Scope:
FortiAuthenticator 6.4.X, or later releases.
FortiGate 7.2.0, or later releases.
FortiClient 7.2.4, or later releases.
Solution:
- Specify the TCP port on which the FortiGate will accept SAML IKEv2 authentication. For the time being, this option is available via the CLI only. On a VDOM-enabled appliance, the config must be executed in the Global VDOM:
config system global
    set auth-ike-saml-port 9443
end
- Specify the certificate which will be presented to the FortiClient. Certificate import guide:
config user setting
    set auth-cert "fgt01.brave.you"
end
- Right now, it is better to preconfigure the FortiAuthenticator as the IdP first, because it allows saving the settings while some fields are still unspecified, which is not possible on the FortiGate side. The SAML IdP settings can be found here:
- SAML IdP settings on the FortiAuthenticator.
- Service Provider template.
- Verify that the SAML service is enabled on the relevant interface of the FortiAuthenticator.
The settings already configured are shown below as a reference:
- SAML IdP General settings:
- For this particular KB article, other SP settings were used. All IdP settings should be configured in the FortiGate's ‘IdP’ settings, and all ‘SP Metadata’ fields should be taken from the FortiGate's ‘Service Provider’ settings:
- The ‘Assertion Attributes’ should also be identical:
- Configure the IdP settings on the FortiGate: go to the GUI -> User & Authentication -> Single Sign-on -> select the ‘Create New’ button:
- Adjust the settings accordingly (every mentioned attribute is underlined in the screenshot below):
a. The ‘Address’ field should be the FortiGate’s SAML IKEv2 listening FQDN/IP and the port set in step 1.
b. All other fields in the FortiGate’s ‘Service Provider Configuration’ section are grayed out and not adjustable. These fields should be copied to the FortiAuthenticator’s Service Provider settings (refer to step 3).
c. There are two options in the ‘Identity Provider Configuration’ type field. For this KB, the type ‘Fortinet Product’ was selected, because the FortiAuthenticator is acting as the IdP server.
For this specific option, these three attributes should be configured in the ‘Identity Provider Configuration’:
a. The IdP’s listening interface.
b. Prefix.
c. A certificate which has been imported to the FortiGate. The certificate can be found in the FortiAuthenticator’s ‘SAML IdP General settings’ in step 3.1.
d. The ‘Additional SAML attributes’ section should be the same as on the SAML IdP (refer to step 3):
These settings are also configurable via the CLI console:
config user saml
    edit "FAC-IPSec"
        set entity-id "http://10.191.35.84:9443/remote/saml/metadata/"
        set single-sign-on-url "https://10.191.35.84:9443/remote/saml/login"
        set single-logout-url "https://10.191.35.84:9443/remote/saml/logout"
        set idp-entity-id "http://10.191.36.157/saml-idp/fc87gp0rbb35vu70/metadata/"
        set idp-single-sign-on-url "https://10.191.36.157/saml-idp/fc87gp0rbb35vu70/login/"
        set idp-single-logout-url "https://10.191.36.157/saml-idp/fc87gp0rbb35vu70/logout/"
        set idp-cert "FAC_Idp"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
- Configure 'ike-saml-server' under the listening interface (the value must exactly match the SAML server name created in the previous step):
config system interface
    edit "port3"
        set ike-saml-server "FAC-IPSec"
    next
end
- Create a remote SAML user group. GUI: go to User & Authentication -> User Groups -> select the 'Create New' button, then specify the SAML server and the group name under ‘Remote Server’:
CLI settings:
config user group
    edit "FAC-IPSec-Gr01"
        set member "FAC-IPSec"
    next
end
- Configure a dial-up IPsec VPN:
config vpn ipsec phase1-interface
    edit "fac-saml-vpn"
        set type dynamic
        set interface "port3"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha1
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set authusrgrp "FAC-IPSec-Gr01"   <-- SAML group.
        set ipv4-start-ip 10.1.1.1
        set ipv4-end-ip 10.1.1.254
        set dns-mode auto
        set psksecret ENC lxorIx6jKIyKMgONO7xeP23mAmONx/ePNMS4l/ERtkpOaIT2mAm6Ga3OHc8R3t7H8/arJvOBYWvk4J003DwVXqhjeFlGmj/Tif/46B4fMJloZpyn0XWhE0IjsoBDOIVIVnWdt5PrHsRew0PZ6U05g6TEWmy99E4qrYpdCPyjzM2A9qzEqoqail3BaaTgfi+7YERI0llmMjY3dkVA
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "fac-saml-vpn"
        set phase1name "fac-saml-vpn"
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 14
        set keylifeseconds 86400
    next
end
- Create a firewall policy for the IPsec traffic:
config firewall policy
    edit 2
        set name "IPSec-vpn"
        set uuid 9c1f013c-eda2-51ed-5c50-93db6dd6a717
        set srcintf "fac-saml-vpn"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS" "NTP"
        set logtraffic all
        set nat enable
    next
end
- FortiClient configuration on the workstation. Fill in the fields according to the settings above:
- Connection outcome. Note that a certificate warning message may appear; refer to step 2:
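The settings above only work when they agree with each other: the SP URLs must carry the port from step 1, the interface's 'ike-saml-server' must name the SAML server from step 4, and phase1 must have EAP enabled (step 7). The following Python script is an added example, not part of this KB or of any Fortinet tool: it parses a FortiOS-style CLI dump and reports any link in that chain that is inconsistent. The sample config is constructed from the values in this article; `parse_fortios` and `check_saml_ikev2_chain` are this example's own names.

```python
import shlex
# Constructed sample mirroring the KB's settings chain (not a real device dump).
SAMPLE_CONFIG = """config system global
 set auth-ike-saml-port 9443
end
config user saml
 edit "FAC-IPSec"
  set entity-id "http://10.191.35.84:9443/remote/saml/metadata/"
  set single-sign-on-url "https://10.191.35.84:9443/remote/saml/login"
  set single-logout-url "https://10.191.35.84:9443/remote/saml/logout"
 next
end
config system interface
 edit "port3"
  set ike-saml-server "FAC-IPSec"
 next
end
config vpn ipsec phase1-interface
 edit "fac-saml-vpn"
  set interface "port3"
  set eap enable
 next
end
"""

def parse_fortios(text):
    """Flatten a FortiOS CLI dump into {(section, entry): {key: [values]}}."""
    cfg, section, entry = {}, "", ""
    for tok in (shlex.split(line) for line in text.splitlines()):
        if tok and tok[0] == "config":
            section, entry = " ".join(tok[1:]), ""   # e.g. "user saml"
        elif tok and tok[0] == "edit":
            entry = tok[1]                            # table entry name
        elif tok and tok[0] == "set":
            cfg.setdefault((section, entry), {})[tok[1]] = tok[2:]
    return cfg

def check_saml_ikev2_chain(text, phase1="fac-saml-vpn"):
    """Return findings for the port -> interface -> SAML server chain; [] means consistent."""
    cfg, bad = parse_fortios(text), []
    get = lambda sec, name, key: cfg.get((sec, name), {}).get(key, [""])[0]
    port = get("system global", "", "auth-ike-saml-port")
    iface = get("vpn ipsec phase1-interface", phase1, "interface")
    server = get("system interface", iface, "ike-saml-server")
    if ("user saml", server) not in cfg:
        bad.append(f"interface {iface!r}: ike-saml-server {server!r} is not a 'user saml' entry")
    for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
        if f":{port}/" not in get("user saml", server, key):
            bad.append(f"{key} does not use auth-ike-saml-port {port}")
    if get("vpn ipsec phase1-interface", phase1, "eap") != "enable":
        bad.append("phase1 needs 'set eap enable' for SAML (EAP) authentication")
    return bad
```

Run it against the output of `show full-configuration` (or the relevant `show` sections) pasted into a file; a name mismatch, including stray whitespace inside the quoted ike-saml-server value, appears as the first finding.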
Troubleshooting:
For troubleshooting, enable the following debugs on the FortiGate, and also enable the RADIUS debug on the FortiAuthenticator:
diag debug console timestamp enable
diag debug app saml -1
diag debug app ike -1
diag debug enable
diag debug disable <-- To disable debugs.
Related document:
SAML-based authentication for FortiClient remote access dialup IPsec VPN clients