FortiClient / FortiGate - SSO Configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk.
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for FortiClient / FortiGate using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization
To set up Multi-Pass with FortiClient / FortiGate, ensure you meet the following requirements:
- FortiClient / FortiGate admin rights
*Fortigate v7.x.x +
*FortiClient v7.x.x +
*FortiClient EMS v7.x.x + (Optional)
- Configured user group ID from any IDP
- MPAS Admin rights
- Make sure that all users intended to use SSO inFortiClient / FortiGate are registered in your IdP and have the necessary permissions to access FortiClient / FortiGate.
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.
FortiClient / FortiGate - SSO Configuration
Step 1 - Prepare FortiClient / FortiGate
In order to make this configuration easier, we advice you to open two windows, one on your Multi-Pass Dashboard and the other on FortiClient / FortiGate admin console. it will allow you to copy and paste the different fields.
Prepare Multi-Pass
- Go to your tenant, click on Integration then on Applications
- Look for SAML in Custom Integration section
- We will complete the form later in the documentation but if you scroll down you can see two option that we will need in the next steps:
- Tenant certificate
- Tenant XML data
- To get the metadata from MPAS, please click on "Download" under Tenant XML Data
- You can get it also by following this link : https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/descriptor
- You will need to provide the x.509 to FortiGate, on "tenant certificate" click on the button on the left of "Download"
- Select PEM and click on download.
- Copy the
x509certificate string and save it as a.crtfile in X.509 format.
- Upload this certificate file to FortiGate.
Configure FortiGate for SAML
- In FortiGate, go to System,
- Select Certificates.
- Select Create/Import, choose Remote Certificate, then upload the certificate from MPAS.
- Navigate to User & Authentication
- Single Sign-On and click Create New.
- Complete the form wiht the values listed below :
SAML Service Provider Settings
| Field | Value |
|---|---|
| Type | Fortinet Product |
| Entity ID | https://ca.auth.kzero.com/tenant/<TENANT_NAME> |
| Assertion Consumer URL | https://ca.auth.kzero.com/tenant/<TENANT_NAME>/protocol/saml |
| Single Logout URL | https://ca.auth.kzero.com/tenant/<TENANT_NAME>/protocol/saml |
| Attribute (Username) | username |
| Attribute (Groups) | groups |
Configure User Group in FortiGate
- Go to User & Authentication
- Select User Groups and click Create New.
- Set type to Firewall.
- Click Add under Remote Groups.
- Select the SAML SSO provider you created earlier.
- Optionally specify a Group ID to restrict access.
VPN Configuration
- Navigate to VPN → SSL-VPN Settings.
- Under Authentication/Portal Mapping, click Create New.
- Select the user group that includes your SSO provider.
If FortiClient is managed by EMS
- Make sure your deployment profile has these enabled in the Tunnel configuration:
- Save username
- Enable SAML login
- Use external browser as user agent for SAML login
- Redundant sort method = server
If FortiClient is self-managed
- Ensure the Use external browser option is selected.
Step 2 - Configure Integration in Multi‑Pass
- Open Multi-Pass Dashboard
- On the left side, click on Integration, and select Applications
- Select Custom SAML integration
- Complete the form with the right values based on FortiGate information :
| Field | Value |
|---|---|
| Client ID | https://vpn.example.com/remote/saml/login |
| Valid Redirect URIs (Assertion Consumer Service URL) | https://vpn.example.com/remote/saml/login |
| Name | For example "forticlient" |
| Description | For example "SSO integration Multi-Pass" |
| NameID Format | username |
- Click on Add integration
Finalize Advanced Settings in Multi‑Pass
- Go to the Advanced Console and select the Client.
- Search for your FortiClient integration and verify:
General settings
| Field | Value |
|---|---|
| Client ID | https://vpn.example.com/remote/saml/login |
| Name | FortiClient |
| Description | SSO integration |
| Always display in UI | On |
Access settings
| Field | Value |
|---|---|
| Home URL | https://ca.auth.kzero.com/realms/Randintegration/protocol/saml/clients/forticlient |
| Valid Redirect URIs | https://vpn.example.com/remote/saml/login |
| Valid Post Logout Redirect URIs | https://vpn.example.com/remote/saml/login |
| IDP-Initiated SSO URL Name | forticlient |
SAML capabilities
| Field | Value |
|---|---|
| Name ID format | username |
| Force POST binding | On |
| Include AuthnStatement | On |
Signature and Encryption
| Field | Value |
|---|---|
| Sign Documents | On |
| Sign Assertions | Off |
- Change to the tab Keys and make sure both parameters are OFF
- Go the advanced tab :
- Assertion Consumer Service POST Binding URL = Valid Redirect URIs = https://vpn.example.com/remote/saml/login
Client Scopes – Mappers
- Select the tab Client Scope
- Select your client
- Create new mappers of type User Attribute:
- Username
| Field | Value |
|---|---|
| Mapper Name | username |
| Mapper Type | User Attribute |
| User Attribute | username |
| SAML Attribute Name | username |
- Groups
| Field | Value |
|---|---|
| Mapper Name | groups |
| Mapper Type | User Attribute |
| User Attribute | groups |
| SAML Attribute Name | groups |
Authentication Flow
- Ensure Browser Flow is properly selected under Authentication Flow Overrides.
Related Articles
Wrike - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Wrike using MPAS. SSO simplifies user authentication by allowing access to multiple ...Intercom - SSO configuration
Valid redirect URIs Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This ...Lusha - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a ...Huntress - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Huntress using MPAS. SSO simplifies user authentication by allowing access to multiple ...Rocket.chat - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Rocket.chat using MPAS. SSO simplifies user authentication by allowing access to multiple ...