Question
IPSEC vpn for remote users with SAML authentication
Starting with FortiOS 7.6.3, the SSL VPN tunnel mode has been replaced by IPsec. I have prepared a consolidated document that outlines the key steps and configuration required to set up IPsec VPN for remote users using SAML authentication. This single document can be used as a reference, eliminating the need to consult multiple sources.
IPSEC Remote Access VPN with SAML Authentication
This document provides a summarized configuration guide for setting up an IPsec-based Remote Access VPN for users with SAML authentication. Starting from FortiOS 7.6.3, SSL VPN tunnel mode is replaced with IPsec.
Reference Document:
https://docs.fortinet.com/document/fortigate/7.4.4/ssl-vpn-to-ipsec-vpn-migration/446639/saml-based-user-authentication
Summary Notes
IPsec supports SAML-based authentication on FortiClient version 7.2.4 and later.
Only IPsec IKEv2 supports SAML authentication. IKEv1 is not supported.
1. IDP Configuration (Okta)
Create a new application in the Identity Provider (Okta).
Assign the appropriate user group(s) to the application, and configure the group attribute statement so that the user's group membership is included in the SAML assertion.

2. FortiGate Configuration
-SAML Single Sign-On Setup
Navigate to User & Authentication > Single Sign-On > Create New on the FortiGate device to create a new SAML Single Sign-On connection.
Share the following parameters with the Okta administrator so they can be configured on the IDP side:
Entity ID
Assertion Consumer Service (ACS) URL
Single Logout Service URL
After the Okta side is configured, the IDP provides its corresponding values, which must be entered in the FortiGate SAML configuration.
Username and group attributes must be configured as required.
-Configure IPsec Tunnel (Wizard)
Configure the IPsec tunnel using the built-in IPsec Wizard. Reference guide:
https://docs.fortinet.com/document/fortigate/7.4.4/ssl-vpn-to-ipsec-vpn-migration/137787/part-2-configuring-ipsec-tunnels-using-the-ipsec-wizard
-Configure auth-ike-saml-port
Configure the auth-ike-saml-port, which is used for establishing the VPN session with SAML authentication.
config system global
    set auth-ike-saml-port 10428
end
-Configure ike-saml-server on WAN Interface
Configure the ike-saml-server on the WAN interface used for remote user VPN connections.
config system interface
    edit <port>                       ← WAN port
        set ike-saml-server <Name>    ← SSO object name created earlier
    next
end
-Firewall Policy Configuration
Create appropriate firewall policies to allow authenticated groups access to internal resources. Multiple policies may be created based on group mapping from the IDP.
Note – If you want to restrict access to internal resources by group through firewall policies, do not assign a group in the phase-1 interface settings.
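The FortiGate side of step 2, consolidated as an added FortiOS CLI example (not from the original post or from Fortinet's documentation), following the note above: no group on the phase-1 interface, with group restriction done in the firewall policy. The SSO object name "okta-saml" (created in the SAML SSO setup), ports "port1"/"port2", the tunnel name, the local group name, the Okta group value and the address pool are assumed values; phase 2 as created by the IPsec wizard is not repeated.

```text
# Added example: FortiOS CLI for group-restricted IKEv2 remote access with SAML.
# Assumed: SSO object "okta-saml" already exists (step 2, SAML SSO Setup),
# WAN port "port1", LAN port "port2", Okta group attribute value "VPN-Admins".

# Map an IDP group value to a local group; create one such group per IDP group.
config user group
    edit "vpn-admins"
        set member "okta-saml"
        config match
            edit 1
                set server-name "okta-saml"
                set group-name "VPN-Admins"
            next
        end
    next
end

# IKEv2 only (IKEv1 does not support SAML); EAP carries the SAML identity.
# No authusrgrp here, so group restriction is left to the firewall policies.
config vpn ipsec phase1-interface
    edit "RA-IKEv2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.250
        set ipv4-netmask 255.255.255.0
        set psksecret <pre-shared-key>
    next
end

# Policy that admits only members of the mapped group to the LAN.
config firewall policy
    edit 0
        set name "ra-vpn-admins-to-lan"
        set srcintf "RA-IKEv2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpn-admins"
    next
end
```

Add a further user group and policy pair for each additional IDP group that needs different access.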
3. FortiClient Configuration
Configure FortiClient using the pre-shared key, Phase 1, and Phase 2 parameters defined during IPsec setup.
Reference document:
https://docs.fortinet.com/document/fortigate/7.4.4/ssl-vpn-to-ipsec-vpn-migration/477942/forticlient-endpoint-configuration-migration
