Article Id 254908
Description: This article describes how to use SAML authentication for explicit web proxy connections on FortiGate, with Microsoft Azure as the IdP.
Scope: FortiGate v7.0.x, v7.2.x, and Microsoft Azure as SAML IdP.

In this example, SAML authentication is applied to an explicit web proxy policy to authenticate end users through a captive portal. For this purpose, FortiGate is configured as the SAML Service Provider (SP) and Microsoft Azure as the SAML Identity Provider (IdP).




The IP address of the computer is and the interface port1 IP on FortiGate is


The authentication and authorization flow is as follows:

1) Client opens a browser and visits

2) This browser session will be redirected by the web proxy to the captive portal.

3) The authentication request is redirected to the Microsoft Azure IdP's sign-in page.

4) After the user enters credentials, the IdP authenticates the user and returns a SAML assertion to the user's browser. This message contains the username and the Azure groups the user belongs to.

5) The browser then submits the SAML assertion to the Service Provider (FortiGate).

6) The proxy policy on FortiGate that references the SAML user group authenticates the user and allows the client access to the web.


To configure SAML authentication for explicit web proxy connections:

1) Enable explicit web proxy:


config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set https-incoming-port 8080
end


2) Enable the explicit proxy and the proxy captive portal on the LAN-facing interface:


config system interface
    edit "port1"
        set vdom "root"
        set allowaccess ping https ssh snmp fgfm
        set type physical
        set explicit-web-proxy enable
        set explicit-ftp-proxy enable
        set proxy-captive-portal enable
        set stp enable
        set device-identification enable
        set role lan
        set snmp-index 8
    next
end

3) Configure SAML:


config user saml
    edit "saml_user"
        set cert "Fortinet_Factory"
        set entity-id
        set single-sign-on-url
        set single-logout-url
        set idp-entity-id
        set idp-single-sign-on-url
        set idp-single-logout-url
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end


Ensure that the IdP includes the username and group information in the SAML assertion, using attribute names that match the 'user-name' and 'group-name' values set in 'config user saml'.

If group information is not received, FortiGate cannot match the user to the SAML group configured in the proxy policy. After a successful authentication with missing group information, the end user's browser shows the error 'The Page you requested has been blocked by a firewall policy restriction'.

Configure a group claim in the Azure portal under Enterprise Applications -> select the SAML app -> SAML-based Sign-on -> Attributes & Claims -> Edit -> Add a group claim -> Security groups -> Customize the name of the group claim -> Name 'group'.

For more information, refer to:


4) Configure the user group on FortiGate. The 'group-name' in the match entry is the object ID of the Azure group, which is the value Azure sends in the group claim:


config user group
    edit "SAMLGROUP"
        set member "saml_user"
        config match
            edit 1
                set server-name "saml_user"
                set group-name "df7a737c-739b-415e-819d-d86e9e6e41cf"
            next
        end
    next
end
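To confirm that the assertion Azure returns actually carries the claim names and group object ID that the 'config user saml' and 'config user group' settings above expect, the following added example (not from the Fortinet article or FortiOS) parses a SAML Response, such as one captured with a browser SAML tracer, and reports what FortiGate would see. The sample response, its name ID, issuer URL and second group ID are constructed placeholders; the group ID df7a737c-739b-415e-819d-d86e9e6e41cf is the one used in the article. The script inspects attribute names and values only; it does not validate the XML signature, which FortiGate does against 'idp-cert'.

```python
"""Inspect a SAML assertion for the attributes FortiGate needs.

Added example, not part of the Fortinet article or of FortiOS. It checks
that the attribute names match `set user-name` / `set group-name` in
`config user saml`, and that one of the group values equals the Azure
group object ID configured under `config user group` -> `config match`.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response: the issuer URL, name ID and the second
# group value are placeholders, not values from a real tenant.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>df7a737c-739b-415e-819d-d86e9e6e41cf</saml:AttributeValue>
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_attributes(response_xml):
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_assertion(response_xml, user_attr="username", group_attr="group",
                    expected_group=None):
    """Report whether the assertion satisfies the FortiGate configuration.

    user_attr / group_attr mirror `set user-name` / `set group-name` in
    `config user saml`; expected_group mirrors the `set group-name` value of
    the `config match` entry under `config user group`. Returns a dict of
    findings; 'ok' is True only when nothing is missing or mismatched.
    """
    attrs = extract_attributes(response_xml)
    findings = {
        "user": (attrs.get(user_attr) or [None])[0],
        "groups": attrs.get(group_attr, []),
        "problems": [],
    }
    if findings["user"] is None:
        findings["problems"].append(f"no '{user_attr}' attribute in assertion")
    if not findings["groups"]:
        # This is the case behind the 'blocked by a firewall policy
        # restriction' page: the user authenticates but no group claim arrives,
        # so no SAMLGROUP match and the group-based proxy policy never applies.
        findings["problems"].append(f"no '{group_attr}' attribute in assertion")
    elif expected_group and expected_group not in findings["groups"]:
        findings["problems"].append(
            f"group claim present but {expected_group} is not among its values")
    findings["ok"] = not findings["problems"]
    return findings


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE,
                          expected_group="df7a737c-739b-415e-819d-d86e9e6e41cf"))
```

Run it against the base64-decoded SAMLResponse from a browser trace in place of SAMPLE_RESPONSE. A result with an empty 'groups' list usually means the group claim was left at Azure's default name rather than renamed to 'group', while a present claim that lacks the expected value means the user is not a member of the group whose object ID is configured in 'config match'.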


5) Configure the authentication scheme, rule, and setting:


config authentication scheme
    edit "saml"
        set method saml
        set saml-server "saml_user"
    next
end

config authentication rule
    edit "saml"
        set srcintf "port1"
        set srcaddr "all"
        set active-auth-method "saml"
    next
end

config authentication setting
    set captive-portal-type ip
    set captive-portal-ip
end


6) Configure the proxy policy:


config firewall proxy-policy
    edit 1
        set uuid 1325f09a-e490-51ed-e3cc-19b7383b105f
        set name "explicit-proxy-policy"
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "" "" "" ""
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    edit 2
        set name "Group_Authentication_Policy"
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "SAMLGROUP"
    next
end



When a user's browser is configured with the FortiGate interface IP as its proxy and connects to a website, ex: , the IdP sign-in page appears for the user to enter their credentials.


After successful authentication, the user is allowed to access internet websites according to the proxy policy settings.



User authentication can be verified with the following command:


diagnose wad user list

ID: 11, VDOM: root, IPv4:
user name   :
worker      : 0
duration    : 92
auth_type   : IP
auth_method : SAML
pol_id      : 2
g_id        : 16
user_based  : 0
expire      : no
bytes_in=91189 bytes_out=3823106
bytes_in=3814607 bytes_out=77480


From GUI: