FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
ocara
Staff
Article Id 386666
Description

This article describes the steps required to configure a SAML Remote Authentication Server. The configuration process includes all necessary actions on both Azure/Entra ID and FortiTrust-ID.

Scope

FortiTrust-ID.

Solution

The following section shows the steps required to configure a SAML Remote Authentication Server on FortiTrust-ID. The configuration is divided into two main parts: the first is performed on Azure/Entra ID, and the second is completed on FortiTrust-ID. After completing both parts, FortiTrust-ID will import users from the SAML server.

Prerequisite:

A directory must exist in Microsoft Azure. If a directory is not available, it can be created by navigating to:

Azure Portal → Azure AD → Create a tenant → Microsoft Entra ID / Azure AD B2C.

1. Azure Configuration:

a. Create a customized application. The name of the application must be remembered, as it will be used in the Single Sign-On (SSO) URLs. To create the application, navigate to Enterprise Applications -> New Application -> Create your own application.

The application name used in this example is 'Azure_fortitrust'.

b. After creating the application, open it and review key details such as Name, Application (client) ID, and Object ID. Proceed to configure Single Sign-On by selecting the corresponding option.

The Application (client) ID will be required later during the OAuth configuration on FortiTrust-ID.

c. Under Single Sign-On, proceed with the Basic SAML Configuration. The required information for this section can also be obtained from the FortiTrust-ID portal. The values listed below must be customized with the correct FortiTrust-ID FQDN and the defined Application Name.

  • Identifier (Entity ID): https://<fortitrust-fqdn>/saml-idp/proxy/<Application-Name>/metadata
  • Reply URL: https://<fortitrust-fqdn>/saml-idp/proxy/<Application-Name>/saml/?acs
  • Sign on URL: https://<fortitrust-fqdn>/saml-idp/proxy/<Application-Name>/login/
  • Logout URL: https://<fortitrust-fqdn>/saml-idp/proxy/<Application-Name>/saml/?sls

d. In the Attributes & Claims section, it is possible to define custom attributes required for SAML assertions. These attributes will be included in the SAML token sent to FortiTrust-ID.

In this example, the User-Groups attribute will be added. To configure this:

  • Navigate to Edit under Attributes & Claims.
  • Select Add a group claim.
  • Choose the All groups option.

e. After completing the Basic SAML Configuration and Attributes & Claims, download the necessary authentication files, which will be required later during the FortiTrust-ID configuration.

Files to download:

  • Certificate (Base64): Used for validating SAML assertions.
  • Federation Metadata XML: Contains important SAML configuration information such as endpoints, issuer, and certificate details.

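The following script is an added example and is not part of the original article or of any Fortinet tooling. It covers two of the steps above: it derives the four SP-side values for Azure's Basic SAML Configuration from the FortiTrust-ID FQDN and the Application Name (the templates shown in step c), and it parses the Federation Metadata XML from step e to pull out the issuer (entityID), the SSO/SLO endpoints and the advertised signing certificate, then cross-checks that the separately downloaded Base64 certificate is really one of the signing certificates the metadata advertises. The FQDN ftid.example.com is hypothetical, the tenant ID is a labelled placeholder, and the metadata and certificate bytes are constructed for the example (the certificate is a placeholder byte string, not a real X.509 certificate); only the Python standard library is used.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def sp_urls(fortitrust_fqdn: str, app_name: str) -> dict:
    """Derive the SP-side values for Azure's Basic SAML Configuration (article's templates)."""
    base = f"https://{fortitrust_fqdn}/saml-idp/proxy/{app_name}"
    return {
        "entity_id": f"{base}/metadata",
        "reply_url": f"{base}/saml/?acs",
        "sign_on_url": f"{base}/login/",
        "logout_url": f"{base}/saml/?sls",
    }


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes as a PEM block, the format of Azure's 'Certificate (Base64)' download."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def der_from_pem(pem: str) -> bytes:
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most UIs display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract issuer, endpoints and signing certificates from SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(c.text.split())))

    def endpoints(tag):
        # Map the short binding name (HTTP-Redirect, HTTP-POST) to its Location.
        return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                for e in idp.findall(f"md:{tag}", NS)}

    return {"issuer": root.get("entityID"), "sso": endpoints("SingleSignOnService"),
            "slo": endpoints("SingleLogoutService"), "signing_certs": certs}


def check_idp_package(metadata_xml: str, cert_pem: str) -> dict:
    """Cross-check the two downloads: the Base64 certificate must be one of the signing
    certificates advertised in the metadata, or assertion validation will trust the wrong key."""
    info = parse_idp_metadata(metadata_xml)
    downloaded = fingerprint(der_from_pem(cert_pem))
    advertised = [fingerprint(c) for c in info["signing_certs"]]
    return {"issuer": info["issuer"], "sso": info["sso"], "slo": info["slo"],
            "signing_cert_fingerprints": advertised,
            "downloaded_cert_matches": downloaded in advertised}


# Constructed sample data: placeholder bytes stand in for the IdP's DER certificate
# (not a real X.509 certificate) and TENANT-ID-PLACEHOLDER stands in for the tenant ID.
SAMPLE_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-X509-CERTIFICATE"
SAMPLE_CERT_PEM = pem_from_der(SAMPLE_CERT_DER)
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    # ftid.example.com is a hypothetical FortiTrust-ID FQDN.
    for key, value in sp_urls("ftid.example.com", "Azure_fortitrust").items():
        print(f"{key}: {value}")
    result = check_idp_package(SAMPLE_IDP_METADATA, SAMPLE_CERT_PEM)
    print(result["issuer"], result["sso"], result["downloaded_cert_matches"])
```

Run it against the real downloads by reading the metadata XML and the .cer file from disk and passing their contents to check_idp_package; a False in downloaded_cert_matches means the two files came from different applications or different signing-certificate generations and should not be used together.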
Leave the remaining steps at their defaults. No further modifications are required on the Single Sign-On side.

f. Go to Users and Groups. Select Add user/group. Under Users (None Selected), select the users to be assigned to this application. These users will be imported into FortiTrust-ID later and will be able to authenticate to this application via Single Sign-On.

g. Go to the Home Menu and search for 'Microsoft Entra roles and administrators'. From there, search for 'Directory Readers' and open it.

Search for the Application-Name and make the application a member of Directory Readers by adding an assignment.

h. Go to the Home Menu and search for App Registrations, find the Azure_fortitrust application, and open it. From there, go to Certificates & secrets and create a New Client Secret. Make sure to fill in a description and select an expiry date for this secret. Copy the value of this client secret, as it will be required for the OAuth configuration on FortiTrust-ID.

2. Configuration on FortiTrust-ID:

Go to FortiTrust-ID and navigate to Remote Auth. Servers -> OAuth. Select Create New and fill in the following:

  • Name: A customized name.
  • OAuth source: Azure Directory.
  • Client ID: The Application (client) ID noted in step 1.b.
  • Client Key: The value of the client secret created in step 1.h.

After completing this step, go to Remote Auth. Servers -> SAML and select Create New.

Note: The name of the server must be the same as the Application Name.

  • Portal URL: Filled in automatically after the server name is entered.
  • Entity ID: Select the recommended version for Azure IdP.
  • ACS (login) and (logout) URL: Copy these from the Azure SAML Configuration.
  • IdP Metadata: Import the Federation Metadata XML that was downloaded earlier.
  • Group Membership: Select Cloud, then select the OAuth server that was created.

3. Testing:

On FortiTrust-ID, navigate to Authentication -> User Management -> Remote Users -> SAML -> Import.

In the Logs, it will be visible whether the user has been imported successfully without errors.

Another option is to create Remote Sync Rules, which allow automatic user imports at the configured synchronization frequency. Users imported via a Sync Rule can be assigned a FortiToken Cloud or FortiToken Logo and can be placed into specific groups, depending on the setup and configuration.