Description
This article describes how to set up both AWS SSO and FortiGate for SAML SSO for web mode SSL VPN with FortiGate acting as SP.
Scope
FortiOS v6.2 or above.
Solution
Configuring the AWS SSO account IDP application.
- Set up an AWS account.
- Open a browser, log in to the AWS account, and enable AWS SSO. If AWS Organizations is not setup, there will be a prompt to create an organization. Choose 'Create AWS organization' to complete this process.
- Head over to 'Users' and select 'Add user'.
Enter the details for Username, Email address, and First Name.
Select 'Next'.
Optionally, add the user to a group.
Review and Select 'Add user'.
- Go to the 'Applications' and select 'Add a new application'.
- Select 'Add a custom SAML 2.0 application'.
- Enter the Display name. The 'Display name' is the name of the portal the user logs into.
- Set the Application start URL: https://<Public_IP:PORT>
- Select 'If you don't have a metadata file, you can manually type your metadata values'.
- Set the Application ACS URL: https://<Public_IP:PORT>/remote/saml/login
- Set the Application SAML audience: https://<Public_IP:PORT>/remote/saml/metadata
Copy the following items to a text editor as these will be required to configure the FortiGate SAML:
AWS SSO sign-in URL: https://portal.sso.us-east-1.amazonaws.com/saml/assertion/ <truncated>
AWS SSO sign-out URL: https://portal.sso.us-east-1.amazonaws.com/saml/logout/ <truncated>
AWS SSO issuer URL:https://portal.sso.us-east-1.amazonaws.com/saml/assertion <truncated>
Select 'Download Certificate'. This will be imported to FortiGate later.
Select ‘Save changes’.
- Go to the 'Attribute mappings' tab.
These are the values that will be passed on to the FortiGate by the AWS SSO.
Configure the values as required. A sample configuration is provided below:
Note:
In this case, the 'username' attribute will be used as the SSL VPN user-name on FortiGate (will be seen in later FortiGate configuration).
Other mappings are also available that can be used. Refer to the AWS docs:
- Additionally, a group attribute value can also be passed on FortiGate.
This is optional and is needed only if performing group matching based on group membership of AWS users on FortiGate is intended.
Note: In this case, the 'group' attribute will be used as the SSL VPN grou- name on FortiGate (will be seen in later FortiGate configuration).
Copy the 'Group ID' to a text editor as these will be required to configure the FortiGate Group:
- Go to the 'Assigned users' tab.
Select 'Assign users'.
Select all the desired Users/Groups and Select 'Assign users'.
Configuring the FortiGate for SSL VPN and as SP.
- Select System -> Certificates -> Create/Import -> Remote Certificate.
Upload the AWS certificate as a 'Remote certificate' on FortiGate as Remote Certificate:
- Setup SAML as below:
config user saml
edit "aws"
set entity-id "https://<Public_IP:Port>/remote/saml/metadata" <--- Same as setup on AWS
set single-sign-on-url "https://<Public_IP:Port>/remote/saml/login" <--- Same as setup on AWS
set single-logout-url "https://<Public_IP:Port>/remote/saml/logout" <--- Same as setup on AWS
set idp-entity-id "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/ <truncated>" <--- AWS SSO issuer URL
set idp-single-sign-on-url "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/ <truncated>" <--- AWS SSO sign-in URL
set idp-single-logout-url "https://portal.sso.us-east-1.amazonaws.com/saml/logout/ <truncated>" <--- AWS SSO sign-out URL
set idp-cert "Remote_Cert_1"
set user-name "username" <--- Same as the user-name attribute parameter configured on AWS.
set group-name "group" <--- Same as the group-name attribute parameter configured on AWS.
set digest-method sha1
next
end
- Create a user group as below on FortiGate.
config user group
edit "aws-saml-vpn"
set member "aws"
config match
edit 1
set server-name "aws"
set group-name "90674ed8ce-899577e3-8042-4fe3-ba65-99955f1912c1" <--- Same as the Group-ID value of the AWS GROUP.
next
end
next
end
- Complete the SSL VPN configuration.
config vpn ssl settings
set servercert "self-sign"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set source-interface "wan1"
set source-address "all"
set source-address6 "all"
set default-portal "web-access"
config authentication-rule
edit 1
set groups "aws-saml-vpn"
set portal "full-access"
next
end
end
config firewall policy
edit 1
set name "aws-SSLVPN"
set srcintf "ssl.root"
set dstintf "lan"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
set groups "aws-saml-vpn"
next
end
Testing SSL VPN:
- Connect to the SSL VPN portal and select 'Single Sign-On'.
- Enter the AWS credentials and it will redirect to the SSL VPN page.
On FortiGate verify by going to Dashboard -> Network -> SSL VPN Monitor:
Related articles:
- Technical Tip: How to fix crashing SAML daemon
- Technical Tip: How to read SAML Debug output
- Technical Tip: A basic explanation of SAML authentication
- Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...
- Technical Tip: Configuring SAML SSO login for FortiGate Admin Web GUI Access with JumpCloud acting a...
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Okta acting as SAML IdP - Technical Tip: Configuring SAML on FortiGate displays the error 'Cannot change this setting in SP wh...
- Technical Tip: Set up SAML admin LDAP login on FortiGate (SP) with FortiAuthenticator (IDP)
- Technical Tip: Configuring FortiGate SSO Administrators with ADFS as SAML IdP
- Technical Tip: Using single Azure Enterprise Application for multiple SAML Service Providers (SPs) f...
- Troubleshooting Tip: Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1
- Technical Tip: Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP
- Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...
