Description
This article explains that a single SAML user cannot be imported into FortiGate (with the FortiGate configured as SP) the way a RADIUS or LDAP user can.
Consequently, policies cannot be assigned to individual SAML users; instead, the group name that the IdP sends in its SAML response is matched on the FortiGate, as shown below.
Scope
FortiGate.
Solution
The IdP replies with all the attributes configured in its SAML login response, including the user name and the group name(s) configured on the IdP.
The FortiGate has to be configured to parse that same attribute and match the same group name.
Example:
In the below configuration, FortiGate is SP and OKTA is IDP.
Okta's User & Group Configuration (screenshot not reproduced).
Go to Admin Console -> Directory -> Groups.
Attribute Shared by Okta (screenshot not reproduced): the attribute statement that sends the user name and the group name, here named "Username" and "Groups".
FortiGate SAML Configuration.
Setup SAML.
config user saml
edit "ssl-okta-saml"
set cert "Fortinet_Factory"
set entity-id "https://10.5.22.142:10443/remote/saml/metadata"
set single-sign-on-url "https://10.5.22.142:10443/remote/saml/login"
set single-logout-url "https://10.5.22.142:10443/remote/saml/logout"
set idp-entity-id "http://www.okta.com/exks2hhgncBmroVhK4x6"
set idp-single-sign-on-url "https://dev-586321.okta.com/app/fortinettechnologiesdev586321_sslsamltest_1/exks2hhgncBmroVhK4x6/sso..."
set idp-single-logout-url "https://dev-586321.okta.com/app/fortinettechnologiesdev586321_sslsamltest_1/exks2hhgncBmroVhK4x6/slo..."
set idp-cert "REMOTE_Cert_1"
set user-name "Username"
set group-name "Groups"
next
end
Setup User Group.
config user group
    edit "SAML-1"
        set member "ssl-okta-saml"
        config match
            edit 1
                set server-name "ssl-okta-saml"
                set group-name "SSL-SAML" <----- This matches the Okta (IdP) group name.
            next
        end
    next
end
Note: Firewall policies and the SSL VPN settings (portal mapping) can then reference the configured user group name "SAML-1".
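To make the matching rule concrete, the following is an added example written for this article (not FortiGate code or an Okta artifact). It models the FortiGate side with the CLI values above: the attribute named by `set user-name` yields the login name, the attribute named by `set group-name` yields the IdP group values, and a `config match` entry matches only when its server-name is this SAML server and its group-name equals one of those values. The assertion fragment is constructed to mirror the debug output below, and the exact, case-sensitive string comparison is an assumption of this model, not a documented FortiOS guarantee:

```python
"""Model of how a FortiGate SP maps SAML attributes onto local user groups.
Added example; it is not FortiGate or Okta code."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement an IdP such as Okta returns for the
# user in this article. The assertion's signature is assumed to have already
# been verified against idp-cert; this model only looks at the attributes.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Username">
      <saml:AttributeValue>patras@fortinet.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>SSL-SAML</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# FortiGate side, transcribed from the CLI in this article.
SAML_SERVER = {"name": "ssl-okta-saml", "user-name": "Username", "group-name": "Groups"}
USER_GROUPS = {
    # user group name -> list of `config match` entries
    "SAML-1": [{"server-name": "ssl-okta-saml", "group-name": "SSL-SAML"}],
}


def saml_attributes(assertion_xml):
    """Return {attribute Name: [values]} for every Attribute in the assertion.
    A multi-valued attribute (Groups) becomes a list, as in the samld debug output."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def resolve_user_groups(assertion_xml, server=SAML_SERVER, user_groups=USER_GROUPS):
    """Return (username, [matched FortiGate user groups]).

    The username comes from the attribute named by `set user-name`, the IdP
    groups from the attribute named by `set group-name`. A `config match`
    entry matches only when its server-name is this server and its group-name
    equals one of the IdP group values (exact, case-sensitive compare in this
    model; an assumption, not a documented FortiOS guarantee)."""
    attrs = saml_attributes(assertion_xml)
    usernames = attrs.get(server["user-name"], [])
    if len(usernames) != 1:
        # Missing or ambiguous username attribute: no login is possible.
        return None, []
    idp_groups = set(attrs.get(server["group-name"], []))
    matched = []
    for group_name, entries in user_groups.items():
        for entry in entries:
            if entry["server-name"] == server["name"] and entry["group-name"] in idp_groups:
                matched.append(group_name)
                break
    return usernames[0], matched


if __name__ == "__main__":
    user, groups = resolve_user_groups(ASSERTION)
    print(f"user={user} groups={groups}")  # user=patras@fortinet.com groups=['SAML-1']
    # Same assertion, but the match entry's case differs from the IdP value: no group.
    wrong_case = {"SAML-1": [{"server-name": "ssl-okta-saml", "group-name": "ssl-saml"}]}
    print(resolve_user_groups(ASSERTION, user_groups=wrong_case))
    # Attribute name on the FortiGate does not equal the name the IdP sends: no user.
    wrong_attr = dict(SAML_SERVER, **{"user-name": "username"})
    print(resolve_user_groups(ASSERTION, server=wrong_attr))
```

The two failure cases at the end are the ones seen most often in practice: the `set group-name` / `set user-name` values must be spelled exactly as the IdP's attribute statement names them, and the `config match` group-name must be spelled exactly as the IdP's group value appears in the debug output. "Everyone" is sent too but matches no entry, so membership in that Okta group alone grants nothing.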
SAML & SSL VPN debug output (collected with 'diagnose debug application samld -1', 'diagnose debug application sslvpn -1' and 'diagnose debug enable'):
samld_send_common_reply [123]: Attr: 17, 27, magic=c2ecacb51a5448ef
samld_send_common_reply [120]: Attr: 10, 33, 'Username' 'patras@fortinet.com' <----- User name.
samld_send_common_reply [120]: Attr: 10, 20, 'Groups' 'Everyone'
samld_send_common_reply [120]: Attr: 10, 20, 'Groups' 'SSL-SAML' <----- Group Name.
samld_send_common_reply [123]: Attr: 11, 1138, https://xxx.com
[13196:root:e0]stmt: Username
[13196:root:e0]fsv_saml_login_response:429 Got saml username: patras@fortinet.com.
[13196:root:e0]stmt: Groups
[13196:root:e0]fsv_saml_login_response:436 Got group username: Everyone.
[13196:root:e0]stmt: Groups
[13196:root:e0]fsv_saml_login_response:436 Got group username: SSL-SAML.
[13196:root:e0]fsv_saml_auth_group:259 find a remote match group: SSL-SAML, portal: full-access, group: SAML-1.
[13196:root:e0]fsv_saml_auth_group:280 saml client cert: 0.
[13196:root:e0]fsv_saml_auth_group:286 add saml group info name.
[13196:root:e0]rmt_web_session_create:827 create web session, idx[0]
[13196:root:e0]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
[13196:root:e0]deconstruct_session_id:426 decode session id ok, user=[patras@fortinet.com],group=[SAML-1],authserver=[],portal=[full-access],host=[172.26.137.30],realm=[],idx=0,auth=256,sid=21af6b6c,login=1598592111,access=1598592111,saml_logout_url=no
FGT-1 # get vpn ssl monitor
SSL VPN Login Users:
 Index   User                  Group    Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       patras@fortinet.com   SAML-1   256(1)      190       172.26.137.30   0/0           0/0
The same configuration can be followed for every other supported SAML IdP, such as Azure or ADFS; only the attribute names (user-name and group-name) and the group value sent by the IdP differ.
Related articles:
Technical Tip: How to fix crashing SAML daemon
Technical Tip: How to read SAML Debug output
Technical Tip: A basic explanation of SAML authentication
Technical Tip: Configuring SAML SSO login for FortiGate Admin Web GUI Access with JumpCloud acting a...
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Okta acting as SAML IdP
Technical Tip: Set up SAML admin LDAP login on FortiGate (SP) with FortiAuthenticator (IDP)
Technical Tip: Configuring FortiGate SSO Administrators with ADFS as SAML IdP
Technical Tip: Using single Azure Enterprise Application for multiple SAML Service Providers (SPs) f...
Troubleshooting Tip: Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1
Technical Tip: Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP
Copyright 2025 Fortinet, Inc. All Rights Reserved.