FortiAuthenticator as Identity Provider (IdP) for Office365 / Azure Active Directory

Author: tbrewster
Posted 2019/06/25 08:14:05


Has anyone successfully setup and used the FortiAuthenticator as the IdP for Azure AD?
We're following the Microsoft guidelines here https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp and having issues with the final steps.
 
The user login page is redirected to the FortiAuthenticator, successfully authenticated and then passed back to Microsoft, where we are getting "Message: AADSTS50107: Requested federation realm object 'http://{Our-FA-URL}/saml-idp/{Our-IDP-Prefix}/metadata/' does not exist."
 
The FA logs show:
SAML request from SP 'Office365_GCC' failed: SAML assertion request validation error: Issuer 'urn:federation:microsoftonline.us' does not match SP config

    Reply by tbrewster
    Re: FortiAuthenticator as Identity Provider (IdP) for Office365 / Azure Active Directory, 2019/07/10 10:34:09
    For any others that run into these issues: after getting all the steps in https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol completed and working, the final missing piece for us was that the "NameID" had to be set to the "ImmutableID" (i.e. the Remote LDAP Server / user objectGUID).
     
    Both Microsoft's and Fortinet's documentation are a bit shaky...
     
    Hopefully a better PowerShell example:
     
    Import-Module MSOnline
    Connect-MsolService   # sign in with a Global Administrator account

    $dom = "EXAMPLE.com"
    $BrandName = "FortiAuthenticator.EXAMPLE.com SAML 2.0 IDP"
    # -RANDOM- is the IdP prefix FortiAuthenticator generated for this SAML IdP
    $LogOnUrl = "https://FortiAuthenticator.EXAMPLE.com/saml-idp/-RANDOM-/login/"
    $LogOffUrl = "https://FortiAuthenticator.EXAMPLE.com/saml-idp/-RANDOM-/logout/"
    $MyURI = "urn:oasis:names:tc:SAML:2.0"   # must equal the Issuer / entity ID the FA puts in its SAML response
    $MyMetadataExchangeUri = "https://FortiAuthenticator.EXAMPLE.com/saml-idp/-RANDOM-/metadata/"
    $MySigningCert = "***CERT***"   # Base64 DER of the FA IdP signing certificate, without the PEM header/footer lines
    $Protocol = "SAMLP"
    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $BrandName -Authentication Federated `
        -PassiveLogOnUri $LogOnUrl -ActiveLogOnUri $LogOnUrl -SigningCertificate $MySigningCert `
        -IssuerUri $MyURI -LogOffUri $LogOffUrl -MetadataExchangeUri $MyMetadataExchangeUri `
        -PreferredAuthenticationProtocol $Protocol
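The two failure modes in this thread (an Issuer that does not match the domain's IssuerUri, which produces AADSTS50107, and a NameID that is not the ImmutableID) can both be checked against a captured FortiAuthenticator assertion before touching the tenant again. The following is an added example, not code from the original posts nor from Fortinet or Microsoft. It derives the ImmutableID from an on-prem objectGUID (Base64 of the GUID's raw bytes, which is the default Azure AD Connect sourceAnchor) and checks the assertion for the claims Azure AD federation expects per the Microsoft SAML IdP document linked in the first post: a persistent-format NameID equal to the ImmutableID, an IDPEmail attribute equal to the UPN, and an Issuer equal to the configured IssuerUri. The objectGUID, UPN and assertion XML are constructed sample data, and the function names are invented for this example.

```powershell
# Added example (not from the original posts, nor Fortinet/Microsoft code).
# GUID, UPN and assertion are constructed sample data; function names are invented.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][string]$ObjectGuid)
    # ImmutableID is the Base64 of the objectGUID's 16 raw bytes (Guid.ToByteArray
    # order), which is what Azure AD Connect writes as sourceAnchor by default.
    # The GUID's hex display string is not accepted as the anchor.
    [System.Convert]::ToBase64String(([guid]$ObjectGuid).ToByteArray())
}

function Get-SamlAssertionSummary {
    param([Parameter(Mandatory)][string]$AssertionXml)
    $doc = [xml]$AssertionXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $issuer = $doc.SelectSingleNode('//saml:Issuer', $ns)
    $nameId = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
    $email  = $doc.SelectSingleNode("//saml:Attribute[@Name='IDPEmail']/saml:AttributeValue", $ns)
    $fmt    = if ($nameId) { $nameId.GetAttribute('Format') } else { $null }
    [pscustomobject]@{
        Issuer       = if ($issuer) { $issuer.InnerText } else { $null }
        NameId       = if ($nameId) { $nameId.InnerText } else { $null }
        NameIdFormat = $fmt
        IDPEmail     = if ($email)  { $email.InnerText }  else { $null }
    }
}

function Test-AzureAdFederationAssertion {
    param(
        [Parameter(Mandatory)][string]$AssertionXml,
        [Parameter(Mandatory)][string]$ObjectGuid,      # on-prem objectGUID of the user
        [Parameter(Mandatory)][string]$Upn,             # Azure AD UserPrincipalName
        [Parameter(Mandatory)][string]$ExpectedIssuer   # the -IssuerUri set on the federated domain
    )
    $s          = Get-SamlAssertionSummary -AssertionXml $AssertionXml
    $expectedId = ConvertTo-ImmutableId -ObjectGuid $ObjectGuid
    $problems   = @()
    # Azure AD looks up the federated domain by the assertion's Issuer; a value that
    # matches no domain's IssuerUri is what yields AADSTS50107.
    if ($s.Issuer -ne $ExpectedIssuer) {
        $problems += "Issuer '$($s.Issuer)' does not match IssuerUri '$ExpectedIssuer'"
    }
    if ($s.NameId -ne $expectedId) {
        $problems += "NameID '$($s.NameId)' is not the ImmutableID '$expectedId'"
    }
    if ($s.NameIdFormat -ne 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent') {
        $problems += "NameID Format should be persistent, got '$($s.NameIdFormat)'"
    }
    if ($s.IDPEmail -ne $Upn) {
        $problems += "IDPEmail '$($s.IDPEmail)' does not match UPN '$Upn'"
    }
    [pscustomobject]@{ Passed = ($problems.Count -eq 0); Problems = $problems }
}

# --- Constructed sample data ---------------------------------------------------
$sampleGuid = '9a5d1a1b-2c3d-4e5f-8a9b-0c1d2e3f4a5b'   # made-up objectGUID
$sampleUpn  = 'jdoe@EXAMPLE.com'                        # made-up UPN
$issuerUri  = 'urn:oasis:names:tc:SAML:2.0'             # same value as -IssuerUri in the post above
$template = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2019-07-10T17:00:00Z">
  <saml:Issuer>@@ISSUER@@</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">@@NAMEID@@</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="IDPEmail"><saml:AttributeValue>@@EMAIL@@</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

# Wrong: NameID carries the UPN (a common first attempt). Right: NameID carries the ImmutableID.
$wrong = $template -replace '@@ISSUER@@', $issuerUri -replace '@@NAMEID@@', $sampleUpn -replace '@@EMAIL@@', $sampleUpn
$right = $template -replace '@@ISSUER@@', $issuerUri -replace '@@NAMEID@@', (ConvertTo-ImmutableId $sampleGuid) -replace '@@EMAIL@@', $sampleUpn

Test-AzureAdFederationAssertion -AssertionXml $wrong -ObjectGuid $sampleGuid -Upn $sampleUpn -ExpectedIssuer $issuerUri
Test-AzureAdFederationAssertion -AssertionXml $right -ObjectGuid $sampleGuid -Upn $sampleUpn -ExpectedIssuer $issuerUri
```

Run it against a real assertion by pasting the decoded SAMLResponse's Assertion element into the -AssertionXml parameter and the user's objectGUID from Get-ADUser. Against the live tenant, Get-MsolDomainFederationSettings -DomainName EXAMPLE.com shows the IssuerUri, logon URLs and signing certificate that Set-MsolDomainAuthentication actually stored, so the Issuer comparison can be made against what Azure AD holds rather than against the script variable.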