FortiGate
Zoltar_FTNT
Staff
Article Id 308434
Description This article describes a CLI change in FortiOS 7.4.2 and above: 'set auth-url' under 'config user saml' has been removed and replaced by the new 'config user external-identity-provider' table.
Scope FortiOS 7.4.2 and above.
Solution

This configuration supports the feature that lets a customer's Windows endpoint with the FortiClient agent installed sign in to FortiSASE IPsec automatically, using the same Azure AD credentials the user used to log in to the endpoint.

Below is the 'config user saml' configuration in 7.4.1 and below:

config user saml
    edit "Test_7.4.1"
        set cert ''
        set entity-id ''
        set single-sign-on-url ''
        set single-logout-url ''
        set idp-entity-id ''
        set idp-single-sign-on-url ''
        set idp-single-logout-url ''
        set idp-cert ''
        set user-name ''
        set group-name ''
        set digest-method sha1
        set limit-relaystate disable
        set clock-tolerance 15
        set auth-url ''    <- 'set auth-url' is still present in FortiOS 7.4.1 and below.
        set adfs-claim disable
        set reauth disable
    next
end

Below is the 'config user saml' configuration in 7.4.2 and above:

config user saml
    edit "Test_7.4.2"
        set cert ''
        set entity-id ''
        set single-sign-on-url ''
        set single-logout-url ''
        set idp-entity-id ''
        set idp-single-sign-on-url ''
        set idp-single-logout-url ''
        set idp-cert ''
        set user-name ''
        set group-name ''
        set digest-method sha1
        set limit-relaystate disable
        set clock-tolerance 15
        set adfs-claim disable
        set reauth disable
    next
end

As seen in the 'Test_7.4.2' configuration above, 'set auth-url' is no longer present. In 7.4.2 and above it is replaced by the following separate table:

config user external-identity-provider
    edit "Test_eidp_7.4.2"
        set type ms-graph
        set version v1.0
        set user-attr-name "userPrincipalName"
        set group-attr-name "id"
        set port 0
        set source-ip ''
        set interface-select-method auto
        set server-identity-check enable
        set timeout 5
    next
end

Note: Once the external identity provider is configured, ensure that it is assigned to the existing user group used for SAML, in addition to the SAML server itself; otherwise the group no longer has a source for the user and group attributes that 'auth-url' used to provide.
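The following pre-upgrade check is an added example and not Fortinet's code. It parses a plain-text FortiOS configuration backup with a small config/edit/set/next/end parser, reports which 'config user saml' entries still carry 'set auth-url' (dropped on upgrade to 7.4.2+), whether any 'config user external-identity-provider' entry exists, and which user groups list a SAML server under 'set member' so that the new provider can be assigned to them as the note above requires. The two backups are constructed samples (example.invalid hostnames); the 'set member' group syntax is assumed, and because the article does not give the CLI keyword for attaching the provider to a group, the script only lists the groups to update rather than verifying that attachment.

```python
"""Pre-upgrade check for the FortiOS 7.4.2 removal of 'set auth-url'.

Added example (not Fortinet's code). Parses a FortiOS config backup and
reports SAML servers that still use 'auth-url', existing external
identity providers, and user groups that reference a SAML server.
"""
import shlex
from typing import Dict, List

# Constructed 7.4.1-style backup (not a real device export).
SAMPLE_741 = """\
config user saml
    edit "Test_7.4.1"
        set entity-id 'https://fgt.example.invalid/saml/metadata/'
        set auth-url 'https://login.example.invalid/auth'
        set adfs-claim disable
    next
end
config user group
    edit "saml_users"
        set member "Test_7.4.1"
    next
    edit "local_users"
        set member "guest"
    next
end
"""

# Constructed backup after the 7.4.2 change: no auth-url, provider added.
SAMPLE_742 = """\
config user saml
    edit "Test_7.4.2"
        set entity-id 'https://fgt.example.invalid/saml/metadata/'
        set adfs-claim disable
    next
end
config user external-identity-provider
    edit "Test_eidp_7.4.2"
        set type ms-graph
        set user-attr-name "userPrincipalName"
        set group-attr-name "id"
    next
end
config user group
    edit "saml_users"
        set member "Test_7.4.2"
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios_config(text: str) -> Config:
    """Parse the config/edit/set/next/end subset of FortiOS CLI syntax.

    Returns {table: {entry: {attribute: [values]}}}; multi-valued
    attributes such as 'member' keep one list element per value.
    """
    tables: Config = {}
    stack: List[List] = []  # each item: [table name, current entry or None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            table = " ".join(tokens[1:])
            tables.setdefault(table, {})
            stack.append([table, None])
        elif keyword == "edit":
            stack[-1][1] = tokens[1]
            tables[stack[-1][0]].setdefault(tokens[1], {})
        elif keyword in ("set", "unset"):
            table, entry = stack[-1]
            if entry is not None:  # global settings outside 'edit' are skipped
                tables[table][entry][tokens[1]] = tokens[2:] if keyword == "set" else []
        elif keyword == "next":
            stack[-1][1] = None
        elif keyword == "end":
            stack.pop()
    return tables


def saml_entries_with_auth_url(config: Config) -> List[str]:
    """SAML servers whose 'auth-url' setting disappears on upgrade to 7.4.2+."""
    return sorted(n for n, a in config.get("user saml", {}).items() if "auth-url" in a)


def external_identity_providers(config: Config) -> List[str]:
    return sorted(config.get("user external-identity-provider", {}))


def groups_referencing_saml(config: Config) -> Dict[str, List[str]]:
    """User groups whose assumed 'set member' list names a SAML server."""
    saml_names = set(config.get("user saml", {}))
    hits: Dict[str, List[str]] = {}
    for group, attrs in config.get("user group", {}).items():
        members = sorted(set(attrs.get("member", [])) & saml_names)
        if members:
            hits[group] = members
    return hits


def migration_report(text: str) -> Dict[str, object]:
    config = parse_fortios_config(text)
    return {
        "saml_with_auth_url": saml_entries_with_auth_url(config),
        "external_identity_providers": external_identity_providers(config),
        "groups_to_update": groups_referencing_saml(config),
    }


if __name__ == "__main__":
    for label, sample in (("7.4.1 sample", SAMPLE_741), ("7.4.2 sample", SAMPLE_742)):
        report = migration_report(sample)
        print(f"{label}: {report}")
        if report["saml_with_auth_url"] and not report["external_identity_providers"]:
            print("  -> 'set auth-url' will be dropped on upgrade; create a "
                  "'config user external-identity-provider' entry and assign it "
                  "to the groups listed under groups_to_update.")
```

Run it against a real backup by replacing the sample strings with the file contents; the 7.4.1 sample produces one SAML server flagged and no provider, while the 7.4.2 sample produces no flagged server and one provider, with the SAML group listed in both cases as the place to attach the provider.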