Fortinet white logo
Fortinet white logo

Administration Guide

Configuring FortiSASE with Entra ID SSO in SWG agentless mode

Configuring FortiSASE with Entra ID SSO in SWG agentless mode

You can configure a single sign on (SSO) connection with Microsoft Entra ID, where Entra ID is the identity provider (IdP) and FortiSASE is the service provider (SP). This feature allows end users to configure FortiSASE as their secure web gateway (SWG) server and authenticate using their Entra ID credentials.

Before completing the following steps, see Configuring FortiSASE with Entra ID SSO: SAML configuration fields for details on how Entra ID SAML fields map to FortiSASE SAML fields.

Configuring FortiSASE with Entra ID SSO

To configure FortiSASE with Entra ID SSO:
  1. In FortiSASE, go to Configuration > SWG User SSO. The first step of the SSO configuration wizard displays the entity ID, SSO URL, and single logout URL. You use these values to configure FortiSASE as an SP in Azure. Copy these values.
  2. Create and configure your FortiSASE environment in Azure:
    1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications > New application.
    2. Search for and select FortiSASE.
    3. Click Create.
    4. Assign Entra ID users and groups to FortiSASE.
    5. Go to Set up single sign on.
    6. For the SSO method, select SAML.
    7. In Basic Configuration, enter the values that you copied in step 1 in the Identifier (Entity ID), Reply URL, Sign on URL, and Logout URL fields. Click Save.
  3. Obtain the IdP information from Azure:
    1. The SAML Signing Certificate box contains links to download the SAML certificate. Download the certificate.
    2. The Set up <FortiSASE instance name> box lists the IdP information that you must provide to FortiSASE. Copy the values in the Login URL, Entra ID Identifier, and Logout URL fields.
  4. Configure the IdP information in FortiSASE:
    1. In FortiSASE, click Next in the SSO wizard. In the IdP Entity ID, IdP Single Sign-On URL, IdP Single Log-Out URL fields, paste the values that you copied from the Entra ID Identifier, Login URL, and Logout URL fields, respectively.
    2. From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded. Click Next.
    3. In the Service Provider Certificate field, use FortiSASE Default Certificate or your own custom certificate. Click + to add your own custom certificate.
    4. For Digest Method, select SHA-1 or SHA-256. The digest method should match the digest method on Azure if Certificate Verification is enabled on Azure.
    5. Note

      FortiSASE Default Certificate is a built-in wildcard certificate on FortiSASE that a well-known public CA signed and remains same across all of your points of presence.

      FortiSASE Default Certificate periodically renews. Thus, if IdPs use Service Provider Certificate in their configuration, administrators must periodically update their IdP configuration with the new SP certificate. To avoid updating your IdP configuration frequently, uploading your own certificate is recommended.

  5. Review the SAML configuration, then click Submit.
  6. (Optional) If you want Entra ID to perform SP signature verification, download the Service Provider Certificate from FortiSASE from System > Certificate, select FortiSASE Default Certificate and click Download. On the Azure application, under SAML Certificates, upload the FortiSASE Default Certificate and select the digest method that matches to what is configured on FortiSASE in step 4.d.

Configuring FortiSASE as a SWG server

The end user follows these instructions to configure SWG agentless mode on their machine. The end user can configure SWG settings at the OS level or in a browser. When the user configures SWG settings at the OS level, they are applied to all installed browsers. The following gives instructions for configuring SWG settings at the OS level on a Windows 10 device.

To configure Windows 10 to use the FortiSASE SWG server:
  1. In Windows, go to Windows Settings > System > Proxy Settings.
  2. Enable Use setup script.
  3. In the Script address field, enter the Hosted PAC File URL.

  4. The next time the user starts a browser session, the browser displays an authentication prompt. The end user enters their Entra ID credentials in the prompt. After ten minutes of inactivity, the browser reprompts for authentication credentials.

Configuring FortiSASE with Entra ID SSO in SWG agentless mode

Configuring FortiSASE with Entra ID SSO in SWG agentless mode

You can configure a single sign on (SSO) connection with Microsoft Entra ID, where Entra ID is the identity provider (IdP) and FortiSASE is the service provider (SP). This feature allows end users to configure FortiSASE as their secure web gateway (SWG) server and authenticate using their Entra ID credentials.

Before completing the following steps, see Configuring FortiSASE with Entra ID SSO: SAML configuration fields for details on how Entra ID SAML fields map to FortiSASE SAML fields.

Configuring FortiSASE with Entra ID SSO

To configure FortiSASE with Entra ID SSO:
  1. In FortiSASE, go to Configuration > SWG User SSO. The first step of the SSO configuration wizard displays the entity ID, SSO URL, and single logout URL. You use these values to configure FortiSASE as an SP in Azure. Copy these values.
  2. Create and configure your FortiSASE environment in Azure:
    1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications > New application.
    2. Search for and select FortiSASE.
    3. Click Create.
    4. Assign Entra ID users and groups to FortiSASE.
    5. Go to Set up single sign on.
    6. For the SSO method, select SAML.
    7. In Basic Configuration, enter the values that you copied in step 1 in the Identifier (Entity ID), Reply URL, Sign on URL, and Logout URL fields. Click Save.
  3. Obtain the IdP information from Azure:
    1. The SAML Signing Certificate box contains links to download the SAML certificate. Download the certificate.
    2. The Set up <FortiSASE instance name> box lists the IdP information that you must provide to FortiSASE. Copy the values in the Login URL, Entra ID Identifier, and Logout URL fields.
  4. Configure the IdP information in FortiSASE:
    1. In FortiSASE, click Next in the SSO wizard. In the IdP Entity ID, IdP Single Sign-On URL, IdP Single Log-Out URL fields, paste the values that you copied from the Entra ID Identifier, Login URL, and Logout URL fields, respectively.
    2. From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded. Click Next.
    3. In the Service Provider Certificate field, use FortiSASE Default Certificate or your own custom certificate. Click + to add your own custom certificate.
    4. For Digest Method, select SHA-1 or SHA-256. The digest method should match the digest method on Azure if Certificate Verification is enabled on Azure.
    5. Note

      FortiSASE Default Certificate is a built-in wildcard certificate on FortiSASE that a well-known public CA signed and remains same across all of your points of presence.

      FortiSASE Default Certificate periodically renews. Thus, if IdPs use Service Provider Certificate in their configuration, administrators must periodically update their IdP configuration with the new SP certificate. To avoid updating your IdP configuration frequently, uploading your own certificate is recommended.

  5. Review the SAML configuration, then click Submit.
  6. (Optional) If you want Entra ID to perform SP signature verification, download the Service Provider Certificate from FortiSASE from System > Certificate, select FortiSASE Default Certificate and click Download. On the Azure application, under SAML Certificates, upload the FortiSASE Default Certificate and select the digest method that matches to what is configured on FortiSASE in step 4.d.

Configuring FortiSASE as a SWG server

The end user follows these instructions to configure SWG agentless mode on their machine. The end user can configure SWG settings at the OS level or in a browser. When the user configures SWG settings at the OS level, they are applied to all installed browsers. The following gives instructions for configuring SWG settings at the OS level on a Windows 10 device.

To configure Windows 10 to use the FortiSASE SWG server:
  1. In Windows, go to Windows Settings > System > Proxy Settings.
  2. Enable Use setup script.
  3. In the Script address field, enter the Hosted PAC File URL.

  4. The next time the user starts a browser session, the browser displays an authentication prompt. The end user enters their Entra ID credentials in the prompt. After ten minutes of inactivity, the browser reprompts for authentication credentials.