FortiSASE
sjoshi
Staff
Article Id 343176
Description

This article describes how to set up the Secure Web Gateway (SWG) in FortiSASE with Azure AD as the SAML Identity Provider (IdP).

Scope

FortiSASE, Azure AD (now Microsoft Entra ID).

Solution

In this example, Azure AD is the SAML Identity Provider (IdP), FortiSASE is the Service Provider (SP), and end users reach the internet through the FortiSASE SWG proxy, which prompts unauthenticated browsers to sign in through Azure AD.

Installing the IdP certificate on FortiSASE:

In the Azure Portal, go to Enterprise Applications, open the FortiSASE application and, under 'Set up Single Sign-On', locate the SAML Certificates section. Download the Certificate (Base64) and import it into FortiSASE. FortiSASE uses this certificate to verify the signature on the assertions Azure AD sends, so the import has to be repeated whenever the signing certificate is rotated in Azure.

[Screenshot: SAML Certificates section of the FortiSASE enterprise application in Azure]

Configuring the SAML IdP settings on the Azure side:

Set up the Basic SAML Configuration for the FortiSASE application in Azure. The Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) entered here must be exactly the SP values shown in the FortiSASE SSO configuration: Azure only posts assertions to a registered Reply URL, and FortiSASE only accepts an assertion whose Audience matches its own Entity ID.

[Screenshot: Basic SAML Configuration (Identifier, Reply URL) for the FortiSASE application in Azure]

Configuring the IdP on FortiSASE:

[Screenshot: IdP entity ID, sign-in URL and certificate in the FortiSASE SWG SSO configuration]

Make sure the username attribute and the group attribute configured on FortiSASE match the claim names Azure AD emits in the assertion, character for character. The Azure AD defaults are http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name for the user and http://schemas.microsoft.com/ws/2008/06/identity/claims/groups for groups; the group claim is not emitted at all unless it is added to the application in Azure (Attributes & Claims -> Add a group claim). If the names differ, sign-in either fails or succeeds with the user matching no group, so no group-based SWG policy applies.

Fetching user groups:

Go to Configuration -> Users & Groups -> Create New and select User Group (this assumes the groups already exist in Azure AD and are included in the group claim). Under Remote Group -> Create New, select the previously defined SWG SSO as the remote source.

[Screenshot: Remote Group creation referencing the SWG SSO source]

Now go to Configuration -> SWG Policies and build the policies that reference this user group.

[Screenshot: SWG Policies page under Configuration]

Enrolling endpoints:

There are several ways to direct web traffic from clients to the FortiSASE proxy. The option shown here configures the client operating system's proxy settings to retrieve the PAC file hosted on the FortiSASE public web server automatically.

Go to System -> SWG Configuration -> Copy Hosted PAC File.

[Screenshot: Copy Hosted PAC File under System -> SWG Configuration]

Open the client's Proxy settings and paste the 'Hosted PAC File' URL copied from the FortiSASE console into 'Script address', as shown below:

[Screenshot: Windows Proxy settings with the hosted PAC URL in 'Script address']

Install the CA certificate used by the SWG on the endpoints (System -> SWG Configuration -> Download SWG Certificate) into the trusted root store. FortiSASE re-signs the HTTPS traffic it inspects with this CA, so without it browsers show certificate warnings on inspected sites.

Validate proxy functionality by opening a web browser on the test client. Confirm that the authentication pop-up appears and enter the credentials of a corporate user covered by the SAML authentication scheme defined on FortiSASE.

[Screenshot: browser authentication pop-up]

Once the user is authenticated, internet access through FortiSASE is granted according to the SWG policies.
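
The enrolment and validation steps above, scripted for a Windows endpoint. This is an added example, not part of the original article and not a Fortinet-provided script. It assumes an elevated PowerShell session; $PacUrl and $CertPath are placeholders for the URL obtained from Copy Hosted PAC File and the file saved from Download SWG Certificate.

```powershell
# Added example, not from the original article. Placeholders: $PacUrl is the URL from
# System -> SWG Configuration -> Copy Hosted PAC File; $CertPath is the file saved from
# Download SWG Certificate. Run elevated: the LocalMachine\Root import needs admin rights.
$PacUrl   = 'https://<hosted-pac-url-copied-from-the-fortisase-console>'   # placeholder
$CertPath = 'C:\Temp\FortiSASE-SWG.cer'                                     # placeholder

function Test-HostedPac {
    # The script address must be reachable and must really be a PAC file, i.e. JavaScript
    # that defines FindProxyForURL; if the PAC cannot be loaded, Windows falls back to DIRECT
    # and traffic quietly bypasses the SWG.
    param([Parameter(Mandatory)][string]$Url)
    $body = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    if ($body -notmatch 'function\s+FindProxyForURL') {
        throw "Content at $Url does not define FindProxyForURL, so it is not a usable PAC file"
    }
    $proxies = [regex]::Matches($body, 'PROXY\s+[^;"]+') | ForEach-Object { $_.Value } | Sort-Object -Unique
    "PAC fetched ($($body.Length) bytes); proxy directives: $($proxies -join ' | ')"
}

function Set-AutoProxyUrl {
    # Same effect as pasting the URL into 'Script address' in Proxy settings. The value is
    # per user (HKCU), so push it with Group Policy or Intune for a fleet.
    param([Parameter(Mandatory)][string]$Url)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-ItemProperty -Path $key -Name AutoConfigURL -Value $Url
    "AutoConfigURL = $((Get-ItemProperty -Path $key).AutoConfigURL)"
}

function Install-SwgCertificate {
    # The SWG CA re-signs inspected HTTPS sessions, so it has to sit in the machine-wide
    # Trusted Root store. Anything in this store can silently intercept TLS, so only import
    # the file downloaded from the FortiSASE console.
    param([Parameter(Mandatory)][string]$Path)
    $cert = Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root'
    "Trusted root installed: $($cert.Subject), thumbprint $($cert.Thumbprint)"
}

Test-HostedPac -Url $PacUrl
Set-AutoProxyUrl -Url $PacUrl
Install-SwgCertificate -Path $CertPath
'Now open a browser to any public site: the SAML sign-in pop-up should appear before the page loads.'
```

Two caveats when rolling this out: AutoConfigURL is read by WinINET (browsers and most desktop applications) but not by WinHTTP services, which need `netsh winhttp import proxy source=ie` or their own configuration; and if 'Automatically detect settings' (WPAD) stays enabled, a rogue DHCP or DNS answer on the local network can hand the client a different PAC, so disable it once the hosted PAC is in place.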
