Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
J_J
New Contributor II

Created on ‎01-07-2026 02:42 PM

FortiEMS cloud invite authentication via SAML/Entra

I have an on prem AD synced to Entra - my EMS cloud is connected and the Entra domain is imported over. I have configured SAML so when the client is pushed to my contractors who are non-domain joined devices, they will be prompted for credentials before connecting to EMS. The SAML redirect is occurring, but I am receiving an invalid response error after attempted log in. Any Ideas?

 

EMS client packager version 7.4 patch 7.4.5

 

2026-01-07_15-41-48.jpg2026-01-07_16-25-04.jpgems .png

 

 

Labels:
93
0 Kudos
1 Solution
J_J
New Contributor II

Created on ‎01-09-2026 07:26 AM Edited on ‎01-09-2026 07:26 AM

This specific issue for me was resolved by copying out the x509 used in the SAML trace to create a new cert that i uploaded to the EMS - for whatever reason it was using a different cert to sign then the one generated at the time of creating the Azure app. 

 

NEW ISSUE: EMS cloud is only seeing the username from the SAML and domain users fall through a test policy where the entire Entra domain is attached for users to hit and land in the default

View solution in original post

27
0 Kudos
4 REPLIES 4
mpapisetty
Staff
Staff

Created on ‎01-07-2026 07:06 PM

Hi @J_J ,

This is most likely due to a certification verification issue. Check on this post to see if it helps - https://community.fortinet.com/t5/Support-Forum/Getting-SAML-error-with-FortiClient-EMS-Cloud/m-p/31...

HTH
Manoj Papisetty
78
0 Kudos
J_J
New Contributor II
In response to mpapisetty

Created on ‎01-08-2026 06:50 AM

EMS cloud is connected the Entra domain - there is no specific ADFS host. The certificate is what was generated by the custom application made for the SSO SAML on Azure side....am i missing something? 

56
0 Kudos
J_J
New Contributor II
In response to J_J

Created on ‎01-08-2026 07:34 AM

I have verified that federation status - it was already disabled, and no domain was associated to it before.

 

2026-01-08_09-33-50.jpg

50
0 Kudos
J_J
New Contributor II

Created on ‎01-09-2026 07:26 AM Edited on ‎01-09-2026 07:26 AM

This specific issue for me was resolved by copying out the x509 used in the SAML trace to create a new cert that i uploaded to the EMS - for whatever reason it was using a different cert to sign then the one generated at the time of creating the Azure app. 

 

NEW ISSUE: EMS cloud is only seeing the username from the SAML and domain users fall through a test policy where the entire Entra domain is attached for users to hit and land in the default

28
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.