FortiGate
JNDias
Staff
Article Id 217581

Description

 

This article describes how to use a Google enterprise (G Suite) account, via SAML, for SSL VPN authentication on a FortiGate.

 

Scope

 

FortiGate, G Suite.

 

Solution

 

  1. This is a basic configuration that allows all users with valid credentials to log in.
  2. All users should have 2FA enabled on Google before configuring this.

 

When 2FA is in use, increase remoteauthtimeout to 60 seconds: the default of 5 seconds is often too short for the user to complete the second factor, and the FortiGate will reject the login before the IdP responds.


config system global
    set remoteauthtimeout 60
end

 

  3. Use group filtering (optional).

 

 

Demo with WebMode:

 

[Image: WebMode example]

 

Start from the Google admin console:

 


 

Copy the 'SSO URL' and 'Entity ID' values and download the certificate.

 


 

Service Provider Details:


ACS URL:   https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/login/

Entity ID: https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/metadata/

Start URL: same as the ACS URL

 

Example:

 

[Image: G Suite SP details]

 

Attribute Mapping:

 


 

Optional: Specify additional attributes and groups.


For example, to carry a group name from G Suite, map the Department field to an attribute (here called Groupname); the value of the Department field is then the group name.

To set the value of the Department field in G Suite, go to Directory -> Users -> Edit User -> User Information.

For example, assign the value 'IT' to the user's Department field. With the attribute mapping Department -> Groupname, 'IT' is the group name the FortiGate receives.


Note:

Attributes are case-sensitive and must match both SP and IdP sides.

 

Enable User access:

 


 

 

FortiGate Configuration:

Some of the screenshots show the username or group name attribute with a capital letter, which may not match the configuration shown here.

Keep the names consistent in the configuration: if the attribute is named 'username' in Google Cloud, use 'username' in the FortiGate configuration, not 'Username'.


Import the Google cert that was downloaded.


System -> Certificates -> Create/Import  -> Remote Certificate.

 


Customize the configuration:

 

idp-entity-id          -> 'Entity ID' copied from the Google admin console.

idp-single-sign-on-url -> 'SSO URL' copied from the Google admin console.

idp-single-logout-url  -> 'https://accounts.google.com/logout'.

 

User SAML:


config user saml
    edit "gsuite-sslvpn"
        set cert "Fortinet_Factory"
        set entity-id "https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/metadata/"
        set single-sign-on-url "https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/login/"
        set single-logout-url "https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/logout/"
        set idp-entity-id "https://accounts.google.com/o/saml2?idpid="
        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid="
        set idp-single-logout-url "https://accounts.google.com/logout"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

The group-name setting is optional.


To use group-name:


config user saml
    edit "Your_SAML"
        set group-name "Groupname"
    next
end

 

config user group
    edit "GOOGLE-SAML-GROUP"
        set member "Your_SAML"
        config match
            edit 1
                set server-name "Your_SAML"
                set group-name "IT"
            next
        end
    next
end
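To see why the case-sensitivity note above matters, and how the group match on the FortiGate side behaves, here is an added Python example (not part of this article and not FortiOS code) that parses a constructed SAML response, pulls the attributes named in the mapping, and emulates the SP-side lookup: the configured attribute names (user-name, group-name) are looked up exactly, and each match group-name is compared exactly against the received attribute values. The XML is a constructed sample, the tenant id is a placeholder, and signature validation, which the FortiGate performs with idp-cert, is deliberately out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response (not a real Google response, not signed).
# Attribute names follow the mapping used in the article: 'username' and
# 'Groupname' (Department -> Groupname). The tenant id is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=TENANT_ID_PLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Groupname">
        <saml:AttributeValue>IT</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(xml_text):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def fortigate_match(attrs, user_name_attr, group_name_attr, match_groups):
    """Emulate the SP side of the article's config.

    user_name_attr  -> 'set user-name'  in config user saml
    group_name_attr -> 'set group-name' in config user saml
    match_groups    -> the 'set group-name' values under config match
    Lookups are exact (case-sensitive), as the article's note requires.
    Returns (user, [matched groups]); user is None if the username
    attribute is absent, which is what a name mismatch looks like.
    """
    if not attrs.get(user_name_attr):
        return None, []
    user = attrs[user_name_attr][0]
    received_groups = attrs.get(group_name_attr, [])
    matched = [g for g in match_groups if g in received_groups]
    return user, matched


if __name__ == "__main__":
    a = extract_attributes(SAMPLE_RESPONSE)
    print(fortigate_match(a, "username", "Groupname", ["IT"]))   # user + IT
    print(fortigate_match(a, "Username", "Groupname", ["IT"]))   # (None, [])
```

Running it shows the two failure modes the article warns about: a capitalised 'Username' in the FortiGate configuration finds no user at all, and a match entry of 'it' instead of 'IT' authenticates the user but puts them in no group, so the SSL VPN authentication rule never applies.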

 

Some Google IdP links contain the special character '?', so copy/pasting the SAML configuration into the CLI breaks them: the FortiOS CLI treats '?' as a request for help and does not insert it, so the character is missing from the stored value.

To fix:

The first way: via SSH (the GUI CLI console does not support this trick; use an SSH session).

Wherever the string contains '?', press 'Ctrl + V' and then type '?' so that it is entered literally.

Here is an example: set idp-entity-id https://accounts.google.com/o/saml2?idpid=TENANT_ID_NUMBER.

To copy/paste: paste set idp-entity-id https://accounts.google.com/o/saml2, press Ctrl+V followed by '?', then paste idpid=TENANT_ID_NUMBER.

 

The second way: correct the missing characters in the GUI, or configure the SAML object from the GUI in the first place (SAML can be configured in the GUI from FortiOS 7.0 onward).

Go to 'Single Sign-On' -> edit 'Your SAML' and correct the strings that are missing characters.
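Whichever way the value was entered, it is worth verifying the result. The following added Python check (not from the article and not a Fortinet tool) takes the text of a show user saml listing and reports every Google IdP URL whose idpid query parameter is absent, which is exactly what a swallowed '?' produces. The sample listing and the tenant id are constructed placeholders; the function name is this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed 'show user saml' excerpt. The idp-entity-id line lost its '?'
# during a paste (the CLI consumed it as a help request), so the query
# string became part of the path; the sign-on URL is intact.
SAMPLE_SHOW_OUTPUT = """config user saml
    edit "gsuite-sslvpn"
        set idp-entity-id "https://accounts.google.com/o/saml2idpid=TENANT_ID_PLACEHOLDER"
        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=TENANT_ID_PLACEHOLDER"
        set idp-single-logout-url "https://accounts.google.com/logout"
    next
end
"""

# The two IdP settings that carry an idpid query on Google's URLs.
SETTING_RE = re.compile(
    r'^\s*set (idp-entity-id|idp-single-sign-on-url) "([^"]*)"', re.MULTILINE
)


def check_google_idp_urls(config_text):
    """Return {setting: explanation} for every Google IdP URL that lacks
    a non-empty 'idpid' query parameter. An empty dict means all good."""
    problems = {}
    for setting, url in SETTING_RE.findall(config_text):
        parts = urlsplit(url)
        if parts.netloc != "accounts.google.com":
            continue  # only Google's URL scheme is checked here
        idpid = parse_qs(parts.query).get("idpid", [""])[0]
        if not idpid:
            hint = "query string ended up in the path" if "idpid=" in parts.path \
                else "no idpid parameter at all"
            problems[setting] = (
                f"{url!r}: missing '?idpid=...' ({hint}); re-enter the '?' with "
                "Ctrl+V followed by '?' over SSH, or correct the string in the GUI"
            )
    return problems


if __name__ == "__main__":
    for setting, msg in check_google_idp_urls(SAMPLE_SHOW_OUTPUT).items():
        print(f"{setting}: {msg}")
```

Note that the check also flags a URL that ends in a bare 'idpid=' with no tenant id, so it catches a value that was pasted from a template without the tenant id filled in.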

 

Group:


config user group
    edit "saml_gsuite"
        set member "gsuite-sslvpn"
    next
end

 

SSL VPN settings:


config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 4434
    set source-interface "port2" "port7"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "saml_gsuite"
            set portal "full-access"
        next
    end
end

 

Firewall Rule Example:

 


 

FortiClient Configuration:

 

[Image: FortiClient configuration]

 

 

Related article:

Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication