The steps below show how to create an SSL VPN with Azure SAML authentication, with optional steps for multiple SSL VPN realms. By default the SSL VPN has a default connection with no realm. If that default connection also uses SAML, configure a separate SAML server (with its own matching Azure enterprise application) for it, so that its entity ID and reply URL do not conflict with those of the other realms.
A. Configure Azure as the SAML authentication IdP.
- Log in to the Azure Portal -> Microsoft Entra ID.
- Go to Users and create the users who will connect to the VPN.
- Go to Groups and create a group for those users.
Note: Assign an owner and the members, and copy the group's Object Id; it is needed later when configuring the FortiGate user group.
- Go to Enterprise applications -> New application -> search for 'FortiGate' -> select FortiGate SSL VPN and give it a name.
- Under Users and groups -> Add user/group, assign the group created above.
- Under Single sign-on, select SAML.
- Define the Basic SAML Configuration parameters:
Identifier (Entity ID): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata
Reply URL (Assertion Consumer Service URL): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login
Sign-on URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login
Relay State: optional
Logout URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout
Note: These URLs must match the entity-id, single-sign-on-url and single-logout-url configured later on the FortiGate exactly, including scheme, host and port; a mismatch is the most common cause of a failed SAML login.
- Under Attributes & Claims -> Edit:
- Add a new claim named 'username' (for example with source attribute user.userprincipalname). Its name must match the user-name attribute configured later on the FortiGate SAML server.
- Edit the group claim: under Advanced options -> Customize the name of the group claim, set the name to 'group'. If a Security Group claim already exists, edit its claim name to 'group'. The claim value is the group Object Id, which is what the FortiGate user group matches on.
- Download the 'Certificate (Base64)'.
Note: Remember to re-download this certificate if the FQDN is changed later.
- Copy the Login URL, Azure AD Identifier and Logout URL shown under item 4, 'Set up FortiGate SSL VPN'; they are entered on the FortiGate as idp-single-sign-on-url, idp-entity-id and idp-single-logout-url.
B. Configure the FortiGate SSL VPN with SAML authentication.
- Log in to the FortiGate WebUI -> System -> Certificates -> Import -> Remote Certificate -> upload the SAML certificate (Base64) downloaded from Azure.
- Optional: rename the imported remote certificate to something meaningful (the default imported name is 'REMOTE_Cert#', where # is a number [1-9]).
CLI command:
    config vpn certificate remote
        show
        rename REMOTE_Cert# to AzureSAML-CA
    end
- Configure the remote authentication timeout as needed (the SAML redirect to Azure must complete within this time):
    config system global
        set remoteauthtimeout 60
    end
- Create the SAML IdP (SAML server) object:
CLI command:
    config user saml
        edit "azure-name"
            set cert "<server certificate assigned in SSL-VPN settings>"
            set entity-id "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata"
            set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
            set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
            set idp-entity-id "<Azure AD Identifier>"
            set idp-single-sign-on-url "<Login URL>"
            set idp-single-logout-url "<Logout URL>"
            set idp-cert "<remote certificate imported earlier, e.g. AzureSAML-CA>"
            set user-name "username"
            set group-name "group"
        next
    end
Note: user-name and group-name must be the exact claim names defined in Azure; the cert must be the same server certificate used in the SSL-VPN settings.
- Create the SAML user group:
CLI command:
    config user group
        edit "saml-group01"
            set member "azure-name"
            config match
                edit 0
                    set server-name "azure-name"
                    set group-name "<Group Object Id>"
                next
            end
        next
    end
Note: the group-name is the group Object Id copied from Azure in section A.
- Create a firewall policy for the SSL VPN: source interface ssl.root, source address the SSL VPN IP pool, the SAML user group as the source user group, and the destination interface and addresses the users are allowed to reach.
C. Optional: multiple SSL VPN realms with SAML authentication.
Requirement: each realm needs its own Azure enterprise application, SAML server object and user group (repeat section A for each realm). In the realm's URLs the realm name precedes /remote/, for example https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/<realm name>/remote/saml/login.
- Log in to the FortiGate WebUI -> System -> Feature Visibility -> enable 'SSL-VPN Realms' -> Apply.
- Go to VPN -> SSL-VPN Realms -> Create new (multiple realms can be created, for example FullTunnel and SplitTunnel).
- Go to VPN -> SSL-VPN Portals -> create two new portals (Full Tunnel and Split Tunnel accordingly).
- Give each portal its own SSL VPN IP pool (a separate address range), so that firewall policies can tell the realms apart.
- Go to VPN -> SSL-VPN Settings and, under Authentication/Portal Mapping, map each realm's SAML user group to its portal and realm.
- Firewall policy for SSL VPN with multiple realms: one policy per realm, using that realm's IP pool as the source address and that realm's SAML user group.
D. FortiClient configuration and testing:
- FortiClient setup: create an SSL VPN connection to https://<FortiGate IP address or FQDN>:<Custom SSL VPN port> and enable 'Enable Single Sign On (SSO) for VPN Tunnel'.
- Test the SSL VPN with SAML SSO: the connection should open the Azure sign-in page and, after login, assign an address from the SSL VPN IP pool.
- Test the SSL VPN realms with SAML SSO: repeat the test for each realm and confirm the client receives an address from that realm's pool.
Related documents:
Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ...
Troubleshooting Tip: SSL VPN Troubleshooting