mihediwa
Staff
March 29, 2022

Technical Tip: Configuring SAML SSO for SSL VPN with FortiAuthenticator as a SAML IdP

Description

This article describes how to configure SSL VPN login using FortiAuthenticator as a SAML IdP.

Scope

FortiGate v6.4.8, FortiAuthenticator v6.4.2.

Solution

A FortiGate can act as a SAML SP (Service Provider) that requests authentication from a SAML IdP (Identity Provider), in this case FortiAuthenticator.


Once the FortiGate is configured as the service provider (SP), an SSL VPN authentication rule can use SAML for both web portal and tunnel mode logins.

 

Topology: SSL VPN user -> FortiGate (SP) -> FortiAuthenticator (IdP, with its local user database).

 

Related documents:

FortiGate SSL VPN with FortiAuthenticator as SAML IdP

Configuring SAML IdP settings

Configuring SP settings on FortiAuthenticator

SAML SP for VPN authentication

 

  1. Configure the FortiGate SP to be a SAML user:

 

config user saml
    edit "fac-firewall"
        set entity-id "http://[FGT_IP_or_FQDN]:port/remote/saml/metadata/"
        set single-sign-on-url "https://[FGT_IP_or_FQDN]:port/remote/saml/login/"
        set single-logout-url "https://[FGT_IP_or_FQDN]:port/remote/saml/logout/"
        set idp-entity-id "http://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/metadata/"
        set idp-single-sign-on-url "https://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/login/"
        set idp-single-logout-url "https://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/logout/"
        set idp-cert "REMOTE_Cert_3" <----- Certificate downloaded from the IdP (FortiAuthenticator) and imported on the FortiGate; the FortiGate uses it to verify the signature on the IdP's SAML responses.
        set user-name "username" <----- Name of the assertion attribute that carries the user name.
        set group-name "group" <----- Name of the assertion attribute that carries the group name.
    next
end

 

[SP-name] is the value of the "SP name" field on the FortiAuthenticator Service Provider page.

 

  2. Add the SAML user to the user group (group matching may also be configured):

 

config user group
    edit "saml_sslvpn"
        set member "fac-firewall" <----- The SAML user object created in the previous step.
    next
end

 

  3. Configure SSL VPN:

 

config vpn ssl settings
    set servercert "self-sign"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "saml_sslvpn"
            set portal "full-access"
        next
    end
end

 


 

  4. Configure the SSL VPN portal:

 

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "web-access"
        set web-mode enable
    next
end

 


 

  5. Add the SAML user group to a firewall policy:

 

config firewall policy
    edit 1
        set name "FAC-SAML"
        set srcintf "ssl.root"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "saml_sslvpn"
        set nat enable
    next
end

 

  6. Configure the remote authentication timeout value as needed:


config system global
    set remoteauthtimeout 120
end
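The objects configured above only work when they reference each other consistently: the SAML user object must be a member of the user group, and the SSL VPN authentication rule must select that group. The following script is an added example, not code from the article or from Fortinet: it parses FortiOS-style CLI text and checks that chain plus the shape of the six SAML URLs from the first step. The embedded config is constructed for the example (the hostnames and the SP name "fortigate-sslvpn" are assumed values), and its group member is deliberately left dangling so the check has something to report.

```python
# Added example, not code from the article: a consistency linter for the FortiGate
# SAML user, user group and SSL VPN authentication rule shown above. Hostnames and
# the SP name "fortigate-sslvpn" in the sample are assumed values, not from the article.
import re
import shlex

# Constructed sample config; the group member is deliberately dangling.
SAMPLE_CONFIG = """
config user saml
    edit "fac-firewall"
        set entity-id "http://vpn.example.com:443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:443/remote/saml/login/"
        set single-logout-url "https://vpn.example.com:443/remote/saml/logout/"
        set idp-entity-id "http://fac.example.com/saml-idp/fortigate-sslvpn/metadata/"
        set idp-single-sign-on-url "https://fac.example.com/saml-idp/fortigate-sslvpn/login/"
        set idp-single-logout-url "https://fac.example.com/saml-idp/fortigate-sslvpn/logout/"
        set idp-cert "REMOTE_Cert_3"
    next
end
config user group
    edit "saml_sslvpn"
        set member "fac-sslvpn" <----- the SAML object above is named "fac-firewall"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "saml_sslvpn"
        next
    end
end
"""

_SP_URL = r"^https?://[^/]+/remote/saml/{}/$"      # FortiGate (SP) URL shapes from the article
_IDP_URL = r"^https?://[^/]+/saml-idp/[^/]+/{}/$"  # FortiAuthenticator (IdP) URL shapes
URL_SHAPES = {"entity-id": _SP_URL.format("metadata"), "single-sign-on-url": _SP_URL.format("login"),
              "single-logout-url": _SP_URL.format("logout"), "idp-entity-id": _IDP_URL.format("metadata"),
              "idp-single-sign-on-url": _IDP_URL.format("login"), "idp-single-logout-url": _IDP_URL.format("logout")}
SP_NAME_RE = re.compile(r"/saml-idp/([^/]+)/")

def _node():
    return {"settings": {}, "entries": {}, "tables": {}}

def parse_fortios(text):
    """Parse config/edit/set/next/end text into a dict tree; '<---' notes are stripped."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        tok = shlex.split(raw.split("<--", 1)[0])
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            child = _node()
            stack[-1]["tables" if tok[0] == "config" else "entries"][" ".join(tok[1:])] = child
            stack.append(child)
        elif tok[0] == "set":
            stack[-1]["settings"][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit versus next/end")
    return root

def lint_saml_sslvpn(cfg):
    """Return findings as strings; an empty list means the objects are consistent."""
    f, tables = [], cfg["tables"]
    saml_users = tables.get("user saml", _node())["entries"]
    # every 'config user <type>' table except 'user group' defines user objects
    known = {u for p, t in tables.items() if p.startswith("user ") and p != "user group" for u in t["entries"]}
    for name, user in saml_users.items():
        s = user["settings"]
        for key, pat in URL_SHAPES.items():
            if not re.match(pat, (s.get(key) or [""])[0]):
                f.append(f"step 1: user saml {name}: {key} missing or not of the expected shape")
        sp = {m.group(1) for k, v in s.items() if v and k.startswith("idp-") and (m := SP_NAME_RE.search(v[0]))}
        if len(sp) > 1:
            f.append(f"step 1: user saml {name}: idp-* URLs disagree on [SP-name]: {sorted(sp)}")
        if not s.get("idp-cert"):
            f.append(f"step 1: user saml {name}: idp-cert not set, so IdP signatures cannot be verified")
    groups = tables.get("user group", _node())["entries"]
    saml_groups = set()
    for gname, g in groups.items():
        for member in g["settings"].get("member", []):
            if member in saml_users:
                saml_groups.add(gname)
            elif member not in known:
                f.append(f"step 2: user group {gname}: member {member!r} is not a defined user object")
    rules = tables.get("vpn ssl settings", _node())["tables"].get("authentication-rule", _node())["entries"]
    rule_groups = {g for r in rules.values() for g in r["settings"].get("groups", [])}
    for g in sorted(rule_groups - set(groups)):
        f.append(f"step 3: authentication-rule references undefined group {g!r}")
    if saml_users and not rule_groups & saml_groups:
        f.append("step 3: no authentication-rule selects a group that contains a SAML user")
    return f

if __name__ == "__main__":
    for finding in lint_saml_sslvpn(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run with python3: for the constructed sample it reports the dangling member and, as a consequence, an authentication rule whose group contains no SAML user; change the member to "fac-firewall" and it reports nothing. Feed it the output of "show" from a real FortiGate to check a deployment the same way.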

  7. Configure the FortiAuthenticator IdP as needed. Configure the SAML IdP settings under Authentication -> SAML IdP -> General.
                                                           

 

Starting with FortiAuthenticator version 6.6.3, realms are no longer configured under Authentication -> SAML IdP -> General; they have moved to Authentication -> SAML IdP -> User Sources.
                                           


 

  8. Configure SP settings on FortiAuthenticator: go to Authentication -> SAML IdP -> Service Providers and create a new reference for the service provider that will be used as the SAML client.

 


 


 

  9. Create a local user and group on the FortiAuthenticator under Authentication -> User Management -> Local User.

 


 

  10. Create a user group: Local_Group01.

 


 

  11. Run SSL VPN web mode authentication for a remote user. The SAML login page will appear:

 


 


 


 


 

Troubleshooting commands to run on FortiGate:

 

diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable


Note:
In v7.6.3, SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN', as explained in Technical Tip: Upcoming changes on SSL VPN modes starting from v7.6.3.

Related articles:

Technical Tip: Configure group based policies for SAML users

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ....