Technical Tip: Configuring SAML SSO login for SSL-VPN with ADFS by AD group

nathan_h · ‎09-05-2022

Description

This article describes how to allow specific users by AD group on SSL-VPN with SAML authentication.

Scope

Solution

1) Configure ADFS and FortiGate:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-SSL-VPN-web...

2) Configure Claims on AD FS:

-Go to AD FS -> Relying Party Trusts -> 'Right click' -> Edit Claim Issuance Policy -> Edit Rule.

- Select 'Token-Groups - Unqualified Names' under 'LDAP Attribute'.
- Select 'Group' under 'Outgoing Claim Type'.

- Select 'OK'.

3) Ensure to use the correct AD group.

4) Additional FortiGate configuration.

# config user saml

edit "adfs"
set group-name "http://schemas.xmlsoap.org/claims/Group"
next
end

# config user group
edit "ADFS_Group"
set member "adfs"
config match
edit 1
set server-name "adfs"
set group-name "sslvpn_saml"
next
end

next
end

# config vpn ssl setting
# config authentication-rule
edit 1
set groups "ADFS_Group"
set portal "Full"
next
end
end

Testing:

SAML attributes:

SAML debug:

samld_send_common_reply [122]: Attr: 17, 27, magic=cd82693da567030a
samld_send_common_reply [118]: Attr: 10, 40, 'username' 'adfs_nathan@fortinat.local'
samld_send_common_reply [118]: Attr: 10, 57, 'http://schemas.xmlsoap.org/claims/Group' 'Domain Users'
samld_send_common_reply [118]: Attr: 10, 56, 'http://schemas.xmlsoap.org/claims/Group' 'sslvpn_saml'

Technical Tip: Configuring SAML SSO login for SSL-VPN with ADFS by AD group

You are leaving our website