11.09.2024

Exchange of SAML certificate for Entra ID Enterprise Application
(original Czech title: Výměna SAML certifikátu pro Entra ID Enterprise Application)

Author: Petr Bouška - Samuraj
Consider an application, here the SSL VPN on a Fortinet FortiGate, whose users authenticate against Microsoft Entra ID using SAML 2.0. When we set up SAML Single sign-on in the Enterprise Application, a self-signed certificate with a validity of 3 years was generated. Entra ID uses it to sign the tokens it sends to the application, so both sides must agree on it. We will describe the procedure for renewing (replacing) this certificate before it expires.

Note: The Microsoft Entra ID environment frequently changes, so the description corresponds to the time of writing. For FortiGate, it is based on FortiOS 7.2.8.

SAML Certificate Renewal Process

Within the Entra ID application, we can have multiple SAML certificates, but only one can be active.

In our case of SSL VPN, we can prepare the new certificate and upload it to FortiGate in advance. Replacing the certificate does not affect established VPN sessions (unlike uploading a new HTTPS server certificate for FortiGate). Once we activate the new certificate in Entra ID, VPN login stops working until we select it on FortiGate for the corresponding SAML SSO Server. This can be done very quickly, so the impact on operations is minimal.

Note: Microsoft states that if our application does not check the certificate expiration, everything will work even with an expired certificate.

Certificate Replacement Steps

  • Entra ID - create a new certificate
  • FortiGate - upload the certificate
  • Entra ID - activate the certificate
  • FortiGate - replace the certificate for the SAML SSO Server

Creating a New Certificate in Entra ID

Before the certificate expires, we issue a new one.

  • Microsoft Entra admin center
  • Identity - Applications - Enterprise applications - All applications - find our application
  • switch to Single sign-on
  • in the SAML Certificates (Token signing certificate) section, click Edit
  (screenshot: Microsoft Entra - Enterprise applications - Single sign-on)
  • in the SAML Signing Certificate window, click New Certificate and Save
  • the certificate is created (default validity is 3 years) and its status is Inactive
  • click the three dots next to the new certificate and download it (Base64 Certificate download)
  (screenshot: Microsoft Entra - Enterprise applications - SAML Signing Certificate)

Uploading the Certificate to FortiGate

  • (Global/VDOM) - System - Certificates - Import - Remote Certificate

Upload the new certificate to FortiGate. It gets an automatic name (G_REMOTE_Cert_1), which can optionally be changed in the CLI, for example:

FW (global) # config certificate remote 
FW (remote) # rename G_REMOTE_Cert_1 to Entra_SSO_VPN_2024

Activating the Certificate in Entra ID

When we are ready to change the certificate (VPN login will not work from this step until the replacement on FortiGate is complete), we activate the new certificate in Entra ID.

  • Microsoft Entra admin center
  • Identity - Applications - Enterprise applications - All applications - find our application
  • switch to Single sign-on
  • in the SAML Certificates (Token signing certificate) section, click Edit
  • click the three dots next to the certificate and select Make certificate active, confirm activation Yes
  • the old certificate is deactivated and the new one is activated
  (screenshot: Microsoft Entra - Enterprise applications - SAML Signing Certificate 2)

Replacing the Certificate on FortiGate

Replace the certificate in the SAML SSO Server (config user saml).

  • (Global/VDOM) - User & Authentication - Single Sign-On
  • edit our SSO settings
  • replace the Certificate with the new one and save
  (screenshot: FortiGate - User & Authentication - Single Sign-On)
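A check that fits between the activation step and the FortiGate switch: Entra ID publishes the active token-signing certificate in the application's federation metadata, so comparing the thumbprints published there with the thumbprint of the new certificate tells the operator exactly when to switch the SAML SSO Server. This is an added example, not code from the article or from Microsoft or Fortinet; it assumes the metadata is fetched from the tenant's federationmetadata.xml endpoint for the app and embeds a constructed sample instead of real certificate bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for the DER bytes of the old and new Entra ID signing
# certificates (not real certificates; real ones come from the Base64 download).
OLD_CERT_DER = b"constructed-old-entra-signing-cert-2021"
NEW_CERT_DER = b"constructed-new-entra-signing-cert-2024"

def thumbprint(der):
    """SHA-1 thumbprint in the form shown in the SAML Signing Certificate window."""
    return hashlib.sha1(der).hexdigest().upper()

def sample_metadata(active_der):
    """Constructed IdP metadata in the shape Entra ID publishes (one signing key).
    In practice fetch it from the tenant's federationmetadata.xml for the app."""
    b64 = base64.b64encode(active_der).decode()
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        'entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">'
        '<IDPSSODescriptor><KeyDescriptor use="signing">'
        '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>'
        f"<X509Certificate>{b64}</X509Certificate>"
        "</X509Data></KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>"
    )

def published_signing_thumbprints(metadata_xml):
    """Thumbprints of every certificate the IdP metadata lists for token signing."""
    root = ET.fromstring(metadata_xml)
    thumbs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):   # skip encryption-only keys
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbs.append(thumbprint(der))
    return thumbs

def rollover_state(metadata_xml, new_thumb, old_thumb):
    """Tell the operator whether FortiGate may be switched to the new certificate."""
    published = published_signing_thumbprints(metadata_xml)
    if new_thumb in published:
        return "cutover"   # Entra ID signs with the new cert: switch the SAML SSO Server now
    if old_thumb in published:
        return "pending"   # old cert still active: leave FortiGate on the old cert
    return "unknown"       # neither known cert published: investigate before changing anything
```

Run rollover_state() with the downloaded metadata and the thumbprints Entra ID shows for the old and new certificate; "cutover" is the moment to edit the SAML SSO Server on FortiGate.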