Created on 06-27-2022 09:01 AM Edited on 06-28-2022 10:27 AM By Anonymous
Description
This article is a step-by-step guide on how to configure and set up SAML SSO login for a Wi-Fi SSID using Azure AD as the IdP.
Scope
FortiGate, FOS 7.0.5 and later.
Solution
In FortiOS 7.0.5 and later, a new feature allows SAML authentication to be configured for a Wi-Fi SSID with the FortiGate acting as the wireless controller.
This article focuses on using Azure AD as the IdP. The steps remain the same if any other IdP is used.
Topology:
Configure Enterprise Application (SAML SSO) on Azure:
Set up Single Sign-On:
Once done, the SAML-Based Sign-On page appears; enter the FortiGate SP details in the Basic SAML Configuration step.
Identifier (Entity ID): http://<FortiGate internal IP address>:1000/saml/metadata/
Reply URL (Assertion consumer Service URL): https://<FortiGate internal IP address>:1003/saml/login/
Sign on URL: https://<FortiGate internal IP address>:1003/saml/login/
Relay State: Optional
Logout URL: https://<FortiGate internal IP address>:1003/saml/logout/
- Download the IdP certificate (Base64) and install it on the FortiGate; it is selected later in the SAML SP configuration.
- Log in to the FortiGate WebUI, go to System -> Certificates -> Import -> Remote Certificate, and upload the downloaded SAML certificate (Base64).
Optional: rename the imported remote certificate to something meaningful (the default imported name is 'REMOTE_Cert_#', where # is a number [1-9]).
- Note the Azure AD Identifier (Entity ID) and the Login/Logout URLs, as they need to be configured on the FortiGate.
Configure SAML on FortiGate:
By default, FortiGate uses port 1000 (HTTP) and port 1003 (HTTPS) for captive portal authentication.
If different ports are in use, note their numbers. To get the ports configured on the FortiGate, use the following command:
# sh full-configuration | grep auth-http
set auth-http-port 1000
set auth-https-port 1003
Use these port numbers for SAML SP configuration.
# config user saml
    edit "saml-ad"
        set entity-id "http://10.10.90.1:1000/saml/metadata/"
        set single-sign-on-url "https://10.10.90.1:1003/saml/login/"
        set single-logout-url "https://10.10.90.1:1003/saml/logout/"
        set idp-entity-id "https://sts.windows.net/abc_can_be_random_string/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/abc_can_be_random_string"
        set idp-single-logout-url "https://login.microsoftonline.com/abc_can_be_random_string"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
- The IP 10.10.90.1 is the internal interface IP (the interface of the Wi-Fi SSID).
- 1000 and 1003 are the auth-http and auth-https ports.
- The entity-id, single-sign-on-url and single-logout-url are the SP values configured on the FortiGate. Use the template above and change the IP address accordingly.
- idp-cert is the certificate that was imported from Azure AD.
- The idp details are the values noted from Step 3 in Azure AD.
- user-name is the name of the SAML attribute that carries user.displayname from Azure AD.
- group-name is the name of the SAML attribute that carries user.group from Azure AD.
- Configure the appropriate user groups under Users and Groups of the Azure AD enterprise application.
- If only specific user groups should be able to connect, note the Object ID of each such group; it is used later in the FortiGate configuration.
- Edit the existing Group claim to add the Name 'group' under Advanced options > All Groups, so that Azure sends all the groups the user belongs to and access can be controlled from the FortiGate.
Configure User Group on FortiGate with SAML IdP as Member:
# config user group
    edit "saml_grp"
        set member "saml-ad"
        config match
            edit 1
                set server-name "saml-ad"
                set group-name "<object ID of the group from Azure>"
            next
        end
    next
end
group-name is the Object ID that was noted from Azure AD for the specific group.
In this example, only one specific group is allowed to authenticate. If all users/groups should be able to authenticate, omit the config match part.
For Example:
# config user group
    edit "saml_grp"
        set member "saml-ad"
    next
end
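The following is an added example, not Fortinet's code, showing how the attribute names from 'set user-name' / 'set group-name' and the Object ID in 'config match' act on an Azure AD assertion. It parses a constructed SAML assertion (signature element omitted; the assertion is assumed to have already been signature-checked by the SP) with the standard library, reads the 'username' and 'group' attributes, and applies the two group variants above: saml_grp with a match entry and a second, hypothetical saml_grp_all without one. The Object IDs, the user and the function names are assumptions for this illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mirrors 'config user saml': which assertion attributes carry the user and the groups.
SP_CONFIG = {"user-name": "username", "group-name": "group"}

# Constructed placeholder Object IDs, not values from any real tenant.
WIFI_GROUP_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"
OTHER_GROUP_OBJECT_ID = "00000000-0000-0000-0000-00000000bbbb"

# Mirrors 'config user group': 'match' holds (server-name, group-name) entries.
USER_GROUPS = {
    "saml_grp": {"member": "saml-ad", "match": [("saml-ad", WIFI_GROUP_OBJECT_ID)]},
    "saml_grp_all": {"member": "saml-ad", "match": []},   # no 'config match' block
}

# Constructed Azure AD-style assertion; the Signature element is left out.
ASSERTION_XML = f"""\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>{WIFI_GROUP_OBJECT_ID}</saml:AttributeValue>
      <saml:AttributeValue>{OTHER_GROUP_OBJECT_ID}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def saml_identity(attrs, sp_config=SP_CONFIG):
    """Pick the user name and group list using the attribute names configured on the SP."""
    user = attrs.get(sp_config["user-name"], [None])[0]
    groups = attrs.get(sp_config["group-name"], [])
    return user, groups


def is_member(fortigate_group, server_name, groups, user_groups=USER_GROUPS):
    """'config match' semantics: with no match entries, any user authenticated by the
    member server belongs to the group; otherwise one of the IdP group values must
    equal the Object ID configured for that server."""
    g = user_groups[fortigate_group]
    if g["member"] != server_name:
        return False
    if not g["match"]:
        return True
    return any(srv == server_name and oid in groups for srv, oid in g["match"])


if __name__ == "__main__":
    user, groups = saml_identity(extract_attributes(ASSERTION_XML))
    print(f"user={user!r} groups={groups}")
    for name in USER_GROUPS:
        print(f"{name}: {'allowed' if is_member(name, 'saml-ad', groups) else 'denied'}")
```

A user whose assertion lists only OTHER_GROUP_OBJECT_ID is denied by saml_grp but still allowed by saml_grp_all, which is exactly the difference between the two FortiGate group definitions above.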
Configure Address Objects to Exempt from the Captive Portal:
When clients connect to the SSID, they are redirected to a Microsoft login page.
Those destinations must therefore be exempted from the captive portal so that the user can reach the IdP and log in.
In the majority of cases, Azure AD login uses login.microsoftonline.com and sts.windows.net. If Okta, Duo or a similar service is used for 2FA, those destinations need to be exempted as well.
# config firewall address
    edit "sts.windows.net-for-saml"
        set type fqdn
        set fqdn "sts.windows.net"
    next
    edit "login.microsoftonline.com-for saml"
        set type fqdn
        set fqdn "login.microsoftonline.com"
    next
end
Configure a Firewall Policy to exempt the traffic to the IdP for authentication:
# config firewall policy
    edit <policy ID>
        set name "saml-exempt"
        set srcintf "CFS HQ"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "login.microsoftonline.com-for saml" "sts.windows.net-for-saml"
        set schedule "always"
        set service "ALL"
        set nat enable
        set captive-portal-exempt enable
    next
end
Firewall policy to exempt Duo or any similar service used for 2FA:
# config firewall policy
    edit <policy ID>
        set name "saml-exempt-duo"
        set srcintf "CFS HQ"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Cisco-Duo.Security"
        set schedule "always"
        set nat enable
        set comments ""
        set captive-portal-exempt enable
    next
end
Note: Configure 'set captive-portal-exempt enable' in these firewall policies so that clients can reach these destinations for authentication before they are logged in. Make this change from the CLI.
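The two easiest things to get wrong in this setup are the SP URLs (scheme, port and path must match the captive-portal ports from 'config system global') and the captive-portal exemption (every IdP host must sit in an FQDN address object referenced by an accept policy with captive-portal-exempt enabled). The following added example, which is not Fortinet's code, is a small linter for both: it parses a FortiOS-style configuration excerpt into nested dictionaries and reports mismatches. The parser, the check functions and the sample configuration are assumptions for this illustration; TENANT-ID-PLACEHOLDER stands in for the tenant-specific part of the Azure URLs, and the sample deliberately contains two mistakes so that the checks have something to find.

```python
import shlex
from urllib.parse import urlparse


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into {table: {entry: {key: [values]}}}.
    Settings outside any 'edit' (e.g. config system global) land under entry ''.
    A leading '# ' CLI prompt, as in the excerpts above, is ignored."""
    tables, stack = {}, []                  # stack of (table_path, current_entry)
    for raw in text.splitlines():
        tok = shlex.split(raw.strip().lstrip("# "))
        if not tok:
            continue
        if tok[0] == "config":
            path = " ".join(tok[1:])
            if stack:                       # nested table such as 'config match'
                path = f"{stack[-1][0]}/{stack[-1][1]}/{path}"
            tables.setdefault(path, {})
            stack.append((path, ""))
        elif tok[0] == "edit":
            stack[-1] = (stack[-1][0], tok[1])
            tables[stack[-1][0]].setdefault(tok[1], {})
        elif tok[0] == "set":
            path, entry = stack[-1]
            tables[path].setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] == "next":
            stack[-1] = (stack[-1][0], "")
        elif tok[0] == "end":
            stack.pop()
    return tables


def check_sp_urls(cfg, sp_name):
    """Check 1: SP URLs must use the captive-portal ports with the right scheme and path."""
    glob = cfg.get("system global", {}).get("", {})
    http_port = glob.get("auth-http-port", ["1000"])[0]      # FortiOS defaults
    https_port = glob.get("auth-https-port", ["1003"])[0]
    sp = cfg["user saml"][sp_name]
    expected = {"entity-id": ("http", http_port, "/saml/metadata/"),
                "single-sign-on-url": ("https", https_port, "/saml/login/"),
                "single-logout-url": ("https", https_port, "/saml/logout/")}
    findings, hosts = [], set()
    for key, (scheme, port, path) in expected.items():
        u = urlparse(sp[key][0])
        hosts.add(u.hostname)
        if u.scheme != scheme or str(u.port) != port or u.path != path:
            findings.append(f"{key}: expected {scheme}://<ssid-ip>:{port}{path}, got {sp[key][0]}")
    if len(hosts) != 1:
        findings.append(f"SP URLs point at different hosts: {sorted(hosts)}")
    return findings


def check_idp_exempt(cfg, sp_name):
    """Check 2: return the IdP hosts that no accept policy with captive-portal-exempt
    enabled allows via an FQDN address object (clients could not reach them to log in)."""
    sp = cfg["user saml"][sp_name]
    idp_hosts = {urlparse(sp[k][0]).hostname
                 for k in ("idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url")}
    fqdn_of = {name: e["fqdn"][0] for name, e in cfg.get("firewall address", {}).items()
               if e.get("type", [""])[0] == "fqdn"}
    exempt = set()
    for pol in cfg.get("firewall policy", {}).values():
        if pol.get("action", [""])[0] == "accept" and pol.get("captive-portal-exempt", [""])[0] == "enable":
            exempt.update(fqdn_of[a] for a in pol.get("dstaddr", []) if a in fqdn_of)
    return sorted(idp_hosts - exempt)


# Constructed excerpt with two deliberate mistakes: the SLO URL uses http instead of
# https, and sts.windows.net has no address object in any captive-portal-exempt policy.
SAMPLE_CONFIG = """\
config system global
    set auth-http-port 1000
    set auth-https-port 1003
end
config user saml
    edit "saml-ad"
        set entity-id "http://10.10.90.1:1000/saml/metadata/"
        set single-sign-on-url "https://10.10.90.1:1003/saml/login/"
        set single-logout-url "http://10.10.90.1:1003/saml/logout/"
        set idp-entity-id "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER"
        set idp-single-logout-url "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER"
    next
end
config firewall address
    edit "login.microsoftonline.com-for saml"
        set type fqdn
        set fqdn "login.microsoftonline.com"
    next
end
config firewall policy
    edit 10
        set name "saml-exempt"
        set action accept
        set dstaddr "login.microsoftonline.com-for saml"
        set captive-portal-exempt enable
    next
end
"""

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for finding in check_sp_urls(cfg, "saml-ad"):
        print("SP URL problem:", finding)
    for host in check_idp_exempt(cfg, "saml-ad"):
        print("IdP host not exempted from the captive portal:", host)
```

To run it against a real unit, paste the output of 'show full-configuration' for the four tables into SAMPLE_CONFIG (or read it from a file); the parser also accepts the '# '-prefixed lines exactly as they appear in the excerpts above.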
Configure SSID on FortiGate:
- Create the SSID that needs SSO, assign the interface IP (10.10.90.1 in this case), and set up the DHCP server as required.
- Under Security Mode, select Captive Portal and the Portal Type Authentication.
- Then select the SAML group (saml_grp in this case) under User Groups.
# config wireless-controller vap
    edit "CFS HQ"
        set ssid "CFS HQ"
        set security captive-portal
        set selected-usergroups "saml_grp"
        set security-exempt-list "CFS HQ-exempt-list"
        set schedule "always"
    next
end
CFS HQ-exempt-list is the destination group comprising the login.microsoftonline.com and sts.windows.net address objects created earlier.
This object is created automatically once the address objects are added under Exempt Destinations/Services in the GUI.
Configure a Firewall Policy to allow internet access post-authentication:
# config firewall policy
    edit <policy ID>
        set name "CFS SAML"
        set srcintf "<Wi-Fi SSID interface>"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "saml_grp"
    next
end
Increase the remote authentication timeout:
# config system global
    set remoteauthtimeout 60
end
Troubleshooting:
If firewall authentication fails after a successful login to Microsoft, collect the samld debug output:
# di de app samld -1
# di de en
Copyright 2024 Fortinet, Inc. All Rights Reserved.