Description
This article describes the use of multiple Service Providers on a single Azure enterprise application for SAML Administrator login.
Scope
FortiGate.
Solution
An Azure enterprise application can be configured with several Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) values for SAML SSO.
Administrators can therefore log in to different FortiGates via SAML administrator SSO using a single Azure application, provided each FortiGate's SP entity ID and ACS URL are registered on that application.
To create a new enterprise Azure application, please follow this guide:
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ...
Follow the steps below to configure the Azure enterprise application with multiple service providers:
- Log in to the Azure portal -> Microsoft Entra ID (formerly known as Azure Active Directory).
- Select Enterprise applications, then select the enterprise application.
- Select Set up single sign-on, then select Edit on Basic SAML Configuration.
- Under Identifier (Entity ID), add the entity-id of each FortiGate (in the form https://<FortiGate FQDN or IP>/metadata). Select Add an identifier if more than two FortiGates are used.
- Under Reply URL (Assertion Consumer Service URL), add the SP single sign-on URL of each FortiGate (in the form https://<FortiGate FQDN or IP>/saml/?acs). Select Add reply URL if more than two FortiGates are required.
- Each value must match the FortiGate configuration exactly (scheme, host and path): Entra compares the Issuer of the FortiGate's AuthnRequest against the registered identifiers and will only return the assertion to a Reply URL that is in the list.
- The Sign on URL field is mandatory in a gallery application and optional in a non-gallery application. For a gallery application, this can be any URL; for a non-gallery application, leave it blank.
- The screenshot below shows the Sign on URL as mandatory in a gallery application:
- The screenshot below shows the Sign on URL as optional in a non-gallery application:
A Gallery application can be found in the Entra gallery catalog, as shown below:
A non-gallery application can be created by selecting 'Create your own application':
Then select the option shown below which will create a non-gallery application:
The FortiGate configuration is the same on every unit except for the values that identify the local service provider: entity-id and server-address carry each FortiGate's own FQDN or IP address. The idp-entity-id, idp-single-sign-on-url and idp-single-logout-url are identical on all FortiGates because they point at the same tenant; the idp-cert names differ only because each FortiGate imports the same Entra signing certificate under its own local certificate name.
System SAML configuration on Home FortiGate:
config system saml
    set status enable
    set default-profile "super_admin"
    set cert "Fortinet_Factory"
    set entity-id "https://10.0.0.254/metadata"
    set idp-entity-id "https://sts.windows.net/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/"
    set idp-single-sign-on-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"
    set idp-single-logout-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"
    set idp-cert "REMOTE_Cert_4"
    set server-address "10.0.0.254"
end
System SAML configuration on Office FortiGate:
config system saml
    set status enable
    set default-profile "super_admin"
    set cert "Fortinet_Factory"
    set entity-id "https://10.0.0.253/metadata"
    set idp-entity-id "https://sts.windows.net/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/"
    set idp-single-sign-on-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"
    set idp-single-logout-url "https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"
    set idp-cert "REMOTE_Cert_5"
    set server-address "10.0.0.253"
end
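The following script is an added example written for this article; it is not Fortinet or Microsoft code. It models both halves of the setup above: it derives the Identifier and Reply URL lists to enter on the Entra application from a list of FortiGates, renders the matching "config system saml" block for each unit, and checks whether a given FortiGate's SP values are actually registered on the application, which is the usual cause of a failed login when a new unit is added. It assumes the FortiGate default SP URL forms (https://<address>/metadata, https://<address>/saml/?acs, https://<address>/saml/?sls); the tenant ID is the one shown in the configuration above, and the FortiGate names, the third unit 10.0.0.252 and its certificate name are constructed for the example.

```python
"""Model the two halves of this setup: the Identifier / Reply URL lists that
go into the Entra application's Basic SAML Configuration, and the matching
'config system saml' block on each FortiGate.  check_sp_registered() flags a
FortiGate whose SP values were never added to the application."""
from dataclasses import dataclass
from typing import Dict, List

# Tenant values taken from the configuration shown in the article.
TENANT_ID = "347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf"
IDP_ENTITY_ID = f"https://sts.windows.net/{TENANT_ID}/"
IDP_SAML_URL = f"https://login.microsoftonline.com/{TENANT_ID}/saml2"


@dataclass(frozen=True)
class FortiGateSP:
    """One FortiGate acting as a SAML service provider (names are constructed)."""
    name: str
    address: str   # FQDN or IP the admin GUI is reached on (set server-address)
    idp_cert: str  # local name the Entra signing certificate was imported under

    # SP URLs follow the FortiGate SAML SSO defaults for a given server-address.
    @property
    def entity_id(self) -> str:
        return f"https://{self.address}/metadata"

    @property
    def acs_url(self) -> str:          # Entra "Reply URL"
        return f"https://{self.address}/saml/?acs"

    @property
    def sls_url(self) -> str:          # Entra "Logout URL"
        return f"https://{self.address}/saml/?sls"


def entra_basic_saml_config(sps: List[FortiGateSP]) -> Dict[str, List[str]]:
    """Values to enter under Basic SAML Configuration, one entry per FortiGate."""
    return {
        "identifiers": [sp.entity_id for sp in sps],
        "reply_urls": [sp.acs_url for sp in sps],
        "logout_urls": [sp.sls_url for sp in sps],
    }


def fortios_system_saml(sp: FortiGateSP, profile: str = "super_admin",
                        cert: str = "Fortinet_Factory") -> str:
    """Render the FortiOS CLI block; only entity-id, server-address and the
    local idp-cert name change between FortiGates."""
    lines = [
        "config system saml",
        "    set status enable",
        f'    set default-profile "{profile}"',
        f'    set cert "{cert}"',
        f'    set entity-id "{sp.entity_id}"',
        f'    set idp-entity-id "{IDP_ENTITY_ID}"',
        f'    set idp-single-sign-on-url "{IDP_SAML_URL}"',
        f'    set idp-single-logout-url "{IDP_SAML_URL}"',
        f'    set idp-cert "{sp.idp_cert}"',
        f'    set server-address "{sp.address}"',
        "end",
    ]
    return "\n".join(lines)


def check_sp_registered(entra: Dict[str, List[str]], sp: FortiGateSP) -> List[str]:
    """Return the mismatches that would make SSO fail for this FortiGate.
    The comparison is exact on purpose: Entra matches the AuthnRequest Issuer
    and ACS URL against the registered strings, so a stray trailing slash or
    an http:// scheme is enough to break the login."""
    problems = []
    if sp.entity_id not in entra["identifiers"]:
        problems.append(f"{sp.name}: entity-id {sp.entity_id} not in Identifier list")
    if sp.acs_url not in entra["reply_urls"]:
        problems.append(f"{sp.name}: ACS URL {sp.acs_url} not in Reply URL list")
    return problems


if __name__ == "__main__":
    fleet = [FortiGateSP("home", "10.0.0.254", "REMOTE_Cert_4"),
             FortiGateSP("office", "10.0.0.253", "REMOTE_Cert_5")]
    entra = entra_basic_saml_config(fleet)
    for sp in fleet:
        print(fortios_system_saml(sp), "\n")
    # A third FortiGate (constructed) that was never added to the application.
    print(check_sp_registered(entra, FortiGateSP("branch", "10.0.0.252", "REMOTE_Cert_6")))
```

Running it prints the two CLI blocks shown above and then two mismatch lines for the unregistered "branch" unit; registering that unit means adding its /metadata and /saml/?acs values to the application before pushing the CLI block to it.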
Administrators can now log in to multiple FortiGates using Azure SAML SSO authentication.
Related article:
Technical Tip: Using a single Azure Enterprise Application for multiple SAML Service Providers (SPs)...