Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
idavidsonukdn
New Contributor

FortiSASE LDAPS integration with Azure AAD

Hi, I am attempting to configure our FortiSASE solution to talk with Microsoft Azure/Entra LDAPS service so it can lookup Users and Groups. We already have SSO working between FortiSASE and Entra.

 

We have a private PKI solution in play.

I have setup Microsoft Entra Domain Services LDAPS service and can connect and browse using LDP.exe and self-signed certificates as per Microsoft documentation.

How do I get FortiSASE to talk to the Microsoft Entra Domain Services LDAPS service? I am unable to use the self-signed certs described in the Microsoft documentation even as a test!

And as I cannot install (or figure out how to) our private PKI root CA and SubCA into Entra I can't use that either.

 

All advice welcome on this one!

 

#fortisase

2 REPLIES 2
pvalente
Staff
Staff

Hi David, 

 

Is this the configuration you're trying to achieve "Searching user groups from Entra ID SSO"?

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/aa1ee3b9-4750-11ee-8e6d-fa163e... (Pag 126-127)

 

https://learn.microsoft.com/en-us/entra/identity/domain-services/tutorial-configure-ldaps

 

For this configuration, perhaps it would be better to open a case for follow up and revise configuration, SASE and Azure Entra ID.

 

 

 

 

 

 

Pedro Valente
idavidsonukdn
New Contributor

Hi Pedro,

We have SSO working for user authentication using Entra AAD.

 

Profile – the endpoint profile needs to be matched against an LDAP server (https://docs.fortinet.com/document/fortisase/latest/administration-guide/209451/profile) and will not pick this info up from a SAML authentication request.

 

ZTNA Tagging – Same goes for an tagging objects, these need to be populated with an LDAP query and not a SAML auth request https://docs.fortinet.com/document/fortisase/latest/administration-guide/442107/tagging-rule-types

 

 

From what I gather from many hours playing with this, is that FortiSASE cannot use Entra LDAP service. Happy for someone to prove me wrong :)

 

Ian

Top Kudoed Authors