FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
rbraha
Staff
Article Id 391416
Description

This article describes how to configure SAML authentication using Microsoft Azure as the IdP.

Scope

FortiPAM.

Solution

SAML authentication has been supported since FortiPAM version 1.0.

This document focuses on SAML authentication with Microsoft Azure as the SAML IdP.

Additionally, multiple groups can be used to authenticate users in FortiPAM.

Configuration steps for the Microsoft Azure SAML application.

Note.

This configuration assumes users and groups are already created in Azure.


  1. 'Create your own application' in Azure and define a name for it:

     Figure 1. Create your own application Azure

  2. Once the application is deployed, assign the users and groups created before as desired:

     Figure 2. Adding user/groups

  3. Configure the Single Sign On URLs for the newly created SAML application.

     Figure 3. Basic SAML Configuration

  4. Configure the Attributes and Claims for the newly created SAML application.

     When editing Attributes & Claims, make sure that the username claim has the value 'user.userprincipalname' and the group claim has the value 'user.groups'.

     The claim names themselves, however, must match the 'user-name' and 'group-name' attributes/claims configured in FortiPAM.

     Figure 4. Creating Attributes & Claims

     Note.

     Claim names are case-sensitive attributes.

  5. Username claim details.

     Figure 5. Username claim details

  6. Group claim details.

     Figure 6. Group claim attribute

  7. Download the certificate in Base64 format to be imported later on to FortiPAM.

     Figure 7. Download IdP certificate


Configuration steps in FortiPAM.

  1. Import the IdP certificate downloaded in the previous step 7.

     Go to System -> Certificates -> Create/Import -> Remote Certificate.

     Figure 8. Import IdP certificate on FortiPAM

  2. Create a new Single Sign-On server matching the IdP settings configured previously in Azure.

     Figure 9. Create SSO in FortiPAM

  3. Enable SAML authentication on FortiPAM:

     config system global
         set saml-authentication enable
     end

  4. Create a remote SAML group on FortiPAM.

     Go to User Management -> User Groups -> Create.

     Figure 10. Creating SAML Group in FortiPAM

  5. Create a SAML user on FortiPAM.

     Go to User Management -> User Lists -> Create.

     Note: Enable Force SAML login for the new users created.

     Figure 11. Create SAML user

  6. Results from authentication.

     Figure 12. User authenticated


Troubleshooting debug commands on FortiPAM CLI:

diagnose debug console timestamp enable
diagnose debug app samld -1
diagnose wad debug enable category auth
diagnose debug app fnbamd -1
diagnose debug enable
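As an added example (not code from this article, from FortiPAM or from Azure), the following Python check applies the case-sensitive claim-name rule from the Attributes & Claims step: it parses the AttributeStatement of a SAML assertion and reports whether the 'user-name' and 'group-name' attribute names configured on the FortiPAM SSO server are present with exactly matching case, which is a useful first thing to verify before reading the samld debug output. The assertion, the claim names and the group IDs below are constructed sample values.

```python
# Added example; not code from the Fortinet article or from FortiPAM.
# Checks, case-sensitively, that the claim names an IdP sends in a SAML
# assertion match the 'user-name' and 'group-name' attribute names a
# FortiPAM SSO server is configured with. All sample values are constructed.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment shaped like the claims set up in the article
# (username -> user.userprincipalname, group -> user.groups); the group claim
# is deliberately sent as 'Group' to show the case-mismatch failure.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_claims(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values
    return claims

def check_claim_names(claims, user_name_attr, group_name_attr):
    """Compare FortiPAM's configured attribute names with the IdP claim names.
    Returns a list of problems; an empty list means both names match exactly."""
    problems = []
    for label, wanted in (("user-name", user_name_attr), ("group-name", group_name_attr)):
        if wanted in claims:
            continue
        # A case-only difference is the misconfiguration the article's note warns about.
        near = [name for name in claims if name.lower() == wanted.lower()]
        if near:
            problems.append(f"{label} '{wanted}' not found; IdP sends '{near[0]}' (case differs)")
        else:
            problems.append(f"{label} '{wanted}' not found among claims {sorted(claims)}")
    return problems

if __name__ == "__main__":
    for problem in check_claim_names(parse_claims(SAMPLE_ASSERTION), "username", "group"):
        print("MISMATCH:", problem)
```

With a real assertion, paste the decoded SAMLResponse's Assertion element in place of the sample and pass the attribute names exactly as entered in the FortiPAM SSO server.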