Article Id 193357


This article describes how to set up both FortiAuthenticator (IdP) and FortiGate (SP) for SAML SSO SSL VPN.




FortiClient, FortiGate.


In the example below, FortiAuthenticator is configured as the IdP, which authenticates the user login, and FortiGate as the SP.

To configure FortiAuthenticator as the IdP:
1) In FortiAuthenticator, go to Authentication -> SAML IdP -> Service Providers.
2) Select 'Create New'.
3) Configure as desired, then select 'OK'.
4) To add a local user, go to Authentication -> User Management -> Local User, then select 'Create New'. Configure the local user as desired.
5) To add a local user, go to SAML IdP -> General.

To configure FortiGate as the SP:

1) Upload the FAC certificate as a 'remote certificate' on FortiGate.
2) Set up SAML as below:
FGT-Chetu (facsmal) # show
config user saml
    edit "facsmal"
        set cert "Fortinet_Factory"
        set entity-id ""
        set single-sign-on-url ""
        set single-logout-url ""
        set idp-entity-id ""
        set idp-single-sign-on-url ""
        set idp-single-logout-url ""
        set idp-cert "REMOTE_Cert_2"
        set user-name "Username"
        set group-name "Groups"
        set digest-method sha1
    next
end
3) Configure the user group and add the SAML server created above (facsmal in this example) as a member.
4) Configure the SSL VPN and add the group to the respective SSL VPN portal.
5) Set up a policy on the FortiGate from the SSL tunnel interface (ssl.root for example) to whatever destination users should be able to access via the SSLVPN tunnel. Add the above created group as source.
- If no SSLVPN policy is configured, SSLVPN will not work at all. FortiGate will provide a warning on the SSL VPN Settings page if no policy is created.
- If the SAML user group is not included in an SSLVPN policy, FortiGate will not be able to redirect login attempts to the SAML IdP. Only groups/users that are referenced in SSLVPN policies are considered for SSLVPN authentication.
- If there is no group other than the SAML group in the authentication portal, the authentication window will not appear and the user will be automatically redirected to the SAML provider page.
6) Now, connect FortiClient, select the 'Enable SSO for VPN tunnel' option, and save.
Once saved, the SAML login icon will be visible.
Select it and log in.
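
The conditions listed under step 5 can be checked offline against a saved FortiGate configuration. The Python below is an added example, not part of the original article or any Fortinet tooling: it flags a SAML server whose IdP fields are unset, whose digest method is SHA-1, or whose user group is not referenced by any policy sourced from the SSL VPN tunnel interface. The sample configuration, the group name saml-vpn and the function names are constructed for illustration.

```python
import shlex

# Constructed sample of a FortiGate 'show' dump; group name and interfaces are placeholders.
SAMPLE = """config user saml
    edit "facsmal"
        set idp-single-sign-on-url ""
        set idp-cert "REMOTE_Cert_2"
        set digest-method sha1
    next
end
config user group
    edit "saml-vpn"
        set member "facsmal"
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set groups "saml-vpn"
    next
end"""
REQUIRED = ("idp-entity-id", "idp-single-sign-on-url", "idp-cert")

def parse(text):
    """Map each top-level config table to {edit name: {setting: [values]}}."""
    tables, path, entry = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            # A new top-level table clears the current entry; nested tables keep it.
            path, entry = path + [" ".join(tok[1:])], entry if path else None
        elif tok[0] == "end" and path:
            path.pop()
        elif len(path) == 1 and tok[0] == "edit":
            entry = tables.setdefault(path[0], {}).setdefault(tok[1], {})
        elif len(path) == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def audit(text, tunnel_if="ssl.root"):
    """Return findings per SAML server: unset fields, SHA-1 digest, missing policy."""
    t, out = parse(text), []
    for name, saml in t.get("user saml", {}).items():
        out += [f"{name}: {k} is not set" for k in REQUIRED if not "".join(saml.get(k, []))]
        if saml.get("digest-method") == ["sha1"]:
            out.append(f"{name}: digest-method is sha1")
        groups = {g for g, v in t.get("user group", {}).items() if name in v.get("member", [])}
        if not any(tunnel_if in p.get("srcintf", []) and groups & set(p.get("groups", []))
                   for p in t.get("firewall policy", {}).values()):
            out.append(f"{name}: no {tunnel_if} policy references its group")
    return out
```

Running audit(SAMPLE) reports the unset IdP fields, the SHA-1 digest and the missing ssl.root policy; settings inside nested config blocks are ignored by this parser.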