The steps below show how to create an SSL VPN with Azure SAML authentication, with optional steps for multiple SSL VPN realms.
A. Configure Azure as SAML authentication IdP
- Log in to the Azure Portal > Manage Azure Active Directory
- Go to Users and create the new users
- After that, go to Groups
Note: assign both an owner and the members, and copy the Group Object ID; it is needed later when configuring the FortiGate user group
- Now, go to Enterprise applications
- New application > search for “FortiGate” > select FortiGate SSL VPN and give it a name
- Assign users and groups > Add user/group
- Under Single sign-on, select SAML

- Define the Basic SAML Configuration parameters:
  Identifier (Entity ID): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata
  Reply URL (Assertion Consumer Service URL): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login/
  Sign on URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/login
  Relay State: optional
  Logout URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout
- Go to Attributes & Claims > Edit
- Add a new claim (the FortiGate SAML configuration below expects a user-name claim named “username”)

- Edit the existing group claim: under Advanced options > Customize the name of the group claim, set the Name to “group”

- Download the “Certificate (Base64)”
Note: re-download this certificate if you change the FQDN
- Copy the values shown in item 4, Set up FortiGate SSL VPN (Login URL, Azure AD Identifier, Logout URL)

B. Configure FortiGate SSL VPN with SAML authentication
- Log in to the FortiGate WebUI > System > Certificates > Import > Remote Certificate > and upload the downloaded SAML certificate (Base64)
- Optional: rename the imported remote certificate to something meaningful (the default imported name is “REMOTE_Cert#”, where # is a number [1-9]); use show to find the number, then rename it
# CLI command
config vpn certificate remote
    show
    rename REMOTE_Cert# to AzureSAML-CA
end
- Create the SAML IdP (the entity-id, single-sign-on-url and single-logout-url must match what was entered in Azure; the idp-* values come from item 4 in Azure)
# CLI command
config user saml
    edit "azure-name"
        set cert "<SSL-VPN settings assigned server certificate>"
        set entity-id "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata"
        set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
        set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
        set idp-entity-id "<Azure AD Identifier>"
        set idp-single-sign-on-url "<Login URL>"
        set idp-single-logout-url "<Logout URL>"
        set idp-cert "<Certificate imported earlier, e.g. AzureSAML-CA>"
        set user-name "username"
        set group-name "group"
    next
end
- Create the SAML group (group-name is the Azure Group Object ID copied in section A when the group was created)
# CLI command
config user group
    edit "saml-group01"
        set member "azure-name"
        config match
            edit 0
                set server-name "azure-name"
                set group-name "<Group Object ID>"
            next
        end
    next
end
- Create a firewall policy for the SSL VPN that references the SAML group
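As an added example (not from the original post), here is a FortiOS CLI firewall policy that admits only members of the SAML group created above, arriving on the SSL VPN tunnel interface. The LAN interface port2 and the policy name are assumptions; ssl.root is the SSL VPN interface of the root VDOM and SSLVPN_TUNNEL_ADDR1 is the default tunnel address pool object.

```fortios
# Added example (not from the original post): port2 and the policy name are assumptions
config firewall policy
    edit 0
        set name "SSLVPN-Azure-SAML"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "saml-group01"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Restricting srcaddr to the tunnel pool and groups to the SAML group means a user who authenticates to Azure but is not in the matched Group Object ID gets no policy match and no access; logging all traffic on this policy gives the audit trail for VPN sessions.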
C. Optional: multiple SSL VPN realms with SAML authentication
Requirement: create multiple SAML users and groups in Azure (repeat the steps in A. Configure Azure as SAML authentication IdP)
- Log in to the FortiGate WebUI > System > Feature Visibility > enable “SSL-VPN Realms” > Apply
- Go to VPN > SSL-VPN Realms > Create new (you may create multiple realms, for example FullTunnel and SplitTunnel)
- Go to VPN > SSL-VPN Portals > create two new portals (Full Tunnel and Split Tunnel accordingly)
- Optionally separate them with different SSL VPN IP subnets
- Go to VPN > SSL-VPN Settings and check that the settings match the screenshot below

- Create firewall policies for the SSL VPN with multiple realms (one per realm group)
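Section C gives no CLI, so the following is an added example (not from the original post or Fortinet's documentation) of a complete two-realm configuration: a dedicated IP pool and portal per realm, one SAML server per realm, a user group per realm matched on its Azure Group Object ID, and the authentication rules in SSL-VPN settings that bind each group to its realm and portal. The hostname vpn.example.com, port 10443, the realm, portal, pool and group names, the address ranges and the certificate name are assumptions; the realm path in the SP URLs (/<realm>/remote/saml/...) is assumed to match the Identifier and Reply URL you enter in a separate Azure enterprise application for each realm. Replace <tenant-id> and the Group Object IDs with your own values.

```fortios
# Added example (not from the original post); names, addresses, <tenant-id> and Group Object IDs are assumptions
config firewall address
    edit "SSLVPN_FULL_POOL"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "SSLVPN_SPLIT_POOL"
        set type iprange
        set start-ip 10.212.135.200
        set end-ip 10.212.135.210
    next
    edit "Internal_LAN"
        set subnet 192.168.10.0 255.255.255.0
    next
end
# The realm name becomes the URL path prefix, e.g. https://vpn.example.com:10443/fulltunnel/
config vpn ssl web realm
    edit "fulltunnel"
    next
    edit "splittunnel"
    next
end
config vpn ssl web portal
    edit "FullTunnel"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_FULL_POOL"
    next
    edit "SplitTunnel"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "Internal_LAN"
        set ip-pools "SSLVPN_SPLIT_POOL"
    next
end
# One SAML server per realm: the SP URLs carry the realm path, so each realm has its own Azure app
config user saml
    edit "azure-fulltunnel"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com:10443/fulltunnel/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com:10443/fulltunnel/remote/saml/login"
        set single-logout-url "https://vpn.example.com:10443/fulltunnel/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "AzureSAML-CA"
        set user-name "username"
        set group-name "group"
    next
    edit "azure-splittunnel"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com:10443/splittunnel/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com:10443/splittunnel/remote/saml/login"
        set single-logout-url "https://vpn.example.com:10443/splittunnel/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "AzureSAML-CA"
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "saml-group-full"
        set member "azure-fulltunnel"
        config match
            edit 1
                set server-name "azure-fulltunnel"
                set group-name "<FullTunnel Group Object ID>"
            next
        end
    next
    edit "saml-group-split"
        set member "azure-splittunnel"
        config match
            edit 1
                set server-name "azure-splittunnel"
                set group-name "<SplitTunnel Group Object ID>"
            next
        end
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    config authentication-rule
        edit 1
            set groups "saml-group-full"
            set portal "FullTunnel"
            set realm "fulltunnel"
        next
        edit 2
            set groups "saml-group-split"
            set portal "SplitTunnel"
            set realm "splittunnel"
        next
    end
end
```

The group match uses the Group Object ID rather than the display name because the object ID is immutable, so a renamed group in Azure cannot silently change who lands in which realm. The firewall policies follow the same pattern as in section B, one per group, with the realm's own pool as srcaddr. If the entity-id or single-sign-on-url on the FortiGate disagrees with the Identifier or Reply URL of the matching Azure application, Azure rejects the login before any assertion reaches the FortiGate, which is the first thing to check when a realm's login fails.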

D. FortiClient configuration and testing:
- FortiClient setup
- SSL VPN with SAML SSO
- SSL VPN realms with SAML SSO

Useful links:
- Fortinet Documentation: https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/azure-administration-guide/584456/co...
- Fortinet Community KB, FortiGate WebUI Administrator with SAML SSO: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-FortiGate/t...
- SSL VPN Troubleshooting: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542