Hi, I am attempting to configure our FortiSASE solution to talk with Microsoft Azure/Entra LDAPS service so it can lookup Users and Groups. We already have SSO working between FortiSASE and Entra.
We have a private PKI solution in play.
I have set up the Microsoft Entra Domain Services LDAPS service and can connect and browse using LDP.exe and self-signed certificates as per the Microsoft documentation.
How do I get FortiSASE to talk to the Microsoft Entra Domain Services LDAPS service? I am unable to use the self-signed certs described in the Microsoft documentation even as a test!
And as I cannot install (or figure out how to) our private PKI root CA and SubCA into Entra I can't use that either.
All advice welcome on this one!
Is this the configuration you're trying to achieve "Searching user groups from Entra ID SSO"?
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/aa1ee3b9-4750-11ee-8e6d-fa163e... (pages 126-127)
For this configuration, perhaps it would be better to open a case for follow up and revise configuration, SASE and Azure Entra ID.
We have SSO working for user authentication using Entra AAD.
Profile – the endpoint profile needs to be matched against an LDAP server (https://docs.fortinet.com/document/fortisase/latest/administration-guide/209451/profile) and will not pick this info up from a SAML authentication request.
ZTNA Tagging – The same goes for tagging objects; these need to be populated with an LDAP query and not a SAML auth request: https://docs.fortinet.com/document/fortisase/latest/administration-guide/442107/tagging-rule-types
From what I gather after many hours of playing with this, FortiSASE cannot use the Entra LDAP service. Happy for someone to prove me wrong :)