Deployment overview

You can achieve FortiSASE agent-based remote user authentication by configuring the authentication source as a SAML identity provider, such as the cloud-based Microsoft Entra ID single sign-on (SSO) service.

When you configure FortiSASE to use the Entra ID SSO service to authenticate Windows agent-based FortiClient VPN users, the VPN autoconnect feature lets you configure FortiClient to automatically establish an SSL VPN connection with one of the FortiSASE security points of presence (PoPs) immediately after FortiClient is installed, and every time a user logs into Windows using Entra ID credentials. VPN autoconnect for FortiClient is a Windows-only feature.

In the use case that this deployment guide considers, the user follows this typical workflow:

  1. The user logs into Windows using Entra ID credentials and installs FortiClient using a custom installer.
  2. After installation, FortiClient receives its remote access configuration from the FortiSASE Endpoint Management Service and uses Entra ID login information to automatically establish an SSL VPN connection.
  3. Whenever the user logs in to Windows using their Entra ID credentials, FortiClient silently and automatically establishes an SSL VPN connection to the FortiSASE security PoP without the user needing to reenter their credentials or open the FortiClient console.

Entra ID is the remote authentication source configured for this use case. This VPN autoconnect use case relies on two different mechanisms for achieving SSO with Entra ID:

  • SAML authentication for Windows authentication on a workstation joined to Entra ID
  • OAuth 2.0 authorization for FortiClient VPN user authentication on the FortiSASE security PoP

Intended audience

Midlevel network and security architects, engineers, and administrators in companies of all sizes and verticals looking to deploy VPN autoconnect for FortiSASE agent-based remote users using Entra ID SSO via SAML should find this guide helpful. A working knowledge of Microsoft Azure portal configuration and FortiClient usage is helpful.

About this guide

This deployment guide describes the steps involved in deploying the Windows-only VPN autoconnect feature for FortiSASE agent-based Windows endpoints using Entra ID SSO for VPN authentication. Since several configuration steps are behind the scenes on the FortiSASE backend, this deployment guide focuses on the Azure portal configuration and FortiClient agent steps required for deploying this use case.