Configure SAML SSO in Microsoft Azure for FortiGate FortiOS 7.4.3 for Admin GUI Login

Don Goss
|
68 steps
|
6 minutes

Microsoft Entra

Azure

Fortinet

Click "Enterprise applications"

Click " New Application"

Click "Create your own application"

Input the name. (ex. fortigate-sso-hostname)

Click "Create"

Click "Single sign-on"

Click "SAML"

On Step 1, click "Edit"

Log into the FortiGate Firewall

Click "Security Fabric"

Click Fabric Connectors

Click on "Security Fabric Setup"

Click "Edit"

Click "Single Sign-On Settings"

Click "Service Provider (SP)"

Click the "Default admin profile" drop-down

Click on super_admin

Expand SP Details

Change http:// to https:// for "SP entity ID"

Copy the "SP Entity ID"

In Entra, click on "Add identifier" under "Identifier (Entra ID)"

Paste the "SP Entity ID" URL

Copy the "SP ACS (login) URL"

Click "Add reply URL" and paste the "SP ACS (login) URL" in the field

Copy the "SP portal URL"

Under "Sign on URL (Optional), paste the "SP portal URL" in the field

Copy the "SP SLS (logout) URL"

Under "Logout URL (Optional)" paste the "SP SLS (logout) URL"

Click "Save"

Click "X" to close the Basic SAML Configuration

Click "No, I'll test later"

Scroll down to Step 3 and Download the Certificate (Base64) file.

Under IdP Setting, click on "Custom"

Click on "IdP certificate"

Click "Import"

Click "Upload"

Select the downloaded certificate and click "OK"

Select the imported certificate

Copy the "Microsoft Entra Identifier"

Paste the "Microsoft Entra Identifier" into the "IdP entity ID" field

Copy the "Login URL"

Paste the "Login URL" into the "IdP single sign-on URL" field

Copy the "Logout URL"

Paste the "Logout URL" into the "IdP single logout URL" field

Click "OK"

Click on the Cli icon.

Type "config vpn certificate remote" [[enter]] Type "rename Remote_Cert_1 to Entra_SAML" [[enter]]

Click the "X" to close the Cli

Under Step 2, click "Edit"

Click "Add new claim"

Type "username" in the Name field. Leave Namespace empty.

Source must be Attribute.

In the Source attribute, type "user.userprinciplename"

Click user.userprincipalname DO NOT select the "user.userprincipalname"

Click Save

Click "Users and groups"

Click "Add user/group"

Click "None Selected" to add a group

Search for "FortiGate Admin SSL" [[Note: This needs to be created ahead of time. Create a Security Group that is allowed access to applications and add the users that need access.]]

Click the check box next to "FortiGate Admin SSL"

Click "Select"

Click here.

Go back to the FortiGate and click the User menu at the top right

Click "Logout"

Log back in to the firewall by click "Sign in with Security Fabric" This will redirect you to Microsoft 365 for authentication. It will also create a SSO Admin user automatically if your email address does not exist.

You are all set. This procedure must be repeated for each firewall that is set up SSO SAML w/ MFA. If there is more than one WAN interface, set up a DNS failover in DNSMadeEasy. The Monitoring and Failover settings should look like the below. You will want to monitor the Admin GUI Port. Also, make sure that the DNS record has a TTL of 30 seconds.