Configuring SAML SSO for FortiGate Administrator Login with Microsoft Entra ID
This guide outlines the steps to set up SAML-based Single Sign-On (SSO) for FortiGate administrator access, leveraging Microsoft Entra ID as the Identity Provider (IdP).

Overview

  • FortiGate Role: Service Provider (SP)
  • Identity Provider: Microsoft Entra ID (Azure AD)
  • Objective: Enable administrators to authenticate to FortiGate using SAML SSO.

Terminology Mapping

FortiGate Term          | Azure AD / Entra ID Equivalent
------------------------|-----------------------------------------
IdP Entity ID           | Entra ID Identifier
IdP Single Sign-On URL  | Login URL
IdP Single Logout URL   | Logout URL
SP Entity ID            | Identifier (Entity ID)
SP ACS (Login) URL      | Reply URL (Assertion Consumer Service)
SP SLS (Logout) URL     | Logout URL
SP Portal URL           | Sign-on URL


Note: The ‘username’ attribute in the SAML response is mandatory and corresponds to the administrator’s account name on FortiGate.

Quick CLI Guide for FortiGate

config vpn certificate remote
    edit "EntraID-SSO-Admins"
        set remote "-----BEGIN CERTIFICATE-----
<Base64 certificate body downloaded from Entra ID, omitted here>
-----END CERTIFICATE-----"
    next
end

config system saml
    set status enable
    set default-login-page normal
    set default-profile "super_admin"
    set entity-id "http://192.168.1.1:1234/metadata/"
    set idp-entity-id "https://sts.windows.net/b793f2e8-4d6b-4e8d-9305-2e0c2178f9a1/"
    set idp-single-sign-on-url "https://login.microsoftonline.com/b793f2e8-4d6b-4e8d-9305-2e0c2178f9a1/saml2"
    set idp-single-logout-url "https://login.microsoftonline.com/b793f2e8-4d6b-4e8d-9305-2e0c2178f9a1/saml2"
    set idp-cert "EntraID-SSO-Admins"
    set server-address "192.168.1.1:1234"
end

Configuration Steps

1. Set Up Enterprise Application in Entra ID

  • Navigate to Microsoft Entra ID > Enterprise Applications.
  • Click New Application, name it (e.g., “FortiGate Admin SSO”), and create.
  • In the newly created application, select Single sign-on and choose SAML.

2. Configure SAML Settings in Entra ID

  • In the Basic SAML Configuration section:
    • Identifier (Entity ID): https://<FortiGate_IP>:<Port>/remote/saml/metadata/
    • Reply URL (Assertion Consumer Service URL): https://<FortiGate_IP>:<Port>/remote/saml/login/
    • Sign-on URL: https://<FortiGate_IP>:<Port>/remote/saml/login/
  • In the User Attributes & Claims section:
    • Ensure the username attribute is included.

3. Download and Import IdP Certificate

  • From the SAML Signing Certificate section in Entra ID, download the Base64 certificate.
  • On FortiGate:
    • Go to System > Certificates.
    • Click Create/Import > Remote Certificate.
    • Upload the downloaded certificate.

4. SAML SSO Configuration Overview (GUI & CLI)

Web GUI Configuration by FortiOS Version

For FortiOS 6.2:

  • Navigate to User & Device > SAML SSO.

For FortiOS 6.2.3 and newer:

  • Go to Security Fabric > Settings.
  • Enable FortiGate Telemetry.
  • Specify a Fabric name and an IP address for FortiAnalyzer (this can be a placeholder/unused IP).
  • Enable SAML Single Sign-On and select Advanced Options.

For FortiOS 6.4 and above:

  • Open Security Fabric > Fabric Connectors.
  • Click on Security Fabric Setup and then on Single Sign-On Settings.

CLI Configuration

To configure SAML SSO through CLI, use the following command:

config system saml

Configuration Parameters:

  • Mode: Set to Service Provider (SP).
  • SP Address: This is the address used during the SAML login process and identifies the FortiGate instance as the Service Provider. You can specify either an IP address or an FQDN. Ensure this address is reachable by administrators, as it’s used in authentication redirects.
  • SP Certificate: Leave this disabled — it’s not required by Azure.
  • Default Login Page:
    • Normal: Displays the traditional FortiGate login screen, with a SAML option.
    • Single Sign-On: Redirects all login attempts directly to the SAML IdP.
    It’s recommended to use Normal during initial setup and testing.
  • Default Admin Profile: Specifies the default admin profile assigned to newly created SAML-based admin users.
    • The admin_no_access virtual profile can be used to block GUI access until a valid admin manually assigns proper permissions. Useful for managing first-time logins securely.

Identity Provider (IdP) Settings

  • IdP Type: Set to Custom.
  • IdP Certificate: Use the certificate you imported during the earlier setup step.
  • Fill in the following values using information from your Entra ID SAML setup:
    • IdP Entity ID: (The Entra ID Identifier)
    • IdP Single Sign-On URL: (Login URL from Azure)
    • IdP Single Logout URL: (Logout URL from Azure)
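The three IdP values and the signing certificate above are the fields most often mistyped when copied by hand. The following added example (not code from the original guide, Fortinet or Microsoft) parses the Federation Metadata XML that Entra ID publishes for the application and renders the same CLI block as the Quick CLI Guide; it assumes the standard SAML metadata layout and uses a constructed sample with a placeholder tenant ID and a fake certificate body.

```python
"""Turn Entra ID federation metadata into the FortiGate SAML CLI from the guide.
Added example, not from the original guide, Fortinet or Microsoft; the metadata
below is a constructed sample with a placeholder tenant ID and a fake cert."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Constructed sample shaped like the Federation Metadata XML download from the
# Entra ID "SAML Signing Certificate" section (certificate body is fake).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
   <X509Certificate>
    MIICfakeCERTbody
   </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract the IdP entity ID, SSO/SLO URLs and signing cert FortiGate needs."""
    root = ET.fromstring(xml_text)
    sso = root.find(f".//md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    slo = root.find(f".//md:SingleLogoutService[@Binding='{REDIRECT}']", NS)
    key = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    if not root.get("entityID") or sso is None or cert is None:
        raise ValueError("metadata lacks entityID, SSO URL or signing certificate")
    return {"idp_entity_id": root.get("entityID"),
            "idp_sso_url": sso.get("Location"),
            "idp_slo_url": (slo if slo is not None else sso).get("Location"),
            "idp_cert_b64": "".join(cert.text.split())}  # strip pretty-print whitespace

def fortigate_saml_cli(idp, sp_address, cert_name, profile="admin_no_access"):
    """Render the guide's CLI; admin_no_access is the safer default for new SAML admins."""
    pem = "-----BEGIN CERTIFICATE-----\n" + idp["idp_cert_b64"] + "\n-----END CERTIFICATE-----"
    return "\n".join([
        "config vpn certificate remote", f'    edit "{cert_name}"',
        f'        set remote "{pem}"', "    next", "end",
        "config system saml", "    set status enable",
        "    set default-login-page normal", f'    set default-profile "{profile}"',
        f'    set entity-id "http://{sp_address}/metadata/"',
        f'    set idp-entity-id "{idp["idp_entity_id"]}"',
        f'    set idp-single-sign-on-url "{idp["idp_sso_url"]}"',
        f'    set idp-single-logout-url "{idp["idp_slo_url"]}"',
        f'    set idp-cert "{cert_name}"', f'    set server-address "{sp_address}"', "end"])
```

Paste the rendered block into the FortiGate CLI and compare the three IdP lines with the GUI fields before enabling Single Sign-On as the default login page.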

5. Assign Users and Test Access

  • In Entra ID, assign the application to the appropriate users or groups.
  • Attempt to log in to the FortiGate administrator portal.
  • Upon successful authentication, a new administrator account should be created automatically on FortiGate.