Configure the domain and SAML SP in Microsoft Azure AD PowerShell
FortiAuthenticator currently supports use with Microsoft Azure Active Directory Module for Windows PowerShell.
To configure the domain and SAML SP using Microsoft Azure AD PowerShell:
- Launch the Microsoft Azure Active Directory Module for Windows PowerShell.
- Enter the following command in PowerShell:
Install-Module -Name MSOnline
Accept the next two default ("Y") prompts for installing the NuGet Provider and installing from PSGallery.
- If you are using Windows 2016 or earlier, you must first enable TLS 1.2 enforcement for Azure AD Connect. For instructions on enabling TLS 1.2 enforcement, see Azure AD Connect: TLS 1.2 enforcement for Azure Active Directory Connect.
- Enter the following command:
Connect-MsolService
The Microsoft Sign in window opens. Log in with your Azure ID.
- Add a federated domain by entering the following command:
New-MsolDomain -Name <your domain> -Authentication Federated
- Obtain the DNS record and create a new TXT record with your domain provider so that the domain can be verified. To obtain the DNS record, use the following command:
Get-MsolDomainVerificationDns -DomainName ftnt.xyz -Mode DnsTxtRecord
From the output, copy the Text field and create a new TXT record in your domain with a 60 minute interval.
- Configure the domain as a SAML service provider.
You can create these variables inside a text editor and then copy and paste them into a PowerShell window.
$domain = "<your domain>"
$cert = "<your certificate. This can be obtained by downloading your certificate from FortiAuthenticator and opening it with a text editor.>"
$protocol = "SAMLP"
$IssuerUrl = "<The IdP entity ID from FortiAuthenticator>"
$LogonUrl = "<The IdP single sign-on URL from FortiAuthenticator>"
$LogoffUrl = "<The IdP single logout URL from FortiAuthenticator>"
Once completed, enter the following command into PowerShell to verify the domain:
Confirm-MsolDomain -DomainName $domain -SigningCertificate $cert -PreferredAuthenticationProtocol $protocol -IssuerUri $IssuerUrl -PassiveLogOnUri $LogonUrl -LogOffUri $LogoffUrl
The return text from the above command should read "AvailableImmediately The domain has been successfully verified for your account."
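As an added example, not part of the FortiAuthenticator documentation, the script below gathers the variable block and the Confirm-MsolDomain call into one file: it loads the IdP certificate downloaded from FortiAuthenticator from a file (C:\idp.cer is a hypothetical path) and converts it to the base64 string that -SigningCertificate expects, checks that the verification TXT record is visible before confirming, and reads the federation settings back to check that the stored signing certificate matches. The angle-bracket values are placeholders for the values taken from FortiAuthenticator.

```powershell
# Added example: verify a domain and federate it to FortiAuthenticator (SAML IdP).
# Assumes the MSOnline module is installed and Connect-MsolService has already been run.
$domain      = "<your domain>"
$certPath    = "C:\idp.cer"   # hypothetical path of the certificate downloaded from FortiAuthenticator
$IssuerUrl   = "<The IdP entity ID from FortiAuthenticator>"
$LogonUrl    = "<The IdP single sign-on URL from FortiAuthenticator>"
$LogoffUrl   = "<The IdP single logout URL from FortiAuthenticator>"
$expectedTxt = "<Text value returned by Get-MsolDomainVerificationDns>"

# 1. Confirm-MsolDomain fails until the TXT record has propagated, so check DNS first.
$txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
       Where-Object { $_.Strings -contains $expectedTxt }
if (-not $txt) {
    throw "Verification TXT record for $domain is not visible yet; wait for DNS propagation."
}

# 2. Load the certificate (PEM or DER) and produce the base64 DER body that
#    -SigningCertificate expects: no BEGIN/END lines and no line breaks.
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($x509.NotAfter -lt (Get-Date)) {
    throw "IdP certificate expired on $($x509.NotAfter); download a current one from FortiAuthenticator."
}
$cert = [Convert]::ToBase64String($x509.GetRawCertData())

# 3. Verify the domain and set its federation settings in one call.
Confirm-MsolDomain -DomainName $domain -SigningCertificate $cert `
    -PreferredAuthenticationProtocol "SAMLP" -IssuerUri $IssuerUrl `
    -PassiveLogOnUri $LogonUrl -LogOffUri $LogoffUrl

# 4. Read back what Azure AD stored and compare the signing certificate thumbprint.
$fed = Get-MsolDomainFederationSettings -DomainName $domain
$fed | Select-Object IssuerUri, PassiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol
$stored = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    [Convert]::FromBase64String($fed.SigningCertificate))
if ($stored.Thumbprint -ne $x509.Thumbprint) {
    Write-Warning "Stored signing certificate does not match $certPath"
}
```

If Get-MsolDomain -DomainName $domain does not report Status Verified and Authentication Federated afterwards, re-check the TXT record before retrying.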