This article describes how to secure FortiSASE with SAML-based SSL VPN, using Azure Active Directory as the Identity Provider. It covers the step-by-step process of integrating Azure AD with FortiSASE, ensuring secure remote access through Single Sign-On (SSO).
FortiSASE, Azure AD, FortiClient.
In this example, Azure AD is used as the Identity Provider (IdP), FortiSASE is used as the Service Provider (SP), and end users connect using FortiClient.
Installing the IDP cert on FortiSASE:
Access the Azure Portal, navigate to Enterprise Applications, and select the FortiSASE application. Under 'Set up Single Sign-On', locate the SAML Certificates section and download the Certificate (Base64), which can then be imported into FortiSASE.
Configuring SAML IDP settings on the Azure side.
Set up the SAML configuration on the Azure side as shown below:
Configure the IdP settings on FortiSASE:
Make sure the username attribute and the group attribute configured on FortiSASE match the claim names emitted by Azure AD; FortiSASE maps the authenticated user and its group membership from these two attributes, so a mismatch leaves the user unidentified or without a matching group.
User Groups Fetching:
Go to Configuration -> Users & Groups -> Create New and select User Group (this assumes all of the groups have already been configured in Azure AD). Under Remote Group -> Create New, select the previously defined VPN SSO server.
Onboard the user. Once the FortiClient endpoint's telemetry connection is established, the user can connect to the VPN using Azure Single Sign-On.
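When the SSO login fails at the group-mapping step, the quickest check is to look at the attributes Azure AD actually sent and compare them with what FortiSASE is configured to expect. The following Python script is an added example, not part of this article or of any Fortinet tool. It parses a SAMLResponse (raw XML or the base64 form POSTed by the browser), lists the attributes in the assertion, and reports whether the configured username attribute, group attribute, and remote group values would match. The attribute names used here are the Azure AD default claim URIs; if custom claim names were set in Azure, the FortiSASE side must use those same strings. The SAML response is constructed sample data, and the remote group values are assumed.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in an Azure AD response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names assumed to be configured on the FortiSASE IdP settings.
# These are the Azure AD default claim names; replace them if custom
# claim names (e.g. "username" / "group") were configured in Azure.
USERNAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample response: one user, two groups sent as Azure object IDs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>66666666-7777-8888-9999-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(raw):
    """Return the XML text of a SAMLResponse, accepting raw XML or base64."""
    stripped = raw.strip()
    if stripped.startswith("<"):
        return stripped
    return base64.b64decode(stripped).decode("utf-8")


def extract_attributes(xml_text):
    """Map each <saml:Attribute Name=...> to the list of its AttributeValue strings."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_mapping(attrs, username_attr, group_attr, remote_groups):
    """Report whether the assertion satisfies the configured user/group mapping.

    remote_groups: the group values configured under Remote Group on FortiSASE.
    Azure AD sends group object IDs unless the app is configured to emit names,
    so a remote group entered as a display name will not match."""
    problems = []
    username = attrs.get(username_attr, [])
    if not username:
        problems.append("username attribute '%s' missing from assertion" % username_attr)
    groups = attrs.get(group_attr, [])
    if not groups:
        problems.append("group attribute '%s' missing from assertion" % group_attr)
    matched = sorted(set(groups) & set(remote_groups))
    if groups and not matched:
        problems.append("no group value matches a configured remote group "
                        "(check object ID vs. display name)")
    return {
        "username": username[0] if username else None,
        "matched_groups": matched,
        "problems": problems,
    }


def main():
    attrs = extract_attributes(decode_saml_response(SAMPLE_RESPONSE))
    for name, values in attrs.items():
        print("%s -> %s" % (name, values))
    # Assumed remote group on FortiSASE: the object ID of the VPN users group.
    report = check_mapping(attrs, USERNAME_ATTR, GROUP_ATTR,
                           ["11111111-2222-3333-4444-555555555555"])
    print(report)


if __name__ == "__main__":
    main()
```

To use it on a real login, copy the SAMLResponse form field from the browser's developer tools (it is base64) and pass it to decode_saml_response; the printed attribute names are the exact strings that must appear in the FortiSASE username and group attribute fields.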
Copyright 2024 Fortinet, Inc. All Rights Reserved.