Ramy (Staff)
Article Id 336495
Description This article describes how external IdP roles allow external users to log in to a cloud portal using their company’s user credentials with a third-party ID provider.
Scope FortiCloud.
Solution

External IdP users are authenticated by their own company's identity provider. Once authenticated, the user can access the cloud application according to the role assigned to them.


External IdP user support enables users to log in to FortiGate Cloud, FortiSASE, FortiAnalyzer Cloud, and FortiManager Cloud with their company-provided user credentials through a third-party SAML identity provider.

 

  1. Go to Manage -> Enterprise Applications, select 'New Application', and then 'Create your own application'.
  2. Inside the enterprise application, go to Manage -> Single Sign-On, and select the SAML option.
  3. Under Basic SAML configuration, enter temporary URLs (for example, https://customersso1.fortinet.com/) so that the IdP metadata file can be retrieved and sent to the Fortinet team.
  4. Under Attributes and Claims, add a new claim named 'username' and set its source attribute to 'user.userprincipalname'.
  5. Under Attributes and Claims, add a group claim with the following settings:
     Which groups associated with the user should be returned in the claim? Groups assigned to the application.
     Source Attribute: Group ID.
     Advanced Options -> Select 'Customize the name of the group claim' and set the name to 'Role'.
  6. Under SAML Certificates, download the Federation Metadata XML file and provide it to the Fortinet team.
  7. Fill out the 'Enrollment Form' provided by the Fortinet 'Point of Contact' and submit it together with the Metadata XML file to the Fortinet team.
     NOTE: The user should reach out to Fortinet SE/Sales/their point of contact and request the 'Enrollment Form'.
  8. After receiving the SP URLs from the Fortinet team, update the SAML settings from step 3.
  9. Inside the enterprise application, go to Manage -> Users and Groups and add the desired groups for the application.
  10. Select the added group and copy the Group Object ID.
  11. Under the FortiCloud IAM portal Permission Profiles tab, select Add New. Create a permission profile and add the relevant permissions for the desired portals.
  12. Under the FortiCloud IAM portal Users tab, select Add New -> External IdP Role. The Role Name value must be the same as the Role value set in step 5; in this example, set Role Name to the Group Object ID copied in step 10.
  13. Log in with the Portal URL (Relay State) provided by the Fortinet team: https://customersso1.fortinet.com/saml-idp/proxy/{realm}/login/
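The claim mapping the steps above configure can be checked offline before the first login attempt. The following Python script is an added example, not code from the Fortinet article, from FortiCloud or from Azure: it parses the AttributeStatement of a SAML assertion, confirms that the 'username' claim and the customized 'Role' group claim are present (flagging the common mistake where the group claim keeps Azure's default name, http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, so that no Role is ever delivered), and resolves each Role value, which is a Group Object ID, to the permission profile that an External IdP Role would map it to. The EXTERNAL_IDP_ROLES table, the object IDs, the profile names and the assertions built by make_assertion are all constructed placeholders; the FortiCloud IAM portal performs this mapping internally and its implementation is not described on the page.

```python
# Added example, not code from the Fortinet article: checks that a SAML
# assertion from the Azure enterprise application carries the claims the
# FortiCloud external IdP role setup relies on, and resolves the Role value
# (a Group Object ID) to a permission profile. Every XML fragment, object ID
# and profile name here is constructed for illustration.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Azure AD's default name for the group claim; the article replaces it with
# the customized name "Role" in the group claim's Advanced Options.
AZURE_DEFAULT_GROUP_CLAIM = (
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
)

# Constructed FortiCloud IAM state: External IdP Role name (the Group Object
# ID copied from the Azure group) -> permission profile. Placeholder IDs.
EXTERNAL_IDP_ROLES = {
    "11111111-2222-3333-4444-555555555555": "FortiGate-Cloud-Admins",
    "66666666-7777-8888-9999-000000000000": "FortiAnalyzer-Cloud-ReadOnly",
}


def make_assertion(attributes):
    """Build a minimal, unsigned assertion with one AttributeStatement as
    test input. attributes: {claim name: [values]}. Constructed data only."""
    parts = [f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>']
    for name, values in attributes.items():
        parts.append(f'<saml:Attribute Name="{escape(name)}">')
        parts.extend(
            f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values
        )
        parts.append("</saml:Attribute>")
    parts.append("</saml:AttributeStatement></saml:Assertion>")
    return "".join(parts)


def parse_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def evaluate_assertion(assertion_xml):
    """Return (profiles, findings): the permission profiles the Role claim
    resolves to (sorted), and a list of configuration problems found.

    This inspects attributes only. The SAML Response signature must already
    have been verified against the IdP signing certificate contained in the
    Federation Metadata XML; attributes from an unverified assertion prove
    nothing about who the user is."""
    attrs = parse_attributes(assertion_xml)
    findings = []
    if not attrs.get("username"):
        findings.append("missing 'username' claim (source user.userprincipalname)")
    roles = attrs.get("Role")
    if roles is None:
        if AZURE_DEFAULT_GROUP_CLAIM in attrs:
            findings.append(
                "group claim still uses Azure's default name; customize it to 'Role'"
            )
        else:
            findings.append("missing 'Role' group claim")
        return [], findings
    profiles = sorted({EXTERNAL_IDP_ROLES[r] for r in roles if r in EXTERNAL_IDP_ROLES})
    if not profiles:
        findings.append(
            "no Role value matches a configured External IdP Role name (Group Object ID)"
        )
    return profiles, findings


if __name__ == "__main__":
    good = make_assertion({"username": ["alice@example.com"],
                           "Role": ["11111111-2222-3333-4444-555555555555"]})
    print(evaluate_assertion(good))
    # Same group, but the claim name was never customized to "Role".
    default_name = make_assertion({"username": ["alice@example.com"],
                                   AZURE_DEFAULT_GROUP_CLAIM:
                                       ["11111111-2222-3333-4444-555555555555"]})
    print(evaluate_assertion(default_name))
```

Running the file prints one clean result and one that reports the default group claim name. In a real flow the assertion is inspected only after the Response signature has been verified against the signing certificate in the Federation Metadata XML downloaded from the enterprise application; if a user with a group already assigned to the application still lands without permissions, the findings list is the first place to look.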

     

Related documents:

External IdP roles
Adding external IdP roles
Setting up Azure as external IdP in FortiCloud - FortiCloud General | Fortinet Video Library