The below steps show how to create an SSL VPN with Azure SAML authentication and optional steps for multiple SSL VPN Realms.
A. Configure Azure as SAML authentication IdP.
- Login to Azure Portal -> Manage Azure Active Directory.
- Then, go to Users and create new users.
- After that, go to Groups.
Notes: remember to assign 'owner and member' and copy the Group Object id, which will be used later when configuring the FortiGate user group.
- Now, go to Enterprise applications. New application -> search for 'FortiGate' -> Select FortiGate SSL VPN and give it a name.
- Assign users and groups -> Add user/group.
- Create Single sign-on SAML.
- Define the Basic SAML Configuration parameters:
  Identifier (Entity ID): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata
  Reply URL (Assertion Consumer Service URL): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login
  Sign on URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login
  Relay State: Optional
  Logout URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout
- Define Attributes & Claims -> Edit.
- Add a new claim.
- Edit the existing Group claim to add the Name 'group' under Advanced options > Customize the name of the group claim.
- If the Security Group claim already exists, it is possible to edit the Claim Name to 'group'.
- Download the 'Certificate (Base64)'.
Notes: Remember to re-download this certificate if making changes to the FQDN.
- Copy the values shown under item 4, 'Set up FortiGate SSL VPN' (Login URL, Azure AD Identifier and Logout URL); they are needed when creating the SAML IdP on the FortiGate.
B. Configure FortiGate SSL VPN with SAML authentication.
- Login to FortiGate WebUI -> System -> Certificates -> Import -> Remote Certificate and upload the downloaded SAML Certificate (Base64).
- Optional: rename the imported remote certificate to something meaningful (the default imported name is 'REMOTE_Cert#', where # is a number [1-9]).
CLI command:
config vpn certificate remote
    show
    rename REMOTE_Cert# to AzureSAML-CA
end
- Create SAML IDP:
CLI command:
config user saml
    edit "azure-name"
        set cert "SSL-VPN settings assigned Server Certificate"
        set entity-id "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata"
        set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
        set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
        set idp-entity-id "<Azure AD identifier>"
        set idp-single-sign-on-url "<Login URL>"
        set idp-single-logout-url "<Logout URL>"
        set idp-cert "<Certificate imported earlier>"
        set user-name "username"
        set group-name "group"
    next
end
- Create SAML Group.
CLI command:
config user group
    edit "saml-group01"
        set member "azure-name"
        config match
            edit 0
                set server-name "azure-name"
                set group-name <Group Object id>
            next
        end
    next
end
Note: <Group Object id> is the Azure group Object ID copied in section A (Groups step).
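As an added example (not Fortinet's code and not part of the original article), the following Python script parses an Azure AD SAML federation metadata document and renders the 'config user saml' block of section B from it, so the IdP entity ID and login/logout URLs are copied rather than retyped, and the FortiGate-side URLs it derives are the same strings that must be entered in the Azure Basic SAML Configuration. The metadata is a constructed sample with a placeholder tenant ID and certificate; the names azure-name, fgt-server-cert and AzureSAML-CA are assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample of Azure AD federation metadata (placeholder tenant id and certificate).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>MIIC+PLACEHOLDER/CERT==</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    # Pull the IdP entity id, the HTTP-Redirect SSO/SLO URLs and the signing cert (base64).
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    def redirect_location(tag):
        for svc in idp.findall("md:" + tag, NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        raise ValueError(tag + " with HTTP-Redirect binding not found")
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"idp_entity_id": root.get("entityID"),
            "sso_url": redirect_location("SingleSignOnService"),
            "slo_url": redirect_location("SingleLogoutService"),
            "cert_b64": "".join(cert.text.split())}

def sp_urls(fqdn, port):
    # FortiGate (SP) URLs; Azure's Identifier, Reply URL and Logout URL must be these exact strings.
    base = "https://%s:%d/remote/saml/" % (fqdn, port)
    return {"entity_id": base + "metadata", "acs": base + "login", "slo": base + "logout"}

def fortigate_saml_config(meta, fqdn, port, name, server_cert, idp_cert_name):
    # Render the 'config user saml' block of section B from the parsed values.
    sp = sp_urls(fqdn, port)
    lines = ["config user saml", '    edit "%s"' % name,
             '        set cert "%s"' % server_cert,
             '        set entity-id "%s"' % sp["entity_id"],
             '        set single-sign-on-url "%s"' % sp["acs"],
             '        set single-logout-url "%s"' % sp["slo"],
             '        set idp-entity-id "%s"' % meta["idp_entity_id"],
             '        set idp-single-sign-on-url "%s"' % meta["sso_url"],
             '        set idp-single-logout-url "%s"' % meta["slo_url"],
             '        set idp-cert "%s"' % idp_cert_name,
             '        set user-name "username"', '        set group-name "group"',
             "    next", "end"]
    return "\n".join(lines)
```

The cert_b64 value can be compared with the 'Certificate (Base64)' file imported in the first step of section B to confirm the FortiGate holds the same signing certificate that Azure currently advertises.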
- Firewall policy for SSL VPN:
C. Optional: create multiple SSL VPN realms with SAML authentication.
Requirement: create multiple SAML users and groups (refer to the steps in section A, Configure Azure as SAML authentication IdP).
- Login to FortiGate WebUI -> System -> Feature Visibility -> enable "SSL-VPN Realms" -> Apply.
- Go to VPN -> SSL-VPN Realms -> Create new (note: multiple realms may be created, for example FullTunnel and SplitTunnel).
- Go to VPN -> SSL-VPN Portals -> Create 2 new portals (Full Tunnel and Split Tunnel accordingly).
- Optionally separate the portals by assigning each a different SSL VPN IP subnet:
- Go to VPN -> SSL VPN Settings and make sure the settings match the screenshot below:
- Firewall policy for SSL VPN with multiple realms:
D. FortiClient configuration and testing:
- FortiClient setup.
- SSL VPN with SAML SSO.
- SSL VPN realms with SAML SSO:
Related documents:
Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ...
Troubleshooting Tip: SSL VPN Troubleshooting