Admin login - Azure saml
This may be more of an Azure question, but... I want to use Azure saml for admin logins. I've set it up on a single device and it works great. Now I have 15-20 other Fortis I want to use it on but I really don't want to create an Azure app for each one. Is it possible to do it all within one app or is there a better way to do this?
Within Azure, I add in the URLs of the other FortiGates to the Entity ID and that works as expected; the user authenticates. The problem is that the ACS URL always uses the default URL, so the reply always goes to the initial Forti and the login fails.
Labels: FortiGate
Hello Random Guy,
what do you mean by Azure App? On the Azure portal itself you mean?
I think you may have to. The config on FortiGate is relatively simple with copy and paste. But the IdP Azure must know which SP (FortiGate) is supposed to connect. The SPs don't know of each other, the Azure portal must have either a capability to tell them apart or a separate app must be created.
Best regards,
Markus
By Azure app I mean step 1 in the guide above.
In step 7, you have the ability to add additional EntityID and Reply urls. Adding the EntityID of an additional firewall prompts for authentication correctly but the first reply entry in the list is always used so the login fails.
I really don't want to have to create a separate application for each.
Created on ‎08-20-2022 12:52 PM Edited on ‎08-20-2022 12:53 PM
That's a question you should direct at Microsoft/Azure. The FortiGate has no control over what the IdP does once you're on the IdP's website.
FortiGate sends both its entity ID (.../metadata) and the reply (.../saml/?acs) URIs, so if Azure is not capable of returning the user back to the correct FortiGate even when it's given all of this information on a silver platter, that's on Azure to fix, or explain.
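To make the point of the last reply concrete, here is an added example (not code from this thread, from Fortinet or from Microsoft) of the IdP-side decision that determines where the SAML response is posted. It parses a constructed AuthnRequest of the kind an SP sends (Issuer plus AssertionConsumerServiceURL), then contrasts two policies: the "first reply URL in the list" behaviour the thread reports, and a per-SP lookup that honours the requested ACS only when it is registered for that Issuer, so an unregistered ACS is refused rather than redirected to. The hostnames, the registration table and the selection functions are all hypothetical; they illustrate the logic, not Azure's implementation.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the AuthnRequest.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: one IdP app serving several FortiGate SPs.
# Hostnames are placeholders, not real devices.
REGISTERED_SPS = {
    "https://fgt-01.example.internal/metadata/": ["https://fgt-01.example.internal/saml/?acs"],
    "https://fgt-02.example.internal/metadata/": ["https://fgt-02.example.internal/saml/?acs"],
}

# The same reply URLs as one flat list, the way a single app with a
# list of Reply URLs (and no link to the Entity ID) would hold them.
FLAT_REPLY_URLS = [
    "https://fgt-01.example.internal/saml/?acs",
    "https://fgt-02.example.internal/saml/?acs",
]

# Constructed AuthnRequest as the second FortiGate would send it.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2022-08-20T12:52:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://fgt-02.example.internal/saml/?acs">
  <saml:Issuer>https://fgt-02.example.internal/metadata/</saml:Issuer>
</samlp:AuthnRequest>"""


def parse_authn_request(xml_text):
    """Return (issuer, requested_acs) from an AuthnRequest; acs may be None."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    requested_acs = root.get("AssertionConsumerServiceURL")
    return issuer, requested_acs


def first_reply_url(reply_urls):
    """The behaviour the thread reports: the first reply URL, whoever asked."""
    return reply_urls[0]


def select_acs_url(registered, issuer, requested_acs):
    """Per-SP selection: only an ACS registered for this Issuer is accepted.

    Returns the URL to post the response to, or None when the request must be
    refused (unknown Issuer, or an ACS not registered for that Issuer).
    """
    allowed = registered.get(issuer)
    if not allowed:
        return None                      # unknown SP: do not issue a response
    if requested_acs is None:
        return allowed[0]                # SP left it out: use its own default
    if requested_acs in allowed:
        return requested_acs             # matches this SP's registration
    return None                          # never redirect to an unregistered ACS


if __name__ == "__main__":
    issuer, acs = parse_authn_request(SAMPLE_REQUEST)
    print("issuer:        ", issuer)
    print("requested ACS: ", acs)
    print("flat-list pick:", first_reply_url(FLAT_REPLY_URLS))
    print("per-SP pick:   ", select_acs_url(REGISTERED_SPS, issuer, acs))
```

Run as is, the flat-list pick lands on the first FortiGate even though the request came from the second, which is the failed login the thread describes; the per-SP pick returns the requesting device's own ACS. The refusal branches matter too: an IdP that honoured any AssertionConsumerServiceURL it was handed would post signed assertions wherever a request pointed, so matching against the registration for that Issuer is the check to expect from an IdP, not just a convenience.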
