Technical Tip: FortiPAM SAML authentication with Azure as IdP
Description
This article describes how to configure SAML authentication using Azure as IdP.
Scope
FortiPAM.
Solution
SAML authentication has been available since FortiPAM 1.0.
This document focuses on SAML authentication with Microsoft Azure as the SAML IdP.
Additionally, multiple groups can be used to authenticate users in FortiPAM.
Configuration steps for the Microsoft Azure SAML application.
Note.
This configuration assumes users and groups are already created in Azure.
- 'Create your own application' in Azure and define a name for it:
Figure 1. Create your own application Azure
- Once the application is deployed, assign the users and groups created before as desired:
Figure 2. Adding user/groups
- Configure the Single Sign On URLs for the newly created SAML application.
Figure 3. Basic SAML Configuration
- Configure the Attributes & Claims for the newly created SAML application.
When editing Attributes & Claims, make sure that the username claim is set to the value 'user.userprincipalname' and the group claim is set to the value 'user.groups'.
The claim names themselves must match the 'user-name' and 'group-name' attributes/claims configured on the FortiPAM Single Sign-On server.
Figure 4. Creating Attributes & Claims
Note.
Claim names are case-sensitive.
- Username claim details.
Figure 5. Username claim details
- Group claim details.
Figure 6. Group claim attribute
- Download the certificate in Base64 format to be imported later on to FortiPAM.
Figure 7. Download IdP certificate
Configuration steps in FortiPAM.
- Import the IdP certificate downloaded in the previous step (Figure 7).
Go to System -> Certificates -> Create/Import -> Remote Certificate.
Figure 8. Import IdP certificate on FortiPAM
- Create a new Single Sign-On server matching the IdP settings configured previously in Azure.
Figure 9. Create SSO in FortiPAM
- Enable SAML authentication on FortiPAM:
config system global
set saml-authentication enable
end
- Create a remote SAML group on FortiPAM.
Go to User Management -> User Groups -> Create.
Figure 10. Creating SAML group in FortiPAM
- Create a SAML user on FortiPAM.
Go to User Management -> User Lists -> Create.
Note: Enable 'Force SAML login' for the new users created.
Figure 11. Create SAML user
- Results from authentication.
Figure 12. User authenticated
Troubleshooting debug commands on FortiPAM CLI:
diagnose debug console timestamp enable
diagnose debug app samld -1
diagnose wad debug enable category auth
diagnose debug app fnbamd -1
diagnose debug enable
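When the samld debug output shows the assertion arriving but the login or group match still fails, the usual cause is a claim-name mismatch between Azure and the FortiPAM SSO server (the names are case-sensitive). The following helper is an added example, not Fortinet code: it reads the AttributeStatement of a decoded SAML assertion and compares the claim names the IdP sent against the 'user-name' and 'group-name' values assumed to be configured on FortiPAM. The sample assertion, the claim names "username" and "Group", and the group "PAM-Admins" are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, trimmed to the AttributeStatement of a decoded SAML
# response. Claim names are whatever was set on the Azure Attributes & Claims
# screen; here assumed to be "username" and "Group".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>PAM-Admins</saml:AttributeValue>
      <saml:AttributeValue>PAM-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_claims(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values
    return claims

def _find(claims, wanted):
    """Exact match first; otherwise report a case-only mismatch, the usual cause."""
    if wanted in claims:
        return wanted, None
    near = [n for n in claims if n.lower() == wanted.lower()]
    if near:
        return None, f"claim '{wanted}' not found; IdP sent '{near[0]}' (case mismatch)"
    return None, f"claim '{wanted}' not found; IdP sent {sorted(claims)}"

def check_claims(claims, user_name_attr, group_name_attr, allowed_groups):
    """Check the names set as user-name/group-name on the FortiPAM SSO server
    (assumed values) against what the IdP actually sent. Empty list means OK."""
    problems = []
    user_key, err = _find(claims, user_name_attr)
    if err:
        problems.append(err)
    group_key, err = _find(claims, group_name_attr)
    if err:
        problems.append(err)
    elif not set(claims[group_key]) & set(allowed_groups):
        problems.append(f"none of {claims[group_key]} matches a FortiPAM SAML group")
    return problems
```

Feed it the assertion copied from the samld debug output after base64-decoding it; a "case mismatch" entry points directly at the claim name to correct on either side.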
