ctan
Staff
Description

This article describes how to create an SSL VPN with Azure SAML authentication, with optional steps for multiple SSL VPN realms.

Scope: FortiOS
Solution

The steps below show how to create an SSL VPN with Azure SAML authentication, followed by optional steps for multiple SSL VPN realms.

A. Configure Azure as SAML authentication IdP

  1. Log in to the Azure Portal > Manage Azure Active Directory
  2. Go to Users and create the new users
  3. Go to Groups and create a group

Note: assign the users as "owner and member", and copy the Group Object Id; it is used later when configuring the FortiGate user group.

  4. Go to Enterprise applications
    1. New application > search for "FortiGate" > select FortiGate SSL VPN and give it a name
  5. Assign users and groups > Add user/group
  6. Set up Single sign-on > SAML

  • Define the Basic SAML Configuration parameters:
    Identifier (Entity ID): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata
    Reply URL (Assertion Consumer Service URL): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login/
    Sign on URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/login
    Relay State: optional
    Logout URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout

  • Define Attributes & Claims > Edit
    • Add a new claim
    • Edit the existing group claim: under Advanced options > Customize the name of the group claim, set the Name to "group"

  7. Download the "Certificate (Base64)"
    Note: re-download this certificate if the FQDN is changed later, because the SP identifier changes with it.


  8. Copy the information from item 4, "Set up FortiGate SSL VPN" (Login URL, Azure AD Identifier and Logout URL); these are the IdP values entered on the FortiGate.


B. Configure FortiGate SSL VPN with SAML authentication

  1. Log in to the FortiGate WebUI > System > Certificates > Import > Remote Certificate, and upload the downloaded SAML certificate (Base64)
    • Optional: rename the imported remote certificate to something meaningful (the default imported name is "REMOTE_Cert#", where # is a number 1-9):
      # CLI command
      config vpn certificate remote
          show
          rename REMOTE_Cert# to AzureSAML-CA
      end
  2. Create the SAML IdP (the SP-side URLs must match the Identifier, Reply URL and Logout URL entered in Azure, including the custom SSL VPN port)
    # CLI command
    config user saml
        edit "azure-name"
            set cert "<Server Certificate assigned in SSL-VPN settings>"
            set entity-id "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata"
            set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
            set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
            set idp-entity-id "<Azure AD Identifier>"
            set idp-single-sign-on-url "<Login URL>"
            set idp-single-logout-url "<Logout URL>"
            set idp-cert "<remote certificate imported earlier, e.g. AzureSAML-CA>"
            set user-name "username"
            set group-name "group"
        next
    end
  3. Create the SAML user group (the match rule uses the Group Object Id copied in section A; the attribute name "group" was set in the Azure group claim)
    # CLI command
    config user group
        edit "saml-group01"
            set member "azure-name"
            config match
                edit 0
                    set server-name "azure-name"
                    set group-name "<Group Object Id>"
                next
            end
        next
    end
  4. Create the firewall policy for the SSL VPN, using the SAML user group created above as the source user group.


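The following is an added example, not code from the article: it derives the FortiGate SP-side URLs from one host and port, checks them against the values entered in Azure's Basic SAML Configuration (a trailing slash is tolerated, anything else is reported), and renders the config user saml and config user group blocks above. The host name, port, certificate names and Group Object Id it is called with are constructed placeholders.

```python
# Added example, not from the original article: build the FortiGate SP-side
# SAML values, cross-check them against Azure's Basic SAML Configuration, and
# render the section B CLI. All host/port/certificate/Object Id values are constructed.
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)  # Azure Object Id format

def sp_urls(host, port=443):
    """SP endpoints that Azure and FortiOS must both carry, custom port included."""
    base = f"https://{host}:{port}"
    return {"entity-id": f"{base}/remote/saml/metadata",
            "single-sign-on-url": f"{base}/remote/saml/login",
            "single-logout-url": f"{base}/remote/saml/logout"}

def check_azure_side(azure, fgt):
    """Return mismatches between Azure's Basic SAML values and the FortiGate SP
    values (trailing slash tolerated); an empty list means the two sides agree."""
    pairs = {"Identifier (Entity ID)": "entity-id",
             "Reply URL": "single-sign-on-url", "Logout URL": "single-logout-url"}
    return [f"{ak}: Azure '{azure.get(ak, '')}' vs FortiGate '{fgt[fk]}'"
            for ak, fk in pairs.items()
            if azure.get(ak, "").rstrip("/") != fgt[fk].rstrip("/")]

def render_cli(name, host, port, idp, group_object_id, server_cert, idp_cert):
    """Emit the 'config user saml' and 'config user group' blocks of section B.
    idp holds the three values copied from Azure's 'Set up FortiGate SSL VPN' item."""
    if not GUID_RE.match(group_object_id):
        raise ValueError("group-name must be the Azure group Object Id (a GUID)")
    u = sp_urls(host, port)
    saml = ["config user saml", f'    edit "{name}"',
            f'        set cert "{server_cert}"',
            f'        set entity-id "{u["entity-id"]}"',
            f'        set single-sign-on-url "{u["single-sign-on-url"]}"',
            f'        set single-logout-url "{u["single-logout-url"]}"',
            f'        set idp-entity-id "{idp["Azure AD Identifier"]}"',
            f'        set idp-single-sign-on-url "{idp["Login URL"]}"',
            f'        set idp-single-logout-url "{idp["Logout URL"]}"',
            f'        set idp-cert "{idp_cert}"',
            '        set user-name "username"', '        set group-name "group"',
            "    next", "end"]
    group = ["config user group", f'    edit "{name}-group"', f'        set member "{name}"',
             "        config match", "            edit 0",
             f'                set server-name "{name}"',
             f'                set group-name "{group_object_id}"',
             "            next", "        end", "    next", "end"]
    return "\n".join(saml + group)
```
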
C. Optional: create multiple SSL VPN realms with SAML authentication

Requirement: create multiple SAML users and groups (refer to section A, Configure Azure as SAML authentication IdP).

  1. Log in to the FortiGate WebUI > System > Feature Visibility > enable "SSL-VPN Realms" > Apply
  2. Go to VPN > SSL-VPN Realms > Create New (note: multiple realms may be created, for example FullTunnel and SplitTunnel)

  3. Go to VPN > SSL-VPN Portals > create two new portals (Full Tunnel and Split Tunnel, respectively)
    • Optionally separate them with different SSL VPN IP subnets

  4. Go to VPN > SSL-VPN Settings and verify that the configuration matches the realms and portals created above, with each realm mapped to its portal and SAML group
  5. Create the firewall policies for the SSL VPN with multiple realms

D. FortiClient configuration and testing

  1. FortiClient setup
    1. SSL VPN with SAML SSO (FortiClient test; screenshots omitted)
    2. SSL VPN realms with SAML SSO (FortiClient tests; screenshots omitted)

Useful links:
Fortinet Documentation: https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/azure-administration-guide/584456/co...
Fortinet Community KB:
FortiGate WebUI Administrator with SAML SSO: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-FortiGate/t...

SSL VPN Troubleshooting: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542
