Administration Guide

Configuring FortiSASE with FortiAuthenticator Cloud in endpoint mode

To configure the FortiAuthenticator Cloud IdP information in FortiSASE:
  1. In FortiSASE, go to Configuration > VPN User SSO.
  2. Copy the following fields from the Configure Identity Provider page. You use these fields to complete the FortiAuthenticator Cloud SAML service provider configuration.
    • Entity ID
    • ACS URL
    • SLS URL
  3. Click Next in the single sign-on (SSO) wizard.
  4. In the IdP Entity ID, IdP Single Sign-On URL, and IdP Single Log-Out URL fields, paste the corresponding values that you copied from the FortiAuthenticator Cloud SAML IdP > Service Providers fields.
  5. From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded from FortiAuthenticator Cloud. Click Next.
  6. In the Service Provider Certificate field, use FortiSASE Default Certificate or your own custom certificate. Click + to add your own custom certificate.
  7. For Digest Method, select SHA-1 or SHA-256. The digest method should match the digest method on Azure if Certificate Verification is enabled on Azure.
  8. Note

    FortiSASE Default Certificate is a built-in wildcard certificate on FortiSASE signed by a well-known public CA and remains the same across all of your points of presence.

    FortiSASE Default Certificate also renews periodically. Thus, if IdPs use the Service Provider Certificate in their configuration, administrators must periodically update their IdP configuration with the new SP certificate. To avoid having to update your IdP configuration frequently, we recommend uploading your own certificate.

  9. Review the SAML configuration, then click Submit.
  10. Click OK to confirm that SSO authentication will take priority over existing LDAP and RADIUS authentication methods.
  11. Invite Microsoft Entra ID (formerly known as Azure Active Directory or Azure AD) users to FortiSASE:
    1. (Optional) If you want to define a group of users, create a user group:
      1. Go to Configuration > Users.
      2. Click Create > User Group.
      3. In the Members field, click +.
      4. In the Select Entries pane, select the desired users to add to this user group.
      5. In the Remote Groups field, select Create.
      6. From the Remote Server dropdown list, select the desired server.
      7. In the Groups field, add the desired groups from the selected server to this user group. Click OK.
      8. Click OK.
    2. In Configuration > Single Sign On (SSO), click Onboard Users.
    3. Under Invite Users, enter the email addresses of the users that you want to add to FortiSASE.
    4. Click Send. FortiSASE sends invitation emails to these users so that they can download FortiClient and connect to FortiSASE.
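The note above means the SP certificate held by the IdP can silently go stale after FortiSASE renews its default certificate. The following added example (not Fortinet's code; hostnames and the certificate blob are constructed placeholders) parses SP metadata in the standard SAML shape, extracts the Entity ID, ACS URL, SLS URL and the SP certificate fingerprint, and reports which values on the IdP side no longer match.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata sample: example.com hostnames and a placeholder
# byte string in place of a real DER certificate (fingerprinting still works).
FAKE_CERT_B64 = base64.b64encode(b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT").decode()
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sase.example.com/remote/saml/metadata/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sase.example.com/remote/saml/logout/"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sase.example.com/remote/saml/login/" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % FAKE_CERT_B64


def parse_sp_metadata(xml_text):
    """Return the SP values an IdP must hold: entity ID, ACS URL, SLS URL
    and the SHA-256 fingerprint of the SP signing certificate (DER bytes)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    cert_b64 = sp.find(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert_b64.split()))
    return {
        "entity_id": root.get("entityID"),
        "acs_url": sp.find("md:AssertionConsumerService", NS).get("Location"),
        "sls_url": sp.find("md:SingleLogoutService", NS).get("Location"),
        "cert_sha256": hashlib.sha256(der).hexdigest(),
    }


def find_drift(sp_values, idp_config):
    """Compare what the SP currently publishes with what the IdP has stored.
    A non-empty list names the IdP-side fields that must be updated."""
    keys = ("entity_id", "acs_url", "sls_url", "cert_sha256")
    return sorted(k for k in keys if sp_values.get(k) != idp_config.get(k))
```

Run `find_drift` on a schedule against the IdP's stored values; a `cert_sha256` entry is the signal that the renewed default certificate has not yet been pushed to the IdP.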