Description
This article describes how to configure SAML SSO for administrator login with Azure AD acting as SAML IdP.
Solution
- Go to FortiManager -> System Settings -> SAML SSO, select 'Service Provider (SP)' as the single sign-on mode.
- SP Address will be automatically populated. This will be the FortiManager/FortiAnalyzer IP address or Fully Qualified Domain Name (FQDN).
- Go to the Azure single sign-on with SAML setup page.
- Copy and paste the SP details from the FortiManager/FortiAnalyzer GUI into Azure (Step 1. Basic SAML Configuration), mapping the fields as follows:

| FortiManager / FortiAnalyzer GUI | Azure |
| --- | --- |
| SP entity ID | Identifier (Entity ID) |
| SP ACS (login) URL | Reply URL (Assertion Consumer Service URL) |
| SP SLS (logout) URL | Logout URL |
- Fill in 'Relay State' on Azure (Step 1. Basic SAML Configuration) using a URL with the following format:
https://<IP address or FQDN>:<port number>/p/sso_sp/
- On Azure (Step 2. User Attributes & Claims), add a new claim with the details below.
Name: username.
Namespace: leave blank.
Source: Attribute.
Source attribute: user.userprincipalname.
The IdP (Azure AD) must send the 'username' assertion attribute; Azure AD does not send an attribute with this name by default, so without this claim the SSO login cannot be matched to a FortiManager/FortiAnalyzer administrator.
- Select the Save button to add this new claim. The other unused claims can be deleted. Select the close button in the top right to return.
- On Azure (Step 3. Set up fortigate-saml-sso), download the Azure AD SAML certificate in Base64 format.
- On FortiManager SAML SSO -> IdP Settings -> IdP Type, select 'Custom'. Import the Azure AD SAML certificate as the IdP Certificate. Copy and paste the details from Azure (Step 4. Set up fortigate-saml-sso) as follows:

| Azure | FortiManager / FortiAnalyzer GUI |
| --- | --- |
| Azure AD Identifier | IdP Entity ID |
| Login URL | IdP Login URL |
| Logout URL | IdP Logout URL |

NOTE: Since FortiManager/FortiAnalyzer do not sign the logout request, using the 'Logout URL' copied from the Azure application page may cause an error during logout.
- Select 'Apply' on the FortiManager / FortiAnalyzer GUI after completion.
- Go to System Settings -> Admin -> Administrators and create a new administrator with the details below.
User Name: username on Azure AD.
Admin Type: SSO.
New Password: leave blank.
Confirm Password: leave blank.
Admin Profile: any admin profile.
- It is now possible to log in through SAML authentication by selecting the 'Login via Single Sign-On' button.
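If the SSO login fails after these steps, the usual cause is that the assertion Azure AD sends does not carry the 'username' attribute, or carries it with a value that does not match any SSO administrator. The following added example (not part of the original article or of any Fortinet tool) decodes a SAMLResponse as captured from a browser SAML trace and reports those two checks plus the Audience; the SP entity ID, the administrator name and the sample responses are constructed placeholders, and signature verification is left to FortiManager/FortiAnalyzer with the imported IdP certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed values: the SP entity ID shown in the FortiManager GUI and the SSO admins created there.
SP_ENTITY_ID = "https://fmg.example.com/metadata/"
SSO_ADMINS = {"alice@example.com"}
AZURE_DEFAULT_NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def build_response(attribute_name, value="alice@example.com"):
    """Constructed sample: a minimal, unsigned SAML response with one attribute,
    base64-encoded like the SAMLResponse form field seen in a browser SAML trace."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:Subject><saml:NameID>{value}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{attribute_name}">
      <saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_assertion(saml_response_b64, expected_audience=SP_ENTITY_ID, admins=SSO_ADMINS):
    """Report whether the assertion carries the 'username' attribute FortiManager
    requires, whether its Audience is this SP, and whether the value maps to an
    SSO administrator. Signature validation is left to FortiManager (IdP certificate)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response contains no Assertion")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    sent = [a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)]
    node = assertion.find(".//saml:Attribute[@Name='username']/saml:AttributeValue", NS)
    username = node.text.strip() if node is not None and node.text else None
    return {"has_username_claim": username is not None, "username": username,
            "attributes_sent": sent, "audience_ok": expected_audience in audiences,
            "admin_exists": username in admins}


if __name__ == "__main__":
    # Default Azure claim set has no 'username' attribute -> FortiManager login fails.
    print(check_assertion(build_response(AZURE_DEFAULT_NAME_CLAIM)))
    # After adding the 'username' claim (source attribute user.userprincipalname).
    print(check_assertion(build_response("username")))
```

To check a real login, replace the constructed sample with the SAMLResponse value from the browser trace and compare the reported username with the 'User Name' of the SSO administrator created above.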