FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JNDias
Staff
Staff

Description

 

This article describes how to enable the use of a google enterprise account for VPN authentication.

 

Scope

 

FortiGate, G Suite.

 

Solution

 

1) This is a basic configuration that will allow all users with valid credentials to log in.

2) All the users should have 2FA enabled on google before configuring this.

 

When 2FA is in use, need to increase the remoteauthtimeout to 60 seconds, as the default 5 seconds can be too fast when two-factor authentication is in use.

# config system global

    set remoteauthtimeout 60

  end


3) Use group filtering (optional).

 

Demo with WebMode:

 

WebMode ExampleWebMode Example

 

Start from the Google admin console:

 

image.png

 

image.png

 

Copy 'SSO URL', and 'Entity ID' and download the certificate.

 

image.png

 

Service Provider Details:


ACS URL:  https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/login/

Entity ID:  http://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/metadata/

Start URL = to ACS URL

 

Example:

 

image.png

 

Attribute Mapping:

 

image.png

 

Optional - Specify additional attributes and group.


For example: To use group-name in G-Suite, using the Department field and the value can be the Groupname.

agrakov_0-1657925475827.png



To assign the value for the Department field on G-Suite, go to Directory - > Users - > Edit User - > User Information. Assign, for example, IT value using attributes mapping Department = Groupname, 'IT' will be the Groupname.

agrakov_1-1657925584456.png


Note.

Attributes are case sensitive and must match both SP and IdP sides.

 

Enable User access:

 

image.png

 

 

FortiGate Configuration:

Some images have the username or group name field with capital letters and may not match the config.

In the configurtaion, keep it consistent. e.g  If 'username' is set in google cloud user 'username' in config and not 'Username'.


Import the google cert that was downloaded.


System -> Certificates -> Create/Import  -> Remote Certificate

 


Customize the configuration:

 

idp-entity-id                -> 'Entity ID' copy form google console

idp-single-sign-on-url -> 'SSO URL' copy form google console

 

### user saml ###
# config user saml

edit "gsuite-sslvpn"

set cert "Fortinet_Factory"
set entity-id "http://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/metadata/"
set single-sign-on-url "https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/login/"
set single-logout-url "https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/logout/"
set idp-entity-id "https://accounts.google.com/o/saml2?idpid="
set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid="
set idp-cert "REMOTE_Cert_1"
set user-name "username"
# OPTIONAL # set group-name "group"
set digest-method sha1

next

end


And to use group-name.

# config user saml
    edit "Your_SAML"

    set group-name "Groupname"
  end

 

# config user group
    edit "GOOGLE-SAML-GROUP"
        set member "Your_SAML"


# config match
    edit 1
        set server-name "Your_SAML"
        set group-name "IT"
    next
 end
next
end

 

As some links contains a special character (GOOGLE IDP links containing '?') and cannot  copy/paste the SAML configuration in CLI, as it will break the link as a special character will be missing.

To fix:

First way - via SSH (GUI CLI Console – do not do the trick and  must use SSH).

If the link has a value '?' in the string, then enter the value '?' in the CLI, and enter 'Ctrl + V' before '?'.

Here is an example: set idp-entity-id https://accounts.google.com/o/saml2?idpid=TENANT_ID_NUMBER

copy/paste: set idp-entity-id https://accounts.google.com/o/saml2  <CTRL+V and use “?“> then copy/paste idpid=TENANT_ID_NUMBER

 

Second way – correct missing characters via GUI or configure it from the GUI (configure the  SAML in the GUI starting from FortiOS 7.0+).

Go to 'Single Sign-On' - > Edit 'Your SAML' and make the proper changes in the strings that are missing characters.

 

### Group ###
# config user group

edit "saml_gsuite"

set member "gsuite-sslvpn"

next

end

 

### SSL SETTINGS ###
# config vpn ssl settings

set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set port 4434
set source-interface "port2" "port7"
set source-address "all"
set source-address6 "all"
set default-portal "full-access"
config authentication-rule

edit 1

set groups "saml_gsuite"
set portal "full-access"

next

end

end

 

Firewall Rule Example:

 

image.png

 

FortiClient Configuration:

 

FortiClientFortiClient