Update fortigate-ssl-vpn-tutorial.md

Author: markreno

articles/active-directory/saas-apps/fortigate-ssl-vpn-tutorial.md

@@ -145,10 +145,69 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
 ## Configure FortiGate SSL VPN SSO
 
-To configure single sign-on on **FortiGate SSL VPN** side, please follow [this](https://aka.ms/AA9avum) document.
+### Upload the Base64 SAML Certificate to the FortiGate Appliance
 
-> [!NOTE]
-> For more information to Configure FortiGate SSL VPN, refer [this](https://docs.fortinet.com/document/fortigate/6.4.0/new-features/558169/saml-sp-for-vpn-authentication) link.
+After completing the SAML configuration of the FortiGate App in your tenant, you downloaded the Base64 encoded SAML certificate. This must be uploaded to the FortiGate Appliance. To do so,
+
+1. Sign-in to the management portal of your FortiGate Appliance
+1. In the left-hand menu, click **System**
+1. Under **System**, click **Certificates**
+1. Click **Import** -> **Remote Certificate**
+1. Browse to the certificate downloaded from the FortiGate App deployment in the Azure tenant, select it and click **OK**
+
+After the certificate has uploaded, take note of its name under **System** -> **Certificates** -> **Remote Certificate**. By default, it will be named REMOTE_Cert_**N** where **N** is an integer value
+
+### Perform FortiGate Command Line Configuration
+
+The following steps requires the Azure Logout URL to be configured. This URL contains a question mark character (?). Special steps are required to submit this character successfully and they cannot be performed from the FortiGate CLI Console. Instead you will need to establish an SSH session to the FortiGate applicance using a tool like PuTTY. If your FortiGate appliance is an Azure Virtual Machine, you can perform the following steps from the Azure Virtual Machine Serial Console
+
+To perform these steps you will need the values recorded earlier
+
+- Entity ID
+- Reply URL
+- Logout URL
+- Azure Login URL
+- Azure AD Identifier
+- Azure Logout URL
+- Base64 SAML Certificate Name (REMOTE_Cert_N)
+
+1. Establish an SSH session to your FortiGate Applicance and sign-in with a FortiGate Administrator account
+1. Perform the following commands -
+
+   ```
+    config user saml
+    edit azure
+    set entity-id <Entity ID>
+    set single-sign-on-url <Reply URL>
+    set single-logout-url <Logout URL>
+    set idp-single-sign-on-url <Azure Login URL>
+    set idp-entity-id <Azure AD Identifier>
+    set idp-single-logout-url <Azure Logout URL>
+    set idp-cert <Base64 SAML Certificate Name>
+    set user-name username
+    set group-name group
+    end
+
+   ```
+
+**NOTE:** The **Azure Logout URL** contains a ? character. This requires a special key sequence in order for it to be correctly provided to the FortiGate Serial Console. The URL is typically
+
+   ```
+    https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
+   ```
+
+To provide this in the Serial Console, proceed by typing
+
+   ```
+    set idp-single-logout-url https://login.microsoftonline.com/common/wsfederation
+   ```
+
+Then type **CTRL+V**
+Then paste the rest of the URL in to complete the line
+
+   ```
+    set idp-single-logout-url https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
+   ```
 
 ### Create FortiGate SSL VPN test user
 
@@ -160,6 +219,8 @@ In this section, you test your Azure AD single sign-on configuration using the A
 
 When you click the FortiGate SSL VPN tile in the Access Panel, you should be automatically signed in to the FortiGate SSL VPN for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
 
+Microsoft and FortiGate recommend that you use the Fortinet VPN client, FortiClient for the best end user experience.
+
 ## Additional resources
 
 - [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)