Configuring SAML SSO Login for FortiGate Administrators with Entra ID
This article explains how to set up administrator login on FortiGate using the SAML standard for authentication and authorization.
To configure SAML Single Sign-On (SSO) login for FortiGate administrators using Microsoft Entra ID (formerly Azure Active Directory) as the SAML Identity Provider (IdP), follow these comprehensive steps:
Step 1: Prepare Your Environment
Before starting the configuration, ensure you have the following prerequisites:
- A FortiGate device with administrative access.
- An active Microsoft Entra ID tenant.
- Basic knowledge of SAML and how it works.
Step 2: Configure Microsoft Entra ID as a SAML IdP
- Log into Microsoft Entra Admin Center:
  - Navigate to the Microsoft Entra Admin Center.
  - Use your administrator credentials to log in.
- Register a New Application:
  - Go to Enterprise applications > New application.
  - Select Create your own application, give it a name (e.g., “FortiGate”), and choose “Integrate any other application you don’t find in the gallery”.
- Set Up Single Sign-On:
  - In the newly created application, go to the Single sign-on section.
  - Choose the SAML option.
- Basic SAML Configuration:
  - Fill out the required fields:
    - Identifier (Entity ID): This should be a unique identifier for your FortiGate instance, e.g., https:///saml.
    - Reply URL (Assertion Consumer Service URL): This is where Entra ID will send its authentication response. It typically looks like https:///remote/saml/acs.
  - Leave other fields at their default values unless specific configurations are needed.
- User Attributes & Claims:
  - Ensure that you configure user attributes correctly. Common claims include:
    - NameID: Typically set to user email or UPN.
  - Additional claims can be added based on your requirements.
- Download Federation Metadata XML:
  - After saving your settings, download the Federation Metadata XML file from this page. You will need this later for configuring FortiGate.
Step 3: Configure FortiGate for SAML Authentication
- Access FortiGate Admin Interface:
  - Log into your FortiGate device using an admin account.
- Create a New User Group for SSO Users:
  - Navigate to User & Device > User Groups.
  - Click on Create New, name it appropriately (e.g., “SAML_Admins”), and add users who will authenticate via SSO.
- Configure Authentication Method:
  - Go to User & Device > Authentication > SAML.
  - Click on Create New.
- Fill in SAML Settings:
  - Set up the following parameters based on information from your Entra ID configuration:
    - Name: A descriptive name for this configuration (e.g., “Entra_SSO”).
    - Entity ID: Use the same Entity ID configured in Entra ID.
    - SSO URL: This is usually found in the downloaded metadata file; it’s where FortiGate will send authentication requests.
    - Upload or copy-paste relevant certificates from the metadata file if necessary.
- Configure User Group Mapping:
  - Under User Groups, select the group you created earlier (“SAML_Admins”) so that users in this group can authenticate through SSO.
- Set Up Administrative Access Using SSO:
  - Go to System > Admin Profiles.
  - Create or edit an existing profile and enable “SAML” under “Authentication Method”.
- Assign Profile to Administrators:
  - Assign this profile to administrators who should use SSO by navigating to System > Administrators, selecting an admin account, and changing their profile accordingly.
Step 4: Testing Your Configuration
- Open a web browser and navigate to your FortiGate login page.
- You should see an option for logging in via SSO.
- Click on it, which should redirect you to Microsoft Entra ID for authentication.
- Enter valid credentials; upon successful authentication, you should be redirected back to FortiGate with administrative access.
Step 5: Troubleshooting Common Issues
- If users cannot log in, check logs both on FortiGate (Log & Report) and within Microsoft Entra ID (Sign-ins) for any errors related to authentication attempts.
- Ensure that all URLs are correctly configured without typos.
- Verify that user accounts exist in both systems and are properly mapped with correct claims.
By following these detailed steps, you can successfully configure SAML-based Single Sign-On login for administrators on a FortiGate device using Microsoft Entra ID as your Identity Provider.