FortiAuthenticator
FortiAuthenticator provides access management and single sign-on.
mihediwa
Staff
Article Id 207785

Description

This article describes how to configure SSL VPN login using FortiAuthenticator as a SAML IdP.

Scope

FortiGate v6.4.8, FortiAuthenticator v6.4.2.

Solution

A FortiGate can act as a SAML SP (Service Provider) that requests authentication from a SAML IdP (Identity Provider), here FortiAuthenticator.

When a FortiGate is configured as a service provider (SP), an authentication profile that uses SAML can be created for SSL VPN web portal authentication as well as tunnel mode.

The authentication flow is:

SSL-VPN -> FortiGate (SP) -> FortiAuthenticator (IdP, local user database)

 


  1. Configure the FortiGate as a SAML SP by creating a SAML user:

config user saml
    edit "fac-firewall"
        set entity-id "http://[FGT_IP_or_FQDN]:port/remote/saml/metadata/"
        set single-sign-on-url "https://[FGT_IP_or_FQDN]:port/remote/saml/login/"
        set single-logout-url "https://[FGT_IP_or_FQDN]:port/remote/saml/logout/"
        set idp-entity-id "http://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/metadata/"
        set idp-single-sign-on-url "https://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/login/"
        set idp-single-logout-url "https://[FAC_IP_or_FQDN]/saml-idp/[SP-name]/logout/"
        set idp-cert "REMOTE_Cert_3"   <----- IdP (FortiAuthenticator) certificate, downloaded from the FortiAuthenticator and imported on the FortiGate
        set user-name "username"
        set group-name "group"
    next
end

[SP-name] is the value of the "SP name" field on the FortiAuthenticator Service Provider page. The idp-cert is the certificate the FortiGate uses to verify the signature on assertions received from the IdP.

  2. Add the SAML user created in step 1 to a user group (group matching may also be configured):

config user group
    edit "saml_sslvpn"
        set member "fac-firewall"
    next
end

  3. Configure SSL VPN:

config vpn ssl settings
    set servercert "self-sign"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "saml_sslvpn"
            set portal "full-access"
        next
    end
end


  4. Configure the SSL VPN portal:

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "web-access"
        set web-mode enable
    next
end


  5. Add the SAML user group to a firewall policy:

config firewall policy
    edit 1
        set name "FAC-SAML"
        set srcintf "ssl.root"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "saml_sslvpn"
        set nat enable
    next
end

  6. Configure the FortiAuthenticator IdP side.
  7. Configure the SAML IdP settings: go to Authentication -> SAML IdP -> General.


  8. Configure SP settings on FortiAuthenticator: go to Authentication -> SAML IdP -> Service Providers and create a new reference for the service provider (the FortiGate) that will be used as the SAML client.


  9. Create a local user and group on the FortiAuthenticator under Authentication -> User Management -> Local User.


 10. Create a user group: Local_Group01.


 11. Test SSL VPN web mode authentication as a remote user. The SAML login page will appear, followed by the FortiAuthenticator login.
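Before testing the login, it helps to check the FortiGate side of this setup for the references that must line up: the group member must name the SAML user, the idp-single-sign-on-url must use the same [SP-name] as idp-entity-id, idp-cert must be set, and the authentication-rule must point at an existing group. The following is an added Python example (not part of the article or of Fortinet's tooling) that parses the CLI blocks above and reports such mismatches; the host names, SP name and the deliberately wrong group member in the sample are constructed.

```python
import shlex

# Constructed sample (not the article's config); member "fac-sslvpn" mismatches user "fac-firewall".
SAMPLE = """config user saml
    edit "fac-firewall"
        set idp-entity-id "http://fac.example.net/saml-idp/fgt-sp/metadata/"
        set idp-single-sign-on-url "https://fac.example.net/saml-idp/fgt-sp/login/"
        set idp-cert "REMOTE_Cert_3"
    next
end
config user group
    edit "saml_sslvpn"
        set member "fac-sslvpn"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "saml_sslvpn"
        next
    end
end"""

def parse_fgt(text):
    """FortiGate CLI -> nested dicts: config/edit open a level, set stores a value list."""
    stack = [{}]
    for tok in (shlex.split(line) for line in text.splitlines()):
        if tok and tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok and tok[0] in ("next", "end"):
            stack.pop()
        elif tok and tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
    return stack[0]

def check_saml_refs(cfg):
    """Return findings: IdP URLs with different [SP-name], missing idp-cert, dangling refs."""
    out, users, groups = [], cfg.get("user saml", {}), cfg.get("user group", {})
    for name, u in users.items():
        sp = u.get("idp-entity-id", [""])[0].split("/saml-idp/")[-1].split("/")[0]
        if f"/saml-idp/{sp}/" not in u.get("idp-single-sign-on-url", [""])[0]:
            out.append(f"{name}: idp-single-sign-on-url does not use SP name {sp!r}")
        if not u.get("idp-cert"):  # without it the FortiGate cannot verify IdP signatures
            out.append(f"{name}: idp-cert not set")
    out += [f"group {g}: member {m!r} is not a configured SAML user"
            for g, body in groups.items() for m in body.get("member", []) if m not in users]
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {}).items()
    out += [f"authentication-rule {rid}: group {g!r} does not exist"
            for rid, r in rules for g in r.get("groups", []) if g not in groups]
    return out
```

Run check_saml_refs(parse_fgt(open("fgt.conf").read())) against a CLI export; an empty list means the chain from SAML user to group to authentication rule is consistent.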


Troubleshooting:

Usage (run on the FortiGate to debug the SSL VPN and SAML daemons):

diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable
