FortiClient Single Sign-On (FSSO)


FortiClient Single Sign-On (SSO) by miniOrange gives you secure single sign-on to on-premises and cloud applications with one set of credentials—including FortiClient VPN and related Fortinet services. With miniOrange as the SAML Identity Provider (IdP), users sign in through miniOrange (or through your linked directory) instead of managing separate Fortinet-only passwords. If your users already live in a third-party identity provider (Microsoft Entra ID, Okta, Auth0, and others), you can keep using those credentials for FortiClient and Fortinet access.

Scope: Steps 1–2 configure miniOrange as SAML IdP toward FortiAuthenticator (or equivalent SP metadata). For IPsec VPN with IKE-SAML (SAML during IKEv2 EAP), you also configure SAML on FortiGate, bind the IKE-SAML listener to your WAN, create user groups and an IKEv2 tunnel, and point FortiClient at that VPN—see Steps 3–7 below. If you only need Security Fabric or SSL VPN SAML without IPsec IKE-SAML, follow your FortiOS version guide and use the steps that apply to your deployment.


miniOrange and FortiClient Single Sign-On (SSO) integration supports the following features:

  • SP Initiated Single Sign-On (SSO)
  • IdP Initiated Single Sign-On (SSO)

Connect with External Source of Users


miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, OpenLDAP, AWS, etc.), Identity Providers (like Microsoft Entra ID, Okta, AWS), and many more. You can configure your existing directory/user store or add users in miniOrange.



Prerequisites:

  • To get the SP metadata details, log in to FortiAuthenticator as an admin.
  • Navigate to Authentication >> SAML IdP >> Service Providers.
  • Copy the SP Entity ID and ACS URL; you will need them in Step 1 when configuring SSO in the miniOrange dashboard.

Follow the Step-by-Step Guide given below for FortiClient Single Sign-On (FSSO)

1. Configure FortiClient in miniOrange

  • Log in to the miniOrange Admin Console.
  • Go to Apps and click on the Add Application button.
  • In Choose Application Type, select SAML/WS-FED from the All Apps dropdown.
  • Search for FortiClient in the list. If you don't find FortiClient in the list, search for Custom and set up your application as a Custom SAML App.

  • Enter the following values in the respective fields:
    SP Entity ID: the SP Entity ID or Issuer from the Prerequisites.
    Assertion Consumer Service (ACS) URL: the ACS URL from the Prerequisites.

  • Click Next to go to the Advanced settings. Then select Sign Response and Sign Assertion.

  • Click Next to go to the Login options tab. Here, you can configure the following settings:
    Primary Identity Provider: select the identity source where you want the authentication to happen. You will see the list of all configured sources.
    Force Authentication: enable this to enforce authentication on each request to access the application.
    Show On End User Dashboard: disable this if you do not want the app to be visible to all users on the end user dashboard.

  • Click Next to go to the Attribute Mapping page. Here you can add and configure the attributes to be sent to the app.
    NameID: NameID is the unique identifier for the authenticated user included in the SAML assertion. It allows the Service Provider to recognize and map the user to an account. Generally, NameID is a username or email address.
    NameID format: defines what type of identifier is used in the NameID (e.g., email, persistent, transient) so the SP can correctly map the user. If the SP does not request a specific format, the IdP can leave it unspecified and use a default.
    Add Name Format: Name Format defines how attribute names are represented in a SAML assertion (e.g., as simple strings or URIs). It helps the SP correctly interpret attribute naming and ensures consistency between IdP and SP.
    Enable Multi-Valued Attributes:

    Enabled: commas (,) and semicolons (;) are treated as separators, so the attribute is split into a clean list. Example: roles = ['admin', 'editor', 'viewer'].

    Disabled: commas and semicolons are not treated as separators, so the attribute stays as one combined string. Example: roles = "admin;editor;viewer".

    Attribute Mapping: you can add attributes to be sent in the SAML assertion to the SP. The attributes include the user’s profile attributes such as first name, last name, full name, username, email, custom profile attributes, user groups, etc.

  • Click Next to go to the Login policy. You need to Save the Application first to configure the policy for the application.
  • After the application is saved you can configure the policy for that application.
  • Click on the Assign group button. A new Configure Group Assignment modal will open.
    • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
    • If you need to create a new group, click on the Add New Group button.
    • Enter the Group name and click on Create Group.
    • Click on Next.
    • Assign Policies: Add the required policies to the selected groups. Enter the following details:
    • First Factor: Select the login method from the dropdown.
      • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
      • If you select Password-less as the login method, you can enable 2-Factor Authentication (MFA) if needed.
  • Click on Save. Policies will be created for all the selected groups.
  • You will see the policy listed once it’s successfully added.

  To get the miniOrange metadata details needed to configure FortiClient:

  • Go to Apps >> Applications.
  • Search for your app and click on the icon ' ' in the Actions menu against your app.
  • Click on Metadata to get the metadata details, which will be required later. Click on Show SSO Link to see the IdP-initiated SSO link for FortiClient.
  • On the View IDP Metadata page:

    1. If you want to use miniOrange as the user store, i.e. your user identities will be stored in miniOrange, download the metadata file under the heading 'INFORMATION REQUIRED TO SET MINIORANGE AS IDP'.

    2. If you want to authenticate your users via an external Identity Provider like Active Directory, Okta, OneLogin, Google, Apple ID, etc., download the metadata file under the heading 'INFORMATION REQUIRED TO AUTHENTICATE VIA EXTERNAL IDPS'.

  • Then click on Download Metadata.

2. Configure SSO in FortiAuthenticator and on FortiGate

  • Log in to FortiAuthenticator as an admin.
  • Navigate to User & Authentication >> Single Sign-On >> Create New to set up a SAML Single Sign-On connection.
  • Click Next. On the next page, enter your IdP URLs either under Custom (if using a non-Fortinet IdP) or Fortinet (if using FortiAuthenticator).
  • Navigate to Authentication >> SAML IdP >> Service Providers.
  • Copy the IdP metadata from Step 1 in miniOrange and paste it into the Fortinet IdP metadata section.
  • Fill in the fields according to the following table:
    IDP Entity ID: Entity ID or Issuer from the miniOrange metadata
    IDP Single Sign-On URL: SAML Login URL from the miniOrange metadata
    IDP Single Logout URL: SAML Logout URL from the miniOrange metadata
  • Click on Apply to save changes.
  • Navigate to User & Authentication >> User Groups >> Create New. For the first group, create a blanket user group with no group name associated, for example FAC-VPN. That blanket group is referenced later in the IPsec configuration and alongside individual groups in firewall policies. One approach is not to restrict VPN access to a single group (that remains optional); instead, allow any user in any group to connect to the VPN, then use groups in firewall policies to restrict access to resources. During testing, omitting this blanket user group produced FNBAM_DENIED and Wrong EAP Credentials errors.
  • Select Firewall as the Type. Also create User Groups (e.g., Accounting, Sales Engineers, System Administration) to map them in Firewall Policies.


3. Configure FortiGate SAML SSO for IKE-SAML (IPsec VPN)

  • The FortiGate accepts SAML traffic from FortiClient on the TCP port set by auth-ike-saml-port (valid range 1–65535; the default is often 1001). Use the same value you set in User & Authentication > Single Sign-On, for example 10428. If your FortiOS version requires it, set this in the CLI to match that port:

    config system global
        set auth-ike-saml-port 10428
    end

  • Configure the “ike-saml-server” attribute on the WAN interface used for Remote Access IPsec VPN. This setting must be applied on the interface that first receives FortiClient traffic.

    config system interface
        edit "wan1"
            set ike-saml-server enable
        next
    end

  • FortiClient validates the certificate the FortiGate presents during SAML. Configure that certificate under User & Authentication > Authentication Settings (or equivalent) in the User authentication >> certificate section for your FortiOS version.
  • Specify the certificate the FortiGate will present to FortiClient.

Note: To avoid invalid certificate warnings in FortiClient, the certificate’s subject or SAN should match the IPsec remote gateway hostname or FQDN users enter. If the server cert chains to a private CA, import that CA into the endpoint’s trusted root store (or deploy it via your device-management policy).


4. Configure IPsec IKEv2 for FortiClient

  • Create the IPsec VPN on the FortiGate. Go to VPN > IPsec Wizard and choose Template Type: Custom.
  • IPsec Wizard, part 1: select the IP version (IPv4 or IPv6).
  • Set Remote Gateway to Dialup User.
  • Choose the WAN interface.
  • Enable Mode Config → Assign IP (range/object).
  • (Optional) Enable Split Tunneling → Add networks.
  • Set Authentication (Pre-shared key / Certificate).
  • Select IKE Version: 2.
  • Set Accept Types: Any Peer ID.
  • Keep Phase 2 selectors at the default (all zeroes) unless you need explicit selectors.
  • IKEv2 uses EAP for user authentication. After the wizard creates the tunnel, enable EAP and attach the blanket group (for example FAC-VPN) on the phase 1 interface. Example (adjust the tunnel name to match yours):

    config vpn ipsec phase1-interface
        edit "IPsec-SAML"
            set eap enable
            set eap-identity send-request
            set authusrgrp "FAC-VPN"
        next
    end

  • Reference the same blanket group you created in Step 2; use firewall policies (Step 5) to limit which users or groups can reach internal resources. See the FortiGate documentation for your release for additional remote-access options.

5. Create Firewall Policies for IPsec VPN

  • Go to Policy & Objects >> Firewall Policy >> Create New. Set the incoming interface to your IPsec VPN interface. Under Source, select the user groups that should reach each destination (for example, groups mapped from SAML, or the blanket group for a simple lab).
  • Create separate rules per team or sensitivity level so users only reach the subnets and applications they need.
  • Example: a permissive lab rule that allows traffic from the blanket FAC-VPN group to a test subnet.
  • Alternatively, use a simple allow rule without per-user group conditions if you do not need group-based segmentation.

6. FortiClient Configuration

  • Install FortiClient from Fortinet support, then open Configure VPN.
  • You’ll specify the following settings:
    • VPN: IPsec VPN
    • Remote Gateway: public IP on your WAN interface
    • Authentication method: pre-shared key or certificate (match the FortiGate tunnel)
    • Enable Single Sign-On for the VPN tunnel
    • Specify the port selected earlier (10428 in this guide)
    • Expand Advanced Settings > VPN Settings
    • IKE: Version 2
    • Options: Mode Config
  • Add the VPN, click Connect, log in via the IdP, and confirm the connection on the FortiGate.


7. Test SSO Configuration

Test SSO login to your FortiClient account with the miniOrange IdP:

  Using SP Initiated Login

  • Go to your FortiClient URL. Here you will either be asked to enter the username or to click on the SSO link, which will redirect you to the miniOrange IdP Sign On page.
  • Enter your miniOrange login credentials and click on Login. You will be automatically logged in to your FortiClient account.

  Using IDP Initiated Login

  • Log in to the miniOrange IdP using your credentials.
  • On the Dashboard, click on the FortiClient application which you have added to verify the SSO configuration.

Not able to configure or test SSO?

Contact us or email us at idpsupport@xecurify.com and we'll help you set it up in no time.



Troubleshooting (FortiGate / FortiClient)

  • On the FortiGate CLI, enable debug for IKE and SAML-related daemons while you reproduce the issue, then turn debugging off when you are done:

    diag debug reset
    diag debug application ike -1
    diag debug application samld -1
    diag debug application fnbamd -1
    diag debug application eap_proxy -1
    diag debug console timestamp enable
    diag debug enable
  • Verify time sync (NTP) on FortiGate and the IdP; SAML is sensitive to clock skew.
  • Confirm the IdP’s SAML assertion NameID and group attributes match the FortiGate mappings and firewall groups.
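As an added example (not part of this guide and not Fortinet or miniOrange code), the following Python script parses a constructed SAML assertion and reports the mismatches behind the last two checks above: the validity window with a clock-skew allowance, NameID presence, the Audience against the SP Entity ID from Step 1, and whether the blanket group appears in the group attribute, honouring the Enable Multi-Valued Attributes toggle from Step 1. The entity IDs, the attribute name 'groups', and the two-minute skew allowance are assumptions; signature checking is out of scope.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with placeholder entity IDs (not a real capture); signature checking is out of scope.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://fac.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>FAC-VPN;Sales Engineers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):  # SAML timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text, multi_valued=True):
    """Pull out the fields the SP mapping depends on. multi_valued mirrors the
    'Enable Multi-Valued Attributes' toggle: commas and semicolons split a value into a list."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        raw = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [p.strip() for t in raw for p in re.split(r"[,;]", t) if p.strip()] if multi_valued else raw
    return {
        "name_id": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip(),
        "not_before": parse_time(cond.get("NotBefore")),
        "not_on_or_after": parse_time(cond.get("NotOnOrAfter")),
        "attributes": attrs,
    }

def check_assertion(parsed, sp_entity_id, required_group, now, skew=timedelta(minutes=2)):
    """Return human-readable problems; an empty list means the assertion would map cleanly."""
    problems = []
    if parsed["audience"] != sp_entity_id:
        problems.append("Audience %r does not match SP Entity ID %r" % (parsed["audience"], sp_entity_id))
    if not parsed["name_id"]:
        problems.append("NameID missing, so the SP cannot map the user to an account")
    if now < parsed["not_before"] - skew or now >= parsed["not_on_or_after"] + skew:
        problems.append("outside validity window: check NTP/clock skew on FortiGate and IdP")
    if required_group not in parsed["attributes"].get("groups", []):
        problems.append("group %r not found in 'groups' attribute" % required_group)
    return problems
```

Run it against an assertion captured from your own IdP (for example from a browser SAML tracer) with your real SP Entity ID and blanket group name to see which mapping check fails before digging through the daemon debug output.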

Frequently Asked Questions


What is Fortinet's Single Sign-On (FSSO) for FortiClient?

Fortinet Single Sign-On (FSSO) is an authentication protocol that enables Fortinet security products like FortiGate to transparently identify and authenticate users by monitoring login events within Active Directory or other supported identity stores. When SAML is configured on FortiGate or FortiAuthenticator as a Service Provider, FortiClient can use the same SSO flow for VPN and related access per your FortiOS and SSL VPN settings.

