
Administration Guide

Configuring FortiSASE with FortiTrust ID as SAML IdP proxy for Entra ID SSO

FortiTrust Identity (FortiTrust ID) performs the function of a SAML identity provider (IdP) as well as an IdP proxy and enforces multifactor authentication (MFA). FortiTrust ID is composed of FortiAuthenticator Cloud for IdP and IdP proxy functionality and FortiToken Cloud for MFA including adaptive authentication.

A use case for IdP proxy is when using multiple IdPs to authenticate different user types. For example, you may authenticate employees using Microsoft Entra ID while contractors use Google Workspace or Okta.

You can configure a single sign-on (SSO) connection with FortiAuthenticator Cloud via SAML, where FortiAuthenticator Cloud acts as the IdP (here, as an IdP proxy that forwards authentication to Entra ID) and FortiSASE is the service provider (SP). This lets end users connect to the VPN by logging in with the credentials of their own IdP.

This example describes how to set up FortiTrust ID using FortiAuthenticator Cloud as a SAML IdP proxy for Entra ID.

Caution

These steps require FortiTrust ID to be running FortiAuthenticator Cloud 6.5.0 or later, which adds the following features for compatibility with third-party IdPs:

  • Sends username in this parameter: specifies the parameter name in which the remote IdP receives the username, so that the remote IdP can prefill its username login field.
  • Strip realm from username before sending: removes the realm suffix from the username before it is forwarded to the remote IdP.

To upgrade the FortiAuthenticator Cloud instance, see the FortiTrust ID Release Notes for your version, specifically the Upgrade Information section.

  1. In the Azure portal, do the following:
    1. Create an enterprise application using FortiSASE as a template from the Azure App Gallery and copy its application ID. See To create an enterprise application using FortiSASE as a template from the gallery and find the application ID of the FortiSASE enterprise application.
    2. Register the enterprise application with the Microsoft identity platform and generate an authentication key. See To register the enterprise application.
    3. Add the enterprise application as an assignment. See To add the enterprise application as an assignment.
  2. In FortiAuthenticator Cloud, do the following:
    1. Enable the SAML IdP service on the publicly facing interface. See To enable SAML IdP service on interface.
    2. Create a remote OAuth server using the Azure application ID and authentication key. See To create a remote OAuth server.
    3. Start creating a remote SAML server. See To partially configure the remote SAML server on FortiAuthenticator Cloud.
  3. In the Azure portal, configure SAML settings for the FortiSASE application. See To configure SAML settings for the FortiSASE application in Azure and To collect SAML IdP URL information.
  4. In FortiAuthenticator Cloud, do the following:
    1. Finish creating the remote SAML server. See To fully configure the remote SAML server on FortiAuthenticator Cloud.
    2. Create a realm for the domain name. See To create an Azure realm and add it to the IdP.
    3. Enable the SAML IdP portal. See To enable the SAML IdP portal.
    4. Download the IdP certificate. See To download the IdP certificate.
    5. Start creating a SAML Service Provider (SP) entry for FortiSASE. See To partially configure a SAML SP entry for FortiSASE in FortiAuthenticator Cloud.
  5. In FortiSASE, configure FortiSASE with FortiAuthenticator Cloud in FortiClient agent-based mode. See Configuring FortiSASE with FortiAuthenticator Cloud in FortiClient agent-based mode.
  6. In FortiAuthenticator Cloud, finish creating the SAML SP entry for FortiSASE. See Configuring FortiAuthenticator Cloud - III.
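The following Python model, added here as an illustration and not part of the guide or of FortiAuthenticator Cloud's code, shows what the IdP proxy does with the realm and the two compatibility settings above: it routes a login to the remote IdP configured for the user's realm (employees to Entra ID, contractors to a second IdP, as in the use case described earlier), optionally strips the realm, and prefills the username in the configured parameter of the redirect. The realm table, IdP URLs and the per-realm strip setting are constructed assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed realm table (hypothetical values, not from the guide): each realm
# maps a username domain to a remote IdP plus the two compatibility settings,
# "Sends username in this parameter" and "Strip realm from username".
REALMS = {
    "corp.example": {            # employees -> Entra ID
        "idp": "entra-id",
        "sso_url": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2",
        "username_param": "login_hint",
        "strip_realm": False,    # assumption: keep the full UPN for Entra ID
    },
    "contractors.example": {     # contractors -> a second remote IdP
        "idp": "okta",
        "sso_url": "https://example.okta.com/app/saml/sso",
        "username_param": "login_hint",
        "strip_realm": True,     # assumption: this IdP wants the bare username
    },
}


def split_realm(username: str):
    """Return (local_part, realm) for user@realm; realm is None if absent."""
    local, sep, realm = username.rpartition("@")
    if not sep or not local or not realm:
        return username, None
    return local, realm.lower()


def route_login(username: str, saml_request: str) -> dict:
    """Choose the remote IdP for the user's realm and build the redirect the
    proxy would issue, prefilling the username in the configured parameter.
    Users whose realm is not configured are rejected rather than guessed."""
    local, realm = split_realm(username)
    if realm is None or realm not in REALMS:
        raise ValueError(f"no realm configured for user {username!r}")
    cfg = REALMS[realm]
    hint = local if cfg["strip_realm"] else username
    query = {"SAMLRequest": saml_request, cfg["username_param"]: hint}
    return {"idp": cfg["idp"], "redirect": f"{cfg['sso_url']}?{urlencode(query)}"}


def hint_from_redirect(url: str, param: str = "login_hint") -> str:
    """Read the prefilled username back out of a redirect URL (for checks)."""
    return parse_qs(urlsplit(url).query).get(param, [""])[0]
```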