Tutorial: Azure AD SSO integration with FortiWeb Web Application Firewall

In this tutorial, you will research how to combine FortiWeb Web Application Firewall with Azure Active Directory (Azure AD). When you combine FortiWeb Web Application Firewall with Azure AD, you can:

• Control in Azure AD who has to get entry to FortiWeb Web Application Firewall.
• Enable your customers to be robotically signed in to FortiWeb Web Application Firewall with their Azure AD accounts.
• Manage your bills in one central place – the Azure portal.

Prerequisites

To get started, you want the following items:

• An Azure AD subscription. You can sign up for a free account if you don’t already have one.
• Single sign-on (SSO) subscription for FortiWeb Web Application Firewall.

Scenario description

In this tutorial, you configure and take a look at Azure AD SSO in a check environment.

• FortiWeb Web Application Firewall helps SP-initiated SSO.

Adding FortiWeb Web Application Firewall from the gallery

To configure the integration of the FortiWeb Web Application Firewall into Azure AD, you want to add FortiWeb Web Application Firewall from the gallery to your listing of managed SaaS apps.

1. Sign in to the Azure portal the usage of both work or faculty accounts or a private Microsoft account.
2. On the left navigation pane, pick out the Azure Active Directory service.
3. Navigate to Enterprise Applications and then choose All Applications.
4. To add a new application, pick out a New application.
5. Type FortiWeb Web Application Firewall in the search box in the Add from the gallery section.
6. Select FortiWeb Web Application Firewall from the effects panel and then add the app. Wait a few seconds whilst the app is delivered to your tenant.

Configure and check Azure AD SSO for FortiWeb Web Application Firewall

Configure and take a look at Azure AD SSO with FortiWeb Web Application Firewall with the use of a check person known as Simon. For SSO to work, you want to set up a hyperlink relationship between an Azure AD consumer and the associated consumer in FortiWeb Web Application Firewall.

To configure and take a look at Azure AD SSO with FortiWeb Web Application Firewall, function the following steps:

• Configure Azure AD SSO – to allow your customers to use this feature.
  • Create an Azure AD check consumer – to check Azure AD single sign-on with Simon.
  • Assign the Azure AD to take a look at the consumer – to allow B. Simon will use Azure Active Directory single sign-on.
• Configure FortiWeb Web Application Firewall SSO – to configure the single sign-on settings on the utility side.
  • Create FortiWeb Web Application Firewall check consumer – to have a counterpart of Simon in FortiWeb Web Application Firewall that is linked to the Azure AD illustration of the user.
• Test SSO – to confirm whether or not the configuration works.

Configure Azure AD SSO

Follow these steps to allow Azure AD SSO in the Azure portal.

• In the Azure portal, on the FortiWeb Web Application Firewall software integration page, discover the Manage area and pick a single sign-on.
• On the Select a single sign-on approach page, pick out SAML.
• On the Set up single sign-on with SAML page, click on the edit/pen icon for Basic SAML Configuration to edit the settings.

• Fill in the values for the following fields in the Basic SAML Configuration section:
  • In the Identifier (Entity ID) textual content box, kind a URL the use the following pattern: https://www..com
  • In the Reply URL textual content box, kind a URL the usage of the following pattern: https://www..com//saml.sso/SAML2/POST
  • In the Sign on the URL textual content box, kind a URL the usage of the following pattern: https://www..com
  • In the Logout URL textual content box, kind a URL the usage of the following pattern: https://www..info//saml.sso/SLO/POST
• On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, locate Federation Metadata XML and pick Download to download the certificates and shop them on your computer.

Create an Azure AD that takes a look at the user

In this section, you will create take a look at the person in the Azure portal referred to as Simon.

• From the left pane in the Azure portal, pick Azure Active Directory, pick Users, and then choose All users.
• Select a New person at the pinnacle of the screen.
• In the User properties, observe these steps:
  • In the Name field, enter Simon.
  • In the User identify field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
  • Select the Show password to take a look at the box, and then write down the fee it is displayed in the Password box.
  • Click Create.

Assign the Azure AD check user

In this section, you will allow B. Simon to use Azure single sign-on via granting get right of entry to FortiWeb Web Application Firewall.

• In the Azure portal, pick Enterprise Applications, and then pick All applications.
• In the functions list, choose FortiWeb Web Application Firewall.
• On the app’s overview page, locate the Manage area and choose Users and groups.
• Select Add user, then pick Users and businesses in the Add Assignment dialog.
• In the Users and organizations dialog, choose B. Simon from the Users list, then click on the Select button at the backside of the screen.
• If you are anticipating a position to be assigned to the users, you can choose it from the Select a function dropdown. If no function has been set up for this app, you see the “Default Access” function selected.
• In the Add Assignment dialog, click on the Assign button.

Configure FortiWeb Web Application Firewall SSO

• Navigate to HTTPS://:8443 the place is the FQDN or the public IP tackle assigned to the FortiWeb VM.
• Sign in the usage of the administrator credentials supplied at some point of the FortiWeb VM deployment.
• Follow the instructions on the next page.

• In the left-hand menu, click on User.
• Under User, click on Remote Server.
• Click SAML Server.
• Click Create New.
• In the Name field, furnish the fee for use in the Configure Azure AD section.
• In the Entity ID textbox, paste the Azure AD Identifier price which you have copied from the Azure portal.
• Next to Metadata, click on Choose File and choose the Federation Metadata XML file which you have downloaded from the Azure portal.
• Click OK.

Create a Site Publishing Rule

• Navigate to HTTPS://<address>:8443 where <address> is the FQDN or the public IP tackle assigned to the FortiWeb VM.
• Sign in the usage of the administrator credentials supplied at some stage in the FortiWeb VM deployment.
• Follow the instructions on the next page.

• In the left-hand menu, click on Application Delivery.
• Under Application Delivery, click on Site Publish.
• Under Site Publish, click on Site Publish.
• Click Site Publish Rule.
• Click Create New.
• Provide an identity for the website publishing rule.
• Next to Published Site Type, click on Regular Expression.
• Next to Published Site, furnish a string that will healthy the host header of the internet site you are publishing.
• Next to Path, grant a /.
• Next to the Client Authentication Method, choose SAML Authentication.
• In the SAML Server drop-down, choose the SAML Server you created earlier.
• Click OK.

Create a Site Publishing Policy

• Navigate to HTTPS://<address>:8443 where <address> is the FQDN or the public IP tackle assigned to the FortiWeb VM.
• Sign-in the usage of the administrator credentials furnished all through the FortiWeb VM deployment.
• Follow the instructions on the next page.

• In the left-hand menu, click on Application Delivery.
• Under Application Delivery, click on Site Publish.
• Under Site Publish, click on Site Publish.
• Click Site Publish Policy.
• Click Create New.
• Provide a title for the Site Publishing Policy.
• Click OK.
• Click Create New.
• In the Rule drop-down, choose the website publishing rule you created earlier.
• Click OK.

Create and assign a Web Protection Profile

• Navigate to HTTPS://<address>:8443 where <address> is the FQDN or the public IP tackle assigned to the FortiWeb VM.
• Sign-in the use of the administrator credentials supplied all through the FortiWeb VM deployment.
• In the left-hand menu, click on Policy.
• Under Policy, click on Web Protection Profile.
• Click Inline Standard Protection and click on Clone.
• Provide a title for the new internet safety profile and click on OK.
• Select the new internet safety profile and click on Edit.
• Next to Site Publish, pick the web page publishing coverage you created earlier.
• Click OK.

• In the left-hand menu, click on Policy.
• Under Policy, click on Server Policy.
• Select the server coverage used to submit the internet site for which you want to use Azure Active Directory for authentication.
• Click Edit.
• In the Web Protection Profile drop-down, choose the net safety profile that you simply created.
• Click OK.
• Attempt to get the right of entry to the exterior URL to which FortiWeb publishes the website. You need to be redirected to Azure Active Directory for authentication.

Create FortiWeb Web Application Firewall test, user

In this section, you create a consumer referred to as Britta Simon in FortiWeb Web Application Firewall. Work with the FortiWeb Web Application Firewall guide group to add the customers to the FortiWeb Web Application Firewall platform. Users have to be created and activated earlier than you use a single sign-on.

Test SSO

In this section, you take a look at your Azure AD single sign-on configuration with the following options.

• Click on Test this utility in the Azure portal. This will redirect to FortiWeb Web Application Sign-on URL the place you can provoke the login flow.
• Go to FortiWeb Web Application Sign-on URL without delay and provoke the login float from there.
• You can use Microsoft My Apps. When you click on the FortiWeb Web Application tile in the My Apps, this will redirect to FortiWeb Web Application Sign-on URL. For extra data about the My Apps, see Introduction to the My Apps.

Next steps

Once you configure FortiWeb Web Application Firewall you can put into effect session control, which protects the exfiltration and infiltration of your organization’s touchy facts in real-time. Session manipulation extends from Conditional Access. Learn how to implement session manipulation with Microsoft Defender for Cloud Apps.