J_J
Explorer
January 7, 2026
Solved

FortiEMS cloud invite authentication via SAML/Entra

  • January 7, 2026
  • 2 replies
  • 457 views

I have an on-prem AD synced to Entra; my EMS Cloud is connected and the Entra domain is imported. I have configured SAML so that when the client is pushed to my contractors, who are on non-domain-joined devices, they will be prompted for credentials before connecting to EMS. The SAML redirect is occurring, but I am receiving an "invalid response" error after the attempted login. Any ideas?


EMS client packager version 7.4 patch 7.4.5

2 replies

mpapisetty
Staff
January 8, 2026

Hi @J_J ,

This is most likely due to a certificate verification issue. Check this post to see if it helps - https://community.fortinet.com/t5/Support-Forum/Getting-SAML-error-with-FortiClient-EMS-Cloud/m-p/311154

J_J (Author)
Explorer
January 8, 2026

EMS Cloud is connected to the Entra domain; there is no specific ADFS host. The certificate is the one generated by the custom application made for the SSO SAML on the Azure side... Am I missing something?

J_J (Author)
Explorer
January 8, 2026

I have verified the federation status: it was already disabled, and no domain was associated with it before.


J_J (Author, Best answer)
Explorer
January 9, 2026

This specific issue for me was resolved by copying out the X.509 certificate used in the SAML trace to create a new cert that I uploaded to EMS. For whatever reason, it was using a different cert to sign than the one generated at the time of creating the Azure app.

NEW ISSUE: EMS Cloud is only seeing the username from the SAML response, and domain users fall through a test policy where the entire Entra domain is attached for users to hit, and land in the default.
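As an added example (not code from this thread, from Fortinet or from Microsoft), here is the check behind the accepted answer: take the base64 SAMLResponse captured in a SAML trace, fingerprint the X.509 certificate carried in its ds:Signature, compare it with the IdP certificate currently uploaded on the SP side (EMS), and export the certificate the IdP actually signed with as PEM so it can be uploaded instead. The SAML Response and the DER byte strings are constructed placeholders, not real certificates; with a real trace the DER comes from the captured response.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Digital Signature namespace

def signing_certs(saml_response_b64: str) -> list:
    """DER of every X509Certificate in a ds:Signature of the base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    certs = []
    for sig in root.iter(DS + "Signature"):  # Response and Assertion may each be signed
        for node in sig.iter(DS + "X509Certificate"):
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()  # SHA-256 over raw DER, as consoles show it

def pem_from_der(der: bytes) -> str:
    """Wrap DER as PEM so it can be uploaded as the IdP certificate on the SP."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def der_from_pem(pem: str) -> bytes:
    lines = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))

def check_signing_cert(saml_response_b64: str, configured_pem: str) -> dict:
    """Compare the cert the IdP really signed with against the one the SP holds."""
    expected = fingerprint(der_from_pem(configured_pem))
    certs = signing_certs(saml_response_b64)
    seen = [fingerprint(c) for c in certs]
    export = pem_from_der(certs[0]) if certs else ""  # PEM to upload on mismatch
    return {"expected": expected, "seen": seen, "match": expected in seen, "export": export}

def build_sample_response(der: bytes) -> str:
    """Constructed minimal SAML Response (placeholder signature) carrying `der` in KeyInfo."""
    cert_b64 = base64.b64encode(der).decode("ascii")
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
           '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>'
           '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>' + cert_b64 +
           '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
           '</samlp:Response>')
    return base64.b64encode(xml.encode()).decode("ascii")  # as the HTTP-POST binding sends it

# Constructed placeholders standing in for DER certificates (not real X.509 data).
IDP_ACTUAL_DER = b"constructed-der-of-cert-actually-used-to-sign"
APP_CREATION_DER = b"constructed-der-of-cert-generated-at-app-creation"
```

A mismatch here (the cert in the trace differing from the one generated at app creation) is the condition the accepted answer describes; the exported PEM is what gets uploaded to EMS in its place.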