To verify the Azure SAML SSO configuration:
  1. In FortiClient on an endpoint, go to the REMOTE ACCESS tab. The tab should display a SAML Login button.
  2. Click the SAML Login button.
  3. In the dialog, sign in with your Entra ID credentials to connect to VPN.
