Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syadav
Staff
Staff

Created on ‎10-27-2023 08:47 AM Edited on ‎10-23-2025 10:17 PM By Staff

Article Id 281466

Technical Tip: Using a single Azure Enterprise Application for multiple SAML Service Providers (SPs) for SSL VPN authentication

Description

 

This article describes the use of multiple Service Providers on a single Azure enterprise application for SAML SSL VPN authentication.

 

Scope

 

FortiGate, Microsoft Azure.

 

Solution

 

An Azure enterprise application provides the option to use multiple Identifiers (Entity IDs) and Reply URLs (Assertion Consumer Service URLs) for SAML SSO.

Users can log in to SSL VPN via SAML SSO authentication on different FortiGates using a single Azure application.

 

To create a new enterprise Azure application, follow this guide.

 

Follow the below steps to configure the Azure enterprise application with multiple service providers:

  • Login to Azure portal -> Microsoft Entra ID (formerly known as Azure Active Directory).
  • Select Enterprise applications and select the Enterprise application.
  • Select Setup single sign-on and select 'edit' on Basic SAML configuration.
  • Under Identifier (Entity ID), add the entity-id URL of both FortiGates and select Add identifier to add more.

syadav_0-1698354608324.png

 

  • Under Reply URL (Assertion Consumer Service URL), add the single-sign-on URL of both FortiGates and select Add reply URL to add more.

syadav_1-1698354608326.png

 

  • Single sign on URL is mandatory in the gallery application and optional in non-gallery application.
    • The screenshot below shows the Single sign on url as mandatory in a gallery application

 

syadav_2-1698354608327.png

 

  • The screenshot below shows the Single sign-on URL as optional in a non-gallery application

 

syadav_3-1698354608328.png

 

  • For gallery application, this can be any URL. For non-gallery application, leave it blank.

 

 

A Gallery application can be found the in Entra gallery catalog, as shown below:

 

syadav_4-1698354608330.png

 

A Non-gallery application can be created by selecting Create your own application:

 

syadav_5-1698354608330.png

 

After, select the option shown below to create a non-gallery application:

 

syadav_6-1698354608332.png

 

 

Configuration of the FortiGate would be the same except their local entity-id, single-sign-on-url and single-logout-url, which will have the FortiGate’s fqdn.


SAML configuration on Home FortiGate:

 

config user saml

    edit "azure-sslvpn"

        set cert "Fortinet_Factory"

        set entity-id "http://homegate.float-zone.com:4434/remote/saml/metadata/"

        set single-sign-on-url "https://homegate.float-zone.com:4434/remote/saml/login"

        set single-logout-url "https://homegate.float-zone.com:4434/remote/saml/logout"

        set idp-entity-id "https://sts.windows.net/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/"

        set idp-single-sign-on-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"

        set idp-single-logout-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"

        set idp-cert "SSLVPN-NG"

        set user-name "username"

        set group-name "group"

        set digest-method sha1

    next

end

 

SAML configuration on Office FortiGate:

 

config user saml

    edit "azure-sslvpn"

        set cert "Fortinet_Factory"

        set entity-id "http://officegate.float-zone.com:64843/remote/saml/metadata/"

        set single-sign-on-url "https://officegate.float-zone.com:64843/remote/saml/login"

        set single-logout-url "https://officegate.float-zone.com:64843/remote/saml/logout"

        set idp-entity-id "https://sts.windows.net/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/"

        set idp-single-sign-on-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"

        set idp-single-logout-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"

        set idp-cert "SSLVPN-NG"

        set user-name "username"

        set group-name "group"

        set digest-method sha1

    next

end

 

FortiClient SSLVPN Configuration for both FortiGates:

 

syadav_7-1698354608332.png

 

syadav_8-1698354608333.png

 

Users can now log in to SSL VPN on both FortiGates using Azure SAML SSO authentication.

Related Articles:

Technical Tip: How to fix crashing SAML daemon
Technical Tip: How to read SAML Debug output

Technical Tip: A basic explanation of SAML authentication

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...

Technical Tip: Configuring SAML SSO login for FortiGate Admin Web GUI Access with JumpCloud acting a...
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Okta acting as SAML IdP

Technical Tip: Configuring SAML on FortiGate displays the error 'Cannot change this setting in SP wh...

Technical Tip: Set up SAML admin LDAP login on FortiGate (SP) with FortiAuthenticator (IDP)

Technical Tip: Configuring FortiGate SSO Administrators with ADFS as SAML IdP
Technical Tip: Using single Azure Enterprise Application for multiple SAML Service Providers (SPs) f...

Troubleshooting Tip: Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1

Technical Tip: Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...

4400
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.