FortiManager
asrour
Staff
Article Id 331636
Description

This article describes how to configure a Microsoft Entra ID as the Identity Provider (IDP).

Scope

FortiManager and FortiAnalyzer.
Solution

FortiManager / FortiAnalyzer will be the Service Provider (SP).

Microsoft Azure will be the identity provider (IdP).

 

  1. In FortiManager: Navigate to System Settings -> SAML SSO -> Single Sign-On Mode: Service Provider (SP).
    The Server Address is automatically populated with the FortiManager management IP address (or FQDN); this address is also used in the SP details.

 

1.png

 

When SP is selected, the SP details are generated.

 

2.png

 

  2. In Azure:

  • Sign in to the Azure portal.
  • Search for Enterprise applications.
  • Create a New Application.

 

3.png

 

4.png

 

5.png

 

Edit the Basic SAML Configuration and fill in the Azure fields from the FortiManager SP details as follows:

 

6.png

 

  • Azure: Identifier (Entity ID) -> FortiManager: SP Entity ID
  • Azure: Reply URL (Assertion Consumer Service URL) -> FortiManager: SP SLS (Logout) URL
  • Azure: Relay State (Optional) -> FortiManager: USER: https://<<fmg_ip>>/p/sso_sp/
  • Azure: Logout Url (Optional) -> FortiManager: SP SLS (Logout) URL

 

In Azure (Step 2. User Attributes and Claims), add a new claim with the following details:

  • Name: username.
  • Namespace: leave blank.
  • Source: Attribute.
  • Source attribute: user.userprincipalname.

 

Delete the unused attributes.

 

7.png

 

8.png

 

Download the Certificate from Azure (it will be uploaded later to FortiManager).

 

Add the user or security group to the Users and Groups sections, so these users and/or group members can be authenticated.

 

9.png

 

In FortiManager:

 

Copy the values from Azure step 4 into the FortiManager IdP settings:

 

10.png


  • Import the certificate that was downloaded earlier.
  • The 'IdP Entity ID' is the Microsoft Entra Identifier in Azure.

 

11.png

 

The next step in FortiManager is to create the admin user. There are three options for Admin users (use any of these options):

  1. Enable the Auto-Create Admin option in the SAML SSO configuration.

 

12.png

 

Select the admin profile that will be assigned to the admin user upon login. In this case, the admin user is created automatically on FortiManager at first login.

 

 

  2. Create the SSO admin in FortiManager (the Auto-Create Admin option should be disabled).

13.png

 

To assign a specific profile (super_user, restricted_user, ...) based on the Entra ID group (FortiManager/FortiAnalyzer v7.4.3/v7.2.6 and higher):

 

  • Create more than one SSO admin, each with the desired profile, and add the Entra ID group name under the advanced setting ext-auth-group-match:

 

ext-auth-group-match.png

 

  • In Azure (Step 2. User Attributes and Claims), add a group claim, customize the name of the group claim, and set the name to 'groupmatch'.

 

group_match.png

 

  3. Create a generic SSO admin with the Match all users option enabled on the remote server (the Auto-Create Admin option should be disabled).

 

14.png

 

In this case, any user that logs in will be logged in as the ssoadmin user.
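The following is an added example and not part of the article or any Fortinet code. It shows, for the two claims configured above ('username' from user.userprincipalname and the group claim renamed 'groupmatch'), how an SP reads them out of the IdP's assertion and how the three admin-user options map a login to a local admin and profile. The assertion is constructed, the SSO admin entries are hypothetical, and the precedence order between the options is my own choice for illustration; FortiManager's actual evaluation order is not described in the article.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real tenant). The Attribute
# names are the claim names the article configures in Entra ID: "username"
# (sourced from user.userprincipalname) and the group claim renamed "groupmatch".
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groupmatch">
      <saml:AttributeValue>FMG-ReadOnly</saml:AttributeValue>
      <saml:AttributeValue>FMG-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_attributes(assertion_xml):
    """Return {claim name: [values]} from the AttributeStatement of an assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


# Hypothetical local SSO admin entries, standing in for the SSO admins the article
# creates in FortiManager. "group_match" mirrors the ext-auth-group-match setting.
SSO_ADMINS = [
    {"name": "fmg-super", "profile": "super_user", "group_match": "FMG-Admins"},
    {"name": "fmg-ro", "profile": "restricted_user", "group_match": "FMG-ReadOnly"},
    {"name": "bob@example.com", "profile": "standard_user", "group_match": None},
]


def resolve_admin(attrs, sso_admins, auto_create_profile=None, match_all_admin=None):
    """Decide which local admin identity and profile a SAML login maps to.

    Returns (admin_name, profile, reason) or None when nothing matches. The
    precedence used here (named SSO admin, then group match, then auto-create,
    then match-all) is an assumption made for this example.
    """
    username = attrs.get("username", [""])[0]
    if not username:
        return None  # the claim the SP keys on is missing; the login cannot be mapped
    groups = set(attrs.get("groupmatch", []))
    # Option 2: an SSO admin whose name equals the username claim
    for admin in sso_admins:
        if admin["name"] == username:
            return (admin["name"], admin["profile"], "named sso admin")
    # Option 2 variant: an SSO admin whose ext-auth-group-match is one of the group
    # values; list order decides when the user is a member of several groups
    for admin in sso_admins:
        if admin["group_match"] and admin["group_match"] in groups:
            return (admin["name"], admin["profile"], "ext-auth-group-match")
    # Option 1: auto-create an admin with the profile selected in the SAML SSO settings
    if auto_create_profile:
        return (username, auto_create_profile, "auto-create")
    # Option 3: a generic SSO admin with Match all users enabled
    if match_all_admin:
        return (match_all_admin["name"], match_all_admin["profile"], "match all users")
    return None


if __name__ == "__main__":
    claims = parse_attributes(SAMPLE_ASSERTION)
    print(claims)
    print(resolve_admin(claims, SSO_ADMINS))
```

Because a user in several groups resolves to whichever matching SSO admin comes first, the entries with the most restrictive intended outcome should be ordered deliberately, and the resolved profile should be checked against the expected one during testing rather than assumed.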

 

Related article:

Technical Tip: SAML SSO - FortiManager/FortiAnalyzer Troubleshooting Options

Comments
saleha
Staff

Great KB, thank you for this article.

mimran
Staff

Excellent. Thanks for the detailed steps.