FortiGate
syadav
Staff
Article Id 281466
Description

This article describes how to use multiple Service Providers (SPs) on a single Azure enterprise application for SAML SSL VPN authentication.

Scope

FortiGate, Microsoft Azure.

Solution

An Azure enterprise application allows multiple Identifiers (Entity IDs) and Reply URLs (Assertion Consumer Service URLs) to be configured for SAML SSO.

As a result, users can log in to SSL VPN via SAML SSO authentication on different FortiGates using a single Azure application, with each FortiGate acting as its own Service Provider.

To create a new Azure enterprise application, follow this guide.

Follow the steps below to configure the Azure enterprise application with multiple service providers:

  • Log in to the Azure portal -> Microsoft Entra ID (formerly known as Azure Active Directory).
  • Select Enterprise applications and select the Enterprise application.
  • Select Set up single sign-on and select 'Edit' on Basic SAML Configuration.
  • Under Identifier (Entity ID), add the entity-id URL of both FortiGates; select Add identifier to add more.

[Screenshot: Basic SAML Configuration, Identifier (Entity ID) list containing both FortiGate entity-id URLs]

  • Under Reply URL (Assertion Consumer Service URL), add the single-sign-on URL of both FortiGates; select Add reply URL to add more.

[Screenshot: Basic SAML Configuration, Reply URL list containing both FortiGate single-sign-on URLs]

  • The Single sign-on URL is mandatory in a gallery application and optional in a non-gallery application.
    • The screenshot below shows the Single sign-on URL as mandatory in a gallery application.

[Screenshot: Basic SAML Configuration of a gallery application, Single sign-on URL marked as required]

    • The screenshot below shows the Single sign-on URL as optional in a non-gallery application.

[Screenshot: Basic SAML Configuration of a non-gallery application, Single sign-on URL marked as optional]

  • For a gallery application, this can be any URL. For a non-gallery application, leave it blank.

A gallery application can be found in the Entra gallery catalog, as shown below:

[Screenshot: Microsoft Entra gallery with the FortiGate SSL VPN application]

A non-gallery application can be created by selecting Create your own application:

[Screenshot: Browse Microsoft Entra Gallery page with the Create your own application button]

Then select the option shown below to create a non-gallery application:

[Screenshot: Create your own application dialog with the non-gallery option selected]

The SAML configuration is the same on each FortiGate except for the local entity-id, single-sign-on-url and single-logout-url, which contain that FortiGate's FQDN and SSL VPN port. The IdP settings (idp-entity-id, idp-single-sign-on-url, idp-single-logout-url and idp-cert) are identical on both, because both FortiGates use the same Azure application.

SAML configuration on the Home FortiGate:

config user saml
    edit "azure-sslvpn"
        set cert "Fortinet_Factory"
        set entity-id "http://homegate.float-zone.com:4434/remote/saml/metadata/"
        set single-sign-on-url "https://homegate.float-zone.com:4434/remote/saml/login"
        set single-logout-url "https://homegate.float-zone.com:4434/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"
        set idp-cert "SSLVPN-NG"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

 

SAML configuration on the Office FortiGate:

config user saml
    edit "azure-sslvpn"
        set cert "Fortinet_Factory"
        set entity-id "http://officegate.float-zone.com:64843/remote/saml/metadata/"
        set single-sign-on-url "https://officegate.float-zone.com:64843/remote/saml/login"
        set single-logout-url "https://officegate.float-zone.com:64843/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"
        set idp-cert "SSLVPN-NG"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
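The two configuration blocks differ only in the three local SP URLs, and the Azure application must list exactly those values as Identifiers and Reply URLs or the second gateway's login will fail. The Python script below is an added example, not Fortinet's code and not part of this article: it derives each gateway's entity-id, single-sign-on-url and single-logout-url from its FQDN and port using the URL pattern shown above, renders the matching config user saml block, and compares the derived values with the Identifier and Reply URL lists registered on the Azure application, reporting any gateway whose values are missing, duplicated, or whose Reply URL is not https. The FortiGateSp class, the check_azure_registration function, the gateway labels and the <tenant-id> placeholder are assumptions of this example; the sample inputs are constructed from the article's two gateways.

```python
"""Derive per-FortiGate SAML SP values and check them against the Azure app lists.

Added example, not Fortinet's code. Assumes the URL pattern used in the article:
  entity-id           http://<fqdn>:<port>/remote/saml/metadata/
  single-sign-on-url  https://<fqdn>:<port>/remote/saml/login
  single-logout-url   https://<fqdn>:<port>/remote/saml/logout
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class FortiGateSp:
    """One FortiGate acting as a SAML Service Provider for SSL VPN (hypothetical helper)."""
    name: str   # label used in reports, e.g. "home" (constructed)
    fqdn: str   # FQDN users connect to, e.g. homegate.float-zone.com
    port: int   # SSL VPN listening port

    @property
    def entity_id(self) -> str:
        # FortiGate's local entity-id uses http:// and a trailing slash, exactly as in the article
        return f"http://{self.fqdn}:{self.port}/remote/saml/metadata/"

    @property
    def single_sign_on_url(self) -> str:
        return f"https://{self.fqdn}:{self.port}/remote/saml/login"

    @property
    def single_logout_url(self) -> str:
        return f"https://{self.fqdn}:{self.port}/remote/saml/logout"

    def cli(self, saml_name: str, idp_entity_id: str, idp_sso_url: str,
            idp_slo_url: str, idp_cert: str, cert: str = "Fortinet_Factory") -> str:
        """Render the 'config user saml' block; only the three local URLs vary per gateway."""
        return "\n".join([
            "config user saml",
            f'    edit "{saml_name}"',
            f'        set cert "{cert}"',
            f'        set entity-id "{self.entity_id}"',
            f'        set single-sign-on-url "{self.single_sign_on_url}"',
            f'        set single-logout-url "{self.single_logout_url}"',
            f'        set idp-entity-id "{idp_entity_id}"',
            f'        set idp-single-sign-on-url "{idp_sso_url}"',
            f'        set idp-single-logout-url "{idp_slo_url}"',
            f'        set idp-cert "{idp_cert}"',
            '        set user-name "username"',
            '        set group-name "group"',
            "    next",
            "end",
        ])


def check_azure_registration(sps, azure_identifiers, azure_reply_urls):
    """Compare each gateway's SP values with the Identifier (Entity ID) and Reply URL
    lists configured on the Azure enterprise application.

    Returns a list of problem strings; an empty list means every gateway is registered.
    Comparison is exact-string, so a missing trailing slash on the entity-id or a
    different port is reported as 'not registered'.
    """
    problems = []
    identifiers = set(azure_identifiers)
    reply_urls = set(azure_reply_urls)
    seen = {}
    for sp in sps:
        # Two gateways sharing one entity-id cannot be told apart by the IdP
        if sp.entity_id in seen:
            problems.append(f"{sp.name}: entity-id {sp.entity_id} is also used by "
                            f"{seen[sp.entity_id]}; each gateway needs its own Identifier")
        seen[sp.entity_id] = sp.name
        if sp.entity_id not in identifiers:
            problems.append(f"{sp.name}: Identifier (Entity ID) {sp.entity_id} "
                            "is not registered on the Azure application")
        if sp.single_sign_on_url not in reply_urls:
            problems.append(f"{sp.name}: Reply URL {sp.single_sign_on_url} is not "
                            "registered; Azure will not deliver the assertion to it")
    # Extra check of this example: the SAML response carries the user's assertion,
    # so every Reply URL should be served over TLS
    for url in sorted(reply_urls):
        if urlparse(url).scheme != "https":
            problems.append(f"Reply URL {url} is not https")
    return problems


def demo():
    """Constructed inputs based on the two gateways in the article."""
    sps = [FortiGateSp("home", "homegate.float-zone.com", 4434),
           FortiGateSp("office", "officegate.float-zone.com", 64843)]
    # What Basic SAML Configuration on the Azure application should contain after the steps above
    azure_identifiers = [sp.entity_id for sp in sps]
    azure_reply_urls = [sp.single_sign_on_url for sp in sps]
    print(sps[1].cli("azure-sslvpn", "https://sts.windows.net/<tenant-id>/",
                     "https://login.microsoftonline.com/<tenant-id>/saml2",
                     "https://login.microsoftonline.com/<tenant-id>/saml2", "SSLVPN-NG"))
    print("complete:", check_azure_registration(sps, azure_identifiers, azure_reply_urls))
    # Simulate an operator who added only the Home gateway's values to the Azure application
    print("office missing:", check_azure_registration(sps, azure_identifiers[:1], azure_reply_urls[:1]))


if __name__ == "__main__":
    demo()
```

Run the script as-is to see the rendered Office block and the two check results; to use it against a real deployment, paste the Identifier and Reply URL lists from the Azure application's Basic SAML Configuration into the two list arguments and add one FortiGateSp per gateway.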

 

FortiClient SSL VPN configuration for both FortiGates:

[Screenshot: FortiClient SSL VPN connection settings for the first FortiGate]

[Screenshot: FortiClient SSL VPN connection settings for the second FortiGate]

Users can now log in to SSL VPN on both FortiGates using Azure SAML SSO authentication.
