agrakov
Staff
Article Id 225424
Description

This article describes how to configure FortiGate Wi-Fi with Google SAML authentication and how to troubleshoot it.

Scope

FortiGate 7.0.5 and above.
Solution

This section covers the FortiGate Wi-Fi configuration with Google SAML authentication and how to troubleshoot it.

 

The FortiGate acts as the Service Provider (SP) and Google acts as the Identity Provider (IdP).

SP: provides the service (here, access through the Wi-Fi captive portal).

IdP: proves the user's identity and performs the authentication.

 

From FortiOS 7.0.5 and up, it is possible to configure Wi-Fi Access with SAML authentication.

 

By default, the FortiGate listens on port 1000 for HTTP and on port 1003 for HTTPS authentication (captive portal) traffic. The SP URLs in the SAML template use these ports: the entity-id uses the HTTP port and the sign-on/logout URLs use the HTTPS port, so if the ports below are changed, the template must be changed to match.

 

# config system global

    set auth-http-port 1000

    set auth-https-port 1003 

end

 

Template:

 

# config user saml

 edit "Wi-Fi-GOOGLE-SAML"

        set entity-id "https://FGT-IP:1000/saml/metadata/"

        set single-sign-on-url "https://FGT-IP:1003/saml/login/"

        set single-logout-url "https://FGT-IP:1003/saml/logout/"

        set idp-entity-id "https://accounts.google.com/o/saml2?idpid=YOUR_ID"

        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=YOUR_ID"

        set idp-single-logout-url "https://accounts.google.com/logout"

        set idp-cert "Google_SAML_cert"

        set user-name "Username"

        set group-name "Groupname"

        set digest-method sha1

    next

end

 

Replace FGT-IP in the template with the IP address of the SSID interface (the address the clients reach the captive portal on). The digest-method must match the algorithm Google uses to sign its assertions; if the samld debug shows a signature or digest validation failure with sha1, set it to sha256.

 

For example, with an SSID interface IP of 10.200.220.1, the SP entries become:

 

        set entity-id "https://10.200.220.1:1000/saml/metadata/"

        set single-sign-on-url "https://10.200.220.1:1003/saml/login/"

        set single-logout-url "https://10.200.220.1:1003/saml/logout/"

 

View the IdP details at admin.google.com:

Go to Security -> Authentication -> SSO with SAML applications.

Copy the SSO URL into idp-single-sign-on-url and the Entity ID into idp-entity-id in the template, and download the certificate. The filled-in template for this example:

 


# config user saml

 edit "Wi-Fi-GOOGLE-SAML"

        set entity-id "https://10.200.220.1:1000/saml/metadata/"

        set single-sign-on-url "https://10.200.220.1:1003/saml/login/"

        set single-logout-url "https://10.200.220.1:1003/saml/logout/"

        set idp-entity-id "https://accounts.google.com/o/saml2?idpid=MY_ID"

        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=MY_ID"

        set idp-single-logout-url "https://accounts.google.com/logout"

        set idp-cert "GOOGLE-IDP"

        set user-name "Username"

        set group-name "Groupname"

        set digest-method sha1

    next

end


1) Import the certificate from the Google IdP into the FortiGate.

Go to System -> Certificates -> Import -> Remote Certificate.

In the 'Upload' field, choose the certificate downloaded from the Google IdP and select 'OK'.

The imported certificate receives a generic name (REMOTE_Cert_2 in this example). To rename it so that it matches the idp-cert value in the template, open the CLI console:

 

# config certificate remote

rename REMOTE_Cert_2 to GOOGLE-IDP

end

 

2) Paste the pre-configured template into the FortiGate via the CLI.

The Google IdP links contain a special character ('?'). In the FortiOS CLI, '?' triggers context help instead of being entered as text, so a plain copy/paste of the SAML configuration silently drops the '?' and breaks the links.

1st way: via SSH (the GUI CLI console does not support the trick below; use an SSH session).

To enter a literal '?' in the CLI, press 'Ctrl + V' before typing '?'.

Example for set idp-entity-id 'https://accounts.google.com/o/saml2?idpid=MY_TENANT_ID':

copy/paste: set idp-entity-id 'https://accounts.google.com/o/saml2  then press Ctrl+V followed by '?', then copy/paste the rest: idpid=MY_TENANT_ID'.

2nd way: correct the missing characters in the GUI afterwards (SAML can be configured in the GUI from FortiOS 7.0), or configure it entirely from the GUI. In both cases, check the result with 'show user saml' and confirm that both idp URLs still contain '?idpid='.

 


 

3) Configure the SAML user group:

In the example, the group name is IT-Support. The group-name under 'config match' must equal a group value that Google delivers in the Groupname attribute, exactly as Google sends it (case-sensitive).

# config user group
    edit "Wi-Fi-GOOGLE-SAML-grp_IT-Support"
        set member "Wi-Fi-GOOGLE-SAML"
        config match
            edit 1
                set server-name "Wi-Fi-GOOGLE-SAML"
                set group-name "IT-Support"
            next
        end
    next
end

 

4) Configure the SSID for the captive portal and select the SAML group.

Wi-Fi settings:

Go to Security mode -> Captive portal -> Authentication portal -> Local.
User groups -> the SAML group(s) (for example 'Wi-Fi-GOOGLE-SAML-grp_IT-Support').

 

# config wireless-controller vap

    edit "GRAKOV NETWORK"

        set ssid "GRAKOV NETWORK"

        set security captive-portal

        set selected-usergroups "Wi-Fi-GOOGLE-SAML-grp_IT-Support"

      next

end


5) Configure two firewall policies.

The first policy lets a client that is not yet authenticated reach the Google IdP.

It exempts the internet-service-names 'Google-Web' and 'Google-DNS' from the captive portal, since both are required for DNS resolution and the authentication redirect. Note that the 'Google-Web' ISDB entry covers Google's web services in general, so an unauthenticated client on this SSID can reach those services, not only the login page; keep this policy as narrow as the ISDB entries allow and keep logging enabled on it.

 

# config firewall policy

    edit 0

        set name "GOOGLE EXEMPT SAML and DNS"

        set srcintf "GRAKOV NETWORK"  -> Your SSID

        set dstintf "WAN_LAG"   -> Your WAN interface

        set action accept

        set srcaddr "all"

        set internet-service enable

        set internet-service-name "Google-Web" "Google-DNS" -> For DNS resolution and Authentication.

        set schedule "always"

        set inspection-mode proxy

        set logtraffic all

        set nat enable

        set comments "SAML exclude policy for Google with DNS"

        set captive-portal-exempt enable   -> To allow authentication on IDP Google, for not authenticated users.

    next

end


The second policy allows the remaining traffic once the user is authenticated and a member of the SAML group:

 

# config firewall policy

    edit 0

        set srcintf "GRAKOV NETWORK"

        set dstintf "WAN_LAG"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set inspection-mode proxy

        set logtraffic all

        set nat enable

        set groups "Wi-Fi-GOOGLE-SAML-grp_IT-Support"

    next

end

 


 

At this point, the FortiGate (SP) side is done.

 

Configure the IdP side (Google). Log into the admin portal (admin.google.com):

Go to Apps -> Web and mobile apps, select 'Add app' and choose 'Add custom SAML app'.

 

In 'App details', enter the 'App name' and, if required, a 'Description'.

In this example the app name is 'Alpha Wi-Fi'. Select 'CONTINUE'.

 

Google shows the IdP details (the same ones as under Security -> Authentication -> SSO with SAML applications): SSO URL, Entity ID and certificate.

These are already in the template and on the FortiGate, so select 'CONTINUE'.

 

In 'Service provider details', copy the FortiGate entity-id value 'https://10.200.220.1:1000/saml/metadata/' into the 'Entity ID' field, and the single-sign-on-url value 'https://10.200.220.1:1003/saml/login/' into the 'ACS URL' field. Both must match the FortiGate values exactly, including scheme, port and trailing slash.

Select 'CONTINUE'.

In 'Attribute mapping', add the attributes the FortiGate expects.

For example, map 'Primary email' to the app attribute 'Username' (the user-name value in the FortiGate SAML configuration) and Google group membership to 'Groupname' (the group-name value). The attribute names are case-sensitive and must match the FortiGate configuration.

Select 'FINISH'.

After the app is created, 'User access' is OFF for everyone by default, so logins fail until it is enabled.

Open 'User access', set the service status to ON for everyone (or for the relevant organizational units) and select 'SAVE'.

 

To create the Google group that the FortiGate 'config match' refers to, go to Directory -> Groups -> Create group, name it IT-Support and add the members.


Test it.

Connect to the SSID. The client is redirected to the Google IdP; after the credentials are entered, the user is authenticated and the captive portal releases the session.

Verification:


# diagnose firewall auth filter method fw
# diagnose firewall auth list

10.200.220.2, agrakov@myDomain.my

        src_mac: a8:64:f1:e4:d3:3d

        type: fw, id: 0, duration: 329, idled: 0

        expire: 300, allow-idle: 300

        flag(100): wsso

        server: Wi-Fi-GOOGLE-SAML

        packets: in 53776 out 89084, bytes: in 15918171 out 117613581

        group_id: 24

        group_name: Wi-Fi-GOOGLE-SAML-grp_IT-Support

 

----- 1 listed, 0 filtered ------


SAML debugging is the same as for SSL VPN:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Companion-for-troubleshooting-SSL-VP...

# diagnose debug application samld -1  <----- (debug level -1 gives the most detailed output).

# diagnose debug enable

Reproduce the login and look in the samld output for the IdP issuer, the attributes received (Username, Groupname) and the group match. Disable debugging when finished.

# diagnose firewall auth filter method fw
# diagnose firewall auth list
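The samld debug prints the SAML response the FortiGate received, but reading the mismatches out of it by hand is error-prone. The script below is an added example, not part of the article or of any Fortinet tool: it decodes a base64 SAMLResponse (as captured from the browser's POST to the FortiGate ACS URL, or from the samld debug) and cross-checks it against the SP values from the 'config user saml' block, the 'config match' group of step 3 and the Google attribute mapping above. The response embedded in it is constructed for the example and carries no signature, so the script does not verify signatures (the FortiGate does that with idp-cert); it only flags the field mismatches that usually break this setup.

```python
"""Cross-check a SAMLResponse against the FortiGate SP settings from the article.

Added example; not from the article or Fortinet. Assumptions: the input is the base64
SAMLResponse value captured from the browser or the samld debug, and the assertion is
in plaintext. The sample below is constructed and unsigned: signatures are NOT checked
here (the FortiGate does that with idp-cert); only the SP/IdP field mismatches are.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Mirrors 'config user saml Wi-Fi-GOOGLE-SAML' and the 'config match' entry of step 3.
FGT_SAML = {
    "entity_id": "https://10.200.220.1:1000/saml/metadata/",
    "acs_url": "https://10.200.220.1:1003/saml/login/",
    "idp_entity_id": "https://accounts.google.com/o/saml2?idpid=MY_ID",
    "user_attr": "Username",
    "group_attr": "Groupname",
}
MATCH_GROUPS = {"IT-Support": "Wi-Fi-GOOGLE-SAML-grp_IT-Support"}

# Constructed sample of what Google would POST for the article's user (no Signature element).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2022-10-01T10:00:00Z" Destination="https://10.200.220.1:1003/saml/login/">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=MY_ID</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-10-01T10:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=MY_ID</saml:Issuer>
    <saml:Subject><saml:NameID>agrakov@myDomain.my</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://10.200.220.1:1000/saml/metadata/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Username"><saml:AttributeValue>agrakov@myDomain.my</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Groupname">
        <saml:AttributeValue>IT-Support</saml:AttributeValue>
        <saml:AttributeValue>Everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_response(b64):
    """Decode a base64 SAMLResponse and extract the fields the SP configuration is matched against."""
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion found (encrypted assertions are not handled here)")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "name_id": (assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip(),
        "attributes": attrs,
    }


def check_against_fortigate(parsed, sp=FGT_SAML, match=MATCH_GROUPS):
    """Return (ok, findings, matched_group); each finding names the FortiOS setting to look at."""
    f = []
    if parsed["status"] != SUCCESS:
        f.append(f"IdP status {parsed['status']!r}: check 'User access' for the app in Google Admin")
    if parsed["destination"] != sp["acs_url"]:
        f.append(f"Destination {parsed['destination']!r} != single-sign-on-url (Google ACS URL) {sp['acs_url']!r}")
    if parsed["issuer"] != sp["idp_entity_id"]:
        f.append(f"Issuer {parsed['issuer']!r} != idp-entity-id {sp['idp_entity_id']!r} (did the '?' survive the paste?)")
    if sp["entity_id"] not in parsed["audiences"]:
        f.append(f"Audience {parsed['audiences']} lacks entity-id {sp['entity_id']!r} (Google 'Entity ID' field)")
    attrs = parsed["attributes"]
    if sp["user_attr"] not in attrs:
        f.append(f"user-name attribute {sp['user_attr']!r} missing; IdP sent {sorted(attrs)}")
    groups = attrs.get(sp["group_attr"], [])
    if not groups:
        f.append(f"group-name attribute {sp['group_attr']!r} missing or empty; check the Google group mapping")
    matched = next((match[g] for g in groups if g in match), None)  # first value with a 'config match'
    if groups and matched is None:
        f.append(f"none of {groups} equals a 'config match' group-name in {sorted(match)}")
    return (not f, f, matched)


if __name__ == "__main__":
    ok, findings, group = check_against_fortigate(parse_response(SAMPLE_RESPONSE_B64))
    if ok:
        print("OK: user would be placed in", group)
    else:
        print("FAIL:\n  " + "\n  ".join(findings))
```

To use it on a real login, replace SAMPLE_RESPONSE_B64 with the captured SAMLResponse value and FGT_SAML/MATCH_GROUPS with the values from 'show user saml' and 'show user group'. The checks are ordered the way the failures surface in practice: a non-Success status points at the Google app's user access setting, a Destination or Audience mismatch at the URLs typed into Google, a wrong Issuer at the '?' lost during the CLI paste, and a missing or unmatched Groupname at the attribute mapping or the 'config match' entry.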
