amalsky
Staff
May 29, 2026

Technical Tip: Deploy FortiGate-VM with Microsoft Entra ID SAML IPsec VPN on Microsoft Azure using a single PowerShell automation script


Description

This article describes how to deploy a FortiGate-VM on Microsoft Azure and automatically configure Microsoft Entra ID SAML authentication for IPsec VPN, using a single PowerShell automation script.

Scope

FortiOS v7.4 and v7.6.

Solution

This automation script was designed to work with the official Fortinet Terraform deployment available on GitHub:

Fortinet/fortigate-terraform-deploy


The official Fortinet Terraform project deploys a single FortiGate-VM PAYG (Pay-As-You-Go) instance on Microsoft Azure.


The provided PowerShell automation script extends the standard Terraform deployment by automatically configuring a complete Microsoft Entra ID SAML authentication lab for FortiGate IPsec VPN testing.


The script automates both the Azure side and the FortiGate side of the configuration, including:

  • Deploys the FortiGate-VM using Terraform.

  • Configures Azure Network Security Group rules.

  • Creates Microsoft Entra ID Enterprise Applications.

  • Configures SAML settings automatically.

  • Creates and assigns Microsoft Entra ID groups.

  • Downloads and imports the Microsoft Entra ID signing certificate.

  • Configures FortiGate SAML settings.

  • Applies the required firewall policies.


The script was validated using FortiOS v7.4.9 on Microsoft Azure.


The following components must be installed before running the script:

  • PowerShell v5.x or PowerShell v7.x.

  • Azure CLI.

  • Terraform.


Clone the Official Fortinet Terraform Repository:


git clone https://github.com/fortinet/fortigate-terraform-deploy.git


Navigate to the deployment folder:

cd fortigate-terraform-deploy\azure\7.4\single


Copy the PowerShell automation script into this folder.

Log in to Azure: az login --use-device-code.

Create the Configuration File.

Create mylab.psd1 with the following content:

@{
    SubscriptionId = "<subscription-id>"
    TenantId       = "<tenant-id>"
    TestUserUPN    = "vpnuser@tenant.onmicrosoft.com"
}


The script validates the environment automatically before execution.

Example validation section:

$azv = az version --only-show-errors 2>$null | ConvertFrom-Json

if (-not $azv) {
    throw "Azure CLI not found."
}


The script supports the following execution modes.

Default deployment:

.\runfgtsamllabfullv2.ps1


Keep the environment running after deployment:

.\runfgtsamllabfullv2.ps1 -NoDestroy


Skip Terraform deployment and configure only Azure and FortiGate settings:

.\runfgtsamllabfullv2.ps1 -SkipTerraform
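The following is an added example, not the article's script: the front matter of a lab runner that implements the execution modes and environment validation described above. The file name mylab.psd1 and the Terraform output names FGTPublicIP, Username and Password are taken from the article; the parameter names, the login logic and the teardown behaviour are assumptions made for illustration.

```powershell
# Added example (not the article's script). Assumes mylab.psd1 from the article and the
# Terraform outputs FGTPublicIP / Username / Password; everything else is illustrative.
[CmdletBinding()]
param(
    [string]$ConfigFile = '.\mylab.psd1',
    [switch]$NoDestroy,        # keep the environment after the run
    [switch]$SkipTerraform     # reuse an existing deployment, configure Azure/FortiGate only
)

# Runs on Windows PowerShell 5.1 and PowerShell 7; refuse anything older
if ($PSVersionTable.PSVersion.Major -lt 5) { throw 'PowerShell 5.1 or 7.x is required.' }

# A .psd1 is parsed as data and never executed, so Import-PowerShellDataFile is the safe loader
$cfg = Import-PowerShellDataFile -Path $ConfigFile
foreach ($key in 'SubscriptionId', 'TenantId', 'TestUserUPN') {
    if ([string]::IsNullOrWhiteSpace($cfg[$key])) { throw "Missing '$key' in $ConfigFile." }
}

# Tool checks: Azure CLI (JSON from 'az version') and Terraform on PATH
$azv = az version --only-show-errors 2>$null | ConvertFrom-Json
if (-not $azv) { throw 'Azure CLI not found.' }
if (-not (Get-Command terraform -ErrorAction SilentlyContinue)) { throw 'Terraform not found.' }

# Log in only if the session is not already on the lab tenant, then pin the subscription
$acct = az account show --only-show-errors 2>$null | ConvertFrom-Json
if (-not $acct -or $acct.tenantId -ne $cfg.TenantId) {
    az login --use-device-code --tenant $cfg.TenantId | Out-Null
}
az account set --subscription $cfg.SubscriptionId
if ($LASTEXITCODE -ne 0) { throw "Cannot select subscription $($cfg.SubscriptionId)." }

try {
    if (-not $SkipTerraform) {
        terraform init -upgrade
        terraform apply -auto-approve
        if ($LASTEXITCODE -ne 0) { throw 'terraform apply failed.' }
    }
    # The deployment outputs drive everything that follows (SAML URLs, NSG rules, FortiGate login)
    $lab = [ordered]@{
        FGTPublicIP = terraform output -raw FGTPublicIP
        FgtUsername = terraform output -raw Username
        FgtPassword = terraform output -raw Password
    }
    if (-not $lab.FGTPublicIP) { throw 'Terraform output FGTPublicIP is empty.' }
    Write-Host "FortiGate reachable at https://$($lab.FGTPublicIP) as $($lab.FgtUsername)"
    # Azure (NSG, Entra ID) and FortiGate configuration steps follow here
}
finally {
    # Default mode tears the lab down; -NoDestroy keeps it; -SkipTerraform never owned it
    if (-not $NoDestroy -and -not $SkipTerraform) { terraform destroy -auto-approve }
}
```

The teardown sits in a finally block so that a failed Entra ID or FortiGate step does not leave a PAYG instance running unless -NoDestroy was requested. The admin password is kept in memory only; nothing in this skeleton writes it to disk.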


The following variables must be customized before execution:

  • $TerraformPath.

  • $SubscriptionId.

  • $TenantId.

  • $ResourceGroup.

  • $AppName.

  • $VpnGroupName.

  • $TestUserUPN.

  • $PSK.


The script automatically deploys FortiGate VM using Terraform.

Terraform deployment section:

terraform init -upgrade

terraform apply -auto-approve


After deployment, the script automatically retrieves the FortiGate public IP address and the administrator credentials from the Terraform outputs:

$FGTPublicUrl = terraform output -raw FGTPublicIP

$FgtUsername = terraform output -raw Username

$FgtPassword = terraform output -raw Password


The script automatically creates the inbound Azure Network Security Group rules required for IKE, NAT-T and the SAML callback:

UDP/500

UDP/4500

TCP/10428


Example:

EnsureNsgRule "AllowIKEUDP500" 100 Udp 500

EnsureNsgRule "AllowIPSECUDP4500" 101 Udp 4500

EnsureNsgRule "AllowSAMLTCP10428" 110 Tcp 10428
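An added example of an idempotent NSG rule helper; this is not the article's EnsureNsgRule, only one way to implement the same behaviour. It assumes $ResourceGroup holds the Terraform resource group and that the deployment created exactly one NSG, which is looked up rather than hard-coded. The -SourcePrefix default of '*' is a lab setting.

```powershell
# Added example (not the article's EnsureNsgRule). Assumes $ResourceGroup is set and the
# Terraform deployment created one NSG in it.
function Ensure-NsgRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Priority,
        [Parameter(Mandatory)][ValidateSet('Udp', 'Tcp')][string]$Protocol,
        [Parameter(Mandatory)][int]$Port,
        [string]$SourcePrefix = '*'   # lab default; restrict to the client network outside a lab
    )
    $nsg = az network nsg list -g $ResourceGroup --query '[0].name' -o tsv
    if (-not $nsg) { throw "No NSG found in resource group $ResourceGroup." }

    # Arguments shared by create and update; array splatting passes them to the native command
    $common = @('-g', $ResourceGroup, '--nsg-name', $nsg, '-n', $Name,
                '--direction', 'Inbound', '--access', 'Allow', '--protocol', $Protocol,
                '--source-address-prefixes', $SourcePrefix, '--destination-port-ranges', $Port,
                '--only-show-errors', '-o', 'none')
    $exists = az network nsg rule show -g $ResourceGroup --nsg-name $nsg -n $Name --only-show-errors 2>$null
    if ($exists) {
        # Reconcile an existing rule instead of failing with "already exists" on a re-run
        az network nsg rule update @common
    } else {
        az network nsg rule create @common --priority $Priority
    }
    if ($LASTEXITCODE -ne 0) { throw "NSG rule $Name could not be applied." }
}

# IKE (UDP/500), NAT-T (UDP/4500) and the SAML callback port that the client's browser is
# redirected to after Microsoft Entra ID authentication (TCP/10428). All three must be
# reachable from the VPN client, not only from inside Azure.
Ensure-NsgRule -Name 'AllowIKEUDP500'    -Priority 100 -Protocol Udp -Port 500
Ensure-NsgRule -Name 'AllowIPSECUDP4500' -Priority 101 -Protocol Udp -Port 4500
Ensure-NsgRule -Name 'AllowSAMLTCP10428' -Priority 110 -Protocol Tcp -Port 10428

# Check: list what is actually in place before testing the tunnel
$nsgName = az network nsg list -g $ResourceGroup --query '[0].name' -o tsv
az network nsg rule list -g $ResourceGroup --nsg-name $nsgName `
    --query "[?starts_with(name,'Allow')].{name:name,prio:priority,proto:protocol,port:destinationPortRange,src:sourceAddressPrefix}" -o table
```

The SAML callback rule is the one most often forgotten: the IKE exchange succeeds on UDP/500 and 4500, the browser window opens, and the login then fails because the IdP's POST back to https://<FGT>:10428/remote/saml/login never reaches the FortiGate.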


It automatically creates the Microsoft Entra ID security group used for SAML authentication.

Example:

$VpnGroupName = "IPSEC_VPN_USERS_LAB"


The test user is automatically added to the VPN group:

az ad group member add --group $VpnGroupId --member-id $UserId


The script automatically creates the Microsoft Entra ID Enterprise Application and configures the SAML URLs.

Example:

$EntityId = "https://${FGTPublicIP}:10428/remote/saml/metadata"

$ReplyUrl = "https://${FGTPublicIP}:10428/remote/saml/login"

$LogoutUrl = "https://${FGTPublicIP}:10428/remote/saml/logout"


It also configures the Microsoft Entra ID application to emit security group object IDs inside the SAML assertion:

groupMembershipClaims = "SecurityGroup"


One of the most important fixes implemented in the script is configuring the correct Microsoft Entra ID groups claim URI as the FortiGate SAML group attribute name.

Microsoft Entra ID sends group information inside the SAML assertion as an attribute with the following name:

$AzureGroupsClaimUri = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


If the FortiGate's default placeholder value is used instead:

group


the FortiGate cannot find the group attribute inside the SAML response, so no group can be matched.


This causes the following authentication failure during EAP processing:

handle_req-Failed SAML cache group matching.


EAP failed for the user.

The script sets the correct URI automatically, which prevents this failure and allows the group object IDs sent by Microsoft Entra ID to match the FortiGate user group configuration.
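An added example of the Microsoft Entra ID side, covering the group, the Enterprise Application, the SAML URLs, the groups claim, the group assignment and the signing certificate discussed above. It is not the article's script. It uses the Azure CLI and, where az has no native command, Microsoft Graph through az rest (servicePrincipals/{id}/appRoleAssignedTo and servicePrincipals/{id}/addTokenSigningCertificate). The inputs $AppName, $VpnGroupName, $TestUserUPN, $FGTPublicIP and $SamlPort are assumed to be set; Invoke-Graph is a helper written for this example.

```powershell
# Added example (not the article's script). Assumed inputs: $AppName, $VpnGroupName,
# $TestUserUPN, $FGTPublicIP, $SamlPort. Invoke-Graph is a helper defined here.
$EntityId  = "https://${FGTPublicIP}:${SamlPort}/remote/saml/metadata"
$ReplyUrl  = "https://${FGTPublicIP}:${SamlPort}/remote/saml/login"
$LogoutUrl = "https://${FGTPublicIP}:${SamlPort}/remote/saml/logout"
$graph = 'https://graph.microsoft.com/v1.0'

function Invoke-Graph([string]$Method, [string]$Path, [hashtable]$Body) {
    # JSON goes through a temp file: avoids PowerShell-to-native quoting problems on 5.1
    $azArgs = @('--method', $Method, '--uri', "$graph/$Path", '--only-show-errors')
    $tmp = $null
    if ($Body) {
        $tmp = [IO.Path]::GetTempFileName()
        $Body | ConvertTo-Json -Compress | Set-Content -Path $tmp -Encoding ascii
        $azArgs += '--headers', 'Content-Type=application/json', '--body', "@$tmp"
    }
    try { az rest @azArgs | ConvertFrom-Json }
    finally { if ($tmp) { Remove-Item $tmp -ErrorAction SilentlyContinue } }
}

# 1. Security group and test user membership (both idempotent)
$VpnGroupId = az ad group list --display-name $VpnGroupName --query '[0].id' -o tsv
if (-not $VpnGroupId) {
    $VpnGroupId = az ad group create --display-name $VpnGroupName --mail-nickname $VpnGroupName --query id -o tsv
}
$UserId = az ad user show --id $TestUserUPN --query id -o tsv
if ((az ad group member check --group $VpnGroupId --member-id $UserId --query value -o tsv) -ne 'true') {
    az ad group member add --group $VpnGroupId --member-id $UserId
}

# 2. App registration: identifier URI = FortiGate entity ID, reply URL = ACS URL, and the
#    groups claim set to security group object IDs. --identifier-uris / --web-redirect-uris
#    replace the stored lists, which clears values left over from an earlier public IP.
$AppId = az ad app list --display-name $AppName --query '[0].appId' -o tsv
if (-not $AppId) { $AppId = az ad app create --display-name $AppName --query appId -o tsv }
az ad app update --id $AppId --identifier-uris $EntityId --web-redirect-uris $ReplyUrl `
    --set groupMembershipClaims=SecurityGroup --only-show-errors

# 3. Service principal (the Enterprise Application) in SAML mode, limited to assigned users
$SpId = az ad sp list --filter "appId eq '$AppId'" --query '[0].id' -o tsv
if (-not $SpId) { $SpId = az ad sp create --id $AppId --query id -o tsv }
az ad sp update --id $SpId --set preferredSingleSignOnMode=saml --set appRoleAssignmentRequired=true `
    --set "logoutUrl=$LogoutUrl" --only-show-errors

# 4. Assign the VPN group to the application (default role = all-zero appRoleId) if missing
$assigned = (Invoke-Graph GET "servicePrincipals/$SpId/appRoleAssignedTo").value |
    Where-Object principalId -eq $VpnGroupId
if (-not $assigned) {
    Invoke-Graph POST "servicePrincipals/$SpId/appRoleAssignedTo" @{
        principalId = $VpnGroupId; resourceId = $SpId; appRoleId = '00000000-0000-0000-0000-000000000000'
    } | Out-Null
}

# 5. Token-signing certificate: create, make it the preferred key, save as PEM for the FortiGate
$cert = Invoke-Graph POST "servicePrincipals/$SpId/addTokenSigningCertificate" @{
    displayName = "CN=$AppName"; endDateTime = (Get-Date).AddYears(1).ToUniversalTime().ToString('o')
}
az ad sp update --id $SpId --set "preferredTokenSigningKeyThumbprint=$($cert.thumbprint)" --only-show-errors
$b64 = ($cert.key -replace '(.{64})', "`$1`n").TrimEnd()
Set-Content -Path .\entra-saml-signing.pem -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"

$TenantId = az account show --query tenantId -o tsv
Write-Host "IdP entity ID : https://sts.windows.net/$TenantId/"
Write-Host "IdP SSO/SLO   : https://login.microsoftonline.com/$TenantId/saml2"
```

Two things to check after running it: the group object ID printed by az ad group list is the value the FortiGate user group must match on, and the app's identifier URI must equal the FortiGate entity ID byte for byte (scheme, IP, port and path). If the tenant's application management policy restricts identifier URIs to verified domains, the az ad app update call is rejected and the restriction has to be relaxed for this app first.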


Lastly, configure a dedicated SAML callback port:

$SamlPort = 10428


On the FortiGate, this is applied automatically:

config system global

set auth-ike-saml-port 10428

end


Using a dedicated SAML callback port helps avoid conflicts with:

  • SSL VPN services.

  • HTTPS administrative access.

  • SAML authentication redirection handling.


The FortiGate SAML server object is created (only the attribute-name settings are shown here; the entity ID, SSO/SLO URLs and IdP certificate are filled in from the values created in Microsoft Entra ID):

Example:

config user saml
    edit "azuresaml"
        set user-name "username"
        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    next
end


Phase1 configuration is created:

config vpn ipsec phase1-interface
    edit "TEST_IPSEC"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 20 21 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "SAML_IPSEC_VPN"
        set transport udp
        set ipv4-start-ip 172.16.100.10
        set ipv4-end-ip 172.16.100.100
        set dns-mode auto
        set ipv4-split-include "FCT_SPLIT"
        set save-password enable
        set psksecret ENC passwordmask
    next
end

 

The script then generates the phase2-interface configuration, the associated firewall policy and the address object for the automatically assigned IP pool in the following range:

$PoolStart = "172.16.100.10"

$PoolEnd = "172.16.100.100"


The generated FortiGate address object:

config firewall address
    edit "IPSec_Tunnel_Pool"
        set type iprange
        set start-ip 172.16.100.10
        set end-ip 172.16.100.100
    next
end
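An added example that assembles the complete FortiGate side of this lab (global SAML port, SAML server, user group with group matching, address object, phase1, phase2 and policy) as one CLI script rendered from the same variables, then pushes it over SSH. This is not the article's script. It assumes $FGTPublicIP, $FgtUsername, $SamlPort, $PSK, $PoolStart, $PoolEnd, $TenantId, $VpnGroupId (the Entra ID group object ID) and $IdpCertName (the name under which the Entra ID signing certificate was imported as a remote certificate) are set; port2 as the internal interface and the policy name are assumptions. The Entra ID entity ID and login URL follow the standard https://sts.windows.net/<tenant-id>/ and https://login.microsoftonline.com/<tenant-id>/saml2 forms.

```powershell
# Added example (not the article's script). Assumed: $FGTPublicIP, $FgtUsername, $SamlPort,
# $PSK, $PoolStart, $PoolEnd, $TenantId, $VpnGroupId (Entra group object ID), $IdpCertName
# (imported Entra signing certificate). port2 as internal interface is an assumption.
$IdpEntityId = "https://sts.windows.net/$TenantId/"
$IdpSsoUrl   = "https://login.microsoftonline.com/$TenantId/saml2"

$fgtConfig = @"
config system global
    set auth-ike-saml-port $SamlPort
end
config user saml
    edit "azuresaml"
        set cert "Fortinet_Factory"
        set entity-id "https://${FGTPublicIP}:${SamlPort}/remote/saml/metadata"
        set single-sign-on-url "https://${FGTPublicIP}:${SamlPort}/remote/saml/login"
        set single-logout-url "https://${FGTPublicIP}:${SamlPort}/remote/saml/logout"
        set idp-entity-id "$IdpEntityId"
        set idp-single-sign-on-url "$IdpSsoUrl"
        set idp-single-logout-url "$IdpSsoUrl"
        set idp-cert "$IdpCertName"
        set user-name "username"
        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    next
end
config user group
    edit "SAML_IPSEC_VPN"
        set member "azuresaml"
        config match
            edit 1
                set server-name "azuresaml"
                set group-name "$VpnGroupId"
            next
        end
    next
end
config firewall address
    edit "IPSec_Tunnel_Pool"
        set type iprange
        set start-ip $PoolStart
        set end-ip $PoolEnd
    next
end
config vpn ipsec phase1-interface
    edit "TEST_IPSEC"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 20 21 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "SAML_IPSEC_VPN"
        set transport udp
        set ipv4-start-ip $PoolStart
        set ipv4-end-ip $PoolEnd
        set dns-mode auto
        set psksecret $PSK
    next
end
config vpn ipsec phase2-interface
    edit "TEST_IPSEC"
        set phase1name "TEST_IPSEC"
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 20 21 14
    next
end
config firewall policy
    edit 0
        set name "IPsec_SAML_to_internal"
        set srcintf "TEST_IPSEC"
        set dstintf "port2"
        set srcaddr "IPSec_Tunnel_Pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SAML_IPSEC_VPN"
    next
end
"@

$scriptPath = Join-Path $PWD 'fgt-saml-lab.conf'
Set-Content -Path $scriptPath -Value $fgtConfig -Encoding ascii
# FortiOS accepts CLI commands on stdin; ssh prompts for the admin password on the console
Get-Content $scriptPath | ssh -o StrictHostKeyChecking=accept-new "$FgtUsername@$FGTPublicIP"
```

The config match entry is where the "Failed SAML cache group matching" error is decided: the FortiGate compares the values of the attribute named by group-name in the SAML server object against the group-name in the user group's match entry, so the match value must be the Entra ID group object ID, not its display name. The username claim must also be emitted by Entra ID under that exact name (for example mapped to user.userprincipalname in the application's claims configuration); the Azure CLI steps do not add it.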


The script also detects and corrects the following common problems automatically:

  • Incorrect SAML group name attribute.

  • Missing Azure Network Security Group rules.

  • Incorrect SAML callback port.

  • Incorrect Entity ID.

  • Stale identifier URI values in Microsoft Entra ID.

  • Missing security group membership claims.

  • PowerShell version compatibility issues.


Additional notes:

  • Use a standalone FortiClient during testing.

  • FortiClient endpoints managed by FortiClient EMS may override local SAML settings.

  • Store the script securely.

  • Replace all example passwords and pre-shared keys before deployment.

  • The script was designed for lab automation and validation workflows.

  • The script can be downloaded from the following repository: fortigate-azure-saml-lab.