Configure Fortigate SSL VPN to use Azure AD as SAML IDP (MFA / Conditional Access)

Description of the video "Configure Fortigate SSL VPN to use Azure AD as SAML IDP (MFA / Conditional Access)"

Welcome to this tutorial video on using Azure AD and SAML to authenticate Fortigate SSL VPN users.

Traditionally, VPN users were authenticated with LDAP or RADIUS. RADIUS was required if you needed to provide different levels of access to different groups of users; this was handled by having the RADIUS server return a vendor-specific attribute that matched the name of a group defined on the Fortigate.

But what if you want to authenticate against Azure AD and make use of multi-factor authentication? This video shows how to provide role-based access to users with full use of Azure AD MFA as well as Conditional Access policies.

There are other solutions that make use of RADIUS and an add-on for Network Policy Server, but these solutions have limitations regarding authentication methods and returning vendor-specific attributes for role-based access.

I am using FortiOS 7.0 on my lab appliance and a newly created trial Microsoft 365 tenant. However, documentation states that this should work with all versions of FortiOS 6.2 and higher.

Fortinet Docs:
https://docs.fortinet.com/document/fo...

**Note:** It seems the documentation from Fortinet has been taken down. Please find this link to an alternate PDF copy of the doc (see pg 140):
https://fortinetweb.s3.amazonaws.com/...


Microsoft Docs:
https://docs.microsoft.com/en-us/azur...

No group info in SAML response:
Azure Active Directory limits the number of groups it will emit in a token to 150 for SAML assertions and 200 for JWT. If a user is a member of a larger number of groups, the groups are omitted and a link to the Graph endpoint to obtain group information is included instead. So you need to use the option "Groups assigned to the application" under User attributes and claims | Add a group claim.
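The quickest way to confirm which case you are in is to look at the assertion Azure AD actually sent. The script below is an added example, not code from the video or from Fortinet or Microsoft; it parses a SAML assertion, lists the values of the standard Azure AD groups claim (the values the Fortigate compares against its configured SAML group names) and flags the groups overage link claim that Azure AD substitutes when the limit is exceeded. The two sample assertions are constructed, and the group IDs in them are placeholders.

```python
# Added example: inspect a SAML assertion for the Azure AD groups claim
# or the overage link that replaces it. Not from the video or vendor docs.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default claim name Azure AD uses for group IDs in SAML assertions.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Claim Azure AD emits instead of the groups when the user exceeds the limit.
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def saml_group_status(assertion_xml: str) -> dict:
    """Return the group values in the assertion and whether they were omitted."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    # Works whether we are given a bare Assertion or a full Response.
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    groups = attrs.get(GROUPS_CLAIM, [])
    overage = OVERAGE_CLAIM in attrs
    if overage:
        advice = "groups omitted (overage); use 'Groups assigned to the application'"
    elif not groups:
        advice = "no group claim; check 'Add a group claim' under User attributes and claims"
    else:
        advice = "ok"
    return {"groups": groups, "overage": overage, "advice": advice}


# Constructed sample assertions (placeholder IDs, not from a real tenant).
ASSERTION_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ASSERTION_OVERAGE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.example.invalid/placeholder</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for name, xml in (("ok", ASSERTION_OK), ("overage", ASSERTION_OVERAGE)):
        print(name, saml_group_status(xml))
```

Paste the decoded SAMLResponse from the browser or the Fortigate SAML debug output in place of the samples; a non-empty group list must contain the exact value set as the group name on the Fortigate, or the user will only match the catch-all portal.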
