Created on 03-28-2022 10:12 PM Edited on 02-05-2024 12:49 AM By Jean-Philippe_P
Description
This article describes how to configure SSL VPN login using FortiAuthenticator as a SAML IdP.
Scope
FortiGate v6.4.8, FortiAuthenticator v6.4.2.
Solution
A FortiGate can act as a SAML SP (Service Provider), requesting authentication from a SAML IdP (Identity Provider), in this case FortiAuthenticator.
SSL VPN -> FortiGate (SP) -> FortiAuthenticator (IdP, local user database).
Useful links:
1. Configure the SAML SP object on the FortiGate:
config user saml
    edit "fac-firewall"
        set entity-id "http://[FGT_IP_or_FQDN]:port/remote/saml/metadata/"
        set single-sign-on-url "https://[FGT_IP_or_FQDN]:port/remote/saml/login/"
        set single-logout-url "https://[FGT_IP_or_FQDN]:port/remote/saml/logout/"
        set idp-entity-id "http://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/metadata/"
        set idp-single-sign-on-url "https://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/login/"
        set idp-single-logout-url "https://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/logout/"
        set idp-cert "REMOTE_Cert_3"   <----- certificate downloaded from the IdP (FortiAuthenticator) and imported on the FortiGate.
        set user-name "username"
        set group-name "group"
    next
end
[SP-name] - value of the "SP name" field in the FortiAuthenticator Service Provider page.
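The IdP-side values in the block above (idp-entity-id, the two idp-*-url settings and the signing certificate) all come from the IdP metadata that FortiAuthenticator publishes for the SP. The following added example (not part of the original article or of any Fortinet tool) parses such a metadata document, checks that the IdP URLs are consistent, and renders the matching FortiOS `config user saml` block; the host names, the SP name "fac-firewall" and the truncated certificate in the sample metadata are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of IdP metadata shaped like FortiAuthenticator's
# /saml-idp/<SP-name>/ URL layout (placeholder host, truncated certificate).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="http://fac.example.com/saml-idp/fac-firewall/metadata/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...TRUNCATED...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://fac.example.com/saml-idp/fac-firewall/logout/"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://fac.example.com/saml-idp/fac-firewall/login/"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract entityID, SSO/SLO locations and the signing cert from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "slo_url": slo.get("Location") if slo is not None else None,
            "signing_cert": cert.text.strip() if cert is not None else None}

def fortios_saml_block(name, fgt_host, fgt_port, idp, idp_cert_name):
    """Render 'config user saml' for the FortiGate SP from the parsed IdP values."""
    for k in ("entity_id", "sso_url", "slo_url", "signing_cert"):
        if not idp[k]:
            raise ValueError(f"IdP metadata is missing {k}")
    hosts = {urlparse(idp[k]).hostname for k in ("entity_id", "sso_url", "slo_url")}
    if len(hosts) != 1 or not idp["sso_url"].startswith("https://"):
        raise ValueError("IdP URLs must share one host and use HTTPS")
    sp = f"{fgt_host}:{fgt_port}/remote/saml"  # FortiGate SP endpoint prefix
    return "\n".join([
        "config user saml", f'    edit "{name}"',
        f'        set entity-id "http://{sp}/metadata/"',
        f'        set single-sign-on-url "https://{sp}/login/"',
        f'        set single-logout-url "https://{sp}/logout/"',
        f'        set idp-entity-id "{idp["entity_id"]}"',
        f'        set idp-single-sign-on-url "{idp["sso_url"]}"',
        f'        set idp-single-logout-url "{idp["slo_url"]}"',
        f'        set idp-cert "{idp_cert_name}"',  # name of the cert imported on the FortiGate
        '        set user-name "username"', '        set group-name "group"',
        "    next", "end"])
```

The signing certificate is only extracted here so its presence can be checked; it still has to be imported on the FortiGate as a remote certificate and referenced by name in idp-cert.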
2. Create a user group whose member is the SAML SP object defined above (the member name must match the name used in "config user saml"):
config user group
    edit "saml_sslvpn"
        set member "fac-firewall"
    next
end
3. Configure the SSL VPN settings and map the SAML group to a portal:
config vpn ssl settings
    set servercert "self-sign"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "saml_sslvpn"
            set portal "full-access"
        next
    end
end
4. Configure the SSL VPN portal:
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "web-access"
        set web-mode enable
    next
end
5. Create the firewall policy that allows traffic from the SSL VPN interface for the SAML group:
config firewall policy
    edit 1
        set name "FAC-SAML"
        set srcintf "ssl.root"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "saml_sslvpn"
        set nat enable
    next
end
Troubleshooting:
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug console timestamp enable
diagnose debug enable