auppal
Staff
Article Id 340082
Description

This article describes how to configure SAML SSO login for a Wi-Fi SSID over a captive portal, using FortiAuthenticator as the IdP.

Scope

FortiAuthenticator.

Solution

Configuration on the FortiAuthenticator:

  1. Configure local users on the FortiAuthenticator by navigating to Authentication -> User Management -> Local User and selecting 'Create New'.

Note:

Remote users can also be used in this configuration.

To create users on FortiAuthenticator, refer to: Configuring local user on FortiAuthenticator

  2. Configure FortiAuthenticator as a SAML IdP. Refer to: General

For this example, the following configuration is used. Navigate to Authentication -> SAML IdP -> General and enable SAML Identity Provider Portal:

  • Enter the IP or domain name of the FortiAuthenticator in the Server Address.
  • Select the realm as per the configuration.
  • Select the IdP certificate.

  3. Configure the Service Provider (SP) information. Refer to: Service providers

Navigate to Authentication -> SAML IdP -> Service Providers and select 'Create New'.

  • Add the name of the SP.
  • Create a new IdP prefix by using the '+' icon and selecting 'OK'.
  • After creating the IdP prefix, the IdP details become visible; save them in a notepad for later use.

  • Configure the assertion attributes.

  • Save the configuration.
  • After saving the configuration, an option to add the SP details under SP Metadata becomes available:

This information is available from the SP, which in this case is the FortiGate on which the SSID is configured.

Note:

Get this information from Step 3 of 'Configuration on the FortiGate'.

  4. Download the IdP certificate selected in Step 2 by navigating to Certificate Management -> End Entities -> Local Services, selecting the certificate and selecting Export.

Configuration on the FortiGate:

  1. Import the IdP certificate downloaded in Step 4 of 'Configuration on the FortiAuthenticator' by navigating to System -> Certificates -> Create/Import -> Remote Certificate.

  2. Configure a Tunnel mode SSID on the FortiGate and enable DHCP on the SSID interface.

  3. Configure the FortiGate as the SP.

The default captive portal ports for HTTP and HTTPS are 1000 and 1003 respectively, as used above. If the default ports need to be changed, refer to the article: Technical Tip: Change the captive portal port
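The SP definition behind this step, written out as FortiOS CLI so that each value can be checked against the IdP details saved from the FortiAuthenticator. This is an added example, not the article's own configuration: <FGT-IP>, <IDP-PREFIX>, the certificate names and the exact URL paths are placeholders or assumptions and must be replaced with the values your own FortiGate and FortiAuthenticator display.

```fortios
config user saml
    edit "SAML-FAC"
        # SP side: the FortiGate captive portal. <FGT-IP> is a placeholder for the
        # address clients reach the portal on; 1000 is the default HTTP portal port.
        set cert "Fortinet_Factory"
        set entity-id "http://<FGT-IP>:1000/remote/saml/metadata/"
        set single-sign-on-url "http://<FGT-IP>:1000/remote/saml/login/"
        set single-logout-url "http://<FGT-IP>:1000/remote/saml/logout/"
        # IdP side: taken from the IdP details shown on the FortiAuthenticator after
        # the IdP prefix was created. 192.168.100.100 is the FAC address used in the
        # article; <IDP-PREFIX> is a placeholder for the generated prefix.
        set idp-entity-id "http://192.168.100.100/saml-idp/<IDP-PREFIX>/metadata/"
        set idp-single-sign-on-url "https://192.168.100.100/saml-idp/<IDP-PREFIX>/login/"
        set idp-single-logout-url "https://192.168.100.100/saml-idp/<IDP-PREFIX>/logout/"
        # The remote certificate imported in step 1; the name is assigned at import
        # time (assumed here) and is what the FortiGate uses to verify assertion signatures.
        set idp-cert "REMOTE_Cert_1"
        # Attribute names must match the assertion attributes configured on the SP entry.
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next
end
```

The user-name and group-name attributes are what the SAML user group 'SAML-FAC' matches on, so a mismatch between these names and the assertion attributes configured on the FortiAuthenticator results in a successful IdP login that the FortiGate still rejects.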

  4. Configure a user group using the SAML server 'SAML-FAC':

config user group
    edit "SAML-FAC"
        set member "SAML-FAC"
    next
end

  5. Create an address object for the FortiAuthenticator IP address or FQDN:

config firewall address
    edit "FAC"
        set subnet 192.168.100.100 255.255.255.255
    next
end

  6. Set the Security Mode settings in the SSID and select the options required for SAML captive portal authentication.

Make sure to exempt the FQDN or IP address of the FortiAuthenticator.

  7. Add the SSID to the FortiAP profile so that it is broadcast.

  8. Create firewall policies from the SSID interface to the WAN and from the SSID interface to the FortiAuthenticator.

Note:

Enable captive-portal-exempt in the policy from the SSID to the FortiAuthenticator; otherwise the client's login traffic to the IdP is itself redirected to the captive portal.

config firewall policy
    edit 1
        set name "SAML-FAC_to_FortiAuth"
        set srcintf "SAML-FAC"
        set dstintf "Internal1"
        set action accept
        set srcaddr "all"
        set dstaddr "FAC"
        set schedule "always"
        set service "ALL"
        set nat enable
        set captive-portal-exempt enable
    next
    edit 2
        set name "SAML-FAC_to_Outside"
        set srcintf "SAML-FAC"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Result:

Connect the client to the broadcast SSID and authenticate as a local or remote user, depending on the above configuration.

Related documents:

Troubleshooting

Debug logs

Troubleshooting Tip: How to troubleshoot SAML authentication