UdaM
Explorer III
April 27, 2025
Solved

FortiSASE ZTNA Shortcuts config with SAML Authentication

  • April 27, 2025
  • 2 replies
  • 1049 views

Trying to configure ZTNA Shortcuts on a SASE endpoint already integrated with Entra ID. Need clarification.

config user saml
    edit "saml_ztna"
        set cert "Fortinet_CA_SSL"
        set entity-id "https://fgt9.myqalab.local:7831/samlap"
        set single-sign-on-url "https://fgt9.myqalab.local:7831/XX/YY/ZZ/saml/login/"
        set single-logout-url "https://fgt9.myqalab.local:7831/XX/YY/ZZ/saml/logout/"
        set idp-entity-id "http://MYQALAB.LOCAL/adfs/services/trust"
        set idp-single-sign-on-url "https://myqalab.local/adfs/ls"
        set idp-single-logout-url "https://myqalab.local/adfs/ls"
        set idp-cert "REMOTE_Cert_4"
        set digest-method sha256
        set adfs-claim enable
        set user-claim-type upn
        set group-claim-type group-sid
    next
end

The entity-id, single-sign-on and single-logout URLs are from SASE, and the IdP URLs are from the SAML authenticator (in my case it's Entra ID).

I followed the guidelines below:

 

https://docs.fortinet.com/document/fortisase/latest/spa-using-ztna-deployment-guide/976373/configuring-authentication-on-the-fortigate-access-proxy

ZTNA proxy access with SAML authentication example

2 replies

sjoshi
Staff
April 27, 2025

Hi UdaM,

As per your notes, you are trying to set up a ZTNA access proxy using the hub FGT with SAML auth, using SASE for EMS.
What IdP are you using? Azure or FAC?
The URLs that you configure for idp-single-sign-on-url & idp-single-logout-url should exactly match what is present on the IdP side.

Thanks, Salon
UdaM (Author)
Explorer III
April 27, 2025

Hi @sjoshi,

Thank you for your reply.

My IdP is Azure. What about the entity-id, single-sign-on and single-logout URLs: are they from SASE or the FG hub?

sjoshi (Answer)
Staff
April 28, 2025

Hi,

In the case of ZTNA, the SAML info must be validated between the hub FGT and the Azure IdP.

Here SASE is just for EMS, to sync tags between the FCT endpoint and the FGT.

Thanks, Salon
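The two points made in this thread (the SP-side entity-id/SSO/SLO URLs belong to the hub FortiGate access proxy, and the idp-* URLs must match the IdP side exactly) are easy to get wrong by copying a docs example. The following is an added example, not Fortinet's code and not part of this thread: a small Python audit that parses a `config user saml` block as pasted above and reports mismatches against the hub hostname and the values taken from the IdP's federation metadata. The IdP metadata dictionaries are constructed for illustration; in practice the values come from the IdP's metadata document.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the CLI block as posted in the thread (SP = hub FGT, IdP = ADFS-style URLs).
SAMPLE_CONFIG = '''
config user saml
    edit "saml_ztna"
        set cert "Fortinet_CA_SSL"
        set entity-id "https://fgt9.myqalab.local:7831/samlap"
        set single-sign-on-url "https://fgt9.myqalab.local:7831/XX/YY/ZZ/saml/login/"
        set single-logout-url "https://fgt9.myqalab.local:7831/XX/YY/ZZ/saml/logout/"
        set idp-entity-id "http://MYQALAB.LOCAL/adfs/services/trust"
        set idp-single-sign-on-url "https://myqalab.local/adfs/ls"
        set idp-single-logout-url "https://myqalab.local/adfs/ls"
        set idp-cert "REMOTE_Cert_4"
        set digest-method sha256
        set adfs-claim enable
        set user-claim-type upn
        set group-claim-type group-sid
    next
end
'''

# Constructed IdP metadata: one set that matches the config, one with a trailing-slash drift
# (a typical copy/paste error the "must match exactly" advice in the thread is about).
IDP_METADATA_OK = {
    "entity_id": "http://MYQALAB.LOCAL/adfs/services/trust",
    "sso_url": "https://myqalab.local/adfs/ls",
    "slo_url": "https://myqalab.local/adfs/ls",
}
IDP_METADATA_MISMATCH = {
    "entity_id": "http://MYQALAB.LOCAL/adfs/services/trust",
    "sso_url": "https://myqalab.local/adfs/ls/",   # trailing slash differs
    "slo_url": "https://myqalab.local/adfs/ls",
}

SP_KEYS = ("entity-id", "single-sign-on-url", "single-logout-url")
IDP_KEYS = {
    "idp-entity-id": "entity_id",
    "idp-single-sign-on-url": "sso_url",
    "idp-single-logout-url": "slo_url",
}


def parse_user_saml(cli_text):
    """Parse a FortiOS `config user saml` block into {entry_name: {setting: value}}."""
    entries, current = {}, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line in ("next", "end"):
            current = None
            continue
        m = re.match(r'^set (\S+) (.+)$', line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip().strip('"')
    return entries


def check_saml_entry(entry, hub_host, idp_metadata):
    """Return a list of findings (empty list means the entry is consistent).

    hub_host: hostname of the hub FortiGate that terminates the ZTNA access proxy.
    idp_metadata: entity_id / sso_url / slo_url as published by the IdP.
    """
    findings = []
    # SP-side URLs must point at the hub FGT, not at the SASE portal or a docs hostname.
    for key in SP_KEYS:
        host = urlparse(entry.get(key, "")).hostname
        if host != hub_host:
            findings.append(f"{key}: host {host!r} is not the hub FortiGate {hub_host!r}")
    # IdP-side values are compared byte-for-byte; scheme, case and trailing slashes all count.
    for key, mkey in IDP_KEYS.items():
        if entry.get(key) != idp_metadata[mkey]:
            findings.append(f"{key}: {entry.get(key)!r} != IdP metadata {idp_metadata[mkey]!r}")
    if entry.get("digest-method") != "sha256":
        findings.append("digest-method: expected sha256")
    if not entry.get("idp-cert"):
        findings.append("idp-cert: no IdP signing certificate referenced")
    return findings


def audit(cli_text, hub_host, idp_metadata):
    """Audit every entry in the block; returns {entry_name: [findings]}."""
    return {name: check_saml_entry(e, hub_host, idp_metadata)
            for name, e in parse_user_saml(cli_text).items()}


if __name__ == "__main__":
    for label, meta in (("matching IdP metadata", IDP_METADATA_OK),
                        ("drifted IdP metadata", IDP_METADATA_MISMATCH)):
        print(f"== {label} ==")
        for name, findings in audit(SAMPLE_CONFIG, "fgt9.myqalab.local", meta).items():
            print(name, "OK" if not findings else "")
            for f in findings:
                print("  -", f)
```

Run it against a block copied from `show user saml` on the hub FortiGate, passing the hub's hostname and the three values from the IdP metadata; any finding on the idp-* keys is the exact-match problem the reply above describes, and a finding on the SP keys means the SP-side URLs were taken from the wrong device.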