Administration Guide

Searching user groups from Entra ID SSO

After performing the preliminary steps and obtaining the Microsoft Entra ID (formerly Azure Active Directory or Azure AD) single sign-on (SSO) credentials, you can configure them in FortiSASE to enable dynamic group discovery from Entra ID SSO and select a group for SAML group matching.

Note

The following example searches user groups from Entra ID SSO in FortiSASE for an endpoint mode SSO configuration; the general steps also apply to a secure web gateway mode SSO configuration.

To search user groups from Entra ID SSO in endpoint mode:
  1. Go to Configuration > VPN User SSO.
    1. For a new configuration, enter the Entra ID SSO fields.
    2. For an existing configuration, click the pencil icon to the right of Identity Provider Configuration.
  2. Select SAML Group Matching and click Search.
  3. From the SAML Provider Type dropdown list, select Entra ID. Next to SAML Provider Credential, click Change.
  4. Enter the Entra ID credentials obtained from the Entra ID portal:
    • Tenant ID
    • Client ID
    • Client Secret
  5. Click OK to save the credentials.
  6. Click Select group next to SAML Remote User Groups. The groups are retrieved dynamically from Entra ID and populate the table. Select a remote user group from the table and click OK to save the changes.
  7. The Configure Service Provider page now has the Group Name automatically filled in with the selected user group's name. Click Next to advance past this page and click Submit on the Review page to submit the VPN user SSO configuration settings.
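Before entering the Tenant ID, Client ID and Client Secret in step 4, an administrator can confirm offline from FortiSASE that the triple actually allows group enumeration. The following added example (not part of this guide, and not FortiSASE code) assumes that dynamic group discovery is performed with an OAuth 2.0 client-credentials token against Microsoft Graph; the token and groups endpoints are Microsoft's standard ones, and the sample token and group list are constructed so the parsing helpers can be exercised without network access.

```python
# Pre-flight check for the Tenant ID / Client ID / Client Secret triple:
# acquire an app token, check it carries a group-reading permission, list groups.
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GROUPS_URL = "https://graph.microsoft.com/v1.0/groups?$select=id,displayName"
# Any one of these application permissions lets the app enumerate groups.
GROUP_ROLES = {"Group.Read.All", "GroupMember.Read.All", "Directory.Read.All"}

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST (URL and form body) for the tenant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return TOKEN_URL.format(tenant=tenant_id), body.encode()

def token_roles(access_token):
    """App roles granted in the JWT payload (no signature check: this only
    inspects our own token so a later 403 is explained before it happens)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def group_names(graph_response):
    """Display names from a Graph /groups response body, sorted for display."""
    return sorted(g["displayName"] for g in graph_response.get("value", []))

def fetch_groups(tenant_id, client_id, client_secret):
    """Run the whole check live; needs network access to Entra ID and Graph."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(url, body) as resp:
        token = json.load(resp)["access_token"]
    if not GROUP_ROLES.intersection(token_roles(token)):
        raise PermissionError("token lacks a group-reading permission; grant and consent to one")
    req = urllib.request.Request(GROUPS_URL, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return group_names(json.load(resp))

# Constructed sample data so the parsing helpers can be exercised offline.
SAMPLE_TOKEN = "hdr." + base64.urlsafe_b64encode(
    json.dumps({"roles": ["Group.Read.All"]}).encode()).rstrip(b"=").decode() + ".sig"
SAMPLE_GROUPS = {"value": [{"id": "g2", "displayName": "Sales"}, {"id": "g1", "displayName": "Engineering"}]}
```

If `fetch_groups` returns an empty list while the Entra ID portal shows groups, the app registration is typically missing admin consent for one of the listed permissions, which is also why the Select group table in step 6 would come back empty.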
