Example:
FortiGate SAML configuration:
# config user saml
    edit "SAML_Auth"
        set entity-id "http://10.201.4.1:1003/remote/saml/metadata/"
        set single-sign-on-url "https://10.201.4.1:1003/remote/saml/login/"
        set single-logout-url "https://10.201.4.1:1003/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/55822b01-86f6-457c-b3f9-7544a45bb192/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/55822b01-86f6-457c-b3f9-7544a45bb192/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/55822b01-86f6-457c-b3f9-7544a45bb192/saml2"
        set idp-cert "REMOTE_Cert_3"
        set user-name "name"
        set group-name "group"
        set digest-method sha1
    next
end
The entity-id and single-sign-on-url must match the Identifier (Entity ID) and Reply URL registered in the Azure enterprise application exactly, and REMOTE_Cert_3 is the Azure signing certificate imported on the FortiGate as a remote certificate. The example keeps digest-method sha1; prefer sha256 where the IdP accepts it (Azure AD signs with SHA-256 by default).
# config user group
    edit "SAML_Auth"
        set member "SAML_Auth"
    next
end
# config firewall policy
    edit 11
        set name "Azure" <----- This policy allows unauthenticated traffic to Microsoft/Azure so that the redirect to the IdP login page can succeed; it must sit above the authenticated policy.
        set uuid c0f5d968-e019-51ed-5236-b6dc3ba0b637
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Microsoft-Azure"
        set schedule "always"
        set logtraffic all
        set nat enable
        set comments " (Copy of internet_Windows_Server)"
    next
    edit 10
        set name "internet_Windows_Server"
        set uuid 05941810-d9b6-51ed-7ac3-1e53c651b2df
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "SAML_Auth" <----- SAML user group.
        set users "PHOTON-BB"
    next
end
When the user tries to access the internet, the FortiGate redirects the browser to the Microsoft login page.
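The idp-* values in the SAML stanza above are copied from the Azure AD federation metadata of the enterprise application. As an added example (not code from this page or from Fortinet), the following Python script shows that mapping: it parses a constructed, trimmed stand-in for FederationMetadata.xml, converts the IdP signing certificate to PEM so it can be imported as the remote certificate, renders the "config user saml" entry, and flags a sha1 digest method or cleartext SP URLs. The tenant ID is the one from the page; the certificate body, the object names and the SP address are placeholders.

```python
"""Derive a FortiGate 'config user saml' entry from Azure AD federation metadata.

Added example, not Fortinet code. The trimmed metadata document, the names and
the placeholder certificate are constructed for illustration.
"""
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

TENANT = "55822b01-86f6-457c-b3f9-7544a45bb192"  # tenant ID used in the page's stanza
PLACEHOLDER_CERT = "A" * 100                      # stands in for the base64 DER blob

# Constructed, trimmed stand-in for Azure AD's FederationMetadata.xml.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the FortiGate needs: IdP entity ID, SSO/SLO URLs, signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def endpoint(tag: str) -> str:
        services = idp.findall(f"md:{tag}", NS)
        if not services:
            raise ValueError(f"no {tag} in metadata")
        # The FortiGate redirects the browser to the IdP, so prefer HTTP-Redirect.
        for svc in services:
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return services[0].get("Location")

    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                    "ds:X509Certificate", NS)
    if cert is None:  # a KeyDescriptor without 'use' covers signing as well
        cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no IdP signing certificate in metadata")
    return {"entity_id": root.get("entityID"),
            "sso_url": endpoint("SingleSignOnService"),
            "slo_url": endpoint("SingleLogoutService"),
            "cert_b64": "".join(cert.text.split())}


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 DER blob as PEM for import as a FortiGate remote certificate."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_saml_stanza(name: str, sp_base: str, idp: dict, idp_cert_name: str,
                      digest_method: str = "sha256") -> str:
    """Render the 'config user saml' entry; sp_base is the FortiGate auth address."""
    if digest_method not in ("sha1", "sha256"):
        raise ValueError("digest-method must be sha1 or sha256")
    lines = [
        "config user saml",
        f'    edit "{name}"',
        f'        set entity-id "{sp_base}/remote/saml/metadata/"',
        f'        set single-sign-on-url "{sp_base}/remote/saml/login/"',
        f'        set single-logout-url "{sp_base}/remote/saml/logout/"',
        f'        set idp-entity-id "{idp["entity_id"]}"',
        f'        set idp-single-sign-on-url "{idp["sso_url"]}"',
        f'        set idp-single-logout-url "{idp["slo_url"]}"',
        f'        set idp-cert "{idp_cert_name}"',
        '        set user-name "name"',
        '        set group-name "group"',
        f"        set digest-method {digest_method}",
        "    next",
        "end",
    ]
    return "\n".join(lines)


def lint(stanza: str) -> list:
    """Flag settings a reviewer would push back on before the config goes live."""
    findings = []
    if "set digest-method sha1" in stanza:
        findings.append("digest-method sha1: prefer sha256 (Azure AD signs with SHA-256 by default)")
    for line in stanza.splitlines():
        if "-url " in line and "http://" in line:  # assertions would travel in cleartext
            findings.append("cleartext URL: " + line.strip())
    return findings


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print(to_pem(idp["cert_b64"]))  # save to a file and import it as REMOTE_Cert_3
    stanza = build_saml_stanza("SAML_Auth", "https://10.201.4.1:1003", idp, "REMOTE_Cert_3")
    print(stanza)
    for finding in lint(stanza):
        print("WARNING:", finding)
```

Run it against the real FederationMetadata.xml downloaded from the Azure enterprise application, paste the printed stanza into the CLI, and check the lint warnings; the SP-side values still have to be registered in Azure by hand.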
To see the Captive portal page with the SAML option create a dummy local user group:
# config user group
    edit "Captive_portal"
        set member "Captive_portal"
    next
end
# config firewall policy
    edit 10
        set name "internet_Windows_Server"
        set uuid 05941810-d9b6-51ed-7ac3-1e53c651b2df
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "SAML_Auth" "Captive_portal" <----- Local dummy group and SAML group.
    next
end
After the local group is added, the captive portal page shown to the user includes the SAML login option:
Select 'SAML Identity Provider' to use the SAML login, or enter local user credentials for a local login, then select Continue:
To configure SAML with Azure as the IdP, refer to the following documents:
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/33053/outbound-firewall-auth...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-SAML-authenticat...