FortiGate
lestopace
Staff
Article Id 195999

Description

This article describes how to configure SAML authentication on both Jumpcloud and the FortiGate for remote access VPN (both IPsec and SSL VPN).

Scope

FortiGate, SSL VPN (FortiOS v6.4 up to FortiOS v7.6.2), IPsec (FortiOS v7.2 and later).

Solution

Configuration On FortiGate.

As an initial reference, see the following general documentation on configuring SAML on the FortiGate:

Technical Tip: A basic explanation of SAML authentication

Technical Tip: FortiGate SAML authentication resource list

FortiGate Azure Admin Guide - Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML Id...

FortiGate Admin Guide - SAML-based authentication for FortiClient remote access dialup IPsec VPN cli...

 

The following is an example SAML configuration on the FortiGate for usage with remote-access VPN (as opposed to administrator SAML logins, which use slightly different URLs):

 

config user saml
    edit 'jumpcloud'
        set cert 'Fortinet_Factory'
        set entity-id 'https://<FQDN_or_IP_Address_of_FortiGate>:<port>/remote/saml/metadata/'
        set single-sign-on-url 'https://<FQDN_or_IP_Address_of_FortiGate>:<port>/remote/saml/login/'
        set single-logout-url 'https://<FQDN_or_IP_Address_of_FortiGate>:<port>/remote/saml/logout/'
        set idp-entity-id 'https://sso.jumpcloud.com/saml2/<Jumpcloud_Display_Label>'
        set idp-single-sign-on-url 'https://sso.jumpcloud.com/saml2/<Jumpcloud_Display_Label>'
        set idp-single-logout-url 'https://console.jumpcloud.com/userconsole'
        set idp-cert 'REMOTE_Cert_2'
        set user-name 'user'
        set group-name 'group'
        set digest-method sha256
    next
end

 

config user group
    edit 'Jumpcloud_SSO_Users'
        set member 'jumpcloud'
    next
end

 

Before entering the above, take note of the following:

  • The SP entity-id, single-sign-on-url, and single-logout-url must be updated with the FQDN or IP address assigned to the FortiGate interface that will receive SAML requests. Additionally, the port that is utilized is different depending on whether IPsec or SSL-VPN is being used:
    • For IPsec, the SAML port must be set to the same port as auth-ike-saml-port under config system global (default = 1001).
    • For SSL VPN, the SAML port must be set to the same port as the SSL VPN itself (e.g., 443, 8443, 10443, etc).
  • The idp-entity-id is manually specified on the Jumpcloud side and does not follow a strict format (it simply must match on both Jumpcloud and FortiGate). Any string is appropriate here, but the above example uses https://sso.jumpcloud.com/saml2/<Jumpcloud_Display_Label>, where <Jumpcloud_Display_Label> would be replaced with the Jumpcloud application name.
    The idp-single-sign-on-url is similar, though Jumpcloud does use the above format by default. Note that this SSO IdP URL may not be changed on Jumpcloud after the application is initially created.
  • The idp-cert must be uploaded to the FortiGate first before it can be set here. Refer to the following documentation for how this is done: Uploading SAML IdP certificate to the FortiGate SP.
  • The default user-name attribute on Jumpcloud is 'email' and corresponds to the user's email address. The above example instead uses the attribute name 'user', which must be configured identically on the Jumpcloud side; Jumpcloud also allows the attribute to be mapped to other values (username, first name, last name, etc.).
  • The digest-method is set to SHA256 to match Jumpcloud defaults.
  • The User Group on the FortiGate must be placed into Firewall Policies for the remote-access VPN interface before SAML authentication can be activated.

 

Configuration On Jumpcloud.

Log in to the Jumpcloud Admin portal, then go to User Authentication -> SSO Applications. Select the Get Started button or the + Add New Application button, then search for and select the 'SAML 2.0' application. Select Next to continue.

 
Jumpcloud_01.png

Specify a Display Label for this Application on Jumpcloud, and optionally specify a Logo or Color Indicator for the User Portal Image. Select Save Application, then select Configure Application.

  • By default, the Display Label will be used to generate the SSO IdP URL (aka idp-single-sign-on-url). This can be overridden under the Advanced Settings section, though it cannot be changed after the Application is created.

Jumpcloud_02.png

Jumpcloud_03.png

Jumpcloud_04.png

Under the SSO tab, perform the following tasks:
  • Download the Jumpcloud IdP certificate (select IDP Certificate Valid and then Download Certificate).
    This must be uploaded to the FortiGate and then set to the idp-cert field. Failure to do this can result in authentication appearing to succeed, followed by the user being immediately redirected to the Jumpcloud login again.
  • Specify the IdP Entity ID (can be any string, but a URL like https://sso.jumpcloud.com/saml2/<Jumpcloud_Display_Label> can be appropriate).
  • Set the SP Entity ID as an exact match to the FortiGate's entity-id setting (case-sensitive, must match exactly).
 
Jumpcloud_05.png

  • Set the ACS URLs to the FortiGate's single-sign-on-url setting.
  • Select the Replace SP Certificate button and upload the FortiGate's SP certificate (this would match the cert setting on the FortiGate SAML config and can be downloaded from System -> Certificates). 
  • The SAMLSubject NameID Format can be left as-is at this time, as can the Signature Algorithm.
 
Jumpcloud_06.png

  • Set the Sign option to Assertion and Response (though any of the three is acceptable). Default RelayState may be left unmodified if this Application will be used for SP-initiated logins only (i.e., FortiClient VPN tunnels).
    Optionally, it may be set to https://<FQDN_or_IP_Address_of_FortiGate>:<port>/remote/saml/start?realm= if users want to connect to SSL-VPN web mode specifically via the Jumpcloud console.
  • Set Login URL to the FortiGate's single-sign-on-url setting (in addition to the ACS URL).
  • Important: toggle-on Declare Redirect Endpoint. If toggled off, authentication will appear to succeed, but the SAML client will be bounced back to the Jumpcloud login page.
  • Note the IDP URL (cannot be modified since the application has been created).
 
Jumpcloud_07.png

  • Configure User and Group Attributes to match the FortiGate user-name and group-name settings. The 'user' and 'group' attribute names are used here for simplicity, though Jumpcloud defaults to 'email' and 'memberOf' respectively.
 
Jumpcloud_08.png

To summarize:
Service Provider Attribute Name (Jumpcloud) = user-name (FortiGate).
Include group attribute (JumpCloud) = group-name (FortiGate).
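The values that have to agree between the two sides are easy to get subtly wrong (a different port, a missing https://, a case difference in the SP Entity ID, or the IdP certificate and Declare Redirect Endpoint settings that produce the "login succeeds, then bounces back to Jumpcloud" symptom). The following Python script is an added pre-flight check, not Fortinet or Jumpcloud code: it parses a FortiOS 'config user saml' block and compares it with what was entered into the Jumpcloud SSO application, applying the matching rules from the FortiGate notes and the Jumpcloud steps above. The hostname vpn.example.com, port 10443, the label fortigate-vpn, and the dictionary keys used to name the Jumpcloud fields are assumptions for illustration.

```python
"""Pre-flight consistency check for a FortiGate <-> Jumpcloud SAML pairing.

Added example (not Fortinet or Jumpcloud code). Rules applied:
 - SP entity-id / single-sign-on-url / single-logout-url are https URLs on one host:port
 - that port equals auth-ike-saml-port (IPsec, default 1001) or the SSL VPN port
 - Jumpcloud SP Entity ID, ACS URL and Login URL equal the FortiGate values exactly
 - Jumpcloud IdP Entity ID and IDP URL equal idp-entity-id / idp-single-sign-on-url
 - attribute names equal user-name / group-name
 - idp-cert is set and 'Declare Redirect Endpoint' is on
"""
import re
from urllib.parse import urlsplit

# Constructed sample FortiOS CLI text; hostname, port and label are placeholders.
FGT_CLI = """
config user saml
    edit 'jumpcloud'
        set cert 'Fortinet_Factory'
        set entity-id 'https://vpn.example.com:10443/remote/saml/metadata/'
        set single-sign-on-url 'https://vpn.example.com:10443/remote/saml/login/'
        set single-logout-url 'https://vpn.example.com:10443/remote/saml/logout/'
        set idp-entity-id 'https://sso.jumpcloud.com/saml2/fortigate-vpn'
        set idp-single-sign-on-url 'https://sso.jumpcloud.com/saml2/fortigate-vpn'
        set idp-single-logout-url 'https://console.jumpcloud.com/userconsole'
        set idp-cert 'REMOTE_Cert_2'
        set user-name 'user'
        set group-name 'group'
        set digest-method sha256
    next
end
"""

# Constructed sample of the Jumpcloud SSO application fields (keys are assumed
# labels chosen to mirror the Jumpcloud UI, not an API schema).
JUMPCLOUD_APP = {
    "IdP Entity ID": "https://sso.jumpcloud.com/saml2/fortigate-vpn",
    "SP Entity ID": "https://vpn.example.com:10443/remote/saml/metadata/",
    "ACS URL": "https://vpn.example.com:10443/remote/saml/login/",
    "Login URL": "https://vpn.example.com:10443/remote/saml/login/",
    "IDP URL": "https://sso.jumpcloud.com/saml2/fortigate-vpn",
    "Declare Redirect Endpoint": True,
    "Service Provider Attribute Name": "user",
    "Group Attribute Name": "group",
}


def parse_saml_block(cli_text):
    """Collect 'set <name> <value>' lines from a FortiOS CLI snippet into a dict.
    Values may be single-quoted ('...') or bare (sha256); quotes are stripped."""
    settings = {}
    for m in re.finditer(r"^\s*set\s+(\S+)\s+(.+?)\s*$", cli_text, re.M):
        settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def check_pairing(fgt, jc, vpn_type, auth_ike_saml_port=1001, sslvpn_port=443):
    """Return a list of problems found; an empty list means both sides agree."""
    problems = []

    # 1. SP URLs: https scheme, one common host:port, and the port the VPN really uses.
    endpoints = {}
    for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
        parts = urlsplit(fgt.get(key, ""))
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{key} must be an https:// URL with a host, got {fgt.get(key)!r}")
            continue
        endpoints[key] = (parts.hostname, parts.port)
    if len(set(endpoints.values())) > 1:
        problems.append(f"SP URLs point at different host:port pairs: {endpoints}")
    elif endpoints:
        port = next(iter(endpoints.values()))[1]
        expected = auth_ike_saml_port if vpn_type == "ipsec" else sslvpn_port
        if port != expected:
            problems.append(f"SP URL port is {port}, but {vpn_type} SAML listens on {expected}")

    # 2. Jumpcloud fields that must match the FortiGate side exactly (case-sensitive).
    pairs = [
        ("SP Entity ID", "entity-id"),
        ("ACS URL", "single-sign-on-url"),
        ("Login URL", "single-sign-on-url"),
        ("IdP Entity ID", "idp-entity-id"),
        ("IDP URL", "idp-single-sign-on-url"),
        ("Service Provider Attribute Name", "user-name"),
        ("Group Attribute Name", "group-name"),
    ]
    for jc_field, fgt_key in pairs:
        if jc.get(jc_field) != fgt.get(fgt_key):
            problems.append(f"Jumpcloud '{jc_field}' != FortiGate {fgt_key}: "
                            f"{jc.get(jc_field)!r} vs {fgt.get(fgt_key)!r}")

    # 3. The two settings whose absence makes login appear to succeed, then bounce back.
    if not fgt.get("idp-cert"):
        problems.append("idp-cert is not set: upload the Jumpcloud IdP certificate first")
    if not jc.get("Declare Redirect Endpoint"):
        problems.append("'Declare Redirect Endpoint' is off on the Jumpcloud application")
    return problems


def run_checks(cli_text=FGT_CLI, jc=JUMPCLOUD_APP, vpn_type="sslvpn", sslvpn_port=10443):
    """Convenience wrapper: parse the CLI text and check it against the Jumpcloud fields."""
    return check_pairing(parse_saml_block(cli_text), jc, vpn_type, sslvpn_port=sslvpn_port)


if __name__ == "__main__":
    for line in run_checks() or ["OK: FortiGate and Jumpcloud SAML settings are consistent"]:
        print(line)
```

Run it with the real CLI block pasted into FGT_CLI and the Jumpcloud values copied into the dictionary; for IPsec, call run_checks(vpn_type="ipsec") so the port is compared against auth-ike-saml-port instead of the SSL VPN port.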
 
Switch to the User Groups tab and select all groups that should be bound to this Jumpcloud application (these users will be able to authenticate to the VPN using SAML). If a user tries to authenticate to the VPN using SAML/FortiClient and is not a member of a bound group, then a script error will occur and authentication will fail.
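When attribute mapping or group binding is the suspected cause of a failed login, the most direct evidence is the SAML Response the browser actually delivered to the FortiGate's ACS URL. The following Python script is an added example, not Fortinet or Jumpcloud code: it reads a captured (and here constructed, unsigned) Response and reports the Status, Destination, Issuer, Audience and the 'user' and 'group' attribute values as the FortiGate SP would interpret them. It deliberately does not validate the XML signature, which is what the FortiGate uses idp-cert for; the hostnames, label and the user alice@example.com are placeholders.

```python
"""Inspect a SAML Response as the FortiGate SP would read it (added example).

Checks only XML content: status, Destination vs ACS URL, Issuer vs
idp-entity-id, Audience vs SP entity-id, and the attribute names that the
FortiGate's user-name / group-name settings must match exactly.
Signature verification is intentionally out of scope here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample Response; every value is a placeholder.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://vpn.example.com:10443/remote/saml/login/">
  <saml:Issuer>https://sso.jumpcloud.com/saml2/fortigate-vpn</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sso.jumpcloud.com/saml2/fortigate-vpn</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.example.com:10443/remote/saml/metadata/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="user">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
        <saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def inspect_response(xml_text, sp_entity_id, acs_url, idp_entity_id,
                     user_attr="user", group_attr="group"):
    """Return the user/group values the SP would extract plus a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        findings.append("Status is not Success")

    # Destination must be the ACS URL (single-sign-on-url on the FortiGate).
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")

    # Issuer must equal idp-entity-id; Audience must contain the SP entity-id.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        findings.append(f"Issuer {issuer!r} != idp-entity-id {idp_entity_id!r}")
    audiences = [a.text for a in root.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(f"Audience {audiences} does not contain SP entity-id {sp_entity_id!r}")

    # Attribute names are compared exactly against user-name / group-name.
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    users = attrs.get(user_attr) or []
    groups = attrs.get(group_attr) or []
    if not users:
        findings.append(f"no {user_attr!r} attribute; IdP sent {sorted(attrs)}")
    if not groups:
        findings.append(f"no {group_attr!r} attribute; IdP sent {sorted(attrs)}")
    return {"user": users[0] if users else None, "groups": groups, "findings": findings}


def inspect_sample():
    """Run the inspection against the constructed sample with matching SP values."""
    return inspect_response(
        SAMPLE_RESPONSE,
        sp_entity_id="https://vpn.example.com:10443/remote/saml/metadata/",
        acs_url="https://vpn.example.com:10443/remote/saml/login/",
        idp_entity_id="https://sso.jumpcloud.com/saml2/fortigate-vpn",
    )


if __name__ == "__main__":
    print(inspect_sample())
```

An empty findings list with the expected user and group values means the IdP is sending what the FortiGate configuration expects; a finding such as "no 'email' attribute" points at the attribute-name mismatch described above, and an empty group list points at a user who is not in a bound Jumpcloud group.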
 
Jumpcloud_09.png

Select the Save button in the bottom-right corner to commit all of the changes.
 
At this point, the SAML configuration is complete, and the VPN itself can be configured to utilize SAML (refer to the appropriate documentation).
 
Example: Testing SSL-VPN Web Mode

Enter the SSL VPN URL in the browser and select Single Sign-On.

Log in using Jumpcloud user credentials (not administrator credentials). Jumpcloud will then redirect to the SSL VPN Web mode portal if authentication is successful.

On the FortiGate side, SSL VPN users can be verified by running get vpn ssl monitor in the CLI:

get vpn ssl monitor
SSL-VPN Login Users
Index   User    Group   Auth Type            Timeout     Auth-Timeout  From     HTTP in/out    HTTPS in/out    Two-factor Auth
0 support@fortinet.com  Jumpcloud_SSO_Users  256(1)      N/A           211.24.155.98  0/0     0/0     0
 
SSL VPN sessions:
Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 
Log out of the SSL-VPN portal. The SSL-VPN will redirect to the Jumpcloud console, where the option to sign in to the FortiGate is available (i.e., IdP-initiated login). Note that for SSL-VPN and IPsec tunnel-mode connections, this console option cannot be used (FortiClient-based connections are SP-initiated SAML only).