rickas27
New Member
March 31, 2026
Solved

FortiCloud EMS integration and configuration with Entra ID

  • March 31, 2026
  • 2 replies
  • 352 views

I've followed the instructions in https://docs.fortinet.com/document/forticlient/7.2.0/new-features/792170/entra-id-integration-7-2-1 and ended up creating 2 separate Enterprise Applications where one was used to configure the Client Secret (for the Administration > Authentication Server), and the other was used for the SAML URLs (for User Management > SAML Configuration).

While this works, and I am able to register FortiClients by authenticating against Entra ID, I wonder if I did it correctly.

Could this have been a single Enterprise Application?

Or if not, and they had to be separate, what is the Enterprise Application with the Client Secret used for?

And what is the Enterprise Application with the SAML URLs used for?

Also what is this?

"To configure the Azure tenant app for initiating passthrough (domain):"

Is this an alternative to registering an Entra ID user's endpoint to EMS using SAML (which is my goal)?

Best answer by Jean-Philippe_P


2 replies

Jean-Philippe_P
Staff & Editor
April 3, 2026

Hello rickas27,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
April 6, 2026

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
April 7, 2026

Hello again rickas27,

I found this solution, can you tell us if it helps, please?

FortiCloud EMS Integration with Entra ID

Based on the context provided and your description, it seems you have successfully integrated FortiClient EMS with Entra ID using two separate enterprise applications. Let's break down the components and their purposes:

Single vs. Multiple Enterprise Applications

  1. Single Enterprise Application: Typically, a single enterprise application can be used for both client secret configuration and SAML URL configuration. However, depending on the specific requirements and configurations of your environment, separating them might be necessary for security or organizational reasons.

  2. Multiple Enterprise Applications:

    • Client Secret Application: This application is used for configuring the client secret, which is essential for authentication purposes. It allows FortiClient EMS to authenticate against Entra ID securely.
    • SAML URLs Application: This application is used for configuring SAML URLs, which are crucial for setting up Single Sign-On (SSO) capabilities. It enables users to authenticate via SAML when accessing FortiClient EMS.

Purpose of Each Enterprise Application

  • Enterprise Application with Client Secret: This application is primarily used for authentication server configuration. It allows FortiClient EMS to authenticate users by validating the client secret against Entra ID.

  • Enterprise Application with SAML URLs: This application is used for user management and SAML configuration. It facilitates SSO by providing the necessary SAML endpoints for authentication and authorization processes.

Passthrough (Domain) Configuration

  • Azure Tenant App for Passthrough: This configuration is typically used for scenarios where direct passthrough authentication is required. It might serve as an alternative to registering an Entra ID user's endpoint to EMS using SAML, depending on your specific use case and requirements.

Follow-ups and Clarification Questions

  1. Single vs. Multiple Applications: Could you clarify if there are specific organizational or security policies that necessitate the use of separate applications?

  2. Passthrough Configuration: Are you considering passthrough as an alternative due to specific limitations or requirements in your current SAML setup?

  3. Documentation Reference: Have you reviewed the latest Fortinet documentation to ensure all configurations align with best practices?

If you have further questions or need additional clarification, feel free to ask!

Jean-Philippe - Fortinet Community Team
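Since the job of the SAML enterprise application is to hand EMS the IdP entity ID, sign-on URL and signing certificate (User Management > SAML Configuration), a practical sanity check is to compare what was typed into EMS with the federation metadata the Entra tenant actually publishes, so a typo, a wrong tenant, or a certificate copied from the other application is caught before users hit a failed SSO. The script below is an added example written for this thread, not code from Fortinet or from either poster; the EMS field names (`idp_entity_id`, `idp_sso_url`, `idp_cert_sha256`, `sp_acs_url`), the tenant ID, the certificate blob and the ACS URL are constructed placeholders.

```python
"""Check the SAML values entered in EMS against Entra ID federation metadata.

Added example, not from the thread or from Fortinet. The EMS field names are
hypothetical labels for the values in User Management > SAML Configuration;
the tenant id, certificate and ACS URL are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape Entra ID publishes at its federation metadata URL:
# placeholder tenant id and a fake base64 blob standing in for the signing certificate.
TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder tenant id
FAKE_CERT_B64 = base64.b64encode(b"constructed-fake-certificate-bytes").decode()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes of a base64 certificate, lowercase hex."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out what EMS needs from IdP metadata: entity ID, SSO/SLO URL per
    binding, and fingerprints of every signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def by_binding(tag: str) -> dict:
        return {el.get("Binding"): el.get("Location") for el in idp.findall(f"md:{tag}", NS)}

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint(cert.text or ""))
    return {
        "entity_id": root.get("entityID"),
        "sso": by_binding("SingleSignOnService"),
        "slo": by_binding("SingleLogoutService"),
        "signing_cert_sha256": fingerprints,
    }


def check_ems_saml_config(ems: dict, idp: dict) -> list:
    """Compare the EMS SAML settings with parsed IdP metadata.
    Returns a list of findings; an empty list means everything lines up."""
    findings = []
    if ems["idp_entity_id"] != idp["entity_id"]:
        findings.append(f"IdP entity ID: EMS has {ems['idp_entity_id']}, metadata says {idp['entity_id']}")
    expected_sso = idp["sso"].get(REDIRECT) or idp["sso"].get(POST)
    if ems["idp_sso_url"] != expected_sso:
        findings.append(f"IdP SSO URL: EMS has {ems['idp_sso_url']}, metadata says {expected_sso}")
    if ems["idp_cert_sha256"].lower() not in idp["signing_cert_sha256"]:
        findings.append("IdP signing certificate in EMS matches none in metadata (rotated, or copied from the other app?)")
    for field in ("idp_sso_url", "sp_acs_url"):
        if not ems[field].startswith("https://"):
            findings.append(f"{field} is not HTTPS: {ems[field]}")
    return findings


SAMPLE_EMS_CONFIG = {  # constructed; keys are hypothetical labels for the EMS form fields
    "idp_entity_id": f"https://sts.windows.net/{TENANT}/",
    "idp_sso_url": f"https://login.microsoftonline.com/{TENANT}/saml2",
    "idp_cert_sha256": cert_fingerprint(FAKE_CERT_B64),
    "sp_acs_url": "https://ems.example.invalid/saml/acs",  # placeholder EMS ACS URL
}

if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    for line in check_ems_saml_config(SAMPLE_EMS_CONFIG, idp) or ["OK: EMS SAML settings match the IdP metadata"]:
        print(line)
```

In a real run you would replace `SAMPLE_METADATA` with the XML downloaded from the tenant's federation metadata URL and `SAMPLE_EMS_CONFIG` with the values shown in the EMS SAML page. The certificate comparison by fingerprint is the part that matters most operationally: Entra rotates or lets you roll the signing certificate per enterprise application, so a certificate taken from the client-secret application, or from before a rotation, will pass a visual check yet fail signature validation.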
rickas27 (Author)
New Member
April 7, 2026

Thanks for the response. This mostly answers my questions.

1. No, there is no requirement necessitating whether the applications can be separate or together. It was merely a question for efficiency. However, since it works as separate applications, I will leave it as such.

2. I'm still unsure what this is for. I'm guessing it's when a user is already logged into an endpoint (e.g. Windows login) with the same credentials that the SAML SSO would authenticate against, so instead of asking to authenticate again, the user will already be authenticated.

3. I've reviewed whatever documentation I could find on the topic. Please share any specific documentation you are referring to.

Jean-Philippe_P
Staff & Editor
April 8, 2026

Glad that it could help!

Here are some more answers:

Clarification and Follow-Up

  1. Separate vs. Combined Applications: It's common to separate applications for different functionalities, such as client secret management and SAML configuration, to enhance security and manageability. If your current setup works efficiently, maintaining separate applications is a valid approach.

  2. Passthrough Authentication: Your understanding is correct. Passthrough authentication typically allows users who are already authenticated on their endpoint (e.g., Windows login) to access other services without re-authenticating. This leverages the existing session to streamline user experience and reduce redundant authentication prompts.

Follow-Ups and Clarification Questions

  • Efficiency Considerations: Are there specific efficiency concerns you have with maintaining separate applications?
  • Passthrough Authentication: Are you looking to implement passthrough authentication, or is it more of a conceptual understanding you're seeking?
  • Documentation Needs: Is there a particular aspect of the integration or configuration you need more detailed documentation on?

Jean-Philippe - Fortinet Community Team