damianhlozano
Explorer II
December 5, 2025
Question

Firewall policies using Entra ID users

  • December 5, 2025
  • 5 replies
  • 958 views

Hello team!!


In one of our FortiGates I need to create different security profiles based on the Entra ID user.

I am trying to follow this, but I have many doubts:

https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/33053/outbound-firewall-authentication-with-microsoft-entra-id-as-a-saml-idp

This FortiGate runs 7.6.4.


In the first explanation, the second point says:

"The FortiGate redirects to the local captive portal port (default is 1003), then redirects the user to the SAML IdP."

Does this mean that the user must enter his Entra ID credentials to browse?

Is there a way to use passive authentication?


Based on the response, I will probably need to ask more questions.


Thanks in advance.

Regards,

Damián


5 replies

AEK
SuperUser
December 5, 2025

Hi Damian

I haven't tried it before so I may be wrong, but I guess since it is SAML, it is SSO, so it can be passive authentication in case the user has already authenticated with the IdP before.

AEK
damianhlozano
Explorer II
December 7, 2025

Thank you AEK!


In this case, should the user used to log on to Windows be the Entra ID user?

Should the computer be joined to the domain?

Does anyone know?


Thanks

Regards,

Damián

yderek
Staff
December 7, 2025

@damianhlozano From my understanding, the first time the user opens the browser trying to visit some site, they need to authenticate themselves using SAML, and since it's SSO, that does not require them to authenticate again after that for web activity.

damianhlozano
Explorer II
December 7, 2025

Thank you yderek!!


Does anyone know what happens if a user restarts his computer? Does he need to log in again?

Is there a timeout?


Thanks 

Regards,

Damián

AEK
SuperUser
December 7, 2025

Hi Damian

I'm not a Windows expert, but after some research it seems there is SAML-based Windows login with Entra ID.

https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune

In that case, in theory, yes, it is possible to use SSO as you are requesting.

And in this case, yes, the device needs to be Entra joined.

And regarding the timeout, know that SAML has a login timeout, so when the session is idle (no traffic) for some time (depending on configuration) the SAML session expires and you are redirected to the authentication page.

As per my experience with SAML, as long as the session hasn't expired you can reboot the host and the SAML session remains active.

As said before, most of the info above is not from experience but from research and deduction, unless mentioned otherwise.

AEK
Jasongao
New Member
December 8, 2025

Hi

Yes, we have the same problem. I set up the SAML auth with Entra ID and it doesn't work. The vendor told me that this feature is under development and recommended that we use FSSO.

damianhlozano
Explorer II
December 9, 2025

Hi!!!

Is there a way to make this work using an external connector without FortiAuthenticator?

In many places we have FortiGate connecting to local AD with an external connector and we can see all users on the FortiGate dashboards; with SSO I think there is no way to check which users are connected to the FortiGate.


If not, I will need to test all this before deploying.


Regards,

Damián