Administration Guide

Configuring FortiSASE with Entra ID SSO: SAML configuration fields

Before you configure FortiSASE with Microsoft Entra ID single sign on (SSO) for endpoint mode (VPN user SSO) or secure web gateway (SWG) mode (SWG user SSO), review the following tables to understand which Entra ID basic SAML configuration fields correspond to FortiSASE SAML fields.

For the Configure Identity Provider step, this table maps the FortiSASE SAML fields that you must copy from FortiSASE and configure in Entra ID:

FortiSASE SAML field                      Entra ID Basic SAML configuration field
Entity ID                                 Identifier (Entity ID)
Assertion Consumer Service (ACS) URL      Reply URL (Assertion Consumer Service URL)
Single Logout Service (SLS) URL           Logout Url (Optional)
Portal (Sign On) URL                      Sign on URL

For the Configure Service Provider step, this table maps the Entra ID SAML fields that you must copy from Entra ID and configure in FortiSASE:

FortiSASE SAML field                      Entra ID Basic SAML configuration field
IdP Entity ID                             Entra ID Identifier
IdP Single Sign-On URL                    Login URL
IdP Single Log-Out URL                    Logout URL
SAML Claims Mapping > Username            username
SAML Claims Mapping > Group Name          http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
SAML Group Matching > Group ID            Object Id (see the steps below for identifying this field from a newly created group in Entra ID)
IdP Certificate                           Base64 SAML certificate name (see the steps below for downloading this certificate from Entra ID). The certificate name must be alphanumeric and fewer than 30 characters.
Service Provider Certificate              You can use the built-in FortiSASE Default Certificate or your own custom certificate from the dropdown list. To import a certificate, click + and import it. See Certificates.
Digest Method                             Use SHA-1 or SHA-256, depending on the hashing method that the IdP supports.
Note

FortiSASE Default Certificate is a built-in wildcard certificate on FortiSASE, signed by a well-known public CA, and it remains the same across all of your points of presence.

FortiSASE Default Certificate also renews periodically. If your IdP references the Service Provider Certificate in its configuration, administrators must update the IdP configuration with the new SP certificate each time it renews. To avoid having to update your IdP configuration frequently, we recommend uploading your own certificate.

FortiSASE instances with an existing or older SSO configuration are, by default, configured with the legacy default certificate (Fortinet_Factory) as their service provider certificate.

FortiSASE administrators have the option to change the legacy default certificate (Fortinet_Factory) to the new FortiSASE Default Certificate. Once FortiSASE is configured to use FortiSASE Default Certificate, administrators can no longer configure or use the legacy default certificate (Fortinet_Factory), so ensure that you update the service provider certificate in your IdP configuration accordingly. FortiSASE instances with a fresh SSO configuration can select FortiSASE Default Certificate directly in the Service Provider Certificate dropdown menu.

Enable and configure SAML group matching if you only want to allow Entra ID users of a certain group to authenticate. Otherwise, leave this setting disabled. You can define more granular groups when configuring user group settings.

To find the Entra ID group Object Id in Entra ID:

  1. In the left pane of the Azure portal (three horizontal lines), go to Microsoft Entra ID > Manage > Groups.
  2. The default view shows all groups. Find the desired group and note the Object Id.

For details on creating a new security group, see Tutorial: Entra ID SSO Integration with FortiGate SSL VPN.

You can find the full group claims list in Configure group claims for applications by using Microsoft Entra ID.
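To show how the claim mapping and group matching in the table above are evaluated on the service-provider side, here is an added example (not Fortinet or Microsoft code). It parses a constructed SAML attribute statement, reads the "username" attribute and the Entra ID groups claim, and applies group matching against a configured group Object Id; the sample assertion and GUIDs are constructed for illustration.

```python
# Added example: evaluate Entra ID SAML claims the way a service provider's
# claims mapping and group matching would. Sample data is constructed.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names as configured under SAML Claims Mapping (from the table above).
USERNAME_CLAIM = "username"
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion: attribute statement only. A real SP verifies
# the assertion signature against the IdP certificate before reading claims.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-222222222222</saml:AttributeValue>
      <saml:AttributeValue>33333333-dddd-4eee-8fff-444444444444</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        claims[attr.get("Name")] = values
    return claims


def evaluate_login(assertion_xml, group_matching_enabled, allowed_group_id=None):
    """Apply claim mapping and optional group matching.
    Returns (username or None, allowed)."""
    claims = extract_claims(assertion_xml)
    usernames = claims.get(USERNAME_CLAIM, [])
    if len(usernames) != 1:          # missing or ambiguous username: reject
        return None, False
    username = usernames[0]
    if not group_matching_enabled:   # group matching disabled: any IdP user passes
        return username, True
    # Entra ID emits group Object Ids (GUIDs); compare case-insensitively.
    groups = {g.lower() for g in claims.get(GROUP_CLAIM, [])}
    allowed = allowed_group_id is not None and allowed_group_id.lower() in groups
    return username, allowed
```

With group matching enabled, a user whose groups claim does not contain the configured Object Id is rejected even though the IdP authenticated them, which is the behaviour the setting above controls.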

To download the IdP certificate from Azure:

  1. In Entra ID, go to your enterprise application, then go to Single sign-on > SAML Signing Certificate.
  2. For Certificate (Base64), click Download to download the identity provider certificate to your computer.
