This article provides a step-by-step guide to configuring a ZTNA agentless web portal that uses SAML authentication with Entra ID as the Identity Provider (IdP). This enhanced ZTNA web portal gives access to protected resources using only a client browser.

Prerequisites:

- The Entra ID enterprise application must already be configured with the FortiGate 'Service Provider' (SP) URLs ('http://ztna.fortilab.local:2587/xxxx').
- The Entra ID SAML certificate must be downloaded and imported into the FortiGate Remote certificate store. The imported certificate can be renamed to keep the configuration clean and consistent:

    config vpn certificate remote
        rename Remote_Cert_1 to saml-ztna-entra
    end

- The SSL server certificate 'ztna.fortilab.local' was previously imported into FortiGate (see Technical Tip: FortiGate HTTPS/SSL Certificate Installation (PFX, PKCS12, PEM and CER)).

Configuration steps:

- Configure the FortiGate SAML server according to the Entra ID 'Identity Provider' (IdP) settings (IdP URLs and the username/group attribute names):
    config user saml
        edit "saml-ztna"
            set cert "ztna.fortilab.local"
            set entity-id "http://ztna.fortilab.local:2587/remote/saml/metadata/"
            set single-sign-on-url "https://ztna.fortilab.local:2587/remote/saml/login"
            set single-logout-url "https://ztna.fortilab.local:2587/remote/saml/logout"
            set idp-entity-id "https://sts.windows.net/xxxxxx/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxx/saml2"
            set idp-single-logout-url "https://login.microsoftonline.com/xxxxxx/saml2"
            set idp-cert "saml-ztna-entra"
            set user-name "name"
            set group-name "groups"
            set digest-method sha1
        next
    end
- Create a user group for ZTNA with SAML authentication. The group name 'xxxxxxxxxxxx' is the Object ID of the allowed group, obtained from the Azure portal:

    config user group
        edit "saml-ztna"
            set member "saml-ztna"
            config match
                edit 1
                    set server-name "saml-ztna"
                    set group-name "xxxxxxxxxxxx"
                next
            end
        next
    end
- Set up the VIP for the ZTNA agentless access:

    config firewall vip
        edit "ZTNA-agentless"
            set type access-proxy
            set server-type https
            set extip 10.5.147.78
            set extintf "port1"
            set client-cert disable
            set extport 2587
            set ssl-certificate "ztna.fortilab.local"
        next
    end
- Define the virtual host for the web portal:

    config firewall access-proxy-virtual-host
        edit "ztna-web-portal-fqdn"
            set ssl-certificate "ztna.fortilab.local"
            set host "ztna.fortilab.local"
            set client-cert disable
        next
    end
- Create an authentication scheme using the SAML method and assign the previously configured SAML server:

    config authentication scheme
        edit "ztna-web-portal-saml"
            set method saml
            set saml-server "saml-ztna"
        next
    end
- Configure the authentication rule that uses the SAML scheme:

    config authentication rule
        edit "ztna-web-portal-rule"
            set protocol ztna-portal
            set ip-based disable
            set active-auth-method "ztna-web-portal-saml"
            set web-auth-cookie enable
        next
    end
- Configure the ZTNA web portal using the previously configured firewall VIP, access-proxy virtual host and authentication rule:

    config ztna web-portal
        edit "ztna-web-portal"
            set vip "ZTNA-agentless"
            set host "ztna-web-portal-fqdn"
            set auth-rule "ztna-web-portal-rule"
        next
    end
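The SAML server's SP URLs, the VIP's extport/ssl-certificate and the virtual host's FQDN all point at ztna.fortilab.local:2587 above, and they have to keep agreeing when one of them is later edited. The following Python script is an added example (not from the article or FortiOS): it parses a constructed excerpt of that CLI into nested dicts and reports when the SP URLs, the VIP port or the certificate drift apart.

```python
import shlex
from urllib.parse import urlsplit
# Constructed excerpt of the article's CLI (hypothetical test input, not a live device dump).
CONFIG = """
config user saml
    edit "saml-ztna"
        set cert "ztna.fortilab.local"
        set entity-id "http://ztna.fortilab.local:2587/remote/saml/metadata/"
        set single-sign-on-url "https://ztna.fortilab.local:2587/remote/saml/login"
    next
end
config firewall vip
    edit "ZTNA-agentless"
        set extport 2587
        set ssl-certificate "ztna.fortilab.local"
    next
end
config firewall access-proxy-virtual-host
    edit "ztna-web-portal-fqdn"
        set host "ztna.fortilab.local"
    next
end
"""
def parse_fgt(text):
    """Parse FortiGate CLI text into nested dicts: {table: {entry: {key: [values]}}}."""
    root, stack = {}, []
    for tok in filter(None, (shlex.split(line) for line in text.splitlines())):
        if tok[0] == "config":           # open a table (top level or nested under an edit)
            parent = stack[-1] if stack else root
            stack.append(parent.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":           # open a table entry
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":            # attribute = list of values (quotes stripped by shlex)
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):  # close entry / table
            stack.pop()
    return root
def check_portal(cfg, saml="saml-ztna", vip="ZTNA-agentless", vhost="ztna-web-portal-fqdn"):
    """Return mismatches between the SP URLs, the VIP port/certificate and the virtual host FQDN."""
    s, v = cfg["user saml"][saml], cfg["firewall vip"][vip]
    fqdn, port = cfg["firewall access-proxy-virtual-host"][vhost]["host"][0], v["extport"][0]
    issues = []
    for key in ("entity-id", "single-sign-on-url"):
        u = urlsplit(s[key][0])
        if u.hostname != fqdn or str(u.port) != port:
            issues.append(f"{key} does not point at {fqdn}:{port}")
    if s["cert"] != v["ssl-certificate"]:
        issues.append("SAML SP cert differs from VIP ssl-certificate")
    return issues
```

Feed it the output of `show` for the three tables and an empty list means the objects agree; each reported line names the attribute that needs to be corrected.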
- Create bookmarks for the ZTNA web portal (this example is an RDP connection to 10.15.19.81):

    config ztna web-portal-bookmark
        edit "bookmarks"
            set groups "saml-ztna"
            config bookmarks
                edit "rdp"
                    set apptype rdp
                    set host "10.15.19.81"
                    set port 3389
                next
            end
        next
    end
- Set up the proxy policy for the ZTNA web portal:

    config firewall proxy-policy
        edit 0
            set name "ZTNA-web-portal"
            set proxy ztna-proxy
            set ztna-proxy "ztna-web-portal"
            set srcintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end

The remote client then navigates to 'https://ztna.fortilab.local:2587', selects the 'Login' button on the web portal and authenticates via the Microsoft login page. Once authenticated, the ZTNA agentless web portal with the pre-configured bookmarks is available.

Use the following FortiGate CLI command to verify the user authentication (auth_method should show SAML):

    diagnose wad user list
    ID: 6, VDOM: root, IPv4: 10.5.147.84
      user name   : user1@fortilab.onmicrosoft.com
      worker      : 0
      duration    : 3
      auth_type   : Session
      auth_method : SAML
      pol_id      : 0
      g_id        : 0
      user_based  : 0
      expire      : no
      LAN:
        bytes_in=3945 bytes_out=1170959
      WAN:
        bytes_in=0 bytes_out=0

Notes:

- For 'apptype web' to function, the FQDN must be defined under 'config ztna web-portal-bookmark'.
- The FortiGate must be able to resolve the FQDN to the internal web server IP address.
- The client workstation must resolve the same FQDN to the FortiGate external IP address used for ZTNA access (modifying the Windows Hosts file may be required).
Configuration example (web bookmark defined by FQDN):

    config ztna web-portal-bookmark
        edit "bookmarks"
            set groups "saml-ztna"
            config bookmarks
                edit "URL_HTTPS"
                    set url "https://example.com"
                next
            end
        next
    end

Related documents:

- ZTNA agentless web-based application access (7.6.5)
- Technical Tip: How to configure Agentless ZTNA with FortiGate v7.6
- Technical Tip: Unable to access ZTNA Agentless Web-Based Bookmarks
- Technical Tip: ZTNA Agentless not working properly on 90G devices in v7.6.x
- Technical Tip: Agentless ZTNA Access Proxy Portal unable to access internal HTTP/HTTPS resources using 'apptype web'