<\/a>Prerequisites<\/h2>\n\n\n\nTo get started, you need the following items:<\/p>\n\n\n\n
- An Azure AD subscription. If you don’t have a subscription, you can get a free account<\/a>.<\/li>
- A FortiGate SSL VPN with single sign-on (SSO) enabled.<\/li><\/ul>\n\n\n\n
<\/a>Tutorial description<\/h2>\n\n\n\nIn this tutorial, you’ll configure and test Azure AD SSO in a test environment.<\/p>\n\n\n\n
FortiGate SSL VPN supports SP-initiated SSO.<\/p>\n\n\n\n
<\/a>Add FortiGate SSL VPN from the gallery<\/h2>\n\n\n\nTo configure the integration of FortiGate SSL VPN into Azure AD, you need to add FortiGate SSL VPN from the gallery to your list of managed SaaS apps:<\/p>\n\n\n\n
- Sign in to the Azure portal with a work or school account or with a personal Microsoft account.<\/li>
- In the left pane, select Azure Active Directory<\/strong>.<\/li>
- Go to Enterprise applications<\/strong> and then select All Applications<\/strong>.<\/li>
- To add an application, select New application<\/strong>.<\/li>
- In the Add from the gallery<\/strong> section, enter FortiGate SSL VPN<\/strong> in the search box.<\/li>
- Select FortiGate SSL VPN<\/strong> in the results panel and then add the app. Wait a few seconds while the app is added to your tenant.<\/li><\/ol>\n\n\n\n
Alternatively, you can also use the Enterprise App Configuration Wizard<\/a>. In this wizard, you can add an application to your tenant, add users\/groups to the app, assign roles, as well as walk through the SSO configuration as well. Learn more about Microsoft 365 wizards.<\/a><\/p>\n\n\n\nAlternatively, you can also use the Enterprise App Configuration Wizard<\/a>. In this wizard, you can add an application to your tenant, add users\/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards here<\/a>.<\/p>\n\n\n\n<\/a>Configure and test Azure AD SSO for FortiGate SSL VPN<\/h2>\n\n\n\nYou’ll configure and test Azure AD SSO with FortiGate SSL VPN by using a test user named B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the corresponding SAML SSO user group in FortiGate SSL VPN.<\/p>\n\n\n\n
To configure and test Azure AD SSO with FortiGate SSL VPN, you’ll complete these high-level steps:<\/p>\n\n\n\n
- Configure Azure AD SSO<\/a><\/strong> to enable the feature for your users.
- Create an Azure AD test user<\/a><\/strong> to test Azure AD single sign-on.<\/li>
- Grant access to the test user<\/a><\/strong> to enable Azure AD single sign-on for that user.<\/li><\/ol><\/li>
- Configure FortiGate SSL VPN SSO<\/a><\/strong> on the application side.
- Create a FortiGate SAML SSO user group<\/strong> as a counterpart to the Azure AD representation of the user.<\/li><\/ol><\/li>
- Test SSO<\/a><\/strong> to verify that the configuration works.<\/li><\/ol>\n\n\n\n
<\/a>Configure Azure AD SSO<\/h3>\n\n\n\nFollow these steps to enable Azure AD SSO in the Azure portal:<\/p>\n\n\n\n
- In the Azure portal, on the FortiGate SSL VPN<\/strong> application integration page, in the Manage<\/strong> section, select single sign-on<\/strong>.<\/li>
- On the Select a single sign-on method<\/strong> page, select SAML<\/strong>.<\/li>
- On the Set up Single Sign-On with SAML<\/strong> page, select the Edit<\/strong> button for Basic SAML Configuration<\/strong> to edit the settings:
![\"Screenshot](\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/saas-apps\/media\/fortigate-ssl-vpn-tutorial\/saml-configuration.png\")
<\/li>- On the Set up Single Sign-On with SAML<\/strong> page, enter the following values:a. In the Identifier<\/strong> box, enter a URL in the pattern
https:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port>\/remote\/saml\/metadata<\/code>.b. In the Reply URL<\/strong> box, enter a URL in the pattern https:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port>\/remote\/saml\/login<\/code>.c. In the Sign on URL<\/strong> box, enter a URL in the pattern https:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port>\/remote\/saml\/login<\/code>.d. In the Logout URL<\/strong> box, enter a URL in the pattern https:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port><FQDN>\/remote\/saml\/logout<\/code>. NoteThese values are just patterns. You need to use the actual Sign on URL<\/strong>, Identifier<\/strong>, Reply URL<\/strong>, and Logout URL<\/strong> that is configured on the FortiGate.<\/li>- The FortiGate SSL VPN application expects SAML assertions in a specific format, which requires you to add custom attribute mappings to the configuration. The following screenshot shows the list of default attributes.
![\"Screenshot](\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/saas-apps\/media\/fortigate-ssl-vpn-tutorial\/claims.png\")
<\/li> - The claims required by FortiGate SSL VPN are shown in the following table. The names of these claims must match the names used in the Perform FortiGate command-line configuration<\/strong> section of this tutorial. Names are case-sensitive.NameSource attributeusernameuser.userprincipalnamegroupuser.groupsTo create these additional claims:a. Next to User Attributes & Claims<\/strong>, select Edit<\/strong>.b. Select Add new claim<\/strong>.c. For Name<\/strong>, enter username<\/strong>.d. For Source attribute<\/strong>, select user.userprincipalname<\/strong>.e. Select Save<\/strong>. NoteUser Attributes & Claims<\/strong> allow only one group claim. To add a group claim, delete the existing group claim user.groups [SecurityGroup]<\/strong> already present in the claims to add the new claim or edit the existing one to All groups<\/strong>.f. Select Add a group claim<\/strong>.g. Select All groups<\/strong>.h. Under Advanced options<\/strong>, select the Customize the name of the group claim<\/strong> check box.i. For Name<\/strong>, enter group<\/strong>.j. Select Save<\/strong>.<\/li>
- On the Set up Single Sign-On with SAML<\/strong> page, in the SAML Signing Certificate<\/strong> section, select the Download<\/strong> link next to Certificate (Base64)<\/strong> to download the certificate and save it on your computer:
![\"Screenshot](\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/saas-apps\/common\/certificatebase64.png\")
<\/li>- In the Set up FortiGate SSL VPN<\/strong> section, copy the appropriate URL or URLs, based on your requirements:
![\"Screenshot](\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/saas-apps\/common\/copy-configuration-urls.png\")
<\/li><\/ol>\n\n\n\n<\/a>Create an Azure AD test user<\/h4>\n\n\n\nIn this section, you’ll create a test user named B.Simon in the Azure portal.<\/p>\n\n\n\n
- In the left pane of the Azure portal, select Azure Active Directory<\/strong>. Select Users<\/strong>, and then select All users<\/strong>.<\/li>
- Select New user<\/strong> at the top of the screen.<\/li>
- In the User<\/strong> properties, complete these steps:
- In the Name<\/strong> box, enter B.Simon<\/strong>.<\/li>
- In the User name<\/strong> box, enter <username>@<companydomain>.<extension>. For example,
B.Simon@contoso.com<\/code>.<\/li>- Select Show password<\/strong>, and then write down the value that’s displayed in the Password<\/strong> box.<\/li>
- Select Create<\/strong>.<\/li><\/ol><\/li><\/ol>\n\n\n\n
<\/a>Grant access to the test user<\/h4>\n\n\n\nIn this section, you’ll enable B.Simon to use Azure single sign-on by granting that user access to FortiGate SSL VPN.<\/p>\n\n\n\n
- In the Azure portal, select Enterprise applications<\/strong>, and then select All applications<\/strong>.<\/li>
- In the applications list, select FortiGate SSL VPN<\/strong>.<\/li>
- On the app’s overview page, in the Manage<\/strong> section, select Users and groups<\/strong>.<\/li>
- Select Add user<\/strong>, then select Users and groups<\/strong> in the Add Assignment<\/strong> dialog.<\/li>
- In the Users and groups<\/strong> dialog box, select B.Simon<\/strong> in the Users<\/strong> list, and then click the Select<\/strong> button at the bottom of the screen.<\/li>
- If you’re expecting any role value in the SAML assertion, in the Select Role<\/strong> dialog box, select the appropriate role for the user from the list. Click the Select<\/strong> button at the bottom of the screen.<\/li>
- In the Add Assignment<\/strong> dialog box, select Assign<\/strong>.<\/li><\/ol>\n\n\n\n
<\/a>Create a security group for the test user<\/h4>\n\n\n\nIn this section, you’ll create a security group in Azure Active Directory for the test user. FortiGate will use this security group to grant the user network access via the VPN.<\/p>\n\n\n\n
- In the left pane of the Azure portal, select Azure Active Directory<\/strong>. Then select Groups<\/strong>.<\/li>
- Select New group<\/strong> at the top of the screen.<\/li>
- In the New Group<\/strong> properties, complete these steps:
- In the Group type<\/strong> list, select Security<\/strong>.<\/li>
- In the Group name<\/strong> box, enter FortiGateAccess<\/strong>.<\/li>
- In the Group description<\/strong> box, enter Group for granting FortiGate VPN access<\/strong>.<\/li>
- For the Azure AD roles can be assigned to the group (Preview)<\/strong> settings, select No<\/strong>.<\/li>
- In the Membership type<\/strong> box, select Assigned<\/strong>.<\/li>
- Under Members<\/strong>, select No members selected<\/strong>.<\/li>
- In the Users and groups<\/strong> dialog box, select B.Simon<\/strong> from the Users<\/strong> list, and then click the Select<\/strong> button at the bottom of the screen.<\/li>
- Select Create<\/strong>.<\/li><\/ol><\/li>
- After you’re back in the Groups<\/strong> section in Azure Active Directory, find the FortiGate Access<\/strong> group and note the Object Id<\/strong>. You’ll need it later.<\/li><\/ol>\n\n\n\n
<\/a>Configure FortiGate SSL VPN SSO<\/h3>\n\n\n\n<\/a>Upload the Base64 SAML Certificate to the FortiGate appliance<\/h4>\n\n\n\nAfter you completed the SAML configuration of the FortiGate app in your tenant, you downloaded the Base64-encoded SAML certificate. You need to upload this certificate to the FortiGate appliance:<\/p>\n\n\n\n
- Sign in to the management portal of your FortiGate appliance.<\/li>
- In the left pane, select System<\/strong>.<\/li>
- Under System<\/strong>, select Certificates<\/strong>.<\/li>
- Select Import<\/strong> > Remote Certificate<\/strong>.<\/li>
- Browse to the certificate downloaded from the FortiGate app deployment in the Azure tenant, select it, and then select OK<\/strong>.<\/li><\/ol>\n\n\n\n
After the certificate is uploaded, take note of its name under System<\/strong> > Certificates<\/strong> > Remote Certificate<\/strong>. By default, it will be named REMOTE_Cert_N<\/em>, where N<\/em> is an integer value.<\/p>\n\n\n\n<\/a>Complete FortiGate command-line configuration<\/h4>\n\n\n\nAlthough you can configure SSO from the GUI since FortiOS 7.0, the CLI configurations apply to all versions and are therefore shown here.<\/p>\n\n\n\n
To complete these steps, you’ll need the values you recorded earlier:<\/p>\n\n\n\nFortiGate SAML CLI setting<\/th> Equivalent Azure configuration<\/th><\/tr><\/thead> SP entity ID (entity-id<\/code>)<\/td>Identifier (Entity ID)<\/td><\/tr> SP Single Sign-On URL (single-sign-on-url<\/code>)<\/td>Reply URL (Assertion Consumer Service URL)<\/td><\/tr> SP Single Logout URL (single-logout-url<\/code>)<\/td>Logout URL<\/td><\/tr> IdP Entity ID (idp-entity-id<\/code>)<\/td>Azure AD Identifier<\/td><\/tr> IdP Single Sign-On URL (idp-single-sign-on-url<\/code>)<\/td>Azure Login URL<\/td><\/tr> IdP Single Logout URL (idp-single-logout-url<\/code>)<\/td>Azure Logout URL<\/td><\/tr> IdP certificate (idp-cert<\/code>)<\/td>Base64 SAML certificate name (REMOTE_Cert_N)<\/td><\/tr> Username attribute (user-name<\/code>)<\/td>username<\/td><\/tr> Group name attribute (group-name<\/code>)<\/td>group<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Note<\/p>\n\n\n\n
The Sign on URL under Basic SAML Configuration is not used in the FortiGate configurations. It is used to trigger SP-initiated single sign on to redirect the user to the SSL VPN portal page.<\/p>\n\n\n\n
- Establish an SSH session to your FortiGate appliance, and sign in with a FortiGate Administrator account.<\/li>
- Run these commands and substitute the
<values><\/code> with the information that you collected previously:ConsoleCopyconfig user saml edit azure set cert <FortiGate VPN Server Certificate Name> set entity-id < Identifier (Entity ID)Entity ID> set single-sign-on-url < Reply URL Reply URL> set single-logout-url <Logout URL> set idp-entity-id <Azure AD Identifier> set idp-single-sign-on-url <Azure Login URL> set idp-single-logout-url <Azure Logout URL> set idp-cert <Base64 SAML Certificate Name> set user-name username set group-name group next end<\/code><\/li><\/ol>\n\n\n\n
<\/a>Tutorial description<\/h2>\n\n\n\nIn this tutorial, you’ll configure and test Azure AD SSO in a test environment.<\/p>\n\n\n\n
FortiGate SSL VPN supports SP-initiated SSO.<\/p>\n\n\n\n
<\/a>Add FortiGate SSL VPN from the gallery<\/h2>\n\n\n\nTo configure the integration of FortiGate SSL VPN into Azure AD, you need to add FortiGate SSL VPN from the gallery to your list of managed SaaS apps:<\/p>\n\n\n\n
- Sign in to the Azure portal with a work or school account or with a personal Microsoft account.<\/li>
- In the left pane, select Azure Active Directory<\/strong>.<\/li>
- Go to Enterprise applications<\/strong> and then select All Applications<\/strong>.<\/li>
- To add an application, select New application<\/strong>.<\/li>
- In the Add from the gallery<\/strong> section, enter FortiGate SSL VPN<\/strong> in the search box.<\/li>
- Select FortiGate SSL VPN<\/strong> in the results panel and then add the app. Wait a few seconds while the app is added to your tenant.<\/li><\/ol>\n\n\n\n
Alternatively, you can also use the Enterprise App Configuration Wizard<\/a>. In this wizard, you can add an application to your tenant, add users\/groups to the app, assign roles, as well as walk through the SSO configuration as well. Learn more about Microsoft 365 wizards.<\/a><\/p>\n\n\n\nAlternatively, you can also use the Enterprise App Configuration Wizard<\/a>. In this wizard, you can add an application to your tenant, add users\/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards here<\/a>.<\/p>\n\n\n\n<\/a>Configure and test Azure AD SSO for FortiGate SSL VPN<\/h2>\n\n\n\nYou’ll configure and test Azure AD SSO with FortiGate SSL VPN by using a test user named B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the corresponding SAML SSO user group in FortiGate SSL VPN.<\/p>\n\n\n\n
To configure and test Azure AD SSO with FortiGate SSL VPN, you’ll complete these high-level steps:<\/p>\n\n\n\n
- Configure Azure AD SSO<\/a><\/strong> to enable the feature for your users.
- Create an Azure AD test user<\/a><\/strong> to test Azure AD single sign-on.<\/li>
- Grant access to the test user<\/a><\/strong> to enable Azure AD single sign-on for that user.<\/li><\/ol><\/li>
- Configure FortiGate SSL VPN SSO<\/a><\/strong> on the application side.
- Create a FortiGate SAML SSO user group<\/strong> as a counterpart to the Azure AD representation of the user.<\/li><\/ol><\/li>
- Test SSO<\/a><\/strong> to verify that the configuration works.<\/li><\/ol>\n\n\n\n
<\/a>Configure Azure AD SSO<\/h3>\n\n\n\nFollow these steps to enable Azure AD SSO in the Azure portal:<\/p>\n\n\n\n
- In the Azure portal, on the FortiGate SSL VPN<\/strong> application integration page, in the Manage<\/strong> section, select single sign-on<\/strong>.<\/li>
- On the Select a single sign-on method<\/strong> page, select SAML<\/strong>.<\/li>
- On the Set up Single Sign-On with SAML<\/strong> page, select the Edit<\/strong> button for Basic SAML Configuration<\/strong> to edit the settings:<\/li>
- On the Set up Single Sign-On with SAML<\/strong> page, enter the following values:a. In the Identifier<\/strong> box, enter a URL in the pattern
https:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port>\/remote\/saml\/metadata<\/code>.b. In the Reply URL<\/strong> box, enter a URL in the pattern https:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port>\/remote\/saml\/login<\/code>.c. In the Sign on URL<\/strong> box, enter a URL in the pattern https:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port>\/remote\/saml\/login<\/code>.d. In the Logout URL<\/strong> box, enter a URL in the pattern https:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port><FQDN>\/remote\/saml\/logout<\/code>. NoteThese values are just patterns. You need to use the actual Sign on URL<\/strong>, Identifier<\/strong>, Reply URL<\/strong>, and Logout URL<\/strong> that is configured on the FortiGate.<\/li>- The FortiGate SSL VPN application expects SAML assertions in a specific format, which requires you to add custom attribute mappings to the configuration. The following screenshot shows the list of default attributes.<\/li>
- The claims required by FortiGate SSL VPN are shown in the following table. The names of these claims must match the names used in the Perform FortiGate command-line configuration<\/strong> section of this tutorial. Names are case-sensitive.NameSource attributeusernameuser.userprincipalnamegroupuser.groupsTo create these additional claims:a. Next to User Attributes & Claims<\/strong>, select Edit<\/strong>.b. Select Add new claim<\/strong>.c. For Name<\/strong>, enter username<\/strong>.d. For Source attribute<\/strong>, select user.userprincipalname<\/strong>.e. Select Save<\/strong>. NoteUser Attributes & Claims<\/strong> allow only one group claim. To add a group claim, delete the existing group claim user.groups [SecurityGroup]<\/strong> already present in the claims to add the new claim or edit the existing one to All groups<\/strong>.f. Select Add a group claim<\/strong>.g. Select All groups<\/strong>.h. Under Advanced options<\/strong>, select the Customize the name of the group claim<\/strong> check box.i. For Name<\/strong>, enter group<\/strong>.j. Select Save<\/strong>.<\/li>
- On the Set up Single Sign-On with SAML<\/strong> page, in the SAML Signing Certificate<\/strong> section, select the Download<\/strong> link next to Certificate (Base64)<\/strong> to download the certificate and save it on your computer:<\/li>
- In the Set up FortiGate SSL VPN<\/strong> section, copy the appropriate URL or URLs, based on your requirements:<\/li><\/ol>\n\n\n\n
<\/a>Create an Azure AD test user<\/h4>\n\n\n\nIn this section, you’ll create a test user named B.Simon in the Azure portal.<\/p>\n\n\n\n
- In the left pane of the Azure portal, select Azure Active Directory<\/strong>. Select Users<\/strong>, and then select All users<\/strong>.<\/li>
- Select New user<\/strong> at the top of the screen.<\/li>
- In the User<\/strong> properties, complete these steps:
- In the Name<\/strong> box, enter B.Simon<\/strong>.<\/li>
- In the User name<\/strong> box, enter <username>@<companydomain>.<extension>. For example,
B.Simon@contoso.com<\/code>.<\/li>- Select Show password<\/strong>, and then write down the value that’s displayed in the Password<\/strong> box.<\/li>
- Select Create<\/strong>.<\/li><\/ol><\/li><\/ol>\n\n\n\n
<\/a>Grant access to the test user<\/h4>\n\n\n\nIn this section, you’ll enable B.Simon to use Azure single sign-on by granting that user access to FortiGate SSL VPN.<\/p>\n\n\n\n
- In the Azure portal, select Enterprise applications<\/strong>, and then select All applications<\/strong>.<\/li>
- In the applications list, select FortiGate SSL VPN<\/strong>.<\/li>
- On the app’s overview page, in the Manage<\/strong> section, select Users and groups<\/strong>.<\/li>
- Select Add user<\/strong>, then select Users and groups<\/strong> in the Add Assignment<\/strong> dialog.<\/li>
- In the Users and groups<\/strong> dialog box, select B.Simon<\/strong> in the Users<\/strong> list, and then click the Select<\/strong> button at the bottom of the screen.<\/li>
- If you’re expecting any role value in the SAML assertion, in the Select Role<\/strong> dialog box, select the appropriate role for the user from the list. Click the Select<\/strong> button at the bottom of the screen.<\/li>
- In the Add Assignment<\/strong> dialog box, select Assign<\/strong>.<\/li><\/ol>\n\n\n\n
<\/a>Create a security group for the test user<\/h4>\n\n\n\nIn this section, you’ll create a security group in Azure Active Directory for the test user. FortiGate will use this security group to grant the user network access via the VPN.<\/p>\n\n\n\n
- In the left pane of the Azure portal, select Azure Active Directory<\/strong>. Then select Groups<\/strong>.<\/li>
- Select New group<\/strong> at the top of the screen.<\/li>
- In the New Group<\/strong> properties, complete these steps:
- In the Group type<\/strong> list, select Security<\/strong>.<\/li>
- In the Group name<\/strong> box, enter FortiGateAccess<\/strong>.<\/li>
- In the Group description<\/strong> box, enter Group for granting FortiGate VPN access<\/strong>.<\/li>
- For the Azure AD roles can be assigned to the group (Preview)<\/strong> settings, select No<\/strong>.<\/li>
- In the Membership type<\/strong> box, select Assigned<\/strong>.<\/li>
- Under Members<\/strong>, select No members selected<\/strong>.<\/li>
- In the Users and groups<\/strong> dialog box, select B.Simon<\/strong> from the Users<\/strong> list, and then click the Select<\/strong> button at the bottom of the screen.<\/li>
- Select Create<\/strong>.<\/li><\/ol><\/li>
- After you’re back in the Groups<\/strong> section in Azure Active Directory, find the FortiGate Access<\/strong> group and note the Object Id<\/strong>. You’ll need it later.<\/li><\/ol>\n\n\n\n
<\/a>Configure FortiGate SSL VPN SSO<\/h3>\n\n\n\n<\/a>Upload the Base64 SAML Certificate to the FortiGate appliance<\/h4>\n\n\n\nAfter you completed the SAML configuration of the FortiGate app in your tenant, you downloaded the Base64-encoded SAML certificate. You need to upload this certificate to the FortiGate appliance:<\/p>\n\n\n\n
- Sign in to the management portal of your FortiGate appliance.<\/li>
- In the left pane, select System<\/strong>.<\/li>
- Under System<\/strong>, select Certificates<\/strong>.<\/li>
- Select Import<\/strong> > Remote Certificate<\/strong>.<\/li>
- Browse to the certificate downloaded from the FortiGate app deployment in the Azure tenant, select it, and then select OK<\/strong>.<\/li><\/ol>\n\n\n\n
After the certificate is uploaded, take note of its name under System<\/strong> > Certificates<\/strong> > Remote Certificate<\/strong>. By default, it will be named REMOTE_Cert_N<\/em>, where N<\/em> is an integer value.<\/p>\n\n\n\n<\/a>Complete FortiGate command-line configuration<\/h4>\n\n\n\nAlthough you can configure SSO from the GUI since FortiOS 7.0, the CLI configurations apply to all versions and are therefore shown here.<\/p>\n\n\n\n
To complete these steps, you’ll need the values you recorded earlier:<\/p>\n\n\n\nFortiGate SAML CLI setting<\/th> Equivalent Azure configuration<\/th><\/tr><\/thead> SP entity ID (entity-id<\/code>)<\/td>Identifier (Entity ID)<\/td><\/tr> SP Single Sign-On URL (single-sign-on-url<\/code>)<\/td>Reply URL (Assertion Consumer Service URL)<\/td><\/tr> SP Single Logout URL (single-logout-url<\/code>)<\/td>Logout URL<\/td><\/tr> IdP Entity ID (idp-entity-id<\/code>)<\/td>Azure AD Identifier<\/td><\/tr> IdP Single Sign-On URL (idp-single-sign-on-url<\/code>)<\/td>Azure Login URL<\/td><\/tr> IdP Single Logout URL (idp-single-logout-url<\/code>)<\/td>Azure Logout URL<\/td><\/tr> IdP certificate (idp-cert<\/code>)<\/td>Base64 SAML certificate name (REMOTE_Cert_N)<\/td><\/tr> Username attribute (user-name<\/code>)<\/td>username<\/td><\/tr> Group name attribute (group-name<\/code>)<\/td>group<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Note<\/p>\n\n\n\n
The Sign on URL under Basic SAML Configuration is not used in the FortiGate configurations. It is used to trigger SP-initiated single sign on to redirect the user to the SSL VPN portal page.<\/p>\n\n\n\n
- Establish an SSH session to your FortiGate appliance, and sign in with a FortiGate Administrator account.<\/li>
- Run these commands and substitute the
<values><\/code> with the information that you collected previously:ConsoleCopyconfig user saml edit azure set cert <FortiGate VPN Server Certificate Name> set entity-id < Identifier (Entity ID)Entity ID> set single-sign-on-url < Reply URL Reply URL> set single-logout-url <Logout URL> set idp-entity-id <Azure AD Identifier> set idp-single-sign-on-url <Azure Login URL> set idp-single-logout-url <Azure Logout URL> set idp-cert <Base64 SAML Certificate Name> set user-name username set group-name group next end<\/code><\/li><\/ol>\n\n\n\n
To configure the integration of FortiGate SSL VPN into Azure AD, you need to add FortiGate SSL VPN from the gallery to your list of managed SaaS apps:<\/p>\n\n\n\n
- Sign in to the Azure portal with a work or school account or with a personal Microsoft account.<\/li>
- In the left pane, select Azure Active Directory<\/strong>.<\/li>
- Go to Enterprise applications<\/strong> and then select All Applications<\/strong>.<\/li>
- To add an application, select New application<\/strong>.<\/li>
- In the Add from the gallery<\/strong> section, enter FortiGate SSL VPN<\/strong> in the search box.<\/li>
- Select FortiGate SSL VPN<\/strong> in the results panel and then add the app. Wait a few seconds while the app is added to your tenant.<\/li><\/ol>\n\n\n\n
Alternatively, you can also use the Enterprise App Configuration Wizard<\/a>. In this wizard, you can add an application to your tenant, add users\/groups to the app, assign roles, as well as walk through the SSO configuration as well. Learn more about Microsoft 365 wizards.<\/a><\/p>\n\n\n\n
Alternatively, you can also use the Enterprise App Configuration Wizard<\/a>. In this wizard, you can add an application to your tenant, add users\/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards here<\/a>.<\/p>\n\n\n\n
<\/a>Configure and test Azure AD SSO for FortiGate SSL VPN<\/h2>\n\n\n\n
You’ll configure and test Azure AD SSO with FortiGate SSL VPN by using a test user named B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the corresponding SAML SSO user group in FortiGate SSL VPN.<\/p>\n\n\n\n
To configure and test Azure AD SSO with FortiGate SSL VPN, you’ll complete these high-level steps:<\/p>\n\n\n\n
- Configure Azure AD SSO<\/a><\/strong> to enable the feature for your users.
- Create an Azure AD test user<\/a><\/strong> to test Azure AD single sign-on.<\/li>
- Grant access to the test user<\/a><\/strong> to enable Azure AD single sign-on for that user.<\/li><\/ol><\/li>
- Configure FortiGate SSL VPN SSO<\/a><\/strong> on the application side.
- Create a FortiGate SAML SSO user group<\/strong> as a counterpart to the Azure AD representation of the user.<\/li><\/ol><\/li>
- Test SSO<\/a><\/strong> to verify that the configuration works.<\/li><\/ol>\n\n\n\n
<\/a>Configure Azure AD SSO<\/h3>\n\n\n\n
Follow these steps to enable Azure AD SSO in the Azure portal:<\/p>\n\n\n\n
- In the Azure portal, on the FortiGate SSL VPN<\/strong> application integration page, in the Manage<\/strong> section, select single sign-on<\/strong>.<\/li>
- On the Select a single sign-on method<\/strong> page, select SAML<\/strong>.<\/li>
- On the Set up Single Sign-On with SAML<\/strong> page, select the Edit<\/strong> button for Basic SAML Configuration<\/strong> to edit the settings:
<\/li>- On the Set up Single Sign-On with SAML<\/strong> page, enter the following values:a. In the Identifier<\/strong> box, enter a URL in the pattern
https:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port>\/remote\/saml\/metadata<\/code>.b. In the Reply URL<\/strong> box, enter a URL in the patternhttps:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port>\/remote\/saml\/login<\/code>.c. In the Sign on URL<\/strong> box, enter a URL in the patternhttps:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port>\/remote\/saml\/login<\/code>.d. In the Logout URL<\/strong> box, enter a URL in the patternhttps:\/\/<FortiGate IP or FQDN address>:<Custom SSL VPN port><FQDN>\/remote\/saml\/logout<\/code>. NoteThese values are just patterns. You need to use the actual Sign on URL<\/strong>, Identifier<\/strong>, Reply URL<\/strong>, and Logout URL<\/strong> that is configured on the FortiGate.<\/li>- The FortiGate SSL VPN application expects SAML assertions in a specific format, which requires you to add custom attribute mappings to the configuration. The following screenshot shows the list of default attributes.
<\/li>- The claims required by FortiGate SSL VPN are shown in the following table. The names of these claims must match the names used in the Perform FortiGate command-line configuration<\/strong> section of this tutorial. Names are case-sensitive.NameSource attributeusernameuser.userprincipalnamegroupuser.groupsTo create these additional claims:a. Next to User Attributes & Claims<\/strong>, select Edit<\/strong>.b. Select Add new claim<\/strong>.c. For Name<\/strong>, enter username<\/strong>.d. For Source attribute<\/strong>, select user.userprincipalname<\/strong>.e. Select Save<\/strong>. NoteUser Attributes & Claims<\/strong> allow only one group claim. To add a group claim, delete the existing group claim user.groups [SecurityGroup]<\/strong> already present in the claims to add the new claim or edit the existing one to All groups<\/strong>.f. Select Add a group claim<\/strong>.g. Select All groups<\/strong>.h. Under Advanced options<\/strong>, select the Customize the name of the group claim<\/strong> check box.i. For Name<\/strong>, enter group<\/strong>.j. Select Save<\/strong>.<\/li>
- On the Set up Single Sign-On with SAML<\/strong> page, in the SAML Signing Certificate<\/strong> section, select the Download<\/strong> link next to Certificate (Base64)<\/strong> to download the certificate and save it on your computer:
<\/li>- In the Set up FortiGate SSL VPN<\/strong> section, copy the appropriate URL or URLs, based on your requirements:
<\/li><\/ol>\n\n\n\n<\/a>Create an Azure AD test user<\/h4>\n\n\n\n
In this section, you’ll create a test user named B.Simon in the Azure portal.<\/p>\n\n\n\n
- In the left pane of the Azure portal, select Azure Active Directory<\/strong>. Select Users<\/strong>, and then select All users<\/strong>.<\/li>
- Select New user<\/strong> at the top of the screen.<\/li>
- In the User<\/strong> properties, complete these steps:
- In the Name<\/strong> box, enter B.Simon<\/strong>.<\/li>
- In the User name<\/strong> box, enter <username>@<companydomain>.<extension>. For example,
B.Simon@contoso.com<\/code>.<\/li>- Select Show password<\/strong>, and then write down the value that’s displayed in the Password<\/strong> box.<\/li>
- Select Create<\/strong>.<\/li><\/ol><\/li><\/ol>\n\n\n\n
<\/a>Grant access to the test user<\/h4>\n\n\n\n
In this section, you’ll enable B.Simon to use Azure single sign-on by granting that user access to FortiGate SSL VPN.<\/p>\n\n\n\n
- In the Azure portal, select Enterprise applications<\/strong>, and then select All applications<\/strong>.<\/li>
- In the applications list, select FortiGate SSL VPN<\/strong>.<\/li>
- On the app’s overview page, in the Manage<\/strong> section, select Users and groups<\/strong>.<\/li>
- Select Add user<\/strong>, then select Users and groups<\/strong> in the Add Assignment<\/strong> dialog.<\/li>
- In the Users and groups<\/strong> dialog box, select B.Simon<\/strong> in the Users<\/strong> list, and then click the Select<\/strong> button at the bottom of the screen.<\/li>
- If you’re expecting any role value in the SAML assertion, in the Select Role<\/strong> dialog box, select the appropriate role for the user from the list. Click the Select<\/strong> button at the bottom of the screen.<\/li>
- In the Add Assignment<\/strong> dialog box, select Assign<\/strong>.<\/li><\/ol>\n\n\n\n
<\/a>Create a security group for the test user<\/h4>\n\n\n\n
In this section, you’ll create a security group in Azure Active Directory for the test user. FortiGate will use this security group to grant the user network access via the VPN.<\/p>\n\n\n\n
- In the left pane of the Azure portal, select Azure Active Directory<\/strong>. Then select Groups<\/strong>.<\/li>
- Select New group<\/strong> at the top of the screen.<\/li>
- In the New Group<\/strong> properties, complete these steps:
- In the Group type<\/strong> list, select Security<\/strong>.<\/li>
- In the Group name<\/strong> box, enter FortiGateAccess<\/strong>.<\/li>
- In the Group description<\/strong> box, enter Group for granting FortiGate VPN access<\/strong>.<\/li>
- For the Azure AD roles can be assigned to the group (Preview)<\/strong> settings, select No<\/strong>.<\/li>
- In the Membership type<\/strong> box, select Assigned<\/strong>.<\/li>
- Under Members<\/strong>, select No members selected<\/strong>.<\/li>
- In the Users and groups<\/strong> dialog box, select B.Simon<\/strong> from the Users<\/strong> list, and then click the Select<\/strong> button at the bottom of the screen.<\/li>
- Select Create<\/strong>.<\/li><\/ol><\/li>
- After you’re back in the Groups<\/strong> section in Azure Active Directory, find the FortiGate Access<\/strong> group and note the Object Id<\/strong>. You’ll need it later.<\/li><\/ol>\n\n\n\n
<\/a>Configure FortiGate SSL VPN SSO<\/h3>\n\n\n\n
<\/a>Upload the Base64 SAML Certificate to the FortiGate appliance<\/h4>\n\n\n\n
After you completed the SAML configuration of the FortiGate app in your tenant, you downloaded the Base64-encoded SAML certificate. You need to upload this certificate to the FortiGate appliance:<\/p>\n\n\n\n
- Sign in to the management portal of your FortiGate appliance.<\/li>
- In the left pane, select System<\/strong>.<\/li>
- Under System<\/strong>, select Certificates<\/strong>.<\/li>
- Select Import<\/strong> > Remote Certificate<\/strong>.<\/li>
- Browse to the certificate downloaded from the FortiGate app deployment in the Azure tenant, select it, and then select OK<\/strong>.<\/li><\/ol>\n\n\n\n
After the certificate is uploaded, take note of its name under System<\/strong> > Certificates<\/strong> > Remote Certificate<\/strong>. By default, it will be named REMOTE_Cert_N<\/em>, where N<\/em> is an integer value.<\/p>\n\n\n\n
<\/a>Complete FortiGate command-line configuration<\/h4>\n\n\n\n
Although you can configure SSO from the GUI since FortiOS 7.0, the CLI configurations apply to all versions and are therefore shown here.<\/p>\n\n\n\n
To complete these steps, you’ll need the values you recorded earlier:<\/p>\n\n\n\n
FortiGate SAML CLI setting<\/th> Equivalent Azure configuration<\/th><\/tr><\/thead> SP entity ID ( entity-id<\/code>)<\/td>Identifier (Entity ID)<\/td><\/tr> SP Single Sign-On URL ( single-sign-on-url<\/code>)<\/td>Reply URL (Assertion Consumer Service URL)<\/td><\/tr> SP Single Logout URL ( single-logout-url<\/code>)<\/td>Logout URL<\/td><\/tr> IdP Entity ID ( idp-entity-id<\/code>)<\/td>Azure AD Identifier<\/td><\/tr> IdP Single Sign-On URL ( idp-single-sign-on-url<\/code>)<\/td>Azure Login URL<\/td><\/tr> IdP Single Logout URL ( idp-single-logout-url<\/code>)<\/td>Azure Logout URL<\/td><\/tr> IdP certificate ( idp-cert<\/code>)<\/td>Base64 SAML certificate name (REMOTE_Cert_N)<\/td><\/tr> Username attribute ( user-name<\/code>)<\/td>username<\/td><\/tr> Group name attribute ( group-name<\/code>)<\/td>group<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Note<\/p>\n\n\n\n
The Sign on URL under Basic SAML Configuration is not used in the FortiGate configurations. It is used to trigger SP-initiated single sign on to redirect the user to the SSL VPN portal page.<\/p>\n\n\n\n
- Establish an SSH session to your FortiGate appliance, and sign in with a FortiGate Administrator account.<\/li>
- Run these commands and substitute the
<values><\/code> with the information that you collected previously:ConsoleCopyconfig user saml edit azure set cert <FortiGate VPN Server Certificate Name> set entity-id < Identifier (Entity ID)Entity ID> set single-sign-on-url < Reply URL Reply URL> set single-logout-url <Logout URL> set idp-entity-id <Azure AD Identifier> set idp-single-sign-on-url <Azure Login URL> set idp-single-logout-url <Azure Logout URL> set idp-cert <Base64 SAML Certificate Name> set user-name username set group-name group next end<\/code><\/li><\/ol>\n\n\n\n
- Under System<\/strong>, select Certificates<\/strong>.<\/li>
- In the Group name<\/strong> box, enter FortiGateAccess<\/strong>.<\/li>
- Select New group<\/strong> at the top of the screen.<\/li>
- In the applications list, select FortiGate SSL VPN<\/strong>.<\/li>
- In the User name<\/strong> box, enter <username>@<companydomain>.<extension>. For example,
- Select New user<\/strong> at the top of the screen.<\/li>
- On the Select a single sign-on method<\/strong> page, select SAML<\/strong>.<\/li>
- Test SSO<\/a><\/strong> to verify that the configuration works.<\/li><\/ol>\n\n\n\n
- Grant access to the test user<\/a><\/strong> to enable Azure AD single sign-on for that user.<\/li><\/ol><\/li>
- Create an Azure AD test user<\/a><\/strong> to test Azure AD single sign-on.<\/li>
- Go to Enterprise applications<\/strong> and then select All Applications<\/strong>.<\/li>