Configuring SSO SAML users

Depending on the authentication source, the user configuration steps differ. This example shows configuring single sign on (SSO) users and user groups against an Azure Active Directory (AD) identity provider (IdP).

For configuring other authentication sources, see Authentication Sources and Access. When SSO is configured, other user types do not work.

To configure the SSO SAML configuration:
  1. Go to Configuration > SWG User SSO.
  2. In step one, Configure Identity Provider, collect the URLs on FortiSASE and enter them into the respective fields in the SSO settings of the respective Azure AD enterprise application.

    FortiSASE SAML field                    Azure AD Basic SAML Configuration field
    Entity ID                               Identifier (Entity ID)
    Assertion Consumer Service (ACS) URL    Reply URL (Assertion Consumer Service URL)
    Portal (Sign On) URL                    Sign on URL
    Single Logout Service (SLS) URL         Logout Url (Optional)

    Click Next.

  3. In step two, Configure Service Provider, collect the URLs from the Azure AD enterprise application Single sign-on > Set up <application name>. Enter them into the respective fields in FortiSASE.

    Azure AD > Set up <application name> field    FortiSASE SAML field
    Login URL                                     IdP Single Sign-On URL
    Azure AD Identifier                           IdP Entity ID
    Logout URL                                    IdP Single Log-Out URL

    Click Next.

  4. With claims mapping, you can specify the identifier for the username and group name attributes in Azure. The default configuration uses username and group respectively, which matches the attribute names in Azure. If you need custom names, modify them here.
  5. Enable and configure SAML Group Matching if you only want Azure AD users of a certain group to be allowed to authenticate. Otherwise, leave this setting disabled. You can further define more granular groups when you configure user group settings.
  6. FortiSASE requires the IdP certificate. Configure the IdP certificate:
  7. Download the certificate from the Azure AD enterprise application > Single sign-on > SAML Signing Certificate > Certificate (Base64).
    1. On the IdP Certificate dropdown list, click Create.
    2. In the Import Remote Certificate slide-in, upload the certificate from Azure.
    3. Enter a unique name for the certificate, then click OK.
    4. Select the certificate, then click Next.
  8. Review your settings, then click Submit to apply.
  9. Upon successful configuration, FortiSASE displays instructions for onboarding users. Follow the steps under SWG Users to download the SWG certificate for use on the client. The certificate package contains the built-in certificate authority certificate for the FortiSASE instance. This must be installed in the certificate store on the client so that the client trusts the certificate chain for pages that FortiSASE has signed.
To configure an SSO user group:
  1. Go to Configuration > Users.
  2. Click Create. Select User Group, and click Next.
  3. In the Name field, enter the desired name.
  4. Under Remote Groups, click Create.
  5. From the Remote Server dropdown list, select the SAML server that you created.
  6. In the Groups field, enter the group(s) to allow access on FortiSASE. Each entry is the group object ID of the user group defined in Azure, not its display name.
  7. Click OK to finish. Click OK again to create the user group. You can apply this new user group to your SWG policies.
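The claims mapping in step 4, SAML Group Matching in step 5 and the group object IDs entered in step 6 of the group procedure together decide which assertions are accepted. The following Python, an added example rather than FortiSASE's own code, models those checks on a constructed Azure AD response; the entity IDs, group object IDs and username are assumed values, and XML signature verification against the uploaded IdP certificate is assumed to have already happened before this code runs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed stand-ins for the values exchanged in steps 2 and 3 (assumptions).
IDP_ENTITY_ID = "https://sts.windows.net/aaaaaaaa-0000-0000-0000-000000000000/"  # Azure AD Identifier
SP_ENTITY_ID = "https://tenant.fortisase.invalid/saml/metadata"                  # FortiSASE Entity ID
ALLOWED_GROUP_IDS = {"11111111-2222-3333-4444-555555555555"}  # Azure group object ID (group step 6)

def extract_claims(response_xml, username_attr="username", group_attr="group"):
    """Apply the claims mapping (default attribute names "username"/"group") to an
    assertion whose signature was ALREADY verified against the IdP certificate.
    Issuer and Audience are pinned so a token minted for another IdP or SP is rejected."""
    root = ET.fromstring(response_xml)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Issuer does not match IdP Entity ID")
    if assertion.findtext(".//saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("Audience does not match FortiSASE Entity ID")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:Attribute", NS)}
    username = attrs.get(username_attr, [None])[0]
    return username, attrs.get(group_attr, [])

def group_matches(groups, allowed=ALLOWED_GROUP_IDS):
    """SAML Group Matching: the user must carry at least one allowed object ID."""
    return bool(set(groups) & set(allowed))

def authorize(response_xml):
    """Return the username if the assertion is acceptable, otherwise None."""
    try:
        username, groups = extract_claims(response_xml)
    except ValueError:
        return None
    return username if username and group_matches(groups) else None

# Constructed sample response (unsigned; signature checking is out of scope here).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>99999999-8888-7777-6666-555555555555</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```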