FortiGate
Shreyash_P
Article Id 216020

Description

This article is a step-by-step guide on how to configure and set up SAML SSO login for a Wi-Fi SSID using Azure AD as the IdP.

Scope

FortiGate, FortiOS 7.0.5 and later.

Solution

In FortiOS 7.0.5 and later, a new feature allows SAML authentication for a Wi-Fi SSID to be configured with the FortiGate acting as the wireless controller.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/561062/wireless-authentication-using...

This article focuses on using Azure AD as the IdP. The steps remain the same if any other IdP is used.


Topology:

[topology diagram]

Configure Enterprise Application (SAML SSO) on Azure:

[screenshots of the Azure Enterprise Application creation steps]

Setup Single Sign-On:

[screenshot of the Single sign-on page]

Once done, the SAML-based Sign-on page appears, where the FortiGate SP details have to be entered in the Basic SAML Configuration step:

Identifier (Entity ID): http://<FortiGate internal IP address>:1000/saml/metadata/
Reply URL (Assertion Consumer Service URL): https://<FortiGate internal IP address>:1003/saml/login/
Sign on URL: https://<FortiGate internal IP address>:1003/saml/login/
Relay State: optional
Logout URL: https://<FortiGate internal IP address>:1003/saml/logout/

 

- Download the IdP certificate (Base64) and install it on the FortiGate; it has to be selected in the SAML SP configuration.

- Log in to the FortiGate GUI, go to System -> Certificates -> Import -> Remote Certificate, and upload the downloaded SAML certificate (Base64).

Optional: rename the imported remote certificate to something meaningful (the default name is 'REMOTE_Cert_#', where # is a number).

[screenshot of the imported remote certificate]

- Note the Azure AD Identifier (Entity ID) and the Login/Logout URLs, as they need to be configured on the FortiGate.

[screenshot of the Azure AD SAML values]
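The Entity ID, Login/Logout URLs and signing certificate noted above are all published by Azure AD in its federation metadata XML (standard SAML 2.0 IdP metadata). The following script is an added example, not Fortinet's or Microsoft's code: it extracts those values from the metadata, wraps the certificate in PEM for the Remote Certificate import, and renders the matching 'config user saml' entry using the SP URL layout given in this article. SAMPLE_METADATA is a constructed document; the tenant id and certificate body are placeholders, and the function names are this example's own.

```python
"""Pull the IdP values FortiGate's 'config user saml' needs out of SAML 2.0
IdP metadata (the federation metadata XML that Azure AD publishes).

Added example, not Fortinet's or Microsoft's code. SAMPLE_METADATA is a
constructed, minimal document shaped like Azure AD federation metadata; the
tenant id and the certificate body are placeholders, not real values.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-placeholder0/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVItQ0VSVC1CWVRFUw==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-placeholder0/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-placeholder0/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-placeholder0/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _location(idp, tag):
    """Return the service URL, preferring the HTTP-Redirect binding; Azure AD
    publishes the same Location for both bindings, so either works there."""
    services = idp.findall(tag, NS)
    for svc in services:
        if svc.get("Binding") == REDIRECT:
            return svc.get("Location")
    return services[0].get("Location") if services else None


def parse_idp_metadata(xml_text):
    """Return idp-entity-id, idp-single-sign-on-url, idp-single-logout-url and
    the signing certificate(s) as base64 DER, exactly as found in the XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # skip encryption-only keys
            continue
        text = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if text:
            certs.append("".join(text.split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "idp-entity-id": root.get("entityID"),
        "idp-single-sign-on-url": _location(idp, "md:SingleSignOnService"),
        "idp-single-logout-url": _location(idp, "md:SingleLogoutService"),
        "signing-certs": certs,
    }


def to_pem(cert_b64):
    """Wrap the base64 DER from the metadata in PEM armour (the Base64 form
    imported under System -> Certificates). Malformed base64 raises instead
    of producing a file that fails to import on the FortiGate."""
    base64.b64decode(cert_b64, validate=True)
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def fortigate_saml_cli(name, sp_ip, http_port, https_port, idp, cert_name):
    """Render the 'config user saml' entry from the parsed values, using the
    SP URL layout from the article (auth-http port for the metadata URL,
    auth-https port for login/logout)."""
    lines = [
        'config user saml',
        '    edit "%s"' % name,
        '        set entity-id "http://%s:%d/saml/metadata/"' % (sp_ip, http_port),
        '        set single-sign-on-url "https://%s:%d/saml/login/"' % (sp_ip, https_port),
        '        set single-logout-url "https://%s:%d/saml/logout/"' % (sp_ip, https_port),
        '        set idp-entity-id "%s"' % idp["idp-entity-id"],
        '        set idp-single-sign-on-url "%s"' % idp["idp-single-sign-on-url"],
        '        set idp-single-logout-url "%s"' % idp["idp-single-logout-url"],
        '        set idp-cert "%s"' % cert_name,
        '        set user-name "username"',
        '        set group-name "group"',
        '    next',
        'end',
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    values = parse_idp_metadata(SAMPLE_METADATA)
    print(fortigate_saml_cli("saml-ad", "10.10.90.1", 1000, 1003, values, "REMOTE_Cert_2"))
    print(to_pem(values["signing-certs"][0]))
```

Feed it the real federation metadata downloaded from the Azure SAML signing certificate section and compare the printed values with what was typed into the FortiGate; an entity ID or URL that differs by so much as a trailing slash is the usual cause of an assertion being rejected.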

 

Configure SAML on FortiGate:

By default, FortiGate uses port 1000 (HTTP) and port 1003 (HTTPS) for captive portal authentication.

If different ports are in use, note them. To check the ports configured on the FortiGate, run the following command:

# show full-configuration | grep auth-http
set auth-http-port 1000
set auth-https-port 1003

Use these port numbers in the SAML SP configuration.

 

# config user saml
    edit "saml-ad"
        set entity-id "http://10.10.90.1:1000/saml/metadata/"
        set single-sign-on-url "https://10.10.90.1:1003/saml/login/"
        set single-logout-url "https://10.10.90.1:1003/saml/logout/"
        set idp-entity-id "https://sts.windows.net/abc_can_be_random_string/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/abc_can_be_random_string"
        set idp-single-logout-url "https://login.microsoftonline.com/abc_can_be_random_string"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

 

- The IP 10.10.90.1 is the internal interface IP (the interface of the Wi-Fi SSID).

- 1000 and 1003 are the auth-http and auth-https ports.

- The entity-id, single-sign-on-url and single-logout-url are the SP values configured on the FortiGate. Use the template above and change the IP address accordingly.

- idp-cert is the certificate that was imported from Azure AD.

- The idp-* values are the details noted from step 3 in Azure AD.

- user-name is the name of the Azure AD claim that carries user.displayname.

- group-name is the name of the Azure AD claim that carries user.group.

[screenshot of the Azure AD attributes and claims]

 

- Configure the appropriate user groups under Users and groups of the Azure AD enterprise application.

- If only specific user groups should be able to connect, note the Object ID of each such group; it is used later in the FortiGate configuration.

- Edit the existing group claim to add the name 'group' under Advanced options > All Groups, so that Azure sends all the groups the user is a member of and the FortiGate can control whom to allow.

[screenshot of the group claim configuration]

 

Configure User Group on FortiGate with SAML IdP as Member:

# config user group
    edit "saml_grp"
        set member "saml-ad"
        config match
            edit 1
                set server-name "saml-ad"
                set group-name "<Object ID of the group from Azure>"
            next
        end
    next
end

group-name is the Object ID that was noted from Azure AD for the specific group.

In this example, only one specific group is allowed to authenticate. If all users/groups are allowed to authenticate, omit the config match part.

For example:

# config user group
    edit "saml_grp"
        set member "saml-ad"
    next
end
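The two settings 'user-name' and 'group-name' above tell the FortiGate which attributes of the assertion to read, and 'config match' decides which group values are accepted. The following script is an added example, not Fortinet's code and not the samld daemon: it models only that attribute mapping and group matching on a constructed assertion (SAMPLE_ASSERTION), with placeholder Object IDs. Signature, Issuer, Audience and Conditions validation, which the FortiGate performs before any group matching, is deliberately out of scope here; the function names are this example's own.

```python
"""Model how a SAML assertion's attributes map onto the FortiGate settings
'set user-name', 'set group-name' and 'config match' (group Object ID).

Added example, not Fortinet's code: it reproduces the attribute-matching
rule the article describes, not the samld daemon. Signature, Issuer,
Audience and Conditions checks, which FortiGate performs before any of
this, are out of scope. SAMPLE_ASSERTION is constructed; the group
Object IDs are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_placeholder-id">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-placeholder0/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml, user_attr="username", group_attr="group"):
    """Return (user, groups) using the attribute names configured with
    'set user-name' and 'set group-name'. A missing or ambiguous user
    attribute is treated as a failed login: there is no identity to bind a
    session to. A missing group attribute simply yields an empty list."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    users = attrs.get(user_attr, [])
    if len(users) != 1:
        raise ValueError("expected exactly one %r value, got %d" % (user_attr, len(users)))
    return users[0], attrs.get(group_attr, [])


def user_group_allows(groups, match_group_ids):
    """Apply the 'config user group' semantics from the article: with no
    'config match' entries every user the IdP authenticates is a member;
    with entries, the user is a member only if one of the assertion's group
    values equals a configured group-name (the Azure group Object ID).
    Comparison is exact; Azure Object IDs are lowercase GUIDs."""
    if not match_group_ids:
        return True
    wanted = set(match_group_ids)
    return any(g in wanted for g in groups)


def authorize(assertion_xml, match_group_ids):
    """Combine both steps: returns (user, allowed)."""
    user, groups = extract_attributes(assertion_xml)
    return user, user_group_allows(groups, match_group_ids)


if __name__ == "__main__":
    # Only members of the second placeholder group may join the SSID.
    print(authorize(SAMPLE_ASSERTION, ["22222222-2222-2222-2222-222222222222"]))
    # No match rules: every authenticated user is a member of saml_grp.
    print(authorize(SAMPLE_ASSERTION, []))
```

Because Azure sends every group the user belongs to when the claim is set to All Groups, a user in many groups still matches as long as any one value equals the configured Object ID; conversely, if the claim name in Azure is not exactly 'group', the list comes back empty and every match rule fails, which is the first thing to check when users authenticate at Microsoft but are denied by the FortiGate.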

 

Configure address objects to exempt from the captive portal:

When clients connect to the SSID, they are redirected to a Microsoft login page.

Hence, those destinations must be exempted from the captive portal so that the user can reach the IdP and log in for captive portal authentication.

In most cases, the Azure AD IdP uses login.microsoftonline.com and sts.windows.net for authentication. If Okta, Duo or any similar service is used for 2FA, those destinations need to be exempted as well.

# config firewall address
    edit "sts.windows.net-for-saml"
        set type fqdn
        set fqdn "sts.windows.net"
    next
    edit "login.microsoftonline.com-for saml"
        set type fqdn
        set fqdn "login.microsoftonline.com"
    next
end

 

Configure Firewall Policy to exempt the traffic to the IdP for authentication:

# config firewall policy
    edit <policy ID>
        set name "saml-exempt"
        set srcintf "CFS HQ"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "login.microsoftonline.com-for saml" "sts.windows.net-for-saml"
        set schedule "always"
        set service "ALL"
        set nat enable
        set captive-portal-exempt enable
    next
end

Firewall policy to exempt Duo or any similar service used for 2FA:

# config firewall policy
    edit <policy ID>
        set name "saml-exempt-duo"
        set srcintf "CFS HQ"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Cisco-Duo.Security"
        set schedule "always"
        set nat enable
        set comments ""
        set captive-portal-exempt enable
    next
end

Note: Configure set captive-portal-exempt enable in these firewall policies so that the clients can reach these destinations for authentication. Make this change from the CLI.
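A forgotten exemption is easy to miss in a long policy table, so it is worth checking mechanically before going live. The following script is an added example, not Fortinet's code: it parses the nested config/edit/set/next/end layout of a FortiOS CLI dump and reports any IdP FQDN that no enabled accept policy with 'captive-portal-exempt enable' reaches from the SSID interface. SAMPLE_CONFIG is a constructed snippet modelled on the article's objects; mfa.example-2fa.test is a made-up hostname standing in for an Okta/Duo endpoint, and the function names are this example's own.

```python
"""Check that every IdP destination the captive portal must let through is
covered by an accept policy with 'set captive-portal-exempt enable'.

Added example, not Fortinet's code. SAMPLE_CONFIG is constructed; the
hostname mfa.example-2fa.test is made up and stands in for a 2FA service.
"""
import shlex

KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}

SAMPLE_CONFIG = """\
config firewall address
    edit "sts.windows.net-for-saml"
        set type fqdn
        set fqdn "sts.windows.net"
    next
    edit "login.microsoftonline.com-for saml"
        set type fqdn
        set fqdn "login.microsoftonline.com"
    next
    edit "mfa-provider"
        set type fqdn
        set fqdn "mfa.example-2fa.test"
    next
end
config firewall policy
    edit 10
        set name "saml-exempt"
        set srcintf "CFS HQ"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "login.microsoftonline.com-for saml" "sts.windows.net-for-saml"
        set captive-portal-exempt enable
    next
    edit 11
        set name "CFS SAML"
        set srcintf "CFS HQ"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set groups "saml_grp"
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS CLI dump into nested dicts: table -> entry -> setting,
    each setting holding the list of its values. A leading '# ' prompt, as in
    the article's listings, is stripped; nested 'config' blocks inside an
    'edit' (for example 'config match') become a sub-table of that entry."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            line = line[1:].strip()
        if not line:
            continue
        words = shlex.split(line)          # honours quoted values with spaces
        kw, args = words[0], words[1:]
        if kw not in KEYWORDS:
            continue                       # e.g. config-version banner lines
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        else:                              # next / end
            if len(stack) == 1:
                raise ValueError("unbalanced 'next'/'end'")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def unexempted_idp_destinations(cfg, ssid_intf, idp_fqdns):
    """Return the IdP FQDNs that no enabled accept policy from ssid_intf with
    captive-portal-exempt reaches, by named FQDN object or via dstaddr "all"."""
    fqdn_of = {
        name: entry["fqdn"][0]
        for name, entry in cfg.get("firewall address", {}).items()
        if entry.get("type") == ["fqdn"] and entry.get("fqdn")
    }
    covered = set()
    for policy in cfg.get("firewall policy", {}).values():
        if ssid_intf not in policy.get("srcintf", []):
            continue
        if policy.get("action") != ["accept"] or policy.get("status") == ["disable"]:
            continue
        if policy.get("captive-portal-exempt") != ["enable"]:
            continue
        for name in policy.get("dstaddr", []):
            if name == "all":
                return set()               # everything is reachable pre-login
            if name in fqdn_of:
                covered.add(fqdn_of[name])
    return set(idp_fqdns) - covered


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    needed = {"login.microsoftonline.com", "sts.windows.net", "mfa.example-2fa.test"}
    print("not exempted:", unexempted_idp_destinations(cfg, "CFS HQ", needed))
```

Run against the output of 'show full-configuration' the check reports the 2FA hostname in the sample, because the mfa-provider address object exists but no exempt policy references it. It only covers FQDN address objects and dstaddr "all"; an exemption granted through an Internet Service entry, as in the Duo policy above, has to be verified separately.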

 

Configure SSID on FortiGate:

- Create the SSID that needs to be configured with SSO, assign the interface IP (10.10.90.1 in this case), and set up the DHCP server as required.

- In Security Mode, select Captive Portal, and for Portal Type select Authentication.

- Then select the SAML group (saml_grp in this case) under User Groups.

# config wireless-controller vap
    edit "CFS HQ"
        set ssid "CFS HQ"
        set security captive-portal
        set selected-usergroups "saml_grp"
        set security-exempt-list "CFS HQ-exempt-list"
        set schedule "always"
    next
end

CFS HQ-exempt-list is the destination group comprising the login.microsoftonline.com and sts.windows.net address objects that were created.

This object is created automatically once the address objects are added in the Exempt Destinations/Services part of the GUI.

[screenshots of the SSID captive portal settings]

 

Configure Firewall Policy to allow internet access post-authentication:

# config firewall policy
    edit <policy ID>
        set name "CFS SAML"
        set srcintf "<Wi-Fi SSID interface>"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "saml_grp"
    next
end

Increase the remote authentication timeout:

# config system global
    set remoteauthtimeout 60
end

 

Troubleshooting:

If firewall authentication fails after a successful login to Microsoft, collect the samld debug output:

# diagnose debug application samld -1
# diagnose debug enable