CarlosColombini
Article Id 281693
Description

This article describes the configuration steps to allow Single Sign-On for FortiGate Administrators using ADFS as the SAML IdP.

Scope

FortiGate v6.2.3 and later.

Solution

SAML is widely used as an authentication method for SSL VPN on FortiGate, and it can also be leveraged to provide Administrators with Single Sign-On.

This article focuses on the configuration steps on FortiGate and Microsoft ADFS.

 

  1. Download the ADFS Token Signing Certificate by navigating to ADFS -> Service -> Certificates. Right-click on the Token-signing certificate and select 'View Certificate...'.

adfs0.png

  2. From the 'Details' tab, select 'Copy to File...' and follow the prompts to export the certificate that will be imported to FortiGate.

adfs-2.png

 

  3. Import the ADFS certificate to FortiGate. Make sure this is performed in the Global VDOM if multi-VDOM mode is enabled.

adfs-3.png

  4. Navigate to System -> Settings and select 'Security Fabric Settings', then 'Single Sign-On Settings'.

adfs4.png

  5. Make a note of the 'Federation Service Name' and 'Federation Service Identifier' that may be used in steps 13 and 14.

adfs5.png

 

Note.

The Federation Service Name will be the domain of the IdP login and logout URLs configured in FortiGate.

  6. Filling out the 'SP address' field will automatically populate the SP URLs. Those can be viewed by expanding 'SP Details'.

adfs6.png

Note.

The IdP single logout URL has the following string appended to the domain: '/adfs/ls/?wa=wsignout1.0'.

 

Configuration from CLI:

config system saml
    set status enable
    set default-profile "super_admin"
    set cert "fgt1_admin_sso"
    set binding-protocol post
    set idp-entity-id "http://adfs.colombas.lab/adfs/services/trust"
    set idp-single-sign-on-url "https://dc1.colombas.lab/adfs/ls/"
    set idp-single-logout-url "https://dc1.colombas.lab/adfs/ls/?wa=wsignout1.0"
    set idp-cert "G_REMOTE_Cert_2"
    set server-address "fgt1-admin.colombas.lab:4444"
end

 

  7. In ADFS Management, expand 'Trust Relationships', right-click on 'Relying Party Trusts' and select 'Add Relying Party Trust...'.

adfs7.png

  8. Select Start and 'Enter data about the relying party manually'.

adfs8.png

  9. Alternatively, the command 'diagnose sys saml metadata' can be used to retrieve the SAML metadata. Copy only the content between the lines ************ SP Metadata ************ and ************ IDP Metadata ************, and save it to a file in XML format.

Select 'Import data about the relying party from a file' and click on 'Browse...'.

adfs9.png
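Step 9 asks for the SP block to be copied out of the console by hand. The script below is an added example, not part of the original article or a Fortinet tool: it performs that extraction on a constructed sample of the command output, verifies that the copied block is well-formed XML (a stray prompt line in the copy is the usual reason the ADFS import fails), and reports the entity ID, ACS URL and SLS URL that the later ADFS steps paste in. The sample's URL paths and certificate body are assumed; only the hostnames come from the article's lab.

```python
import xml.etree.ElementTree as ET

SP_MARK = "************ SP Metadata ************"
IDP_MARK = "************ IDP Metadata ************"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample of what 'diagnose sys saml metadata' prints (not a real capture).
# Hostnames follow the article's lab; the URL paths and certificate body are assumed.
SAMPLE_OUTPUT = """\
************ SP Metadata ************
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://fgt1-admin.colombas.lab:4444/metadata/">
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fgt1-admin.colombas.lab:4444/saml/?sls"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fgt1-admin.colombas.lab:4444/saml/?acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
************ IDP Metadata ************
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.colombas.lab/adfs/services/trust"/>
"""

def extract_sp_metadata(output: str) -> str:
    """Keep only the SP block between the two marker lines, as step 9 instructs."""
    start = output.index(SP_MARK) + len(SP_MARK)      # ValueError if the markers are missing
    end = output.index(IDP_MARK, start)
    return output[start:end].strip()

def summarize_sp_metadata(xml_text: str) -> dict:
    """Parse the copied block and return the values the ADFS wizard needs.
    ET.fromstring raises ParseError if prompt text or a stray line was copied along."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor: " + root.tag)
    sp = root.find(MD + "SPSSODescriptor")
    acs = sp.find(MD + "AssertionConsumerService")
    sls = sp.find(MD + "SingleLogoutService")
    return {
        "entity_id": root.get("entityID"),                        # Relying party identifier (step 14)
        "acs_url": acs.get("Location"),                            # SAML 2.0 WebSSO endpoint (step 13)
        "acs_binding": acs.get("Binding").rsplit(":", 1)[-1],      # should match 'set binding-protocol'
        "sls_url": None if sls is None else sls.get("Location"),  # SAML Logout endpoint (step 26)
        "has_signing_cert": sp.find(MD + "KeyDescriptor[@use='signing']") is not None,
    }

if __name__ == "__main__":
    sp_xml = extract_sp_metadata(SAMPLE_OUTPUT)
    with open("fgt-sp-metadata.xml", "w", encoding="utf-8") as fh:
        fh.write(sp_xml)                                           # the file to import in the wizard
```

Run it against the real console output instead of SAMPLE_OUTPUT; if has_signing_cert is False, the certificate must be uploaded manually as in step 25.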

 

  10. Specify a name for this Relying Party and select 'Next'.

adfs10.png

  11. If the SAML Metadata file was used, skip to step 15; otherwise continue from here and make sure to follow steps 24 and 25. Select 'AD FS Profile'.

adfs100.png

 

  12. Select 'Browse...' and navigate to the certificate file downloaded from FortiGate in step 6.

adfs101.png

  13. Select 'Enable support for the SAML 2.0 Web SSO protocol' and paste the SP ACS URL from step 6.

adfs102.png

  14. Paste the SP Entity ID URL from step 6 and select 'Add'.

adfs103.png

 

  15. Optionally, MFA can be configured at this step.

adfs11.png

  16. FortiGate does not support group attributes in SAML Assertions for Administrators. Keep this setting for now and fine-tune it in steps 22 and 23 if needed.

adfs12.png

 

  17. Review the settings from each tab and select 'Next'.

adfs13.png

Note.

When using the SAML Metadata file, the Identifiers, Encryption, Signature, and Endpoints tabs are already configured.

  18. Select 'Close' to edit the 'Claim Rules'.

adfs14.png

 

  19. In the 'Issuance Transform Rules' tab, select 'Add Rule...'.

adfs15.png

  20. Keep the default option 'Send LDAP Attributes as Claims' and select 'Next'.

adfs16.png

  21. Specify a name for the rule, select 'Active Directory' for the Attribute store, and define the attributes as shown in the screenshot below.

adfs17.png

  22. If needed, specific AD groups can be selected to limit access to FortiGate via ADFS. Delete the rule created by the Wizard.

adfs18.png

  23. Create a new 'Issuance Authorization Rule' based on an unqualified group name.

adfs19.png

 

  24. FortiGate only supports SHA1 as the Signature Algorithm for the SAML Assertions, and ADFS enforces SHA256 by default. Select the Relying Party and select 'Properties'. Navigate to the 'Advanced' tab and select SHA1 from the dropdown menu.

adfs20.png

  25. If the SAML Metadata file was not used in step 9, upload the FortiGate certificate downloaded in step 6 and follow step 26. Select the Relying Party and select 'Properties'. Navigate to the 'Signature' tab and select 'Add...' to browse to the certificate file.

adfs104.png

  26. Select the Relying Party and select 'Properties'. Navigate to the 'Endpoints' tab and select 'Add SAML...'. Select 'SAML Logout' for Endpoint type, 'POST' or 'Redirect' for Binding, and paste the 'SP SLS URL' from step 6 into 'Trusted URL'.

adfs105.png