• Required subscriptions (FortiGate SSL VPN, Entra ID tenant)
• Certificates and basic setup

• Enterprise Applications → Add from Gallery → Select FortiGate SSL VPN

• Identifier (Entity ID)
• Reply URL
• Sign-on URL
• Logout URL
• Attribute & Claim mappings
• Download SAML Signing Certificate

config user saml
  edit azure
    set cert <FortiGate Let'sEncrypt VPN Server Certificate Name>
    set entity-id "https://vpn.my.org:10443/remote/saml/metadata"
    set single-sign-on-url "https://vpn.my.org:10443/remote/saml/login"
    set single-logout-url "https://vpn.my.org:10443/remote/saml/logout"
    set idp-entity-id <Azure AD Identifier>
    set idp-single-sign-on-url <Azure Login URL>
    set idp-single-logout-url <Azure Logout URL>
    set idp-cert <Base64 SAML Certificate Name>
    set user-name username
    set group-name group
  next
end

• New user creation
• Assign user to FortiGate SSL VPN app
• Create Security Group (e.g., FortiGateAccess)
• Note Object ID

• Import Base64 certificate into FortiGate
• Rename certificate if needed

• Define SAML IdP (`config user saml`)
• Map entity-id, single-sign-on-url, logout-url, IdP URLs, certificate, attributes

• Create group (`config user group`)
• Match against Azure Security Group Object ID

• Create VPN portal(s)
• Apply firewall rules for SAML group

• Enable SSL-VPN Realms feature
• Create multiple realms (e.g., FullTunnel, SplitTunnel)
• Configure portals and policies per realm

• Configure FortiClient for SSL VPN with SAML SSO

• Test SSO via Azure “Test” button
• Direct login to FortiGate VPN portal
• Use My Apps tile
• Debugging commands (`diagnose debug application samld`)

• Certificate re-download after FQDN changes
• Signature verification requirements in FortiOS 7.2.12 / 7.4.9 / 7.6.4
• Common errors (e.g., “Signature element not found”)