
Administration Guide

Configuring FortiSASE with FortiAuthenticator Cloud as SAML IdP proxy for Entra ID SSO


FortiTrust Identity (FortiTrustID) performs the function of a SAML identity provider (IdP) as well as an IdP proxy and enforces multifactor authentication (MFA). FortiTrustID is composed of FortiAuthenticator Cloud for IdP and IdP proxy functionality and FortiToken Cloud for MFA including adaptive authentication.

A use case for IdP proxy is when using multiple IdPs to authenticate different user types. For example, you may authenticate employees using Microsoft Entra ID while contractors use Google Workspace or Okta.

You can configure a single sign-on (SSO) connection between FortiSASE and FortiAuthenticator Cloud via SAML, where FortiAuthenticator Cloud acts as the IdP (more precisely, as an IdP proxy that forwards authentication to the remote IdP) and FortiSASE is the service provider (SP). This lets end users connect to the VPN by logging in with the credentials of their own IdP.

This example describes how to set up FortiAuthenticator Cloud as a SAML IdP proxy for Entra ID.

Caution

These steps require FortiTrustID to be running FortiAuthenticator Cloud 6.5.0 or later, because they rely on the following remote SAML server options, which improve compatibility with third-party IdPs:

  • Sends username in this parameter: specify the parameter name in which the remote IdP receives the username so as to prefill the username login field.
  • Strip realm from username before sending.

To upgrade to FortiAuthenticator Cloud 6.5.0 or later, send a request to fortitrustid-support@fortinet.com. See the Upgrade Information section of the FortiTrustID Release Notes for your version.
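The IdP proxy use case above (different user types routed to different remote IdPs) and the two 6.5.0 options in the caution are easier to reason about with a small model of the routing decision. The following is an added illustration written for this page, not FortiAuthenticator Cloud's own code: the realm table, the hostnames, and the parameter names (login_hint, username) are placeholders chosen for the example. It shows how a proxy derives the realm from user@realm, picks the remote IdP for that realm, optionally strips the realm, and passes the username in the configured parameter so the remote login page can prefill it. Two checks a practitioner would want are included: a username with more than one '@' is rejected instead of being split ambiguously, and the value is percent-encoded so characters such as '&' or '=' in a submitted username cannot add parameters to the remote IdP's URL.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode


@dataclass(frozen=True)
class RemoteIdp:
    """One remote IdP behind the proxy and its two compatibility settings."""
    name: str
    sso_url: str                    # URL the proxy redirects the browser to (placeholder)
    username_param: Optional[str]   # "Sends username in this parameter"; None = do not send
    strip_realm: bool               # "Strip realm from username before sending"


# Constructed realm table: which remote IdP handles which realm (user type).
# Hostnames and parameter names are assumptions for this example, not tenant values.
REALMS: Dict[str, RemoteIdp] = {
    "corp.example.com": RemoteIdp(
        name="Entra ID", sso_url="https://entra.example/saml2",
        username_param="login_hint", strip_realm=False),
    "contractors.example.org": RemoteIdp(
        name="Okta", sso_url="https://okta.example/app/sso/saml",
        username_param="username", strip_realm=True),
}


def split_realm(username: str) -> Tuple[str, str]:
    """Split 'user@realm' into (user, realm); the realm is lower-cased for lookup.

    Exactly one '@' is required: a value such as 'alice@corp.example.com@other.example'
    could be routed on either realm depending on which '@' is used for the split,
    so it is rejected rather than guessed."""
    if username.count("@") != 1:
        raise ValueError("username must have the form user@realm")
    user, realm = username.split("@")
    if not user or not realm:
        raise ValueError("user and realm must both be non-empty")
    return user, realm.lower()


def select_idp(username: str, realms: Dict[str, RemoteIdp] = REALMS) -> RemoteIdp:
    """Pick the remote IdP for the user's realm; an unknown realm is an error, not a default."""
    _, realm = split_realm(username)
    idp = realms.get(realm)
    if idp is None:
        raise LookupError(f"no remote IdP configured for realm {realm!r}")
    return idp


def build_redirect(username: str, realms: Dict[str, RemoteIdp] = REALMS) -> str:
    """Build the URL the proxy sends the browser to, applying both settings."""
    user, realm = split_realm(username)
    idp = select_idp(username, realms)
    if idp.username_param is None:
        return idp.sso_url
    value = user if idp.strip_realm else f"{user}@{realm}"
    # urlencode percent-encodes the value, so '&', '#' or '=' in a submitted
    # username cannot append extra query parameters to the remote IdP's URL.
    return f"{idp.sso_url}?{urlencode({idp.username_param: value})}"


if __name__ == "__main__":
    for u in ("alice@corp.example.com", "bob@Contractors.Example.org"):
        print(u, "->", select_idp(u).name, build_redirect(u))
```

Running the block prints the Entra ID redirect with the full user@realm prefilled (the realm is kept) and the Okta redirect with only "bob" (the realm is stripped), matching the two settings in the table.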

  1. In the Azure portal, do the following:
    1. Create an enterprise application using FortiSASE as a template from the Azure App Gallery and copy its application ID. See To create an enterprise application using FortiSASE as a template from the gallery and find the application ID of the FortiSASE enterprise application.
    2. Register the enterprise application with the Microsoft identity platform and generate an authentication key. See To register the enterprise application.
    3. Add the enterprise application as an assignment. See To add the enterprise application as an assignment.
  2. In FortiAuthenticator Cloud, do the following:
    1. Create a remote OAuth server with the Azure application ID and authentication key. See To create a remote OAuth server.
    2. Begin creating a remote SAML server. See To partially configure the remote SAML server on FortiAuthenticator Cloud.
  3. In the Azure portal, configure SAML settings for the FortiSASE application. See To configure SAML settings for the FortiSASE application in Azure and To collect SAML IdP URL information.
  4. In FortiAuthenticator Cloud, do the following:
    1. Finish creating the remote SAML server. See To fully configure the remote SAML server on FortiAuthenticator Cloud.
    2. Create a realm for the domain name. See To create an Azure realm and add it to the IdP.
    3. Enable the SAML IdP portal. See To enable the SAML IdP portal.
    4. Download the IdP certificate. See To download the IdP certificate.
    5. Begin creating a SAML service provider (SP) entry for FortiSASE. See To partially configure a SAML SP entry for FortiSASE in FortiAuthenticator Cloud.
  5. In FortiSASE, configure FortiSASE with FortiAuthenticator Cloud in FortiClient agent-based mode. See Configuring FortiSASE with FortiAuthenticator Cloud in FortiClient agent-based mode.
  6. In FortiAuthenticator Cloud, finish creating the SAML SP entry for FortiSASE. See Configuring FortiAuthenticator Cloud - III.
