FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ctan
Staff
Staff
Article Id 200812
Description

This article describes how to create an SSL VPN with Azure SAML authentication and optional steps for multiple SSL VPN Realms.

Scope ForitOS.
Solution

The below steps show how to create an SSL VPN with Azure SAML authentication and optional steps for multiple SSL VPN Realms.

 

A. Configure Azure as SAML authentication IdP.

  1. Login to Azure Portal -> Microsoft Entra ID.
  2. Then, go to Users and create new users.
  3. After that, go to Groups.

Notes: remember to assign 'owner and member' and copy the Group Object id, which will be used later when configuring the FortiGate user group.

 

ctan_0-1639162582627.png

 

 

  1. Now, go to Enterprise applications. New application -> search for 'FortiGate' -> Select FortiGate SSL VPN and give it a name.


ctan_1-1639162582636.png

 

  1. Assign users and groups -> Add user/group.
     ctan_2-1639162582641.png

     

ctan_3-1639162582645.png

 

  1. Create Single sign-on SAML.

 

  • Define the Basic SAML Configuration parameters:
    Identifier (Entity ID): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata
    Reply URL (Assertion consumer Service URL): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login
    Sign on URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login
    Relay State: Optional
    Logout URL: FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout

Define Attributes & Claims -> edit.

ctan_4-1639162582646.png
Add a New claim.

  •      Edit the existing Group claim to add the Name 'group' under Advanced options > Customize the name of the group claim.

    ctan_5-1639162582651.png

 

  •         If the Security Group claim already exists, it is possible to edit the Claim Name to 'group'.

 

2024-01-15 14 16 40.png

 

2024-01-15 14 16 40.png

 

2024-01-15 14 26 04.png

 

  1. Download the 'Certificate (Based64)'.

Notes: Remember to re-download this certificate if making changes to the FQDN.

ctan_6-1639162582652.png

 

  1. Copy down the information from item 4 - Set up FortiGate SSL VPN.

    ctan_7-1639162582653.png

 

B. Configure FortiGate SSL VPN with SAML authentication.

  1. Login to FortiGate WebUI -> System -> Certificates -> Import -> Remote Certificate -> and upload the downloaded SAML Certificate (Base64).
  • Optional: May change the imported remote certificate to make sense of the certificate name (default imported naming 'REMOTE_Cert#' where # is a number [1-9]).

 

CLI command:


# conf vpn certificate remote
    show
    rename REMOTE_Cert# to AzureSAML-CA
end

 

  1. Configure the remote authentication timeout value as needed

config system global
      set remoteauthtimeout 60
  end

  1. Create SAML IDP:


    CLI command:


    conf user saml
        edit “azure-name”
            set cert "SSL-VPN settings assigned Server Certificate"
            set entity-id "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata"

            set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
            set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
            set idp-entity-id "<Azure AD identifier>"
            set idp-single-sign-on-url "<Login URL>"
            set idp-single-logout-url "<Logout URL>"
            set idp-cert "<Certificate imported earlier>"
            set user-name "username"
            set group-name "group"
        next
    end

  2. Create SAML Group.
    CLI command:


    conf user group
        edit “saml-group01”
            set member “azure-name”
                config match
                    edit 0
                        set server-name “azure-name”
                        set group-name <Group Object id>     Note: from Subject A item steps 2.
                    next

                end
         next
    end

     

  3. Firewall policy for SSL VPN:

    ctan_8-1639162582655.png

     

 

C. Optional: May create Multi SSL VPN Realms with SAML authentication.

Requirement: Create multiple SAML users and groups (refer to A. Configure Azure as SAML authentication IDP steps).

  1. Login to FortiGate WebUI -> System Feature Visibility -> enable “SSL-VPN Realms” -> Apply.
  2. Go to VPN -> SSL-VPN Realms -> Create new  (notes: may create multiple realms, for example, FullTunnel and SplitTunnel).

    ctan_9-1639162582656.png

     

  3. Go to VPN -> SSL-VPN Portals -> Create 2 new portals (Full Tunnel and Split Tunnel accordingly).
    • May separate them with the different SSLVPN IP subnet:

      ctan_10-1639162582657.png

       

       ctan_11-1639162582658.png

       

  4. Go to VPN -> SSL VPN Settings and make sure to have similar output as the below screenshot:

    ctan_12-1639162582660.png
  5. Firewall policy for SSL VPN with multiple realms:

    ctan_13-1639162582662.png

D. FortiClient configuration and testing:

  1. FortiClient setup.
    1. SSL VPN with SAML SSO.

      FortiClient_Test.png

       

      ctan_15-1639162582668.png

       

    2. SSL VPN realms with SAML SSO:

      FortiClient_Test02.png

       

      FortiClient_Test03.png

       

      ctan_18-1639162582677.png

Related documents:

Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ...

Troubleshooting Tip: SSL VPN Troubleshooting