FortiGate
nathan_h
Staff
Article Id 222915
Description This article describes how to allow only users who belong to a specific Active Directory group to log in to SSL-VPN when SAML authentication (with AD FS as the IdP) is used: AD FS sends the user's group memberships as a SAML attribute, and the FortiGate matches that attribute against a user group before granting the portal.
Scope  
Solution

1) Configure ADFS and FortiGate:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-SSL-VPN-web...

 

2) Configure Claims on AD FS:

 

- Go to AD FS -> Relying Party Trusts -> right-click the FortiGate relying party trust -> Edit Claim Issuance Policy -> Edit Rule (the 'Send LDAP Attributes as Claims' rule).

- Select 'Token-Groups - Unqualified Names' under 'LDAP Attribute'.
- Select 'Group' under 'Outgoing Claim Type'.

- Select 'OK'.

'Token-Groups - Unqualified Names' returns bare group names (for example sslvpn_saml, not DOMAIN\sslvpn_saml) and includes groups the user belongs to through nesting, so the value configured later on the FortiGate must be the bare name. The 'Group' outgoing claim type is placed in the assertion under the attribute name http://schemas.xmlsoap.org/claims/Group, and that exact string is what the FortiGate must be told to read.

 


 


 

3) Ensure the correct AD group is used: the group name configured on the FortiGate must be spelled exactly as the group's name in Active Directory (in this example sslvpn_saml), and the test user must be a member of that group, otherwise the Group claim will never contain the expected value.

 

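As an added example, not code from the article or from Fortinet, the same AD FS claim rule and the step 3 group check done from PowerShell on the AD FS server. The relying party trust name "FortiGate SSL-VPN" and the sAMAccountName "adfs_nathan" are assumptions (the article only shows the user's UPN); the claim rule text is what the AD FS GUI generates for a 'Send LDAP Attributes as Claims' rule mapping 'Token-Groups - Unqualified Names' to 'Group'.

```powershell
# Added example (not part of the original article): create the AD FS claim rule from step 2
# and confirm the test user's membership of the group the FortiGate will match (step 3).
# Run on the AD FS server in an elevated PowerShell session with the ActiveDirectory RSAT module.
# Assumptions not taken from the article: the relying party trust is named "FortiGate SSL-VPN"
# and the test user's sAMAccountName is "adfs_nathan".
$rpName = "FortiGate SSL-VPN"
$group  = "sslvpn_saml"     # must equal "set group-name" in the FortiGate "config match" entry
$user   = "adfs_nathan"

# Claim rule language generated by the GUI for a "Send LDAP Attributes as Claims" rule with
# LDAP Attribute = "Token-Groups - Unqualified Names" and Outgoing Claim Type = "Group".
# The ";tokenGroups;{0}" query returns bare group names (no DOMAIN\ prefix), including groups
# reached through nesting, under the claim type http://schemas.xmlsoap.org/claims/Group.
$groupRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD groups for FortiGate SSL-VPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Append to the rules already on the trust (the username/NameID rule from step 1) instead of replacing them.
$rpt = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rpt) { throw "Relying party trust '$rpName' not found" }
$rules = if ($rpt.IssuanceTransformRules) { $rpt.IssuanceTransformRules.TrimEnd() + "`r`n" + $groupRule } else { $groupRule }
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Print the resulting rule set so the claim type can be compared with the FortiGate "set group-name" value.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules

# Step 3 check: the group exists under exactly this name and the user is a direct or nested member,
# so tokenGroups will include "sslvpn_saml" in the assertion.
Import-Module ActiveDirectory
Get-ADGroup -Identity $group | Select-Object Name, GroupScope, DistinguishedName
$member = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.SamAccountName -eq $user }
if ($member) { "$user is a member of $group" } else { Write-Warning "$user is NOT a member of $group; the FortiGate match will fail" }
```

The rule is appended rather than assigned on its own because `-IssuanceTransformRules` replaces the whole rule set for the trust; overwriting it would drop the username rule from step 1 and break the login itself.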
4) Additional FortiGate configuration.

 

Tell the SAML server object which SAML attribute carries the group list. The value must be exactly the attribute name AD FS emits for the 'Group' outgoing claim type (the other settings of the "adfs" object, such as entity IDs, sign-on URLs and the IdP certificate, come from step 1 and are not repeated here):

# config user saml
    edit "adfs"
        set group-name "http://schemas.xmlsoap.org/claims/Group"
    next
end

 

Create a user group whose member is the SAML server and restrict it with a match entry. Without the 'config match' entry, every user that AD FS authenticates is a member of the group; with it, only users whose group attribute contains the value "sslvpn_saml" are:

# config user group
    edit "ADFS_Group"
        set member "adfs"
        config match
            edit 1
                set server-name "adfs"
                set group-name "sslvpn_saml"
            next
        end
    next
end

 

Bind that group to the SSL-VPN portal in the authentication rule:

# config vpn ssl setting
    config authentication-rule
        edit 1
            set groups "ADFS_Group"
            set portal "Full"
        next
    end
end

Check the remaining authentication rules and firewall policies after the change: if another rule or policy still references a group built on the "adfs" server without a match entry, users outside sslvpn_saml can still log in through it.

 

Testing:

 

Log in to the SSL-VPN portal with a test user that is a member of sslvpn_saml, then with a user that is not. The second user is still authenticated by AD FS, but the FortiGate does not place the user in ADFS_Group and refuses the portal.

 

SAML attributes:

 

The assertion returned by AD FS lists every group the user belongs to as a value of the http://schemas.xmlsoap.org/claims/Group attribute; only one of those values needs to equal "sslvpn_saml" for the match entry to succeed.

 

SAML debug (enable with 'diagnose debug application samld -1' and 'diagnose debug enable' before the login attempt):

 

samld_send_common_reply [122]: Attr: 17, 27, magic=cd82693da567030a
samld_send_common_reply [118]: Attr: 10, 40, 'username' 'adfs_nathan@fortinat.local'
samld_send_common_reply [118]: Attr: 10, 57, 'http://schemas.xmlsoap.org/claims/Group' 'Domain Users'
samld_send_common_reply [118]: Attr: 10, 56, 'http://schemas.xmlsoap.org/claims/Group' 'sslvpn_saml'

The output shows the username attribute followed by one line per group value carried under the configured group-name attribute. 'Domain Users' is also sent but no match entry references it; the 'sslvpn_saml' value is what places the user in ADFS_Group. If the group attribute lines are missing, the claim rule in step 2 was not applied; if they are present under a different attribute name, the 'set group-name' value under 'config user saml' does not match it.

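As an added example, not code from the article or from Fortinet, a small PowerShell script that parses samld debug lines and reproduces the group decision the step 4 configuration makes. It is a simplified model of that decision, not FortiOS code: the first set of lines is copied from the debug output above, the second user is constructed, and the model exists mainly to show that a group with no 'config match' entry admits every user the SAML server authenticates.

```powershell
# Added example (not from the article): parse "diagnose debug application samld" attribute lines and
# model the FortiGate user-group decision for the "config match" entry from step 4.
# $memberLines are copied from the article's debug output; $otherLines are constructed to represent a
# user that AD FS authenticates but who is not in sslvpn_saml.
$memberLines = @(
    "samld_send_common_reply [118]: Attr: 10, 40, 'username' 'adfs_nathan@fortinat.local'",
    "samld_send_common_reply [118]: Attr: 10, 57, 'http://schemas.xmlsoap.org/claims/Group' 'Domain Users'",
    "samld_send_common_reply [118]: Attr: 10, 56, 'http://schemas.xmlsoap.org/claims/Group' 'sslvpn_saml'"
)
$otherLines = @(
    "samld_send_common_reply [118]: Attr: 10, 40, 'username' 'someone_else@fortinat.local'",
    "samld_send_common_reply [118]: Attr: 10, 57, 'http://schemas.xmlsoap.org/claims/Group' 'Domain Users'"
)

function Get-SamldAttributes {
    param([string[]]$Lines)
    # One "Attr:" line per attribute value; returns a hashtable of attribute name -> array of values.
    $attrs = @{}
    foreach ($line in $Lines) {
        if ($line -match "Attr: \d+, \d+, '([^']*)' '([^']*)'") {
            $name, $value = $Matches[1], $Matches[2]
            if (-not $attrs.ContainsKey($name)) { $attrs[$name] = @() }
            $attrs[$name] += $value
        }
    }
    return $attrs
}

function Test-FortiGroupMember {
    param(
        [hashtable]$Attributes,
        [string]$GroupAttribute,        # "set group-name" under config user saml
        [string[]]$MatchValues = @()    # "set group-name" values of the config match entries
    )
    # A user group whose member is the SAML server and which has no "config match" entry
    # treats every user that server authenticates as a member.
    if ($MatchValues.Count -eq 0) { return $true }
    $groups = @($Attributes[$GroupAttribute])
    foreach ($m in $MatchValues) { if ($groups -contains $m) { return $true } }
    return $false
}

$groupAttr = "http://schemas.xmlsoap.org/claims/Group"
"member of sslvpn_saml, match configured:     $(Test-FortiGroupMember (Get-SamldAttributes $memberLines) $groupAttr @('sslvpn_saml'))"
"not a member, match configured:              $(Test-FortiGroupMember (Get-SamldAttributes $otherLines) $groupAttr @('sslvpn_saml'))"
"not a member, no config match entry at all:  $(Test-FortiGroupMember (Get-SamldAttributes $otherLines) $groupAttr)"
"group claim sent under a different name:     $(Test-FortiGroupMember (Get-SamldAttributes $memberLines) 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' @('sslvpn_saml'))"
```

The last line models the failure mode where AD FS is configured to emit the Windows 'Group SID' or 'groups' claim type instead of 'Group': the values are present in the assertion, but under a name that 'set group-name' does not reference, so the match never succeeds. Whether FortiOS compares the value case-sensitively is not shown by the article, so use the group name with the same case as in Active Directory.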