(V3.x) How do I Configure SAML2 Single Sign-on (Authentication) to use Azure AD SSO?

Modified on Tue, 20 Jan at 9:21 AM

Note

Before following these steps, ensure you have configured and verified your custom domain:  Domain setup (Premium level service)


Follow the steps below to configure single sign-on with Azure AD.


1.) Log in to the Fortinet Security Awareness and Training Service Admin view as the tenant administrator or a user with the Admin role assignment. 


2.) Select the Settings dropdown from the navigation menu, then select the Admin Settings sub-menu item. Now select the Configure button in the Single Sign-On (SSO) section: 



3.) Select the Add Fortinet as a SAML service provider (SP) option button: 



4.) Now, log in to the Microsoft Azure / Entra admin console and navigate to the Enterprise applications page. The Enterprise applications console is displayed: 



5.)  Select + New application from the header menu: 



6.) From the Browse Microsoft Entra Gallery page, select + Create your own application option: 



7.) Enter the following name (or a name of your choice) in the What's the name of your app? field in the Create your own application dialogue:  "FortiSATS"



8.) Ensure the Integrate any other application you don't find in the gallery (Non-gallery) option button is selected, then select the Create button:  



9.)  You can either select Users and Groups from the navigation menu OR select Assign users and groups in the Getting Started section in the box labelled: 1. Assign users and groups



10.) Select the + Add user/group option at the top of the right-hand pane: 



11.)  Add all of the staff or a group containing all of the staff by searching and assigning the users or groups: 



Note

Depending on your service level, you may receive a warning stating:  


Groups are not available for assignment due to your Active Directory plan level. You can assign individual users to the application.


In this case, you will need to select each user individually.


12.) Once the users have been assigned, you can close the Users and groups window by selecting the X in the upper right-hand corner: 



13.)  Now, from the Overview page for the app, you can either select Single Sign-on from the navigation menu OR select the Get Started link in Section 2. Set up single sign on



14.) Select SAML from the Select a single sign-on method section: 



15.) Select the Edit link in section 1 - Basic SAML Configuration section: 



16.) Return to the Fortinet Security Awareness and Training Service tab in your browser and click on the copy icon in the Copy this SP Entity ID (service provider metadata) section (the second link, ending in ...metadata):



17.) Return to the Microsoft Entra admin center tab in your browser and click on the Add identifier link in the Identifier (Entity ID) section of the Basic SAML Configuration section, then paste the value copied: 



18.) Return to the Fortinet Security Awareness and Training Service tab in your browser and click on the copy icon in the Copy this ACS URL section (the first link ending in ...acs):



19.) Return to the Microsoft Entra admin center tab in your browser and click on the Add Reply URL link in the Reply URL (Assertion Consumer Service URL) section of the Basic SAML Configuration section, then paste the value copied: 



20.) Select the Save link at the top of the page: 



21.) Close the window after saving, to return to the main application page: 



22.) Select the Edit link in section 2: Attributes and Claims



23.) In the Required claim section, click on the claim name:  Unique User Identifier (Name ID) link: 



24.) Set the Source attribute value to user.mail (you can type mail into the search box to find the attribute): 



25.) Click the Save button:  



26.) Delete all claims in the Additional claims section by selecting the three dots on the right of the entry, then select Delete, then confirm: 



There should be no Additional claims entries when you are finished. We will add new ones in the next steps. 



27.) Select the +Add new claim link in the upper right: 



28.) Return to the Fortinet Security Awareness and Training Service tab in your browser and click the Continue button: 



29.) Assign the Attributes you will map in the Entra admin console by typing them in the Attributes fields. There must be no spaces in these values. You may use the examples below (i.e. email, firstname and lastname). Underscores are allowed. Once entered, click the Continue button:  


 


30.) Return to the Microsoft Entra admin center tab in your browser and create the three claims using the values you specified in the previous step. For the first claim, populate the Name value so that it matches the name you entered above (in this example, Email), then map the source attribute to user.mail and save the entry: 



The new additional claim is listed:  



31.) Now, create two additional claims using the attribute name you specified for firstname (map this to the user.givenname source attribute) and lastname (map this to the user.surname source attribute).  Your entry should look similar to this example: 
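Steps 23 to 31 define what the service provider expects to find in each assertion: a NameID sourced from user.mail and three additional claims whose Name values must match the attribute names typed in step 29 exactly (no spaces). The following added example (not Fortinet's or Microsoft's code) parses a constructed SAML assertion with Python's standard library and reports any mismatch against that configuration, which is a quick way to diagnose a "user not found" or blank-name result after SSO. The attribute names `email`, `firstname` and `lastname`, the tenant id placeholder and the sample user are assumptions; the assertion is constructed and unsigned, so this checks mapping only, not signature validity.

```python
# Added example (not Fortinet's or Microsoft's code): parse a SAML assertion and
# check that its NameID and attribute names match what steps 23-31 configure.
# The assertion below is constructed for illustration; it carries no signature
# and is not a real Entra-issued token.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names the SP was told to expect in step 29 (assumed: the article's
# suggested lowercase names; whatever you typed there is what must appear).
REQUIRED_ATTRIBUTES = ("email", "firstname", "lastname")

# Constructed sample: one user with all three claims mapped as in steps 30-31.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def invalid_attribute_names(names):
    """Step 29's rule: attribute names must be non-empty and contain no spaces."""
    return [n for n in names if not n or " " in n]


def parse_assertion(xml_text):
    """Return (name_id, {attribute_name: [values]}) from an assertion document.

    xml.etree is used so the example runs offline; for untrusted input use
    defusedxml (or an XML-signature-aware SAML library) instead.
    """
    root = ET.fromstring(xml_text)
    name_id_el = root.find("saml:Subject/saml:NameID", SAML_NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name", "")] = values
    return name_id, attributes


def check_claims(xml_text, required=REQUIRED_ATTRIBUTES):
    """Compare an assertion against the SP configuration; return a list of problems."""
    problems = []
    name_id, attributes = parse_assertion(xml_text)
    if not name_id:
        problems.append("NameID missing: step 24 maps it to user.mail")
    elif "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not an email address: check the Source attribute")
    for name in required:
        if name not in attributes:
            problems.append(f"claim {name!r} missing: the Name in Entra must match step 29 exactly")
        elif not any(attributes[name]):
            problems.append(f"claim {name!r} is empty: check its source attribute in Entra")
    email_values = attributes.get("email", [])
    if name_id and email_values and email_values[0] != name_id:
        problems.append("email claim differs from NameID: both should come from user.mail")
    return problems


if __name__ == "__main__":
    for problem in check_claims(SAMPLE_ASSERTION) or ["assertion matches the SP configuration"]:
        print(problem)
```

To use it against a real login, capture the base64 SAMLResponse from the browser's developer tools, decode it, and pass the Assertion element to `check_claims` with the attribute names you actually entered in step 29. Matching is exact, so a claim named `Email` in Entra will not satisfy an SP attribute named `email`.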



32.) Close this section by selecting the X in the upper right-hand of the screen: 



33.) Once users have been given permissions, select Single sign-on from the App navigation menu: 



34.) From section 3:  SAML Certificates, click the copy button on the right-hand side of the App Federation Metadata url field: 



35.) Return to the Fortinet Security Awareness and Training Service tab in your browser and ensure the Input Metadata URL option button is selected on the final page, paste the value you just copied from the Entra console and click the complete button to save the configuration: 



Single Sign-On (SSO) displays a status of Enabled: 
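When you paste the App Federation Metadata Url in step 35, the service provider fetches the IdP metadata and takes from it the IdP entity ID, the single sign-on endpoint and the signing certificate it will use to verify assertions. The following added example (not Fortinet's or Microsoft's code) parses a constructed metadata document and checks that those three items are present and that the endpoint is HTTPS, which is what to verify when the status does not show Enabled or logins fail with a signature error. The tenant id and certificate are placeholders, and the document is simplified: real Entra federation metadata is itself signed and also carries WS-Federation descriptors, so a production SP should fetch it over HTTPS and verify that signature as well.

```python
# Added example (not Fortinet's or Microsoft's code): parse the IdP federation
# metadata the SP fetches in step 35 and check it carries what the SP needs.
# The metadata below is constructed; tenant id and certificate are placeholders.
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>BASE64-CERT-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract entity ID, SSO/SLO endpoints by binding, and signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not SAML IdP metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", MD_NS)}
    # The SP in this article does not use SAML logout (step 36), but record it anyway.
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", MD_NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", MD_NS):
        # A KeyDescriptor without a "use" attribute may be used for signing.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", MD_NS):
            certs.append("".join((cert.text or "").split()))
    return {"entity_id": root.get("entityID"), "sso": sso, "slo": slo, "signing_certs": certs}


def check_idp_metadata(xml_text):
    """Return a list of problems that would stop the SP from completing step 35."""
    problems = []
    md = parse_idp_metadata(xml_text)
    if not md["entity_id"]:
        problems.append("entityID missing")
    if not md["signing_certs"]:
        problems.append("no signing certificate: the SP cannot verify assertion signatures")
    endpoint = md["sso"].get(HTTP_REDIRECT) or md["sso"].get(HTTP_POST)
    if not endpoint:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    elif not endpoint.startswith("https://"):
        problems.append(f"SSO endpoint {endpoint!r} is not https")
    return problems


if __name__ == "__main__":
    for problem in check_idp_metadata(SAMPLE_METADATA) or ["metadata is usable by the SP"]:
        print(problem)
```

When Entra rolls the signing certificate (section 3 of the SAML page), the certificate list returned here changes; an SP that cached the old metadata will reject new assertions until it re-fetches the URL from step 34.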



36.) Since we do not support the SAML 2 logout functionality, you must also complete this additional step. Select Edit SSO config from the Single Sign-On (SSO) section of the Settings > Admin Settings page: 



37.)  Replace the contents (url value) of the IdP Logout URL field with:


https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0


... then click the Continue button:  



38.) Now, create a single user in the Fortinet Security Awareness and Training service and use the configured domain for your tenant to verify that users can log in using SSO credentials from Entra. You may also continue, per below, and configure auto-provisioning to add and manage your active users, automatically. 



If you wish to configure Microsoft Entra/Azure/O365 Auto-provisioning (using SCIM protocol), click here.

