Tutorial: Azure Active Directory single sign-on (SSO) integration with FortiGate SSL VPN
In this tutorial, you'll learn how to integrate FortiGate SSL VPN with Azure Active Directory (Azure AD). When you integrate FortiGate SSL VPN with Azure AD, you can:
- Use Azure AD to control who can access FortiGate SSL VPN.
- Enable your users to be automatically signed in to FortiGate SSL VPN with their Azure AD accounts.
- Manage your accounts in one central location: the Azure portal.
Prerequisites
To get started, you need the following items:
- An Azure AD subscription. If you don't have a subscription, you can get a free account.
- A FortiGate SSL VPN subscription with single sign-on (SSO) enabled.
Tutorial description
In this tutorial, you'll configure and test Azure AD SSO in a test environment.
FortiGate SSL VPN supports SP-initiated SSO.
Add FortiGate SSL VPN from the gallery
To configure the integration of FortiGate SSL VPN into Azure AD, you need to add FortiGate SSL VPN from the gallery to your list of managed SaaS apps:
- Sign in to the Azure portal with a work or school account or with a personal Microsoft account.
- In the left pane, select Azure Active Directory.
- Go to Enterprise applications and then select All Applications.
- To add an application, select New application.
- In the Add from the gallery section, enter FortiGate SSL VPN in the search box.
- Select FortiGate SSL VPN in the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Configure and test Azure AD SSO for FortiGate SSL VPN
You'll configure and test Azure AD SSO with FortiGate SSL VPN by using a test user named B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the corresponding user in FortiGate SSL VPN.
To configure and test Azure AD SSO with FortiGate SSL VPN, you'll complete these high-level steps:
- Configure Azure AD SSO to enable the feature for your users.
- Create an Azure AD test user to test Azure AD single sign-on.
- Grant access to the test user to enable Azure AD single sign-on for that user.
- Configure FortiGate SSL VPN SSO on the application side.
- Create a FortiGate SSL VPN test user as a counterpart to the Azure AD representation of the user.
- Test SSO to verify that the configuration works.
Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal:
In the Azure portal, on the FortiGate SSL VPN application integration page, in the Manage section, select single sign-on.
On the Select a single sign-on method page, select SAML.
On the Set up Single Sign-On with SAML page, select the pencil button for Basic SAML Configuration to edit the settings:

On the Set up Single Sign-On with SAML page, enter the following values:
a. In the Sign on URL box, enter a URL in the pattern
https://<FQDN>/remote/saml/login.b. In the Identifier box, enter a URL in the pattern
https://<FQDN>/remote/saml/metadata.c. In the Reply URL box, enter a URL in the pattern
https://<FQDN>/remote/saml/login.d. In the Logout URL box, enter a URL in the pattern
https://<FQDN>/remote/saml/logout.Note
These values are just patterns. You need to use the actual Sign on URL, Identifier, Reply URL, and Logout URL. Contact Fortinet support for guidance. You can also refer to the example patterns shown in the Fortinet documentation and the Basic SAML Configuration section in the Azure portal.
The FortiGate SSL VPN application expects SAML assertions in a specific format, which requires you to add custom attribute mappings to the configuration. The following screenshot shows the list of default attributes.

The two additional claims required by FortiGate SSL VPN are shown in the following table. The names of these claims must match the names used in the Perform FortiGate command-line configuration section of this tutorial.
Name Source attribute username user.userprincipalname group user.groups To create these additional claims:
a. Next to User Attributes & Claims, select Edit.
b. Select Add new claim.
c. For Name, enter username.
d. For Source attribute, select user.userprincipalname.
e. Select Save.
f. Select Add a group claim.
g. Select All groups.
h. Select the Customize the name of the group claim check box.
i. For Name, enter group.
j. Select Save.
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the Download link next to Certificate (Base64) to download the certificate and save it on your computer:

In the Set up FortiGate SSL VPN section, copy the appropriate URL or URLs, based on your requirements:

Create an Azure AD test user
In this section, you'll create a test user named B.Simon in the Azure portal.
- In the left pane of the Azure portal, select Azure Active Directory. Select Users, and then select All users.
- Select New user at the top of the screen.
- In the User properties, complete these steps:
- In the Name box, enter B.Simon.
- In the User name box, enter <username>@<companydomain>.<extension>. For example,
B.Simon@contoso.com. - Select Show password, and then write down the value that's displayed in the Password box.
- Select Create.
Grant access to the test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting that user access to FortiGate SSL VPN.
- In the Azure portal, select Enterprise applications, and then select All applications.
- In the applications list, select FortiGate SSL VPN.
- On the app's overview page, in the Manage section, select Users and groups.
- Select Add user, then select Users and groups in the Add Assignment dialog.
- In the Users and groups dialog box, select B.Simon in the Users list, and then click the Select button at the bottom of the screen.
- If you're expecting any role value in the SAML assertion, in the Select Role dialog box, select the appropriate role for the user from the list. Click the Select button at the bottom of the screen.
- In the Add Assignment dialog box, select Assign.
Create a security group for the test user
In this section, you'll create a security group in Azure Active Directory for the test user. FortiGate will use this security group to grant the user network access via the VPN.
- In the left pane of the Azure portal, select Azure Active Directory. Then select Groups.
- Select New group at the top of the screen.
- In the New Group properties, complete these steps:
- In the Group type list, select Security.
- In the Group name box, enter FortiGateAccess.
- In the Group description box, enter Group for granting FortiGate VPN access.
- For the Azure AD roles can be assigned to the group (Preview) settings, select No.
- In the Membership type box, select Assigned.
- Under Members, select No members selected.
- In the Users and groups dialog box, select B.Simon from the Users list, and then click the Select button at the bottom of the screen.
- Select Create.
- After you're back in the Groups section in Azure Active Directory, find the FortiGate Access group and note the Object Id. You'll need it later.
Configure FortiGate SSL VPN SSO
Upload the Base64 SAML Certificate to the FortiGate appliance
After you completed the SAML configuration of the FortiGate app in your tenant, you downloaded the Base64-encoded SAML certificate. You need to upload this certificate to the FortiGate appliance:
- Sign in to the management portal of your FortiGate appliance.
- In the left pane, select System.
- Under System, select Certificates.
- Select Import > Remote Certificate.
- Browse to the certificate downloaded from the FortiGate app deployment in the Azure tenant, select it, and then select OK.
After the certificate is uploaded, take note of its name under System > Certificates > Remote Certificate. By default, it will be named REMOTE_Cert_N, where N is an integer value.
Complete FortiGate command-line configuration
The following steps require that you configure the Azure Logout URL. This URL contains a question mark character (?). You need to take specific steps to successfully submit this character. You can't complete these steps from the FortiGate CLI Console. Instead, establish an SSH session to the FortiGate appliance by using a tool like PuTTY. If your FortiGate appliance is an Azure virtual machine, you can complete the following steps from the serial console for Azure virtual machines.
To complete these steps, you'll need the values you recorded earlier:
- Entity ID
- Reply URL
- Logout URL
- Azure Login URL
- Azure AD Identifier
- Azure Logout URL
- Base64 SAML certificate name (REMOTE_Cert_N)
Establish an SSH session to your FortiGate appliance, and sign in with a FortiGate Administrator account.
Run these commands:
config user saml edit azure set cert <FortiGate VPN Server Certificate Name> set entity-id <Entity ID> set single-sign-on-url <Reply URL> set single-logout-url <Logout URL> set idp-single-sign-on-url <Azure Login URL> set idp-entity-id <Azure AD Identifier> set idp-single-logout-url <Azure Logout URL> set idp-cert <Base64 SAML Certificate Name> set user-name username set group-name group endNote
The Azure Logout URL contains a
?character. You must enter a special key sequence to correctly provide this URL to the FortiGate serial console. The URL is usuallyhttps://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0.To enter the Azure Logout URL in the serial console, enter
set idp-single-logout-url https://login.microsoftonline.com/common/wsfederation.Then select CTRL+V and paste the rest of the URL to complete the line:
set idp-single-logout-url https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0.
Configure FortiGate for group matching
In this section, you'll configure FortiGate to recognize the Object ID of the security group that includes the test user. This configuration will allow FortiGate to make access decisions based on the group membership.
To complete these steps, you'll need the Object ID of the FortiGateAccess security group that you created earlier in this tutorial.
Establish an SSH session to your FortiGate appliance, and sign in with a FortiGate Administrator account.
Run these commands:
config user group edit FortiGateAccess set member azure config match edit 1 set server-name azure set group-name <Object Id> next end next end
Create a FortiGate VPN Portals and Firewall Policy
In this section, you'll configure a FortiGate VPN Portals and Firewall Policy that grants access to the FortiGateAccess security group you created earlier in this tutorial.
Work with the FortiGate support team to add the VPN Portals and Firewall Policy to the FortiGate VPN platform. You need to complete this step before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
Click on Test this application in Azure portal. This will redirect to FortiGate VPN Sign-on URL where you can initiate the login flow.
Go to FortiGate VPN Sign-on URL directly and initiate the login flow from there.
You can use Microsoft My Apps. When you click the FortiGate VPN tile in the My Apps, this will redirect to FortiGate VPN Sign-on URL. For more information about the My Apps, see Introduction to the My Apps.
Next steps
Once you configure FortiGate VPN you can enforce Session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.