Administration Guide

Configuring FortiSASE with Microsoft Entra ID single sign on in SWG mode


You can configure a single sign on (SSO) connection with Microsoft Entra ID (formerly known as Azure Active Directory or Azure AD) via SAML, where Entra ID is the identity provider (IdP) and FortiSASE is the service provider (SP). This feature allows end users to configure FortiSASE as their secure web gateway (SWG) server and authenticate using their Entra ID credentials.

Before completing the following steps, see Configuring FortiSASE with Entra ID SSO: SAML configuration fields for details on how Entra ID SAML fields map to FortiSASE SAML fields.

Configuring FortiSASE with Entra ID SSO

To configure FortiSASE with Entra ID SSO:
  1. In FortiSASE, go to Configuration > SWG User SSO. The first step of the SSO configuration wizard displays the entity ID, SSO URL, and single logout URL. You use these values to configure FortiSASE as an SP in Azure. Copy these values.
  2. Create and configure your FortiSASE environment in Azure:
    1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications > New application.
    2. Search for and select FortiSASE.
    3. Click Create.
    4. Assign Entra ID users and groups to FortiSASE.
    5. Go to Set up single sign on.
    6. For the SSO method, select SAML.
    7. In Basic Configuration, enter the values that you copied in step 1 in the Identifier (Entity ID), Reply URL, Sign on URL, and Logout URL fields. Click Save.
  3. Obtain the IdP information from Azure:
    1. The SAML Signing Certificate box contains links to download the SAML certificate. Download the certificate.
    2. The Set up <FortiSASE instance name> box lists the IdP information that you must provide to FortiSASE. Copy the values in the Login URL, Entra ID Identifier, and Logout URL fields.
  4. Configure the IdP information in FortiSASE:
    1. In FortiSASE, click Next in the SSO wizard. In the IdP Entity ID, IdP Single Sign-On URL, and IdP Single Log-Out URL fields, paste the values that you copied from the Entra ID Identifier, Login URL, and Logout URL fields, respectively.
    2. From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded. Click Next.
  5. Review the SAML configuration, then click Submit.
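Step 3 copies three URLs and a certificate out of the Azure portal and step 4 pastes them into the FortiSASE wizard. The same information is published in the Federation Metadata XML that Entra ID offers for the application (assumed here to be downloadable from the same SAML Signing Certificate box), so the values can be checked before they are pasted. The script below is an added example, not Fortinet's or Microsoft's code: it parses such a metadata document into the FortiSASE field names used in step 4, converts the signing certificate to the PEM form the IdP Certificate upload expects, and flags non-https endpoints or a certificate blob that does not decode to DER. The embedded metadata is a constructed stand-in whose tenant ID, URLs and certificate bytes are placeholders; the assumption that Entra ID's metadata is a standard SAML 2.0 EntityDescriptor with HTTP-Redirect endpoints is mine.

```python
"""Check Entra ID federation metadata before pasting values into the FortiSASE SSO wizard.

Added example (not Fortinet's or Microsoft's code). The sample document below is a
constructed stand-in: tenant ID, URLs and certificate bytes are placeholders.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# How the Azure "Set up <instance>" box maps onto the FortiSASE wizard (from step 4).
AZURE_TO_FORTISASE = {
    "Entra ID Identifier": "IdP Entity ID",
    "Login URL": "IdP Single Sign-On URL",
    "Logout URL": "IdP Single Log-Out URL",
}

# Constructed sample metadata: shape follows an Entra ID IdP EntityDescriptor, values are placeholders.
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_CERT_DER = b"\x30\x03\x02\x01\x01"  # a bare DER SEQUENCE, not a real certificate
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{PLACEHOLDER_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}">
        <X509Data><X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the IdP values keyed by the FortiSASE wizard field names."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(tag: str) -> str:
        # Only the HTTP-Redirect endpoint is wanted; other bindings may also be listed.
        svc = [e for e in idp.findall(f"{{{MD}}}{tag}") if e.get("Binding") == REDIRECT]
        if not svc:
            raise ValueError(f"no {tag} with an HTTP-Redirect binding")
        return svc[0].get("Location")

    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # absent 'use' means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append(der_to_pem(base64.b64decode("".join(cert.text.split()))))

    return {
        AZURE_TO_FORTISASE["Entra ID Identifier"]: root.get("entityID"),
        AZURE_TO_FORTISASE["Login URL"]: location("SingleSignOnService"),
        AZURE_TO_FORTISASE["Logout URL"]: location("SingleLogoutService"),
        "IdP Certificate": certs,
    }


def check_idp_values(values: dict) -> list[str]:
    """Return human-readable findings; an empty list means the values look pasteable."""
    findings = []
    for field in AZURE_TO_FORTISASE.values():
        url = values.get(field) or ""
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"{field}: expected an https URL, got {url!r}")
    certs = values.get("IdP Certificate") or []
    if not certs:
        findings.append("IdP Certificate: metadata carries no signing certificate")
    for pem in certs:
        body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
        der = base64.b64decode(body)
        if not der or der[0] != 0x30:  # every X.509 certificate starts with a DER SEQUENCE tag
            findings.append("IdP Certificate: body is not DER; re-download the certificate")
    return findings


if __name__ == "__main__":
    found = parse_idp_metadata(SAMPLE_METADATA)
    for field, value in found.items():
        print(f"{field}: {value if field != 'IdP Certificate' else f'{len(value)} certificate(s)'}")
    print("findings:", check_idp_values(found) or "none")
```

Run it against the real download instead of SAMPLE_METADATA by reading the file into `parse_idp_metadata`; the printed values are the ones to paste in step 4, and the PEM text in `IdP Certificate` is what the Create option in the IdP Certificate dropdown expects. The checks deliberately stay on the shape of the values: the wizard itself establishes the trust, and a wrong but well-formed URL will surface as a failed sign-in rather than here.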

Configuring FortiSASE as an SWG server

The end user follows these instructions to configure SWG mode on their machine. The end user can configure SWG settings at the OS level or in a browser. When the user configures SWG settings at the OS level, they are applied to all installed browsers. The following gives instructions for configuring SWG settings at the OS level on a Windows 10 device.

To configure Windows 10 to use the FortiSASE SWG server:
  1. In Windows, go to Windows Settings > System > Proxy Settings.
  2. Enable Use setup script.
  3. In the Script address field, enter the Hosted PAC File URL.
  4. The next time the user starts a browser session, the browser displays an authentication prompt. The end user enters their Entra ID credentials in the prompt. After ten minutes of inactivity, the browser reprompts for authentication credentials.
