Fortinet black logo

Administration Guide

Home FortiSandbox 4.4.3 Administration Guide
4.4.3
4.4.5
4.4.4
4.4.3
4.4.2
4.4.1
4.4.0
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.1
4.2.0
4.0.5
4.0.4
4.0.3
4.0.2
4.0.1
4.0.0
3.2.4
3.2.3
3.2.2
3.2.1
3.2.0
3.1.5
3.1.4
3.1.3
3.1.2
3.1.1
3.1.0
3.0.7
3.0.6

Configuring the Microsoft Entra ID (formerly Azure AD)

Configuring the Microsoft Entra ID (formerly Azure AD)

The following Entra ID configuration demonstrates how to add the FortiSandbox as an enterprise non-gallery application. This application provides SAML SSO connectivity to the Entra ID IdP. Some steps are performed concurrently on the FortiSandbox.

Tooltip

This example is configured with an Entra ID free-tier directory. There may be limitations to managing users in Azure in this tier that are not limited in other tiers. Consult the Microsoft Entra ID documentation for more information.

To configure Entra ID:
  1. Create a new enterprise application.
  2. Configure the SAML SSO settings on the application and FortiSandbox.
  3. Assign Entra ID users and groups to the application.

Create a new enterprise application

To create a new enterprise application:
  1. Log in to the Azure portal.
  2. In the Azure portal menu, click Microsoft Entra ID.
  3. In the left navigation pane menu go to Manage > Enterprise applications.
  4. Click New application.

  5. Click Create your own application.

  6. Enter a name for the application and select Integrate any other application you don't find in the gallery (Non-gallery).

  7. Click Create.

Configure the SAML SSO settings on the application and FortiSandbox

Tooltip

This task requires going back and forth between Azure and the FortiSandbox GUI. We recommend keeping the FortiSandbox GUI open for the entire procedure.
To configure the SAML SSO settings on the application and FortiSandbox

  1. On the Enterprise Application overview page, go to Manage > Single sign-on and select SAML as the single sign-on method.

  2. Click Edit of Section 1 (Basic SAML Configuration)

  3. Keep the Azure Portal open and in FortiSandbox go to System > SAML SSO and click Enable next to Enable SSO.
  4. In Azure go to Set up Single Sign-On with SAML > Edit Section 1 and copy the following URLs from the FortiSandbox to the Basic SAML Configuration section:

    From FortiSandbox

    To Azure field

    SP Entity ID

    (https://10.1.0.1/sso_sp)

    Identifier (Entity ID)

    SP login URL

    (https://10.1.0.1/sso_sp/op/?acs)

    Reply URL and Sign on URL

    SP logout URL

    (https://10.1.0.1/sso_sp/op/?sls)

    Logout URL

    Tooltip

    If you are deploying FortiSandbox or FortiAuthenticator on a public cloud you will need to update the Public IP to Private IP manually. Otherwise, the URLs will not work.

  5. Click Save.
  6. Edit Section 2 (Attributes & Claims) > Add new claim.

  7. Configure the new claim:

    Claim

    Value

    Name

    username

    Namespace

    Leave blank

    Source

    Attribute

    Source attribute

    user.userprincipalname

    The value of this attribute has to match the username of the administrator who will be logging in

  8. Click the Save button to add this new claim.

  9. Click the close button (X) at the top-right to return.

  10. In Section 3 (SAML Certificates), download the Certificate (Base64).

  11. To import this certificate into FortiSandbox, go to System > Certificates.
  12. On FortiSandbox, go to System > SSO to configure the SSO settings. Copy the following URLs fromEntra ID SAML-based Sign-on > Section 4 page:

    From Azure

    To FortiSandbox field

    Microsoft Entra Identifier

    IdP Entity ID

    Login URL

    IdP login URL

    Logout URL

    IdP logout URL

  13. For IdP certificate, choose the certificate you imported earlier.
  14. Click OK, to save you settings to FortiSandbox.

Assign Entra ID users and groups to the application

To assign Entra ID users and groups to the application:
  1. In Azure, go to Manage > Users and groups and click Add user/group.

  2. Select the users or groups.

Previous
Next

Configuring the Microsoft Entra ID (formerly Azure AD)

The following Entra ID configuration demonstrates how to add the FortiSandbox as an enterprise non-gallery application. This application provides SAML SSO connectivity to the Entra ID IdP. Some steps are performed concurrently on the FortiSandbox.

Tooltip

This example is configured with an Entra ID free-tier directory. There may be limitations to managing users in Azure in this tier that are not limited in other tiers. Consult the Microsoft Entra ID documentation for more information.

To configure Entra ID:
  1. Create a new enterprise application.
  2. Configure the SAML SSO settings on the application and FortiSandbox.
  3. Assign Entra ID users and groups to the application.

Create a new enterprise application

To create a new enterprise application:
  1. Log in to the Azure portal.
  2. In the Azure portal menu, click Microsoft Entra ID.
  3. In the left navigation pane menu go to Manage > Enterprise applications.
  4. Click New application.

  5. Click Create your own application.

  6. Enter a name for the application and select Integrate any other application you don't find in the gallery (Non-gallery).

  7. Click Create.

Configure the SAML SSO settings on the application and FortiSandbox

Tooltip

This task requires going back and forth between Azure and the FortiSandbox GUI. We recommend keeping the FortiSandbox GUI open for the entire procedure.
To configure the SAML SSO settings on the application and FortiSandbox

  1. On the Enterprise Application overview page, go to Manage > Single sign-on and select SAML as the single sign-on method.

  2. Click Edit of Section 1 (Basic SAML Configuration)

  3. Keep the Azure Portal open and in FortiSandbox go to System > SAML SSO and click Enable next to Enable SSO.
  4. In Azure go to Set up Single Sign-On with SAML > Edit Section 1 and copy the following URLs from the FortiSandbox to the Basic SAML Configuration section:

    From FortiSandbox

    To Azure field

    SP Entity ID

    (https://10.1.0.1/sso_sp)

    Identifier (Entity ID)

    SP login URL

    (https://10.1.0.1/sso_sp/op/?acs)

    Reply URL and Sign on URL

    SP logout URL

    (https://10.1.0.1/sso_sp/op/?sls)

    Logout URL

    Tooltip

    If you are deploying FortiSandbox or FortiAuthenticator on a public cloud you will need to update the Public IP to Private IP manually. Otherwise, the URLs will not work.

  5. Click Save.
  6. Edit Section 2 (Attributes & Claims) > Add new claim.

  7. Configure the new claim:

    Claim

    Value

    Name

    username

    Namespace

    Leave blank

    Source

    Attribute

    Source attribute

    user.userprincipalname

    The value of this attribute has to match the username of the administrator who will be logging in

  8. Click the Save button to add this new claim.

  9. Click the close button (X) at the top-right to return.

  10. In Section 3 (SAML Certificates), download the Certificate (Base64).

  11. To import this certificate into FortiSandbox, go to System > Certificates.
  12. On FortiSandbox, go to System > SSO to configure the SSO settings. Copy the following URLs fromEntra ID SAML-based Sign-on > Section 4 page:

    From Azure

    To FortiSandbox field

    Microsoft Entra Identifier

    IdP Entity ID

    Login URL

    IdP login URL

    Logout URL

    IdP logout URL

  13. For IdP certificate, choose the certificate you imported earlier.
  14. Click OK, to save you settings to FortiSandbox.

Assign Entra ID users and groups to the application

To assign Entra ID users and groups to the application:
  1. In Azure, go to Manage > Users and groups and click Add user/group.

  2. Select the users or groups.

Previous
Next