Note: The Microsoft Entra ID environment frequently changes, so the description corresponds to the time of writing. For FortiGate, it is based on FortiOS 7.2.8.
SAML Certificate Renewal Process
Within the Entra ID application, we can have multiple SAML certificates, but only one can be active.
In our case of SSL VPN, we can prepare a new certificate and upload it to FortiGate. Replacing the certificate will not affect established VPNs (unlike uploading a new HTTPS server certificate for FortiGate). When we activate the certificate in Entra ID, VPN login will stop working until we set it up on FortiGate for the corresponding SAML SSO Server. This can be done very quickly, so the impact on operations is minimal.
Note: Microsoft states that if our application does not check the certificate expiration, everything will work even with an expired certificate.
Certificate Replacement Steps
- Entra ID - create a new certificate
- FortiGate - upload the certificate
- Entra ID - activate the certificate
- FortiGate - replace the certificate for the SAML SSO Server
Creating a New Certificate in Entra ID
Before the certificate expires, we issue a new one.
- Microsoft Entra admin center
- Identity - Applications - Enterprise applications - All applications - find our application
- switch to Single sign-on
- in the SAML Certificates (Token signing certificate) section, click Edit
- in the SAML Signing Certificate window, click New Certificate and Save
- the certificate is created (default validity is 3 years) and its status is Inactive
- click the three dots next to the certificate and download it (Base64 Certificate download)
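An added pre-flight check for the Base64 certificate downloaded in the last step (example code, not from the original article): it reports the days left until expiry and the SHA-1 thumbprint, so the file can be matched against the certificate Entra ID lists before it is uploaded to FortiGate, and it enforces the expiry check that, as noted above, a SAML application may itself skip. It assumes openssl on the admin workstation; the file path, threshold and the test certificate's CN are constructed.

```bash
#!/bin/sh
# Pre-flight checks for the Base64 (PEM) token-signing certificate downloaded
# from Entra ID before it is imported on FortiGate as a Remote Certificate.
# Added example, not from the original article; requires the openssl CLI.

# Days until the certificate's notAfter (negative when already expired).
saml_cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    # GNU date and BSD date parse the string differently; try both.
    end_epoch=$(date -u -d "$not_after" +%s 2>/dev/null \
        || date -u -j -f "%b %d %T %Y %Z" "$not_after" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# SHA-1 thumbprint, uppercase hex without colons, as Entra ID displays it
# next to the certificate in the SAML Certificates section.
saml_cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# Return 0 when $1 is a single PEM certificate with at least $2 days
# (default 30) of validity left, 1 otherwise. Microsoft notes that SAML may
# keep working on an expired certificate if the application never checks the
# dates, so this is where the expiry is actually enforced.
saml_cert_check() {
    cert=$1; min_days=${2:-30}
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "not a PEM certificate: $cert (use the Base64 download)" >&2
        return 1
    fi
    days=$(saml_cert_days_left "$cert")
    if [ "$days" -lt "$min_days" ]; then
        echo "certificate expires in $days days (< $min_days): renew now" >&2
        return 1
    fi
    echo "OK: $days days left, thumbprint $(saml_cert_thumbprint "$cert")"
    return 0
}
```

Run it as `saml_cert_check ./entra_sso_vpn.cer 60` before the upload step; a non-zero exit means the file is not usable as a token-signing certificate for the chosen horizon.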
Uploading the Certificate to FortiGate
- (Global/VDOM) - System - Certificates - Import - Remote Certificate
Upload the new certificate to FortiGate. It gets an automatic name (G_REMOTE_Cert_1), which can optionally be changed in the CLI.
FW (global) # config certificate remote
FW (remote) # rename G_REMOTE_Cert_1 to Entra_SSO_VPN_2024
Activating the Certificate in Entra ID
When we are ready to change the certificate (until the replacement is complete, VPN login will not work), we activate the certificate in Entra ID.
- Microsoft Entra admin center
- Identity - Applications - Enterprise applications - All applications - find our application
- switch to Single sign-on
- in the SAML Certificates (Token signing certificate) section, click Edit
- click the three dots next to the certificate and select Make certificate active, confirm activation Yes
- the old certificate is deactivated and the new one is activated
Replacing the Certificate on FortiGate
Replace the certificate in the SAML SSO Server (config user saml).
- (Global/VDOM) - User & Authentication - Single Sign-On
- edit our SSO settings
- replace the Certificate with the new one and save