This article describes how to create an SSL VPN with Microsoft Azure SAML authentication with a dual WAN connection on the FortiGate.

SSL VPN with Azure SAML authentication using SSL VPN Realms for dual WAN link redundancy.

Consider a scenario where the FortiGate has dual WAN connections and needs redundancy for SSL-VPN client authenticating using Azure SAML Single Sign-on.

To achieve this, SSL VPN realms must be configured along with creating multiple Azure SAML applications.

It is possible though to create multiple firewall policies with specific firewall groups applied, where only one IdP is referenced at a time in each firewall policy.

However, in the case of SAML authentication for SSL VPN firewall policies where the source interface is the SSL VPN interface and the source user group references a SAML server, the first firewall policy in the list will be used to choose what IdP the SAML request will be sent to.

In this case, any SAML authentication request will be sent to the first IdP matched in the firewall policies configured, and subsequent policies and IdP's will not be triggered, hence the authentication request may fail.

To overcome this design limitation, it is possible to leverage SSL VPN realms.

Only the firewall policies that have a group that matches the request for that realm will be evaluated.

Therefore, the SAML request will be sent to the specific IdP configured for that SAML group.

1. Create SSL-VPN Realms on the FortiGate:

Enable SSL VPN Realms under Feature Visibility.

Under System -> Feature Visibility -> Additional Features and enable the SSL VPN Realms.

Create an SSL VPN realm for each WAN interface.

Go to VPN -> SSL-VPN Realms.

Create an Application for SAML on Azure.

Create a new Application under Azure Portal.

After logging into the Azure Portal, search for 'Enterprise Applications'.

Search for 'FortiGate', select 'FortiGate SSL VPN', and give it a name.

Assign Users and Groups.

Add Users and Groups under 'Add user/group'.

Create Single Sign-on SAML and define the Basic SAML Configuration parameters:

Identifier (Entity ID): https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/metadata

Reply URL (Assertion consumer Service URL):

https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/login

Sign on URL: https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/login

Relay State: Optional

Logout URL: https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/logout

Note.

It is not necessary to add the realm name into the URL path for the entity ID, Reply URL, etc.

Define Attributes & Claims:

Add a New Claim: Edit -> Add new claim.

Add a group claim (Advanced options -> Customize the name of the group claim).

Download the 'Certificate (Base64)'.

Copy all the information that will be needed on the FortiGate SSL VPN configuration.

Follow steps 1-6 again to create a new application for WAN2.

The parameters will be similar but instead of WAN1 IP address, enter WAN2 IP address:

Identifier (Entity ID): https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/metadata

Reply URL (Assertion consumer Service URL):

https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/login

Sign on URL: https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/login

Relay State: Optional

Logout URL: https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/logout

2. Configure FortiGate SSL VPN with SAML Authentication.

   Import the certificates downloaded previously from the Azure application (Step 5) into the FortiGate.

    

   Login to FortiGate WebUI -> System -> Certificates -> Import -> Remote Certificate and upload the downloaded SAML Certificate (Base64):

   Create SAML IDP (Single Sign-On).

    

   On the CLI, enter the following commands for WAN1:

    

   config user saml

       edit "Azure_WAN1"

           set cert "Assigned SSLVPN Certificate"

           set entity-id "https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/metadata"

           set single-sign-on-url "https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/login"

           set single-logout-url "https://<FortiGate IP address or FQDN of WAN1>:<Custom SSL VPN port>/remote/saml/logout"

           set idp-entity-id "<Azure AD Identifier>"

           set idp-single-sign-on-url "<Azure Login URL>"

           set idp-single-logout-url "<Azure Logout URL>"

           set idp-cert "<Azure Certificate Imported earlier>"

           set user-name "username"

           set group-name "group"

           set digest-method sha1

       next

   end

     

   Similarly, create another entry for WAN2:

    

   config user saml

       edit "Azure_WAN2"

           set cert "Assigned SSLVPN Certificate"

           set entity-id "https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/metadata"

           set single-sign-on-url "https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/login"

           set single-logout-url "https://<FortiGate IP address or FQDN of WAN2>:<Custom SSL VPN port>/remote/saml/logout"

           set idp-entity-id "<Azure AD Identifier>"

           set idp-single-sign-on-url "<Azure Login URL>"

           set idp-single-logout-url "<Azure Logout URL>"

           set idp-cert "<Azure Certificate Imported earlier>"

           set user-name "username"

           set group-name "group"

           set digest-method sha1

       next

   end

    

   Alternatively, the above configuration can be done on GUI under User & Authentication -> Single Sign-On -> Create New and fill in all the required details:

    

   

    

   

    

    

   Create SAML Groups:

    

   config user group

       edit "Azure_WAN1"

           set member "Azure_WAN1"

               config match

                   edit 1

                       set server-name "Azure_WAN1"

                       set group-name "<Azure AD Group-ID>"

                   next

               end

       next

   end

    

   On the GUI, it can be configured under User & Authentication -> User Groups -> Create New:

    

   

    

   config user group

       edit "Azure_WAN2"

           set member "Azure_WAN2"

               config match

                   edit 1

                       set server-name "Azure_WAN2"

                       set group-name "<Azure AD Group-ID>"

                   next

           end

       next

   end

    

   

    

   Assign User groups to respective SSL-VPN realm and SSL-VPN portal:

    

   config vpn ssl settings

       config authentication-rule

           edit 1

               set groups "<Group-Name>"

               set portal "<SSL-VPN Portal>"

               set realm "<realm_1>"

           next

           edit 2

               set groups "<Group-Name>"

               set portal "<SSL-VPN Portal>"

               set realm "<realm_2>"

           next

       end

   end

    

   On GUI, this is located under VPN -> SSL-VPN Settings -> Authentication/Portal Mapping:

    

   

    

   Configure the Firewall policies for SSL VPN users. Make sure to create multiple firewall policies, each containing a different SAML user group created in previous steps:

    

   

    

   Using two SAML user group on one firewall policy will result to below error.
   
   

   

    

    

3. Configure FortiClient with a dual Remote Gateway for redundancy.

   If the first WAN link (WAN1) is unreachable, the FortiClient will try on the other WAN link (WAN2).

    

   

    

    

4. Verification.

   SSL VPN users are listed on the 'SSL VPN Monitor' widget from GUI.

   Users are also listed on CLI with the command get vpn ssl monitor:

    

   

    

   Once the WAN1 is unreachable, the FortiClient will try to connect to WAN2 Gateway, which can be verified as below: