Use SAML in firewall policies?

Hi @esec

What do you like to achive? 

Would you like to use SAML User Group for internal Policy (e.g. lan1 to wan1)? 

Usergroups for SSLVPN SAML works only with SSLVPN. The reason behind is the callback URL from SAML.

Hi,

We would like to use SAML User Group for internal policy.

My question is if it is possible and if it is, what reply/signon or callback URL that needs to be configured.

Hi

You have to configure it als "Authentication Scheme" for explicit and transparent proxies.

Follow this documentation:

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/447498/saml-authentication-in-a-proxy-policy

Hi @esec

Can you try below format.

set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"

set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"

Hi esec,

I think this is actually the documentation you are looking for:

https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/219787/saml-sp-for-vpn-authentication

As Suraj pointed out, the links are not correct. remote/saml/.... is the correct format.

Since we see it often mistaken:

The SAML configuration will require a

set user-name "username"
set group "group"

This part says literally:

In the SAML response we found the username VALUE in the ATTRIBUTE called "username".

In the SAML response we found the group VALUE in the ATTRIBUTE called "group".

Whatever your IdP uses as Attribute for putting the user/group into - set it here appropriately.

Best regards,

Markus

Hi,

it seems like that /remote/saml is for SSLVPN and for firewall authentication /saml/login according to the documentation below, I will try to test it out :)

Administration Guide | FortiGate / FortiOS 6.4.2 | Fortinet Documentation Library

Best Regards