The steps below show how to set up SSL VPN with Azure SAML authentication on a FortiGate, with optional steps for multiple SSL VPN realms.
A. Configure Azure as SAML authentication IdP
- Log in to the Azure Portal > Azure Active Directory
- Go to Users and create the VPN users
- Go to Groups and create a group for the VPN users
notes: set the group's owner and add the VPN users as members, then copy the group's Object Id; it is the value the FortiGate user group will match on later
- Now, go to Enterprise applications
- New application > search for “FortiGate” > select FortiGate SSL VPN and give it a name
- Assign users and groups > Add user/group (assign the group created above)
- Single sign-on > SAML
- Define the Basic SAML Configuration parameters:
Identifier (Entity ID): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata
Reply URL (Assertion consumer Service URL): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login/
Sign on URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/login
Relay State: Optional
Logout URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout
- Attributes & Claims > Edit
- Add a new claim named “username”, with the user attribute that should become the VPN username as its source (for example user.userprincipalname); the name must match the user-name setting on the FortiGate
- Add or edit the group claim so that it returns the Group ID as its source attribute, and under Advanced options > Customize the name of the group claim set the Name to “group”; this must match the group-name setting on the FortiGate, which matches on the group Object Id carried in this claim
- Download the “Certificate (Base64)”
notes: the FortiGate validates assertion signatures against this certificate, so re-download and re-import it if you change the FQDN and re-create the application, or whenever Azure rotates the signing certificate; assertions signed with a certificate the FortiGate does not hold are rejected
- Copy the values from item 4, Set up FortiGate SSL VPN (Login URL, Azure AD Identifier, Logout URL); they are entered on the FortiGate in the next section
B. Configure FortiGate SSL VPN with SAML authentication
- Log in to the FortiGate WebUI > System > Certificates > Import > Remote Certificate > upload the downloaded SAML Certificate (Base64)
- Optional: rename the imported remote certificate to something meaningful (the default import name is “REMOTE_Cert#”, where # is a number)
# CLI command
config vpn certificate remote
    rename REMOTE_Cert# to AzureSAML-CA
end
- Create the SAML server object (the IdP definition on the FortiGate); the name given here is referenced by the user group in the next step
# CLI command
config user saml
    edit "azure-name"
        # FortiGate certificate used to sign SAML requests: the server certificate assigned in SSL-VPN settings
        set cert "<SSL-VPN settings assigned Server Certificate>"
        set entity-id "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata"
        set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
        set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
        # values copied from Azure item 4, Set up FortiGate SSL VPN
        set idp-entity-id "<Azure AD Identifier>"
        set idp-single-sign-on-url "<Login URL>"
        set idp-single-logout-url "<Logout URL>"
        # the Azure signing certificate imported as a remote certificate above (for example AzureSAML-CA)
        set idp-cert "<Certificate imported earlier>"
        # claim names; must match the Attributes & Claims names configured in Azure
        set user-name "username"
        set group-name "group"
    next
end
- Create the SAML user group, matching on the Azure Group Object Id copied in section A
# CLI command
config user group
    edit "<SAML group name>"
        set member "azure-name"
        config match
            edit 1
                set server-name "azure-name"
                set group-name "<Group Object Id>"
            next
        end
    next
end
- Firewall policy for SSL VPN
C. Optional: multiple SSL VPN realms with SAML authentication
Requirement: one SAML server object and one user group per realm on the FortiGate, and one Azure enterprise application per realm (repeat section A for each). The realm name becomes part of the SSL VPN URL path, so the Entity ID, Reply URL, Sign on URL and Logout URL of that realm's application, and the matching entity-id, single-sign-on-url and single-logout-url on the FortiGate, take the form https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/<realm>/remote/saml/...
- Log in to the FortiGate WebUI > System > Feature Visibility > enable “SSL-VPN Realms” > Apply
- Go to VPN > SSL-VPN Realms > Create new (you may create several realms, for example FullTunnel and SplitTunnel)
- Go to VPN > SSL-VPN Portals > create two portals (Full Tunnel and Split Tunnel)
- Optionally give each portal its own SSL VPN IP address pool, so the two user populations land in different subnets and can be told apart in firewall policies
- Go to VPN > SSL-VPN Settings and check the Authentication/Portal Mapping: each SAML user group should be mapped to its own portal and realm
- Firewall policy for SSL VPN with multiple realms
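The complete CLI for sections B and C with two realms, as an added example that is not part of the original post or of Fortinet's documentation. It assumes, as FortiOS does for realms, that the realm name is prefixed to the SSL VPN URL path, so each realm gets its own SAML server object and its own Azure enterprise application. The hostname vpn.example.com, port 10443, the interface names wan1 and internal, the address objects Internal_LAN, SSLVPN_FULL_POOL and SSLVPN_SPLIT_POOL, the imported certificate names AzureSAML-FullTunnel and AzureSAML-SplitTunnel, and the user groups azure-full-grp and azure-split-grp (created per realm exactly as in section B, each matching its own Azure Group Object Id) are placeholders; <tenant-id> comes from item 4 of each Azure application.

```fortios
# Added example, not from the original post: two realms, each with its own
# Azure enterprise application. vpn.example.com, port 10443, wan1, internal,
# Internal_LAN, the two address pools, the two certificate names and the two
# user groups (built per realm as in section B) are assumed placeholders.
# One SAML server object per realm; the realm name in the SP URLs is an
# assumption and the Azure Identifier/Reply/Logout URLs must be built the same way.
config user saml
    edit "azure-full"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com:10443/FullTunnel/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com:10443/FullTunnel/remote/saml/login"
        set single-logout-url "https://vpn.example.com:10443/FullTunnel/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "AzureSAML-FullTunnel"
        set user-name "username"
        set group-name "group"
    next
    edit "azure-split"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com:10443/SplitTunnel/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com:10443/SplitTunnel/remote/saml/login"
        set single-logout-url "https://vpn.example.com:10443/SplitTunnel/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "AzureSAML-SplitTunnel"
        set user-name "username"
        set group-name "group"
    next
end
config vpn ssl web realm
    edit "FullTunnel"
    next
    edit "SplitTunnel"
    next
end
# Two portals; only the split-tunnel portal pushes a limited route set
config vpn ssl web portal
    edit "FullTunnel-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_FULL_POOL"
    next
    edit "SplitTunnel-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "Internal_LAN"
        set ip-pools "SSLVPN_SPLIT_POOL"
    next
end
# Map each SAML group to its own realm and portal
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set source-interface "wan1"
    config authentication-rule
        edit 1
            set groups "azure-full-grp"
            set portal "FullTunnel-portal"
            set realm "FullTunnel"
        next
        edit 2
            set groups "azure-split-grp"
            set portal "SplitTunnel-portal"
            set realm "SplitTunnel"
        next
    end
end
# One policy per realm, restricted to that realm's group and address pool
config firewall policy
    edit 101
        set name "SSLVPN-FullTunnel-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_FULL_POOL"
        set dstaddr "Internal_LAN"
        set groups "azure-full-grp"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 102
        set name "SSLVPN-SplitTunnel-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_SPLIT_POOL"
        set dstaddr "Internal_LAN"
        set groups "azure-split-grp"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The Azure IdP values (identifier and both URLs) are per tenant and are normally identical for the two applications, while the signing certificate is per application and the Group Object Id is per group, so the two idp-cert values and the two group matches differ. Internet access for the full-tunnel realm needs a further policy from ssl.root to wan1 with NAT, not shown here. Keep the group match on both the authentication rule and the firewall policy: a user who completes the Azure login but whose assertion does not carry the expected group Object Id then gets neither a portal nor a policy hit.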
D. FortiClient configuration and testing:
- FortiClient setup
- SSL VPN with SAML SSO
- SSL VPN realms with SAML SSO
Fortinet Documentation: https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/azure-administration-guide/584456/co...
Fortinet Community KB:
FortiGate WebUI Administrator with SAML SSO: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-FortiGate/t...
SSL VPN Troubleshooting: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542