FortiGate
MJ_FTNT (Staff)
Article Id 245214
Description

This article describes how to set up SSL VPN with Microsoft Azure SAML authentication on a FortiGate that has dual WAN connections, using one SSL VPN realm and one Azure SAML application per WAN link so that authentication keeps working when either link fails.

Scope

SSL VPN with Azure SAML authentication using SSL VPN realms for dual WAN link redundancy.

Consider a scenario where the FortiGate has dual WAN connections and needs redundancy for SSL VPN clients authenticating with Azure SAML single sign-on.

To achieve this, one SSL VPN realm is configured per WAN interface, and a separate Azure SAML application is created for each realm, because each application's Entity ID and Reply URL point at a single FortiGate WAN address.

It might seem enough to create multiple firewall policies, each with its own SAML user group, so that only one IdP is referenced in each policy.

However, for SSL VPN firewall policies whose source interface is the SSL VPN interface and whose source user group references a SAML server, the first matching firewall policy in the list determines which IdP the SAML request is sent to.

Every SAML authentication request is therefore sent to the IdP of the first matched policy; the subsequent policies and their IdPs are never triggered, so authentication fails for users connecting through the other WAN link.

SSL VPN realms overcome this design limitation. When a client connects to a realm, only the firewall policies whose group is mapped to that realm are evaluated, so the SAML request is sent to the IdP configured for that realm's SAML group.

Solution
  1. Create SSL-VPN Realms on the FortiGate:

    Enable SSL-VPN Realms under System -> Feature Visibility -> Additional Features.

 

    Go to VPN -> SSL-VPN Realms and create one realm per WAN interface (referred to below as realm_1 for WAN1 and realm_2 for WAN2).

  2. Create an application for SAML on Azure:

    1. Create a new application in the Azure Portal.

    After logging into the Azure Portal, search for 'Enterprise Applications'.

    Search for 'FortiGate', select 'FortiGate SSL VPN', and give it a name.

    2. Assign users and groups.

    Add users and groups under 'Add user/group'.

    3. Set up single sign-on with SAML and define the Basic SAML Configuration parameters:

    Identifier (Entity ID): https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/metadata
    Reply URL (Assertion Consumer Service URL): https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/login
    Sign on URL: https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/login
    Relay State: optional
    Logout URL: https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/logout

    Note: the realm name does not need to be added to the URL path of the Entity ID, Reply URL or the other URLs.

 

    4. Define Attributes & Claims:

    Add a new claim: Edit -> Add new claim.

    Add a group claim (Advanced options -> Customize the name of the group claim). The claim names chosen here must match the user-name and group-name values configured later on the FortiGate SAML server.

    5. Download the 'Certificate (Base64)'.

    6. Copy the remaining values needed for the FortiGate SSL VPN configuration: Login URL, Azure AD Identifier and Logout URL.

    Repeat steps 1-6 to create a second application for WAN2. The parameters are the same except that the WAN2 address replaces the WAN1 address:

 

    Identifier (Entity ID): https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/metadata
    Reply URL (Assertion Consumer Service URL): https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/login
    Sign on URL: https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/login
    Relay State: optional
    Logout URL: https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/logout

  3. Configure FortiGate SSL VPN with SAML authentication:

    Import the 'Certificate (Base64)' downloaded from each Azure application (step 5) into the FortiGate, one certificate per application.

    Log in to the FortiGate GUI -> System -> Certificates -> Import -> Remote Certificate and upload the downloaded certificate.

    Create the SAML IdP (Single Sign-On) entries, one per WAN link.

     

    On the CLI, enter the following commands for WAN1. 'cert' is the FortiGate certificate assigned to the SSL VPN portal, 'idp-cert' is the Azure certificate imported above, and 'user-name' and 'group-name' are the claim names defined in the Azure application:

    config user saml
        edit "Azure_WAN1"
            set cert "Assigned SSLVPN Certificate"
            set entity-id "https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/metadata"
            set single-sign-on-url "https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/login"
            set single-logout-url "https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/logout"
            set idp-entity-id "<Azure AD Identifier>"
            set idp-single-sign-on-url "<Azure Login URL>"
            set idp-single-logout-url "<Azure Logout URL>"
            set idp-cert "<Azure Certificate Imported earlier>"
            set user-name "username"
            set group-name "group"
            set digest-method sha1
        next
    end

      

    Similarly, create another entry for WAN2, using the WAN2 address in the three SP URLs and the values of the second Azure application:

    config user saml
        edit "Azure_WAN2"
            set cert "Assigned SSLVPN Certificate"
            set entity-id "https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/metadata"
            set single-sign-on-url "https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/login"
            set single-logout-url "https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/logout"
            set idp-entity-id "<Azure AD Identifier>"
            set idp-single-sign-on-url "<Azure Login URL>"
            set idp-single-logout-url "<Azure Logout URL>"
            set idp-cert "<Azure Certificate Imported earlier>"
            set user-name "username"
            set group-name "group"
            set digest-method sha1
        next
    end

     

    Alternatively, the same configuration can be done in the GUI under User & Authentication -> Single Sign-On -> Create New by filling in the same details.

    Create one SAML user group per SAML server. The group-name in the match entry is the Object ID of the Azure AD group, which is the value Azure sends in the group claim:

    config user group
        edit "Azure_WAN1"
            set member "Azure_WAN1"
            config match
                edit 1
                    set server-name "Azure_WAN1"
                    set group-name "<Azure AD Group-ID>"
                next
            end
        next
    end

     

    In the GUI, this is configured under User & Authentication -> User Groups -> Create New.

    Create the second group for WAN2 in the same way:

    config user group
        edit "Azure_WAN2"
            set member "Azure_WAN2"
            config match
                edit 1
                    set server-name "Azure_WAN2"
                    set group-name "<Azure AD Group-ID>"
                next
            end
        next
    end

     


    Assign each user group to its own SSL-VPN realm and an SSL-VPN portal, so that a client connecting to realm_1 is only ever matched against the WAN1 SAML group and a client connecting to realm_2 against the WAN2 group:

    config vpn ssl settings
        config authentication-rule
            edit 1
                set groups "Azure_WAN1"
                set portal "<SSL-VPN Portal>"
                set realm "<realm_1>"
            next
            edit 2
                set groups "Azure_WAN2"
                set portal "<SSL-VPN Portal>"
                set realm "<realm_2>"
            next
        end
    end

     

    In the GUI, this is located under VPN -> SSL-VPN Settings -> Authentication/Portal Mapping.

    Configure the firewall policies for SSL VPN users. Create one firewall policy per SAML user group created in the previous steps, each with the SSL VPN interface as source interface and a single SAML user group as source user.

    Using two SAML user groups in one firewall policy is rejected by FortiOS with an error when the policy is saved.
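The two constraints above (a policy may not carry groups from two SAML servers, and without realms the first matching SSL VPN policy picks the IdP, as described under Scope) can be checked on a configuration dump before anything is deployed. The following linter is an added example, not code from this article or from Fortinet: it reads FortiOS CLI text with a minimal config/edit/set/next/end reader and runs over a constructed sample configuration whose names (Azure_WAN1, Azure_WAN2, realm_1, realm_2, the policy IDs) are placeholders chosen for the demo.

```python
# Added example, not from the Fortinet article: a linter for the two SAML pitfalls the
# article describes, run over a constructed FortiOS config with placeholder names.
import shlex

def parse_fortios(text):
    """Minimal FortiOS CLI reader: table -> entry -> {key: [values]}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] in ("config", "edit"):     # nested blocks hang off the current entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def saml_groups(cfg):
    """user group -> set of 'user saml' servers backing it (via member or match)."""
    servers, backed = set(cfg.get("user saml", {})), {}
    for name, grp in cfg.get("user group", {}).items():
        srv = set(grp.get("member", [])) & servers
        for m in grp.get("match", {}).values():
            srv |= set(m.get("server-name", [])) & servers
        if srv:
            backed[name] = srv
    return backed

def sslvpn_policies(cfg):
    """Firewall policies whose source interface is an SSL VPN interface (ssl.<vdom>)."""
    return {pid: p for pid, p in cfg.get("firewall policy", {}).items()
            if any(i.startswith("ssl.") for i in p.get("srcintf", []))}

def check_policies(cfg):
    """Pitfall 1: one policy carrying groups from two SAML servers (FortiOS rejects it)."""
    backed, out = saml_groups(cfg), []
    for pid, pol in sslvpn_policies(cfg).items():
        srv = set().union(*(backed.get(g, set()) for g in pol.get("groups", [])))
        if len(srv) > 1:
            out.append(f"policy {pid}: groups backed by several SAML servers {sorted(srv)}")
    return out

def check_realms(cfg):
    """Pitfall 2: groups for different SAML servers must not share a realm (including the
    default realm), otherwise the first matching policy decides which IdP is used."""
    backed, out, realm_of, realm_servers = saml_groups(cfg), [], {}, {}
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    for rule in rules.values():
        for g in rule.get("groups", []):
            realm_of.setdefault(g, set()).add((rule.get("realm") or [""])[0])
    for pol in sslvpn_policies(cfg).values():
        for g in pol.get("groups", []):
            for realm in realm_of.get(g, {""}):   # unmapped groups sit in the default realm
                realm_servers.setdefault(realm, set()).update(backed.get(g, set()))
    for realm, srv in realm_servers.items():
        if len(srv) > 1:
            out.append(f"realm {realm or '(default)'}: shared by groups for {sorted(srv)}; "
                       "only the first matching policy's IdP is ever used")
    return out

def lint(text):
    cfg = parse_fortios(text)
    return check_policies(cfg) + check_realms(cfg)

# Constructed sample in the shape of 'show' output; names are placeholders.
SAMPLE_CONFIG = """\
config user saml
    edit "Azure_WAN1"
    next
    edit "Azure_WAN2"
    next
end
config user group
    edit "Azure_WAN1"
        set member "Azure_WAN1"
    next
    edit "Azure_WAN2"
        set member "Azure_WAN2"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Azure_WAN1"
            set realm "realm_1"
        next
        edit 2
            set groups "Azure_WAN2"
            set realm "realm_2"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set groups "Azure_WAN1"
    next
    edit 3
        set srcintf "ssl.root"
        set groups "Azure_WAN1" "Azure_WAN2"
    next
end
"""
# Same config with the realm mappings removed: the first-policy-wins case from Scope.
NO_REALM_CONFIG = SAMPLE_CONFIG.replace('set realm "realm_1"', "").replace('set realm "realm_2"', "")

if __name__ == "__main__":
    print(lint(SAMPLE_CONFIG), lint(NO_REALM_CONFIG), sep="\n")
```

To use it on a real unit, concatenate the output of show user saml, show user group, show vpn ssl settings and show firewall policy into one file and pass the text to lint(). On the sample, the realm check is clean and only policy 3 is reported; once the realm mappings are stripped, the default realm is shared by both SAML servers and the second finding appears, which is exactly the configuration the Scope section warns against.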

     

  4. Configure FortiClient with dual remote gateways for redundancy:

    If the first WAN link (WAN1) is unreachable, FortiClient tries the other WAN link (WAN2). In the FortiClient SSL VPN tunnel settings, enter both gateways in the Remote Gateway field separated by a semicolon, with the realm name appended to each (for example <WAN1 address>/<realm_1>;<WAN2 address>/<realm_2>), and set the SSL VPN port under 'Customize port'. Each gateway is then reached through the realm whose SAML group points at that WAN link's Azure application.

  5. Verification:

    SSL VPN users are listed in the 'SSL VPN Monitor' widget in the GUI and on the CLI with the command get vpn ssl monitor.

    Once WAN1 is unreachable, FortiClient connects to the WAN2 gateway instead, which can be verified in the same monitor output.

    If authentication fails on either link, the SAML exchange can be traced on the CLI with diagnose debug application samld -1 followed by diagnose debug enable.