FortiGate
pgautam
Staff
Article Id 253300
Description
This article explains that when outbound firewall authentication is configured using the SAML Azure IdP, the user is redirected directly to the Microsoft login page, and how to make the captive portal page with the SAML option appear instead.
Scope
FortiGate, captive portal, SAML.
Solution

Example:

FortiGate SAML configuration:

# config user saml
    edit "SAML_Auth"
        set entity-id "http://10.201.4.1:1003/remote/saml/metadata/"
        set single-sign-on-url "https://10.201.4.1:1003/remote/saml/login/"
        set single-logout-url "https://10.201.4.1:1003/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/55822b01-86f6-457c-b3f9-7544a45bb192/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/55822b01-86f6-457c-b3f9-7544a45bb192/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/55822b01-86f6-457c-b3f9-7544a45bb192/saml2"
        set idp-cert "REMOTE_Cert_3"
        set user-name "name"
        set group-name "group"
        set digest-method sha1
    next
end

 

# config user group
    edit "SAML_Auth"
        set member "SAML_Auth"
    next
end

# config firewall policy
    edit 11
        set name "Azure" <----- This policy allows connectivity to Microsoft for the authentication; it sits above the authenticated policy 10 so the login redirect is permitted before the user is authenticated.
        set uuid c0f5d968-e019-51ed-5236-b6dc3ba0b637
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Microsoft-Azure"
        set schedule "always"
        set logtraffic all
        set nat enable
        set comments " (Copy of internet_Windows_Server)"
    next
    edit 10
        set name "internet_Windows_Server"
        set uuid 05941810-d9b6-51ed-7ac3-1e53c651b2df
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "SAML_Auth" <----- SAML user group.
        set users "PHOTON-BB"
    next
end

 

When the user tries to access the internet, they are redirected directly to the Microsoft login page.

(Screenshot: MS login page)

To see the captive portal page with the SAML option, create a dummy local user group:

# config user group
    edit "Captive_portal"
        set member "Captive_portal"
    next
end

# config firewall policy
    edit 10
        set name "internet_Windows_Server"
        set uuid 05941810-d9b6-51ed-7ac3-1e53c651b2df
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "SAML_Auth" "Captive_portal" <----- Local dummy group and SAML group.
    next
end

 

After the local group is added, when the user tries to access the internet the captive portal page is shown, with the SAML login option visible:

(Screenshot: Captive portal page)

Select SAML Identity Provider to use the SAML login, or enter the local user credentials for a local user login, then select Continue.
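As an added check (example code written for this article, not Fortinet's or the article's own), the following Python script parses a "config firewall policy" dump in the format shown above and flags the two conditions this setup depends on: the Microsoft-Azure policy listed above the authenticated policy, and a group other than the SAML group present on the authenticated policy so the captive portal page is shown. The sample policy text is constructed from this article's examples, and treating every non-SAML group as a local group is an assumption.

```python
import shlex

# Constructed sample, modelled on the two policies in this article (not a live export).
SAMPLE_POLICIES = """
config firewall policy
    edit 11
        set name "Azure"
        set internet-service enable
        set internet-service-name "Microsoft-Azure"
    next
    edit 10
        set name "internet_Windows_Server"
        set groups "SAML_Auth" "Captive_portal"
    next
end
"""

def parse_policies(text):
    """Return (policy_id, {setting: [values]}) tuples in listed order, i.e. FortiOS evaluation order."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = (line.split()[1], {})
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)          # keeps quoted values such as "Captive_portal" intact
            current[1][parts[1]] = parts[2:]
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
    return policies

def check_captive_portal(text, saml_group="SAML_Auth"):
    """Return findings as strings; an empty list means the layout matches the article's working setup."""
    pols = parse_policies(text)
    azure = next((i for i, (_, p) in enumerate(pols)
                  if "Microsoft-Azure" in p.get("internet-service-name", [])), None)
    auth = next((i for i, (_, p) in enumerate(pols)
                 if saml_group in p.get("groups", [])), None)
    findings = []
    if azure is None:
        findings.append("no policy allows the Microsoft-Azure internet service, so the IdP redirect is blocked")
    if auth is None:
        findings.append(f"no policy references the SAML group {saml_group!r}")
    elif not set(pols[auth][1]["groups"]) - {saml_group}:   # assumption: any other group is local
        findings.append("authenticated policy has only the SAML group; users go straight to the Microsoft login")
    if azure is not None and auth is not None and azure > auth:
        findings.append("Azure policy is below the authenticated policy; move it above so unauthenticated users reach the IdP")
    return findings
```

Running `check_captive_portal(SAMPLE_POLICIES)` on the sample returns no findings; dropping "Captive_portal" from the groups line reproduces the direct-to-Microsoft behaviour described above.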

 

To configure SAML with the Azure IdP, refer to the related documents below:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/33053/outbound-firewall-auth...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-SAML-authenticat...
