fortigate_-_entra_id_saml_sso
This is an old revision of the document!
Table of Contents
Prerequisites
- Required subscriptions (FortiGate SSL VPN, Entra ID tenant)
- Certificates and basic setup
Add FortiGate SSL VPN in Entra ID
- Enterprise Applications → Add from Gallery → Select FortiGate SSL VPN
Configure Basic SAML Settings in Entra ID
- Identifier (Entity ID)
- Reply URL
- Sign-on URL
- Logout URL
- Attribute & Claim mappings
- Download SAML Signing Certificate
Create Test User and Security Group in Entra ID
- New user creation
- Assign user to FortiGate SSL VPN app
- Create Security Group (e.g., FortiGateAccess)
- Note Object ID
Upload Certificate to FortiGate
- Import Base64 certificate into FortiGate
- Rename certificate if needed
Configure FortiGate SAML Settings (CLI)
- Define SAML IdP (`config user saml`)
- Map entity-id, single-sign-on-url, logout-url, IdP URLs, certificate, attributes
Configure FortiGate User Group
- Create group (`config user group`)
- Match against Azure Security Group Object ID
Configure SSL VPN Portals and Firewall Policy
- Create VPN portal(s)
- Apply firewall rules for SAML group
Optional: Multiple SSL VPN Realms
- Enable SSL-VPN Realms feature
- Create multiple realms (e.g., FullTunnel, SplitTunnel)
- Configure portals and policies per realm
FortiClient Setup (Optional)
- Configure FortiClient for SSL VPN with SAML SSO
Testing and Validation
- Test SSO via Azure “Test” button
- Direct login to FortiGate VPN portal
- Use My Apps tile
- Debugging commands (`diagnose debug application samld`)
Troubleshooting Notes
- Certificate re-download after FQDN changes
- Signature verification requirements in FortiOS 7.2.12 / 7.4.9 / 7.6.4
- Common errors (e.g., “Signature element not found”)
fortigate_-_entra_id_saml_sso.1765574716.txt.gz · Last modified: 2025/12/12 21:25 by oso