Technical Tip: Configuring SAML SSO login for FortiGate VPN with Jumpcloud acting as SAML IdP
Description
This article describes how to configure SAML authentication on both Jumpcloud and the FortiGate for remote access VPN (both IPsec and SSL VPN).
Scope
FortiGate, SSL VPN (FortiOS v6.4 up to FortiOS v7.6.2), IPsec (FortiOS v7.2 and later).
Solution
Configuration On FortiGate.
As an initial reference, see the following general documentation on configuring SAML on the FortiGate:
Technical Tip: A basic explanation of SAML authentication
Technical Tip: FortiGate SAML authentication resource list
The following is an example SAML configuration on the FortiGate for usage with remote-access VPN (as opposed to administrator SAML logins, which use slightly different URLs):
config user saml
    edit 'jumpcloud'
        set cert 'Fortinet_Factory'
        set entity-id 'https://<FQDN_or_IP_Address_of_FortiGate>:<port>/remote/saml/metadata/'
        set single-sign-on-url 'https://<FQDN_or_IP_Address_of_FortiGate>:<port>/remote/saml/login/'
        set single-logout-url 'https://<FQDN_or_IP_Address_of_FortiGate>:<port>/remote/saml/logout/'
        set idp-entity-id 'https://sso.jumpcloud.com/saml2/<Jumpcloud_Display_Label>'
        set idp-single-sign-on-url 'https://sso.jumpcloud.com/saml2/<Jumpcloud_Display_Label>'
        set idp-single-logout-url 'https://console.jumpcloud.com/userconsole'
        set idp-cert 'REMOTE_Cert_2'
        set user-name 'user'
        set group-name 'group'
        set digest-method sha256
    next
end
config user group
    edit 'Jumpcloud_SSO_Users'
        set member 'jumpcloud'
    next
end
Before entering the above, take note of the following:
- The SP entity-id, single-sign-on-url, and single-logout-url must be updated with the FQDN or IP address assigned to the FortiGate interface that will receive SAML requests. Additionally, the port that is utilized is different depending on whether IPsec or SSL-VPN is being used:
- For IPsec, the SAML port must be set to the same port as auth-ike-saml-port under config system global (default = 1001).
- For SSL VPN, the SAML port must be set to the same port as the SSL VPN itself (e.g., 443, 8443, 10443, etc).
- The idp-entity-id is manually specified on the Jumpcloud side and does not follow a strict format (it simply must match on both Jumpcloud and FortiGate). Any string is appropriate here, but the above example uses https://sso.jumpcloud.com/saml2/<Jumpcloud_Display_Label>, where <Jumpcloud_Display_Label> would be replaced with the Jumpcloud application name. The idp-single-sign-on-url is similar, though Jumpcloud does use the above format by default. Note that this SSO IdP URL cannot be changed on Jumpcloud after the application is initially created.
- The idp-cert must be uploaded to the FortiGate first before it can be set here. Refer to the following documentation for how this is done: Uploading SAML IdP certificate to the FortiGate SP.
- The user-name attribute on the FortiGate must match the attribute name configured in the Jumpcloud application. Jumpcloud's default attribute is 'email', which carries the user's email address; the example above uses the attribute name 'user' instead, and the Jumpcloud configuration below uses the same name. On the Jumpcloud side the attribute value can be changed to other options (username, first name, last name, etc.).
- The digest-method is set to SHA256 to match Jumpcloud defaults.
- The User Group on the FortiGate must be placed into Firewall Policies for the remote-access VPN interface before SAML authentication can be activated.
Configuration On Jumpcloud.
Log in to the Jumpcloud Admin portal, then go to User Authentication -> SSO Applications. Select the Get Started button or the + Add New Application button, then search for and select the 'SAML 2.0' application. Select Next to continue.

- By default, the Display Label will be used to generate the SSO IdP URL (aka idp-single-sign-on-url). This can be overridden under the Advanced Settings section, though it cannot be changed after the Application is created.
- Download the Jumpcloud IdP certificate (select IDP Certificate Valid and then Download Certificate). This certificate must be uploaded to the FortiGate and then set in the idp-cert field. Failure to do this can result in authentication appearing to succeed, followed by the user being immediately redirected to the Jumpcloud login again.
- Specify the IdP Entity ID (can be any string, but a URL like https://sso.jumpcloud.com/saml2/<Jumpcloud_Display_Label> can be appropriate).
- Set the SP Entity ID as an exact match to the FortiGate's entity-id setting (case-sensitive, must match exactly).
- Set the ACS URLs to the FortiGate's single-sign-on-url setting.
- Select the Replace SP Certificate button and upload the FortiGate's SP certificate (this would match the cert setting on the FortiGate SAML config and can be downloaded from System -> Certificates).
- The SAMLSubject NameID Format can be left as-is at this time, as can the Signature Algorithm.
- Set the Sign option to Assertion and Response (though any of the three is acceptable).
- Default RelayState may be left unmodified if this Application will be used for SP-initiated logins only (i.e., FortiClient VPN tunnels). Optionally, it may be set to https://<FQDN_or_IP_Address_of_FortiGate>:<port>/remote/saml/start?realm= if users want to connect to SSL-VPN web mode specifically via the Jumpcloud console.
- Set Login URL to the FortiGate's single-sign-on-url setting (in addition to the ACS URL).
- Important: toggle-on Declare Redirect Endpoint. If toggled off, authentication will appear to succeed, but the SAML client will be bounced back to the Jumpcloud login page.
- Note the IDP URL (it cannot be modified once the application has been created).
- Configure User and Group Attributes to match the FortiGate user-name and group-name settings. The 'user' and 'group' attribute names are used here for simplicity, though Jumpcloud defaults to 'email' and 'memberOf' respectively.
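As an added example (not code from the article, Fortinet or Jumpcloud), the following Python check parses the FortiGate 'config user saml' block and compares it against the values entered in the Jumpcloud application, enforcing the exact-match, https and port rules described above. The host name vpn.example.com, the Jumpcloud label fortigate-vpn and the dictionary field names are assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed sample: the article's 'config user saml' block with placeholders filled in (hypothetical host/label).
FORTIGATE_CLI = """
config user saml
    edit 'jumpcloud'
        set entity-id 'https://vpn.example.com:10443/remote/saml/metadata/'
        set single-sign-on-url 'https://vpn.example.com:10443/remote/saml/login/'
        set single-logout-url 'https://vpn.example.com:10443/remote/saml/logout/'
        set idp-entity-id 'https://sso.jumpcloud.com/saml2/fortigate-vpn'
        set user-name 'user'
        set group-name 'group'
    next
end
"""
# Constructed Jumpcloud SAML 2.0 app fields; the SP Entity ID lacks the trailing slash (a common exact-match slip).
JUMPCLOUD_APP = {
    "idp_entity_id": "https://sso.jumpcloud.com/saml2/fortigate-vpn",
    "sp_entity_id": "https://vpn.example.com:10443/remote/saml/metadata",
    "acs_url": "https://vpn.example.com:10443/remote/saml/login/",
    "user_attribute": "user",
    "group_attribute": "group",
    "declare_redirect_endpoint": True,
}
def parse_user_saml(cli: str) -> dict:
    """Collect the 'set <key> <value>' lines of a FortiOS CLI block into a dict."""
    settings = {}
    for line in cli.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+['\"]?([^'\"]*)['\"]?\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings
def check_saml_pairing(fgt: dict, jc: dict, vpn_port: int) -> list:
    """Return mismatches between the FortiGate SP settings and the Jumpcloud app."""
    problems = []
    pairs = [("entity-id", "sp_entity_id"), ("single-sign-on-url", "acs_url"),
             ("idp-entity-id", "idp_entity_id"), ("user-name", "user_attribute"),
             ("group-name", "group_attribute")]
    for fkey, jkey in pairs:
        if fgt.get(fkey) != jc.get(jkey):  # exact, case-sensitive match is required
            problems.append(f"{fkey} != Jumpcloud {jkey}: {fgt.get(fkey)!r} vs {jc.get(jkey)!r}")
    for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
        u = urlparse(fgt.get(key, ""))
        if u.scheme != "https":
            problems.append(f"{key} must be an https:// URL")
        elif u.port != vpn_port:  # 1001 for IPsec (auth-ike-saml-port), the SSL VPN port otherwise
            problems.append(f"{key} uses port {u.port}; the VPN listens on {vpn_port}")
    if not jc.get("declare_redirect_endpoint"):
        problems.append("Declare Redirect Endpoint is off: login will bounce back to Jumpcloud")
    return problems
```

Run it before enabling SAML on the VPN policy; an empty list means the two sides agree on every value the article calls out.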