Administration Guide

Configuring FortiAuthenticator Cloud - II

To fully configure the remote SAML server on FortiAuthenticator Cloud:
  1. Go to the open web browser and continue configuring Create New Remote SAML Server in FortiAuthenticator Cloud.
  2. Confirm Type is still set to Proxy.
  3. For the Entity ID, ensure the Azure identity provider (IdP) option is still selected.
  4. By this point you have already completed the Entra ID SAML configuration and obtained the IdP metadata file. Under IdP Metadata, click Import IdP metadata, select the Federation Metadata XML file saved previously, and click OK to import the file. After the import, confirm that the IdP entity ID and IdP single sign-on URL fields have been populated from the file.
  5. For Send username in this parameter, enter login_hint.
  6. Ensure Strip realm from username before sending is unchecked.
  7. In Single logout, confirm Enable SAML single logout is still checked.
  8. In Group Membership, select Cloud and choose the previously created Azure OAuth server. Update the Groups field to match what is configured on the Azure side.
  9. Click OK to save changes.
To create an Azure realm and add it to the IdP:
  1. In FortiAuthenticator Cloud, go to Authentication > User Management > Realms.
  2. Click Create New.
  3. Enter the realm name. This should be the domain of the SAML usernames. For example, for usernames such as jsmith@domain.com, the realm name should be set as domain.com.
  4. Select the User source as the newly created remote SAML authentication server.
  5. Click OK.
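The import in step 4 of the remote SAML server procedure reads the IdP's entityID, SingleSignOnService location and signing certificate out of the Federation Metadata XML, and the realm procedure above relies on the part of the username after the @ sign. The following Python script is an added example, not code from the Fortinet guide or from FortiAuthenticator: it parses a federation metadata document the same way, so you can check the values the GUI populated against the file you actually uploaded, and it shows what is forwarded in the login_hint parameter with Strip realm from username before sending left unchecked. The XML, the tenant GUID, the certificate body and the "GUI fields" dictionary are constructed placeholders, not real Entra ID output.

```python
"""Check a SAML IdP metadata import offline (added example; sample data is constructed)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed federation metadata: the tenant GUID is all zeros and the
# X509Certificate body is a base64 placeholder, not a real certificate.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBCERTPLACEHOLDER=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_bytes: bytes) -> dict:
    """Extract entityID, SSO/SLO endpoints (keyed by binding) and the SHA-256
    fingerprints of the signing certificates from IdP metadata."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        # An SPSSODescriptor-only file is SP metadata and must not be imported here.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD}}}SingleLogoutService")}
    fingerprints = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a "use" attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "sso": sso, "slo": slo,
            "signing_cert_sha256": fingerprints}


def check_imported_fields(gui_fields: dict, meta: dict) -> list:
    """Compare the values shown in the GUI after import with the metadata file.
    Returns a list of discrepancies; an empty list means the import matches."""
    problems = []
    if gui_fields.get("IdP entity ID") != meta["entity_id"]:
        problems.append("IdP entity ID does not match the metadata entityID")
    if gui_fields.get("IdP single sign-on URL") not in meta["sso"].values():
        problems.append("IdP single sign-on URL is not a SingleSignOnService Location in the metadata")
    if not meta["signing_cert_sha256"]:
        problems.append("metadata carries no signing certificate; assertions could not be verified")
    return problems


def split_realm(username: str) -> tuple:
    """jsmith@domain.com -> ("jsmith", "domain.com"); the realm name is the domain part."""
    user, sep, realm = username.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"expected user@realm, got {username!r}")
    return user, realm


def login_hint_value(username: str, strip_realm: bool = False) -> str:
    """Value sent in login_hint. With Strip realm unchecked (the guide's setting),
    the full username is forwarded so Entra ID can match the UPN."""
    return split_realm(username)[0] if strip_realm else username


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    # Constructed stand-in for what the GUI displays after the import.
    gui = {"IdP entity ID": meta["entity_id"], "IdP single sign-on URL": meta["sso"][REDIRECT]}
    print("entityID:", meta["entity_id"])
    print("SSO (redirect):", meta["sso"][REDIRECT])
    print("signing cert sha256:", meta["signing_cert_sha256"])
    print("discrepancies:", check_imported_fields(gui, meta) or "none")
    print("realm for jsmith@domain.com:", split_realm("jsmith@domain.com")[1])
    print("login_hint:", login_hint_value("jsmith@domain.com"))
```

Run it against the real Federation Metadata XML you downloaded from Entra ID (replace SAMPLE_METADATA with the file's bytes) and compare the printed entityID and SSO URL with the fields FortiAuthenticator Cloud populated; the certificate fingerprint is also worth recording, since a later certificate rotation on the Entra ID side will require re-importing the metadata.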
To enable the SAML IdP portal:
  1. In FortiAuthenticator Cloud, go to Authentication > SAML IdP > General.
  2. Enable SAML identity provider portal, and enter the following:
    1. Username input format: username@realm (default)
    2. Realms: click Add a realm to add the realm associated with the remote server for Azure IdP.
    3. Default IdP certificate: select a default certificate to use.
  3. Ensure Legacy login sequence is disabled.
  4. Click OK to save changes.
To download the IdP certificate:
  1. In FortiAuthenticator Cloud, go to Certificate Management > End Entities > Local Services.
  2. Click Export Certificate to export the certificate being used as the Default IdP certificate.
  3. In the file browser, choose where to save the file and click Save.
To partially configure a SAML SP entry for FortiSASE in FortiAuthenticator Cloud:
  1. In FortiAuthenticator Cloud, go to Authentication > SAML IdP > Service Providers and create a new reference for the service provider that you will be using as your SAML client.
  2. Enter the following information:
    1. SP name: enter a name for the service provider (SP) device.
    2. IdP prefix: select +, enter an IdP prefix in the Create Alternate IdP Prefix dialog or select Generate prefix, and click OK.
    3. Server certificate: select the same certificate as the default IdP certificate used in Authentication > SAML IdP > General. See Configuring SAML IdP settings.
  3. Copy the following information to use for configuring FortiSASE later:
    • IdP entity ID
    • IdP single sign-on URL
    • IdP single logout URL
  4. Click Save.
  5. Keep this page open in your web browser since you will continue configuring it after configuring FortiSASE.