Description
This article describes how to configure SAML SSO for administrator login with Azure AD acting as SAML IdP.
Solution
1) Go to FortiManager -> System Settings -> SAML SSO, select 'Service Provider (SP)' as the single sign-on mode.
2) SP Address will be auto populate. This will be the FortiManager/FortiAnalyzer IP address or Fully Qualified Domain Name (FQDN).
3) Go to Azure single sign-on with SAML setup page.
4) Copy and paste the SP details on FortiManager/FortiAnalyzer GUI to Azure (Step 1. Basic SAML Configuration).
| FortiManager / FortiAnalyzer GUI | Azure |
| SP entity ID | Identifier (Entity ID) |
| SP ACS (login) URL | Reply URL (Assertion Consumer Service URL) |
| SP SLS (logout) URL | Logout URL |
5) Fill in 'Relay State' on Azure (Step 1. Basic SAML Configuration) using URL with the following format.:
https://<IP address or FQDN>:<port number>/p/sso_sp/
6) On Azure (Step 2. User Attributes & Claims), add a new claim with the details below.
Name: username.
Namespace: leave blank.
Source: Attribute.
Source attribute: user.userprincipalname.
The IdP (Azure AD) must send the 'username' assertion attribute.
Name: username.
Namespace: leave blank.
Source: Attribute.
Source attribute: user.userprincipalname.
The IdP (Azure AD) must send the 'username' assertion attribute.
Azure AD does not send an attribute with this name by default.
7) Select the Save button to add this new claim. The other unused claims can be deleted. Select the close button in top right to return.
8) On Azure (Step 3. Set up fortigate-saml-sso), download Azure AD SAML certificate in Base64 format.
9) On FortiManager SAML SSO -> IdP Settings -> IdP Type, select 'Custom'. Import the Azure AD SAML certificate as IdP Certificate. Copy and paste the details from Azure (Step 4. Set up fortigate-saml-sso) accordingly.
8) On Azure (Step 3. Set up fortigate-saml-sso), download Azure AD SAML certificate in Base64 format.
9) On FortiManager SAML SSO -> IdP Settings -> IdP Type, select 'Custom'. Import the Azure AD SAML certificate as IdP Certificate. Copy and paste the details from Azure (Step 4. Set up fortigate-saml-sso) accordingly.
| Azure | FortiManager / FortiAnalzyer GUI |
| Azure AD Identifier | IdP Entity ID |
| Login URL | IdP Login URL |
| Logout URL | IdP Logout URL |
NOTE: Since FortiManager/FortiAnalyzer do not sign the logout request, using the "Logout URL" copied from the Azure application page may cause an error during logout:
Instead, you may use the following IdP Logout URL in the FortiManager/FortiAnalyzer configuration:
https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
10) Select 'Apply' on FortiManager / FortiAnalyzer GUI after complete.
11) Go to System Settings -> Admin -> Administrators and create a new administrator with the details below.
User Name: username on Azure AD.
admin Type: SSO.
New Password: leave blank.
Confirm Password: leave blank.
Admin Profile: any admin profile.
12) It is now possible to login through SAML authentication by select 'Login via Single Sign-On' button.
User Name: username on Azure AD.
admin Type: SSO.
New Password: leave blank.
Confirm Password: leave blank.
Admin Profile: any admin profile.
12) It is now possible to login through SAML authentication by select 'Login via Single Sign-On' button.
