Description

This article describes the process of setting up FortiClient to authenticate with a FortiGate IPsec tunnel using Google SAML as an idP.

Scope

• FortiGate on FortiOS v7.2.0+.
• FortiClient version v7.2.4+.
  
  

Solution

Configure SAML SSO.

1. Complete step 2.b. in the FortiClient v7.2.4 IPsec VPN SAML-based authentication guide: IPsec VPN SAML-based authentication 7.2.4.
2. Complete the sections starting from 'Start from the Google admin console' and ending at 'Firewall Rule Example' in Technical Tip: Fortinet SSL VPN with G Suite MFA using SAML and SSO, but with the following changes:
   1. Use whichever port number was selected in step 1.
   2. It is highly recommended to use a public FQDN that resolves to the FortiGate's public IP and that has a certificate for a public CA to avoid certificate errors in the final implementation. Follow the steps in Technical Tip: How to configure Dynamic DNS FortiGate to get one with the built-in dynamic DNS on the FortiGate. To get a certificate for the DDNS FQDN, or another custom FQDN, follow the steps described in Automatically provision a certificate to use the built-in ACME shell on the FortiGate to provision and auto-renew certs for the hostname.

Configure the IPsec Tunnel on the FortiGate.

Complete step 2.d. to 2.e.iv. in IPsec VPN SAML-based authentication - FortiClient 7.2.0 documentation and substitute values to match what was configured in previous steps.

Configure FortiClient.

An example of how to deploy the configuration via FortiClient EMS may be found in IPsec VPN SAML-based authentication under Use Case 1, item 3. The following example shows manual configuration settings for an unmanaged FortiClient. Open FortiClient, select the context menu button, and select Add a new connection:

1. Select IPsec VPN for VPN.
2. Configure a Connection Name.
3. Set the IP or FQDN used for the configuration as the Remote Gateway.
4. Set the Pre-Shared Key configured earlier in the Authentication Method.
5. Select Enable Single Sign On (SSO) for VPN Tunnel.
6. Set the Customize port value to the port selected in the first section.
7. Set IKE to Version 2.

Set Options to Mode Config.

For Phase 1 and Phase 2 settings, configure the settings to match the settings configured on the FortiGate, then select Save:

Select 'connect' on the newly created connection. If all is properly configured, a pop-up to authenticate with Google will be shown. After completion, the client will be successfully connected to the FortiGate.

If the connection does not succeed, the first thing to check is that the SP and idP URLs exactly match both on Google and the FortiGate.

From there, if the process is still not successful, run the following debug commands and attempt the connection to get log output relevant to why the connection is failing.

diagnose debug reset
diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable

Note:

Dial-up IPsec with SAML using an external browser for authentication is supported starting from FortiOS v7.6.1 (Support will be added in v7.4.x future release), FortiClient versions 7.2.5 and 7.4.1 for Mac and Windows, and FortiClient version 7.4.3 for Linux.

Starting from FortiOS v7.2.12, v7.4.9, and v7.6.4, FortiGate verifies the signature for SAML response messages. FortiGate expects both Assertion AND Reply to be signed.

SAML certificate verification