Authentication for RA VPN when using FortiClientEMS and SAML SSO
We just received licensing for FortiClientEMS, and I'm not following the documentation for setting this up.
1. The request to build the FortiClientEMS server has been sent, but it will be a few days before it's ready. I don't have the ability to test anything on the server at the moment.
2. We want to use Entra ID for the SAML SSO authentication. Do I need to configure SAML SSO on the FortiGate or on the FortiClientEMS server? The admin guide states: "Communication between EMS AD connector and AD servers: Enables synchronization of AD groups and users with EMS for endpoint management, policy enforcement, and SAML-based authentication." This occurs over TCP-8871, so I'm confused about whether the FortiGate or the FortiClientEMS server authenticates the user. However, on all our FortiGates that are configured to use SAML SSO for administration, this is configured on the FortiGates.
3. The FortiClientEMS documentation shows TCP-389/636 for LDAP to the AD servers. We do have on-prem AD servers, but all remote clients (such as what will be used for this VPN) are joined via Entra ID. Do we need to open up the LDAP ports?
4. Are there any good/useful YouTube videos for this? I've not found a useful one yet.
Thanks - Allyn
