FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
mihediwa
Staff
Article Id 207785
Description

This article describes how to configure SSL VPN login using FortiAuthenticator as a SAML IdP.

Scope

FortiGate v6.4.8, FortiAuthenticator v6.4.2.

Solution

A FortiGate can act as a SAML SP (Service Provider) requesting authentication from a SAML IdP (Identity Provider), in this case FortiAuthenticator.


When a FortiGate is configured as a service provider (SP), it is possible to create an authentication profile that uses SAML for SSL-VPN web portal authentication as well as tunnel mode.

 

The authentication flow is: SSL VPN client -> FortiGate (SP) -> FortiAuthenticator (IdP, local user database).

 

Related documents:

FortiGate SSL VPN with FortiAuthenticator as SAML IdP

Configuring SAML IdP settings

Configuring SP settings on FortiAuthenticator

SAML SP for VPN authentication

 

  1. Configure the FortiGate SP to be a SAML user:

config user saml
    edit "fac-firewall"
        set entity-id "http://[FGT_IP_or_FQDN]:port/remote/saml/metadata/"
        set single-sign-on-url "https://[FGT_IP_or_FQDN]:port/remote/saml/login/"
        set single-logout-url "https://[FGT_IP_or_FQDN]:port/remote/saml/logout/"
        set idp-entity-id "http://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/metadata/"
        set idp-single-sign-on-url "https://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/login/"
        set idp-single-logout-url "https://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/logout/"
        set idp-cert "REMOTE_Cert_3" <----- Certificate downloaded from the IdP (FortiAuthenticator) and imported on the FortiGate.
        set user-name "username"
        set group-name "group"
    next
end

 

[SP-name] is the value of the 'SP name' field on the FortiAuthenticator Service Provider page; it must be the same in all three idp-* URLs.

 

  2. Add the SAML user to a user group (group matching may also be configured):

config user group
    edit "saml_sslvpn"
        set member "fac-firewall" <----- Must match the SAML user name created in step 1.
    next
end

 

  3. Configure SSL VPN:

config vpn ssl settings
    set servercert "self-sign"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "saml_sslvpn"
            set portal "full-access"
        next
    end
end

  4. Configure the SSL VPN portal:

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "web-access"
        set web-mode enable
    next
end

  5. Add the SAML user group to a firewall policy:

config firewall policy
    edit 1
        set name "FAC-SAML"
        set srcintf "ssl.root"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "saml_sslvpn"
        set nat enable
    next
end

  6. Configure the remote authentication timeout value as needed:

config system global
    set remoteauthtimeout 120
end

  7. Configure the FortiAuthenticator IdP as needed. Configure the SAML IdP settings under Authentication -> SAML IdP -> General.

From FortiAuthenticator version 6.6.3, realms are no longer configured under Authentication -> SAML IdP -> General; they have been moved to Authentication -> SAML IdP -> User Sources.

  8. Configure SP settings on FortiAuthenticator: Go to Authentication -> SAML IdP -> Service Providers and create a new reference for the service provider (the FortiGate) that will be used as the SAML client.

  9. Create a local user and group on the FortiAuthenticator under Authentication -> User Management -> Local User.

  10. Create a user group: Local_Group01.

  11. Log in to the SSL VPN web mode as a remote user. The SAML login page will appear, and after a successful IdP login the user is redirected to the portal:


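Before testing, it is worth checking that the FortiGate CLI objects above reference each other consistently: the group member must name an existing SAML user, the group must be referenced by the authentication rule, and all three idp-* URLs must carry the same [SP-name]. The following Python script is an added example (not part of the article or any Fortinet tool): it parses FortiOS config/edit/set text into nested dictionaries and runs those checks against a constructed sample whose host name and SP name are placeholders and whose group member deliberately does not match the SAML user.

```python
import re
import shlex
# Constructed sample mirroring the article's CLI (placeholder host/SP name) with one deliberate mismatch
SAMPLE = """config user saml
    edit "fac-firewall"
        set idp-entity-id "http://fac.example.test/saml-idp/fgt-sslvpn/metadata/"
        set idp-single-sign-on-url "https://fac.example.test/saml-idp/fgt-sslvpn/login/"
        set idp-single-logout-url "https://fac.example.test/saml-idp/fgt-sslvpn/logout/"
        set idp-cert "REMOTE_Cert_3" <----- certificate imported from FortiAuthenticator
    next
end
config user group
    edit "saml_sslvpn"
        set member "fac-sslvpn"
    next
end"""

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts (helper written for this example)."""
    stack = [{}]
    for raw in text.splitlines():
        tok = shlex.split(raw.split("<-----")[0])  # drop the article-style inline annotation
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]  # kept as a list: 'set member' and 'set groups' take several values
        elif tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def check_saml_chain(cfg):
    """Return problems in the SAML user -> user group chain and in the IdP URL set."""
    problems, saml, groups = [], cfg.get("user saml", {}), cfg.get("user group", {})
    for name, u in saml.items():
        sp = re.search(r"/saml-idp/([^/]+)/", "".join(u.get("idp-entity-id", [])))
        for key in ("idp-single-sign-on-url", "idp-single-logout-url"):
            if sp and f"/saml-idp/{sp.group(1)}/" not in "".join(u.get(key, [])):
                problems.append(f"{name}: {key} does not use SP name '{sp.group(1)}' from idp-entity-id")
        if not u.get("idp-cert"):
            problems.append(f"{name}: idp-cert not set, so IdP assertions cannot be verified")
    for gname, g in groups.items():
        for member in g.get("member", []):
            if member not in saml:
                problems.append(f"group {gname}: member '{member}' is not a configured SAML user")
    return problems
```

Paste the output of 'show user saml' and 'show user group' from the FortiGate in place of SAMPLE to check a live configuration.
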
Troubleshooting commands to run on the FortiGate:

diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable

Run 'diagnose debug disable' once the capture is finished.


Note:
From v7.6.3, SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN', as explained in Technical Tip: Upcoming changes on SSL VPN modes starting from v7.6.3.

Related articles:

Technical Tip: Configure group based policies for SAML users

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ....