FortiSASE
ihaidar
Staff
Article Id 392010
Description This article describes the requirements and process of configuring SWG SSO when the IDP is behind the SPA Tunnel.
Scope FortiSASE.
Solution

To configure SWG SSO when the IDP is behind SPA, configure the following:

 

  1. SWG SSO configuration. For detailed steps, refer to the following article: Configuring FortiSASE with Entra ID SSO in SWG agentless mode.

 

  2. Configure deep inspection on both the SIA and SPA policies:

    1. Download the certificate from FortiSASE and install it on the client machine.
       Untitled.png

    2. Configure deep inspection profiles for SIA and SPA.
    3. Add the profiles to the SIA and SPA policies.

  3. Configure DNS as shown in the screenshots below, and choose the private DNS that can resolve the internal IDP.

DNS1.png

Select 'private' and add the internal DNS servers.

DNS config 2.png

  4. Exempt the IDP URL from the client machine as shown below:


Exempt.png