Differences

This shows you the differences between two versions of the page.

--- fortigate_-_entra_id_saml_sso [2025/12/12 21:45] – oso
+++ fortigate_-_entra_id_saml_sso [2025/12/13 00:22] (current) – [SAML Claim Mapping (Azure → FortiGate)] oso
@@ Line 15: / Line 15: @@
   * Download the **SAML Base64 Signing Certificate**
+===== SAML Claim Mapping (Azure → FortiGate) =====
+FortiGate is strict about SAML attribute names.
+The attributes defined in Azure **must match exactly** the attributes that FortiGate expects under:
+<code>
+set user-name
+set group-name
+</code>
+=== Required Claims in Entra ID ===
+Under **Single Sign-On → User Attributes & Claims**:
+**Add this claim** (FortiGate requires the literal name)
+  * Claim name: ''username'', source: ''user.userprincipalname''
+**Edit the existing “groups” claim** so that it sends **Group Object IDs** (not display names).
+  * The expected claim name must be ''group''
+{{:2024-01-15_14_16_40.png?nolink|}}
+This ensures that the SAML token contains:
+<code>
+username = user@domain
+group    = <Azure AD Group Object ID>
+</code>
+=== Why this matters ===
+FortiGate matches SAML attributes using the `user-name` and `group-name` fields in the IdP configuration:
+<code>
+set user-name "username"
+set group-name "group"
+</code>
+If the Azure claim sends the wrong attribute or the Object ID doesn't match exactly, FortiGate will not associate the session with the group, and the VPN connection will be denied.
+https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial
 ====== Create Test User and Security Group in Entra ID ======
   * Create test user
@@ Line 118: / Line 157: @@
   * https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-400-Bad-Request-error-when-trying-to-connect/ta-p/365087
   * https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-SSL-VPN-with-Azure-SAML-SSO-Authentication/ta-p/200812
+  * https://www.youtube.com/watch?v=nDH2wvveLrI