idavidsonukdn
New Member
November 16, 2023
Question

FortiSASE LDAPS integration with Azure AAD


Hi, I am attempting to configure our FortiSASE solution to talk with the Microsoft Azure/Entra LDAPS service so it can look up users and groups. We already have SSO working between FortiSASE and Entra.

We have a private PKI solution in play.

I have set up the Microsoft Entra Domain Services LDAPS service and can connect and browse using LDP.exe and self-signed certificates as per the Microsoft documentation.

How do I get FortiSASE to talk to the Microsoft Entra Domain Services LDAPS service? I am unable to use the self-signed certs described in the Microsoft documentation, even as a test!

And as I cannot install (or figure out how to install) our private PKI root CA and SubCA into Entra, I can't use that either.

All advice welcome on this one!

#fortisase

2 replies

pvalente
Staff
November 17, 2023

Hi David,

Is "Searching user groups from Entra ID SSO" the configuration you're trying to achieve?

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/aa1ee3b9-4750-11ee-8e6d-fa163e15d75b/FortiSASE-Administration_Guide.pdf (pp. 126-127)

https://learn.microsoft.com/en-us/entra/identity/domain-services/tutorial-configure-ldaps

For this configuration, perhaps it would be better to open a case for follow-up and a review of the configuration on both sides, FortiSASE and Azure Entra ID.

idavidsonukdn
New Member
November 17, 2023

Hi Pedro,

We have SSO working for user authentication using Entra AAD.

Profile – the endpoint profile needs to be matched against an LDAP server (https://docs.fortinet.com/document/fortisase/latest/administration-guide/209451/profile) and will not pick this info up from a SAML authentication request.

ZTNA Tagging – the same goes for tagging objects: these need to be populated with an LDAP query and not a SAML auth request (https://docs.fortinet.com/document/fortisase/latest/administration-guide/442107/tagging-rule-types).

From what I gather after many hours of playing with this, FortiSASE cannot use the Entra LDAP service. Happy for someone to prove me wrong :)

Ian
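The trust question underneath this thread is the same one any LDAPS client has to answer: does the certificate the Entra Domain Services endpoint presents chain to a CA the client already trusts? The script below is an added example, not code from the thread, from Fortinet or from Microsoft. It builds a throwaway private PKI of the shape the original poster describes (root CA, issuing sub CA, LDAPS server certificate) with the openssl CLI, then runs the chain check a client performs, once for the properly issued server certificate and once for a self-signed test certificate of the kind the Microsoft tutorial uses. Every name and the hostname `ldaps.example.test` are constructed placeholders; it assumes openssl 1.1.1 or newer is installed.

```shell
#!/bin/sh
# Added example (not from the forum thread or vendor docs): build a throwaway
# private PKI (root CA -> issuing sub CA -> LDAPS server certificate) and check
# whether a server certificate chains to the trusted root. This is the trust
# decision an LDAPS client makes when it connects to an Entra DS endpoint.
# Requires the openssl CLI (1.1.1 or newer). All names below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LDAPS_HOST="ldaps.example.test"   # placeholder, not a real Entra DS hostname

# Generate root CA, sub CA, a server cert signed by the sub CA, and a
# self-signed server cert for comparison. Runs in a subshell so the cd is local.
make_pki() (
    cd "$WORK"
    # Root CA: self-signed. "req -x509" marks it CA:TRUE with the default config.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Private Root CA" \
        -keyout root.key -out root.crt 2>/dev/null
    # Issuing sub CA: CSR signed by the root, pathlen 0 so it can only issue leaves.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Private Issuing CA" -keyout sub.key -out sub.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile sub.ext -out sub.crt 2>/dev/null
    # LDAPS server cert: the SAN must match the hostname the client connects to.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$LDAPS_HOST" -keyout server.key -out server.csr 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$LDAPS_HOST" > server.ext
    openssl x509 -req -in server.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 30 -sha256 -extfile server.ext -out server.crt 2>/dev/null
    # Trust bundle the client needs: the private root plus the intermediate.
    cat root.crt sub.crt > ca-bundle.pem
    # Self-signed server cert, the kind used for a quick LDAPS test; it chains to nothing.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$LDAPS_HOST" -addext "subjectAltName=DNS:$LDAPS_HOST" \
        -keyout selfsigned.key -out selfsigned.crt 2>/dev/null
)

# verify_chain CERT CAFILE: prints "ok" when CERT chains to a CA in CAFILE and
# its SAN matches LDAPS_HOST, otherwise "fail". Exit status mirrors the result.
verify_chain() {
    if openssl verify -CAfile "$2" -verify_hostname "$LDAPS_HOST" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
        return 1
    fi
}

make_pki
verify_chain "$WORK/server.crt" "$WORK/ca-bundle.pem" || true      # ok: chains to the private root
verify_chain "$WORK/selfsigned.crt" "$WORK/ca-bundle.pem" || true  # fail: self-signed, no trusted issuer
verify_chain "$WORK/selfsigned.crt" "$WORK/selfsigned.crt" || true # ok only when the client is told to trust that exact cert
```

The three results map onto the thread: a self-signed certificate only verifies if the client is given that exact certificate as a trust anchor, while a certificate issued by a private PKI verifies as soon as the client trusts the private root (the sub CA is normally sent by the server during the TLS handshake). Against a live endpoint the equivalent check is `openssl s_client -connect <host>:636 -CAfile ca-bundle.pem -verify_hostname <host>`, which prints the chain the server actually presents and a "Verify return code"; if that fails with your root bundle, the endpoint is not presenting a certificate from your PKI, and no client-side configuration will make it trusted.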