Help
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
ckarwei
Staff
Staff

Created on ‎09-23-2021 02:37 AM Edited on ‎02-12-2025 10:00 PM By Community Manager

Article Id 198324

Technical Tip: FortiManager/FortiAnalyzer configuring SAML SSO login with Azure AD

Description


This article describes how to configure SAML SSO for administrator login with Azure AD acting as SAML IdP in FortiManager or FortiAnalyzer.

Solution

 

  1. Go to FortiManager/FortiAnalyzer -> System Settings -> SAML SSO, select 'Service Provider (SP)' as the single sign-on mode.
  2. SP Address will be automatically populated. This will be the FortiManager/FortiAnalyzer IP address or Fully Qualified Domain Name (FQDN).
  3. Go to the Azure single sign-on with SAML setup page.
  4. Copy and paste the SP details on FortiManager/FortiAnalyzer GUI to Azure (Step 1. Basic SAML Configuration).

 

FortiManager / FortiAnalyzer GUI Azure
SP entity ID Identifier (Entity ID)
SP ACS (login) URL Reply URL (Assertion Consumer Service URL)
SP SLS (logout) URL Logout URL

 

  1. Fill in 'Relay State' on Azure (Step 1. Basic SAML Configuration) using URL with the following format: https://<IP address or FQDN>:<port number>/p/sso_sp/

 

  
  1. On Azure (Step 2. User Attributes & Claims), add a new claim with the details below.

Name: username.
Namespace: leave blank.
Source: Attribute.
Source attribute: user.userprincipalname.

The IdP (Azure AD) must send the 'username' assertion attribute. Azure AD does not send an attribute with this name by default.
 
 
Refer to documentation for other attributes that can be used: SAML admin authentication.
 
  1. Select the Save button to add this new claim. The other unused claims can be deleted. Select the close button in top right to return.
  1. On Azure (Step 3. Set up fortigate-saml-sso), download Azure AD SAML certificate in Base64 format.
  1. On FortiManager SAML SSO -> IdP Settings -> IdP Type, select 'Custom'. Import the Azure AD SAML certificate as IdP Certificate. Copy and paste the details from Azure (Step 4. Set up fortigate-saml-sso) accordingly.
     
Azure FortiManager / FortiAnalzyer GUI
Azure AD Identifier IdP Entity ID
Login URL IdP Login URL
Logout URL IdP Logout URL
 
Note:
Since FortiManager/FortiAnalyzer do not sign the logout request, using the 'Logout URL' copied from the Azure application page may cause an error during logout:
 
iyotov_0-1659610322509.png

 

Instead, use the following IdP Logout URL in the FortiManager/FortiAnalyzer configuration:
https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

 

  1. Select 'Apply' on the FortiManager / FortiAnalyzer GUI after completion.
  1. Go to System Settings -> Admin -> Administrators and create a new administrator with the details below.
 
User Name: username on Azure AD.
Admin Type: SSO.
New Password: leave blank.
Confirm Password: leave blank.
Admin Profile: any admin profile.
  1. It is now possible to log in through SAML authentication by selecting the 'Login via Single Sign-On' button.
24901
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.