Configuring FortiSASE with Entra ID SSO

Before completing the following steps, see Configuring with Entra ID SSO: SAML configuration fields for details on how Microsoft Entra ID SAML fields map to FortiSASE SAML fields.

To configure FortiSASE with Entra ID SSO:
  1. In FortiSASE, go to Configuration > VPN User SSO. The first step of the SSO configuration wizard displays the entity ID, SSO URL, and single logout URL. You use these values to configure FortiSASE as an SP in Azure. Copy these values.
  2. Create and configure your FortiSASE environment in Azure:
    1. In the Azure portal, go to Entra ID > Enterprise applications > New application.
    2. Search for and select FortiSASE.
    3. Click Create.
    4. Assign Entra ID users and groups to FortiSASE.
    5. Go to Set up single sign on.
    6. For the SSO method, select SAML.
    7. In Basic Configuration, enter the values that you copied in step 1 in the Identifier (Entity ID), Reply URL, Sign on URL, and Logout URL fields. Click Save.
  3. Obtain the IdP information from Azure:
    1. The SAML Signing Certificate box contains links to download the SAML certificate. Download the certificate.
    2. The Set up <FortiSASE instance name> box lists the IdP information that you must provide to FortiSASE. Copy the values in the Login URL, Entra ID Identifier, and Logout URL fields.
  4. Configure the IdP information in FortiSASE:
    1. In FortiSASE, click Next in the SSO wizard. In the IdP Entity ID, IdP Single Sign-On URL, IdP Single Log-Out URL fields, paste the values that you copied from the Entra ID Identifier, Login URL, and Logout URL fields, respectively.
    2. From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded. Click Next.
    3. In the Service Provider Certificate field, use FortiSASE Default Certificate.
    4. For Digest Method, select SHA-1.
    Note: FortiSASE Default Certificate is a built-in wildcard certificate on FortiSASE signed by a well-known public CA and remains the same across all of your points of presence.

    FortiSASE Default Certificate also renews periodically. Thus, if the IdP is using the Service Provider Certificate in its configuration, administrators must periodically update the IdP configuration with the new SP certificate. To avoid having to update your IdP configuration frequently, we recommend uploading your own certificate.

  5. Review the SAML configuration, then click Submit.
  6. Click OK for the prompt that informs you that SSO authentication takes priority over existing LDAP and RADIUS authentication methods.

  7. (Optional) If you want Entra ID to perform SP signature verification, download the Service Provider Certificate from FortiSASE: go to System > Certificate, select FortiSASE Default Certificate, and click Download. On the Azure application, under SAML Certificates, upload the FortiSASE Default Certificate and select the digest method that matches what is configured on FortiSASE in step 4.d.
  8. Invite Entra ID users to FortiSASE:
    1. (Optional) Create a user group using the steps in Defining a user group of Entra ID SAML SSO users.
    2. In Configuration > VPN User SSO, click Onboard Users.
    3. Under Invite Users, enter the email addresses of the users that you want to add to FortiSASE.
    4. Click Send. FortiSASE sends invitation emails to these users so that they can download FortiClient and connect to FortiSASE.
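The three IdP values copied by hand in step 3 (Entra ID Identifier, Login URL, Logout URL) and the IdP signing certificate are also published by Azure as a standard SAML 2.0 federation metadata document. The following script is an added example, not Fortinet's or Microsoft's code: it reads such a document, maps the values onto the FortiSASE wizard field names used in step 4, fingerprints the IdP certificate so it can be compared with the one uploaded in step 4.b, and compares a FortiSASE SP certificate with the copy held by the IdP (step 7), which is the check that catches a renewal of FortiSASE Default Certificate described in the note. The metadata, tenant ID, and certificate bytes below are constructed placeholders, and only the Python standard library is used.

```python
"""Added example (not Fortinet's code): map Entra ID SAML metadata onto the
FortiSASE SSO wizard fields and fingerprint the certificates on both sides."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample. The element layout follows a SAML 2.0 IdP metadata
# document; the tenant ID and the certificate bytes are placeholders.
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/TENANT_ID_PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}">
        <X509Data><X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def cert_fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated hex digest of a DER certificate, the form the Azure and
    FortiSASE certificate views display for comparison."""
    hexdigest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END lines of a PEM block and decode the base64 body."""
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (used for constructed samples)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


def _https_only(label: str, url: str) -> str:
    # SAML endpoints carry the assertion; refuse anything that is not https.
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{label} must be an https URL, got {url!r}")
    return url


def fortisase_idp_fields(metadata_xml: str) -> dict:
    """Return the values for the wizard fields of step 4.a, keyed by field name."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata carries no IDPSSODescriptor")

    def endpoint(name: str) -> str:
        # The wizard takes one URL per field; prefer the HTTP-Redirect binding.
        locations = {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{name}", NS)}
        url = locations.get(REDIRECT) or locations.get(POST)
        if not url:
            raise ValueError(f"no {name} endpoint with a supported binding")
        return url

    # A KeyDescriptor without 'use' serves both signing and encryption.
    certs = [c.text.strip() for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {
        "IdP Entity ID": root.get("entityID"),
        "IdP Single Sign-On URL": _https_only("SingleSignOnService", endpoint("SingleSignOnService")),
        "IdP Single Log-Out URL": _https_only("SingleLogoutService", endpoint("SingleLogoutService")),
        "IdP Certificate SHA-256": cert_fingerprint(base64.b64decode(certs[0])),
    }


def sp_certificate_matches(fortisase_pem: str, idp_uploaded_pem: str) -> bool:
    """True when the SP certificate the IdP holds (step 7) is the one FortiSASE
    currently presents. After FortiSASE Default Certificate renews, this
    returns False until the IdP copy is re-uploaded."""
    return cert_fingerprint(pem_to_der(fortisase_pem)) == cert_fingerprint(pem_to_der(idp_uploaded_pem))


if __name__ == "__main__":
    for field, value in fortisase_idp_fields(SAMPLE_METADATA).items():
        print(f"{field:26} {value}")
    current = der_to_pem(b"constructed SP certificate, generation 2")   # what FortiSASE serves now
    at_idp = der_to_pem(b"constructed SP certificate, generation 1")    # what was uploaded to Azure
    print("IdP holds current SP certificate:", sp_certificate_matches(current, at_idp))
```

Run against a real metadata download, the script prints the three wizard values plus the signing certificate fingerprint; run `sp_certificate_matches` on the certificate downloaded from System > Certificate and the copy held in the Azure application on a schedule, and a `False` result is the signal that the renewal described in the note has happened and the IdP copy needs to be replaced.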
